tlaternet-server/configuration/services/afvalcalendar.nix

{
  pkgs,
  config,
  ...
}: {
  systemd.services.afvalcalendar = {
    description = "Enschede afvalcalendar -> ical converter";
    wantedBy = ["multi-user.target"];
    after = ["network.target"];

    script = ''
      ${pkgs.local.afvalcalendar}/bin/afvalcalendar > /srv/afvalcalendar/afvalcalendar.ical
    '';

    startAt = "daily";

    serviceConfig = {
      DynamicUser = true;
      ProtectHome = true; # Override the default (read-only)
      PrivateDevices = true;
      PrivateIPC = true;
      PrivateUsers = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];

      Umask = 0002;
      SupplementaryGroups = "afvalcalendar-hosting";

      ReadWritePaths = "/srv/afvalcalendar";
    };
  };

  services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
    forceSSL = true;
    enableACME = true;
    enableHSTS = true;

    root = "/srv/afvalcalendar";
  };

  users.groups.afvalcalendar-hosting = {};
  systemd.tmpfiles.settings."10-afvalcalendar" = {
    "/srv/afvalcalendar".d = {
      user = "nginx";
      group = "afvalcalendar-hosting";
      mode = "0775";
    };

    "/srv/afvalcalendar/afvalcalendar.ical".f = {
      user = "nginx";
      group = "afvalcalendar-hosting";
      mode = "0775";
    };
  };
}
afvalcalendar: Host enschede afvalcalendar 2024-04-15 01:58:09 +01:00			`{`
			`pkgs,`
			`config,`
			`...`
			`}: {`
			`systemd.services.afvalcalendar = {`
			`description = "Enschede afvalcalendar -> ical converter";`
			`wantedBy = ["multi-user.target"];`
			`after = ["network.target"];`

			`script = ''`
			`${pkgs.local.afvalcalendar}/bin/afvalcalendar > /srv/afvalcalendar/afvalcalendar.ical`
			`'';`

			`startAt = "daily";`

			`serviceConfig = {`
			`DynamicUser = true;`
			`ProtectHome = true; # Override the default (read-only)`
			`PrivateDevices = true;`
			`PrivateIPC = true;`
			`PrivateUsers = true;`
			`ProtectHostname = true;`
			`ProtectClock = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelLogs = true;`
			`ProtectControlGroups = true;`
			`RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];`
			`RestrictNamespaces = true;`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`SystemCallArchitectures = "native";`
			`SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];`

			`Umask = 0002;`
			`SupplementaryGroups = "afvalcalendar-hosting";`

			`ReadWritePaths = "/srv/afvalcalendar";`
			`};`
			`};`

			`services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`enableHSTS = true;`

			`root = "/srv/afvalcalendar";`
			`};`

			`users.groups.afvalcalendar-hosting = {};`
			`systemd.tmpfiles.settings."10-afvalcalendar" = {`
			`"/srv/afvalcalendar".d = {`
			`user = "nginx";`
			`group = "afvalcalendar-hosting";`
			`mode = "0775";`
			`};`

			`"/srv/afvalcalendar/afvalcalendar.ical".f = {`
			`user = "nginx";`
			`group = "afvalcalendar-hosting";`
			`mode = "0775";`
			`};`
			`};`
			`}`