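# NixOS module for the noisebell RSS/Atom feed service.
#
# `self` is the flake that provides the packaged binary; the inner function
# has the usual NixOS module signature. The module creates a dedicated system
# user, a Caddy virtual host that proxies to the local port, and a hardened
# systemd unit that receives the webhook secret as a systemd credential.
self: { config, lib, pkgs, ... }:

let
  cfg = config.services.noisebell-rss;

  # Select the package for the host system rather than hard-coding
  # x86_64-linux, so the module also evaluates on other architectures.
  bin = "${self.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/noisebell-rss";

  # Name under which the webhook secret is exposed in $CREDENTIALS_DIRECTORY.
  credName = "webhook-secret";
in
{
  options.services.noisebell-rss = {
    enable = lib.mkEnableOption "noisebell RSS/Atom feed";

    domain = lib.mkOption {
      type = lib.types.str;
      description = "Domain for the Caddy virtual host.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 3002;
      description = "Local TCP port the feed server listens on; Caddy proxies to it.";
    };

    webhookSecretFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        Path to file containing the webhook secret.

        The file is read by systemd (as root) via LoadCredential=, so it does
        not need to be readable by the service user. Pass it as a string such
        as "/run/secrets/noisebell-rss-webhook", not as a path literal: a path
        literal is copied into the world-readable Nix store.
      '';
    };

    dataDir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/noisebell-rss";
      description = ''
        Directory the service keeps its state in. The default location is
        created and owned by systemd (StateDirectory=); any other location must
        already exist and be writable by the `noisebell-rss` user.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.noisebell-rss = {
      isSystemUser = true;
      group = "noisebell-rss";
    };
    users.groups.noisebell-rss = { };

    # TLS terminates in Caddy; plain HTTP is forwarded to the local port.
    services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
      reverse_proxy localhost:${toString cfg.port}
    '';

    systemd.services.noisebell-rss = {
      description = "Noisebell RSS/Atom feed";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];

      environment = {
        NOISEBELL_RSS_PORT = toString cfg.port;
        NOISEBELL_RSS_DATA_DIR = cfg.dataDir;
        NOISEBELL_RSS_SITE_URL = "https://${cfg.domain}";
        RUST_LOG = "info";
      };

      # The secret is read from the per-service credentials directory that
      # systemd populates from LoadCredential=, not from the source file
      # itself, so the unprivileged service user never needs access to it.
      # The binary only sees the value through its environment, as before.
      script = ''
        export NOISEBELL_RSS_WEBHOOK_SECRET="$(cat "$CREDENTIALS_DIRECTORY/${credName}")"
        exec ${bin}
      '';

      serviceConfig = {
        Type = "simple";
        Restart = "on-failure";
        RestartSec = 5;
        User = "noisebell-rss";
        Group = "noisebell-rss";

        # Hand the secret file to the service as a credential; systemd opens
        # it as root and exposes a private copy under $CREDENTIALS_DIRECTORY.
        LoadCredential = [ "${credName}:${cfg.webhookSecretFile}" ];

        # Manages only the default data directory (see the dataDir option);
        # ReadWritePaths below opens the sandbox for a custom location.
        StateDirectory = "noisebell-rss";
        ReadWritePaths = [ cfg.dataDir ];

        # Sandboxing. The service is an unprivileged HTTP server on a
        # non-privileged port, so it needs no capabilities at all.
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectClock = true;
        RestrictSUIDSGID = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        # AF_UNIX stays allowed for NSS/resolver sockets and the journal.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
        # State files are private to the service user.
        UMask = "0077";
      };
    };
  };
}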