From 1cfd74809b8342733e7b1ab453bb13d1dda49c87 Mon Sep 17 00:00:00 2001
From: Thiago Kenji Okada
Date: Wed, 5 Jun 2024 15:14:56 -0300
Subject: [PATCH] nixos/flood: init

---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/torrent/flood.nix | 85 +++++++++++++++++++
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/flood.nix | 27 ++++++
 .../networking/p2p/flood/default.nix | 5 ++
 5 files changed, 119 insertions(+)
 create mode 100644 nixos/modules/services/torrent/flood.nix
 create mode 100644 nixos/tests/flood.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index b20e98a9f229..a008c3c5bdea 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1316,6 +1316,7 @@
 ./services/system/zram-generator.nix
 ./services/torrent/deluge.nix
 ./services/torrent/flexget.nix
+ ./services/torrent/flood.nix
 ./services/torrent/magnetico.nix
 ./services/torrent/opentracker.nix
 ./services/torrent/peerflix.nix
diff --git a/nixos/modules/services/torrent/flood.nix b/nixos/modules/services/torrent/flood.nix
new file mode 100644
index 000000000000..213f4ef04648
--- /dev/null
+++ b/nixos/modules/services/torrent/flood.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, utils, ... }:
+
+let
+ cfg = config.services.flood;
+in
+{
+ meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
+ options.services.flood = {
+ enable = lib.mkEnableOption "flood";
+ package = lib.mkPackageOption pkgs "flood" { };
+ openFirewall = lib.mkEnableOption "" // {
+ description = "Whether to open the firewall for the port in {option}`services.flood.port`.";
+ };
+ port = lib.mkOption {
+ type = lib.types.int;
+ description = "Port to bind webserver.";
+ default = 3000;
+ example = 3001;
+ };
+ host = lib.mkOption {
+ type = lib.types.str;
+ description = "Host to bind webserver.";
+ default = "localhost";
+ example = "::";
+ };
+ extraArgs = lib.mkOption {
+ type = with lib.types; listOf str;
+ description = "Extra arguments passed to `flood`.";
+ default = [ ];
+ example = [ "--baseuri=/" ];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.flood = {
+ description = "A modern web UI for various torrent clients.";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ unitConfig = {
+ Documentation = "https://github.com/jesec/flood/wiki";
+ };
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = "3s";
+ ExecStart = utils.escapeSystemdExecArgs ([
+ (lib.getExe cfg.package)
+ "--host"
+ cfg.host
+ "--port"
+ (toString cfg.port)
+ "--rundir=/var/lib/flood"
+ ] ++ cfg.extraArgs);
+
+ CapabilityBoundingSet = [ "" ];
+ DynamicUser = true;
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ StateDirectory = "flood";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "@pkey" "~@privileged" ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [
+ cfg.port
+ ];
+ };
+}
+
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 746b29fd2725..708332a9317b 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -328,6 +328,7 @@ in {
 firewall-nftables = handleTest ./firewall.nix { nftables = true; };
 fish = handleTest ./fish.nix {};
 flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {};
+ flood = handleTest ./flood.nix {};
 floorp = handleTest ./firefox.nix { firefoxPackage = pkgs.floorp; };
 fluentd = handleTest ./fluentd.nix {};
 fluidd = handleTest ./fluidd.nix {};
diff --git a/nixos/tests/flood.nix b/nixos/tests/flood.nix
new file mode 100644
index 000000000000..075d37e62835
--- /dev/null
+++ b/nixos/tests/flood.nix
@@ -0,0 +1,27 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+ port = 3001;
+in
+{
+ name = "flood";
+ meta = {
+ maintainers = with pkgs.lib.maintainers; [ thiagokokada ];
+ };
+
+ nodes.machine = { pkgs, ... }: {
+ services.flood = {
+ inherit port;
+ enable = true;
+ openFirewall = true;
+ extraArgs = [ "--baseuri=/" ];
+ };
+ };
+
+ testScript = /* python */ ''
+ machine.start()
+ machine.wait_for_unit("flood.service")
+ machine.wait_for_open_port(${toString port})
+
+ machine.succeed("curl --fail http://localhost:${toString port}")
+ '';
+})
diff --git a/pkgs/applications/networking/p2p/flood/default.nix b/pkgs/applications/networking/p2p/flood/default.nix
index 85ef8b2130bb..ada2a69e6947 100644
--- a/pkgs/applications/networking/p2p/flood/default.nix
+++ b/pkgs/applications/networking/p2p/flood/default.nix
@@ -1,6 +1,7 @@
 { lib
 , buildNpmPackage
 , fetchFromGitHub
+, nixosTests
 }:
 
 buildNpmPackage rec {
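Review bot: In the `options.services.flood` block near the top of the hunk, `port` is declared as `lib.types.int`, which accepts negative or out-of-range values and only fails once systemd tries to start the unit; `lib.types.port` is the usual NixOS type here and rejects them at evaluation time: `type = lib.types.port;`. The `host` option's description could also state that the default `localhost` keeps the web UI off the network, and that a wildcard such as the example `::` combined with `openFirewall` exposes the UI to anything that can reach the opened port, since `openFirewall` only adds the firewall rule and leaves access control entirely to whatever Flood itself enforces. Conversely, with the default `host` the `networking.firewall.allowedTCPPorts` entry at the end of the hunk opens a port nothing outside the host can reach, which may be worth a sentence in the `openFirewall` description as well.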
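Review bot: The test sets `openFirewall = true` in the `nodes.machine` block but then reaches the service through `http://localhost:${toString port}`, so the firewall rule is never exercised, and with `services.flood.host` left at its default of `localhost` the opened port is not reachable from another node anyway. Either drop `openFirewall = true` so the test is honest about what it covers, or bind to a non-loopback host and add a second node that performs the curl. The `curl --fail` against `/` does confirm that the hardened unit (ProtectSystem strict, DynamicUser, the syscall filter) starts and serves a successful response, which is the main thing this test pins.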
@@ -16,6 +17,10 @@ buildNpmPackage rec {
 npmDepsHash = "sha256-md76I7W5QQvfbOmk5ODssMtJAVOj8nvaJ2PakEZ8WUA=";
 
+ passthru.tests = {
+ inherit (nixosTests) flood;
+ };
+
 meta = with lib; {
 description = "Modern web UI for various torrent clients with a Node.js backend and React frontend";
 homepage = "https://flood.js.org";