From 22e2e02118b2e84a5471edaadec6a1cfc34e477d Mon Sep 17 00:00:00 2001 From: Savyasachee Jha Date: Mon, 23 Sep 2024 23:10:35 +0530 Subject: [PATCH] nixos/privatebin: init --- .../manual/release-notes/rl-2411.section.md | 2 + nixos/modules/module-list.nix | 1 + .../modules/services/web-apps/privatebin.nix | 228 ++++++++++++++++++ 3 files changed, 231 insertions(+) create mode 100644 nixos/modules/services/web-apps/privatebin.nix diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 1ec8c7ff9066..6225e1795852 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -69,6 +69,8 @@ - [Goatcounter](https://www.goatcounter.com/), Easy web analytics. No tracking of personal data. Available as [services.goatcounter](options.html#opt-services.goatcocunter.enable). +- [Privatebin](https://github.com/PrivateBin/PrivateBin/), A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Available as [services.privatebin](#opt-services.privatebin.enable) + - [UWSM](https://github.com/Vladimir-csp/uwsm), a wayland session manager to wrap Wayland Compositors into useful systemd units such as `graphical-session.target`. Available as [programs.uwsm](#opt-programs.uwsm.enable). - [Open-WebUI](https://github.com/open-webui/open-webui), a user-friendly WebUI diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 4a97be04fe7f..3d6886f31bff 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1480,6 +1480,7 @@ ./services/web-apps/powerdns-admin.nix ./services/web-apps/pretalx.nix ./services/web-apps/pretix.nix + ./services/web-apps/privatebin.nix ./services/web-apps/prosody-filer.nix ./services/web-apps/rimgo.nix ./services/web-apps/rutorrent.nix diff --git a/nixos/modules/services/web-apps/privatebin.nix b/nixos/modules/services/web-apps/privatebin.nix new file mode 100644 index 000000000000..6f6f9c27e389 --- /dev/null +++ b/nixos/modules/services/web-apps/privatebin.nix @@ -0,0 +1,228 @@ +{ + pkgs, + config, + lib, + ... +}: + +let + cfg = config.services.privatebin; + + customToINI = lib.generators.toINI { + mkKeyValue = lib.generators.mkKeyValueDefault { + mkValueString = + v: + if v == true then + ''true'' + else if v == false then + ''false'' + else if builtins.isInt v then + ''${builtins.toString v}'' + else if builtins.isPath v then + ''"${builtins.toString v}"'' + else if builtins.isString v then + ''"${v}"'' + else + lib.generators.mkValueStringDefault { } v; + } "="; + }; + + privatebinSettings = pkgs.writeTextDir "conf.php" (customToINI cfg.settings); + + user = cfg.user; + group = cfg.group; + + defaultUser = "privatebin"; + defaultGroup = "privatebin"; + +in +{ + + options.services.privatebin = { + + enable = lib.mkEnableOption "Privatebin: A minimalist, open source online + pastebin where the server has zero knowledge of pasted data."; + + user = lib.mkOption { + type = lib.types.str; + default = defaultUser; + description = "User account under which privatebin runs."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = if cfg.enableNginx then "nginx" else defaultGroup; + defaultText = "If `services.privatebin.enableNginx` is true then `nginx` else ${defaultGroup}"; + description = '' + Group under which privatebin runs. It is best to set this to the group + of whatever webserver is being used as the frontend. + ''; + }; + + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/privatebin"; + description = '' + The place where privatebin stores its state. + ''; + }; + + package = lib.mkPackageOption pkgs "privatebin" { }; + + enableNginx = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether to enable nginx or not. If enabled, an nginx virtual host will + be created for access to firefly-iii. If not enabled, then you may use + `''${config.services.firefly-iii.package}` as your document root in + whichever webserver you wish to setup. + ''; + }; + + virtualHost = lib.mkOption { + type = lib.types.str; + default = "localhost"; + description = '' + The hostname at which you wish privatebin to be served. If you have + enabled nginx using `services.privatebin.enableNginx` then this will + be used. + ''; + }; + + poolConfig = lib.mkOption { + type = lib.types.attrsOf ( + lib.types.oneOf [ + lib.types.str + lib.types.int + lib.types.bool + ] + ); + defaultText = lib.literalExpression '' + { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + } + ''; + default = { }; + description = '' + Options for the PrivateBin PHP pool. See the documentation on php-fpm.conf + for details on configuration directives. + ''; + }; + + settings = lib.mkOption { + default = { }; + description = '' + Options for privatebin configuration. Refer to + for + details on supported values. + ''; + example = lib.literalExpression '' + { + main = { + name = "NixOS Based Privatebin"; + discussion = false; + defaultformatter = "plalib.types.intext"; + qrcode = true + }; + model.class = "Filesystem"; + model_options.dir = "/var/lib/privatebin/data"; + } + ''; + type = lib.types.submodule { freeformType = lib.types.attrsOf lib.types.anything; }; + }; + }; + + config = lib.mkIf cfg.enable { + + services.privatebin.settings = { + main = lib.mkDefault { }; + model.class = lib.mkDefault "Filesystem"; + model_options.dir = lib.mkDefault "${cfg.dataDir}/data"; + purge.dir = lib.mkDefault "${cfg.dataDir}/purge"; + traffic = { + dir = lib.mkDefault "${cfg.dataDir}/traffic"; + header = "X_FORWARDED_FOR"; + }; + }; + + services.phpfpm.pools.privatebin = { + inherit user group; + phpPackage = pkgs.php83; + phpOptions = '' + log_errors = on + ''; + settings = { + "listen.mode" = lib.mkDefault "0660"; + "listen.owner" = lib.mkDefault user; + "listen.group" = lib.mkDefault group; + "pm" = lib.mkDefault "dynamic"; + "pm.max_children" = lib.mkDefault 32; + "pm.start_servers" = lib.mkDefault 2; + "pm.min_spare_servers" = lib.mkDefault 2; + "pm.max_spare_servers" = lib.mkDefault 4; + "pm.max_requests" = lib.mkDefault 500; + }; + phpEnv.CONFIG_PATH = lib.strings.removeSuffix "/conf.php" (builtins.toString privatebinSettings); + }; + + services.nginx = lib.mkIf cfg.enableNginx { + enable = true; + recommendedTlsSettings = lib.mkDefault true; + recommendedOptimisation = lib.mkDefault true; + recommendedGzipSettings = lib.mkDefault true; + virtualHosts.${cfg.virtualHost} = { + root = "${cfg.package}"; + locations = { + "/" = { + tryFiles = "$uri $uri/ /index.php?$query_string"; + index = "index.php"; + extraConfig = '' + sendfile off; + ''; + }; + "~ \.php$" = { + extraConfig = '' + include ${config.services.nginx.package}/conf/fastcgi_params ; + fastcgi_param SCRIPT_FILENAME $request_filename; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:${config.services.phpfpm.pools.privatebin.socket}; + ''; + }; + }; + }; + }; + + systemd.tmpfiles.settings."10-privatebin" = + lib.attrsets.genAttrs + [ + "${cfg.dataDir}/data" + "${cfg.dataDir}/traffic" + "${cfg.dataDir}/purge" + ] + (n: { + d = { + group = group; + mode = "0750"; + user = user; + }; + }); + + users = { + users = lib.mkIf (user == defaultUser) { + ${defaultUser} = { + description = "Privatebin service user"; + inherit group; + isSystemUser = true; + home = cfg.dataDir; + }; + }; + groups = lib.mkIf (group == defaultGroup) { ${defaultGroup} = { }; }; + }; + }; +}