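# NixOS module for the tlaternet web server. Meant to be imported from a
# flake: `self.packages.${system}` must provide the `server` and `templates`
# derivations.
{ self, system, }:
{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) submodule str;
  inherit (lib.strings) escapeShellArgs;
  inherit (self.packages.${system}) server templates;

  cfg = config.services.tlaternet-webserver;
in
{
  options = {
    services.tlaternet-webserver = {
      enable = mkEnableOption "tlaternet web server";

      listen = mkOption {
        description = "Address and port the web server listens on.";
        # Explicit default so `cfg.listen.*` is defined even when the user
        # never sets the submodule.
        default = { };
        type = submodule {
          options = {
            addr = mkOption {
              type = str;
              description = "IP address.";
              # Loopback by default: exposing the server beyond the local host
              # is an explicit choice made by setting this option.
              default = "127.0.0.1";
            };
            port = mkOption {
              # `types.port` rejects values outside 0-65535 at evaluation time;
              # a plain `int` would accept them and only fail at service start.
              type = lib.types.port;
              description = "Port number.";
              default = 8000;
            };
          };
        };
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.tlaternet-webserver = {
      description = "tlaternet webserver";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # Every argument is shell-escaped, so a `listen.addr` containing shell
      # metacharacters cannot alter the command line.
      script = escapeShellArgs [
        "${server}/bin/tlaternet-webserver"
        "--template-directory"
        templates
        "--address"
        "${cfg.listen.addr}:${toString cfg.listen.port}"
      ];

      serviceConfig = {
        Restart = "always";

        # Run as a transient, unprivileged user. DynamicUser also implies
        # ProtectSystem=strict, ProtectHome=read-only, PrivateTmp and
        # NoNewPrivileges.
        DynamicUser = true;
        # Override the default (read-only) implied by DynamicUser: the server
        # does not need home directories at all.
        ProtectHome = true;
        # The process runs unprivileged anyway; an empty bounding set makes
        # "no capabilities" explicit rather than incidental.
        CapabilityBoundingSet = "";

        PrivateDevices = true;
        PrivateIPC = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        # Only the socket families a TCP server (plus local sockets, e.g. the
        # journal or a local resolver) needs.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        # NOTE(review): W^X enforcement breaks JIT-based runtimes; keep this only
        # while the server binary does not need writable+executable memory.
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # First entry is an allow-list; the `~` entry then removes those groups
        # from it.
        SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
      };
    };
  };
}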