# Calibre content server plus the calibre-web frontend, published at
# books.jalr.de through nginx.
#
# Trust model as configured here: calibre-web binds to loopback only and
# accepts the X-Remote-User header as an already-authenticated identity
# (reverseProxyAuth). The only process that can reach it is nginx, which
# enforces HTTP basic auth for the whole virtual host (basicAuthFile) and
# then forwards the verified username in that header.
moduleArgs@{ lib, config, pkgs, custom-utils, ... }:
let
  ports = import ../ports.nix moduleArgs;
  loopback = "127.0.0.1";
  calibreWebPort = ports.calibre-web.tcp;
in
{
  # htpasswd file decrypted by sops; nginx needs read access to it.
  sops.secrets.calibre-htpasswd = {
    owner = "nginx";
    sopsFile = ../secrets.yaml;
  };

  services.calibre-server = {
    enable = true;
    host = loopback;
    port = ports.calibre-server.tcp;
  };

  services.calibre-web = {
    enable = true;
    # Run under the content server's account so the library it owns is
    # readable by the web frontend.
    inherit (config.services.calibre-server) user group;
    listen = {
      ip = loopback;
      port = calibreWebPort;
    };
    options = {
      enableBookUploading = true;
      # Authentication is delegated to nginx, which sets this header from
      # the basic-auth user it verified (see the virtual host below).
      reverseProxyAuth = {
        enable = true;
        header = "X-Remote-User";
      };
    };
  };

  # Sandbox for the calibre-web unit. The service is chrooted into its
  # RuntimeDirectory (/run/calibre-web) and only the bound paths below are
  # visible inside that root.
  systemd.services.calibre-web.serviceConfig = {
    # Filesystem view inside the chroot.
    RootDirectory = "/run/calibre-web";
    RuntimeDirectory = "calibre-web";
    StateDirectory = "calibre-web";
    WorkingDirectory = "/var/lib/calibre-web";
    BindPaths = [
      "/var/lib/calibre-web"
      "/var/lib/calibre-server"
    ];
    BindReadOnlyPaths = [ "/nix/store" ];
    ProtectSystem = "strict";
    # Left empty on purpose; presumably the writable locations are meant to
    # come from BindPaths/StateDirectory rather than this list.
    ReadWritePaths = "";
    ProtectHome = true;
    PrivateTmp = true;
    PrivateDevices = lib.mkForce true;
    ProcSubset = "pid";
    ProtectProc = "noaccess";

    # Network: loopback only, IPv4/IPv6 sockets only.
    IPAddressAllow = "localhost";
    IPAddressDeny = "any";
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];

    # Privilege and kernel-surface reduction.
    CapabilityBoundingSet = "";
    NoNewPrivileges = true;
    PrivateUsers = true;
    RestrictSUIDSGID = true;
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RemoveIPC = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    SystemCallArchitectures = "native";
    SystemCallFilter = [
      "@system-service"
      "~@privileged"
    ];
  };

  services.nginx.virtualHosts."books.jalr.de" = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    # Vhost-wide basic auth: every location is gated, so $remote_user is
    # always a verified name by the time a request is proxied.
    basicAuthFile = config.sops.secrets.calibre-htpasswd.path;
    locations."/" = {
      proxyPass = "http://${loopback}:${toString calibreWebPort}/";
      recommendedProxySettings = true;
      extraConfig = ''
        client_max_body_size 200M;
        proxy_set_header X-Remote-User $remote_user;
      '';
    };
  };
}