nixos-configuration/hosts/iron/services/calibre.nix

# Calibre stack for host "iron": calibre-server (the content server) and
# calibre-web, both bound to loopback and published only through nginx with
# TLS and HTTP basic auth. The basic-auth username is what calibre-web
# receives as its trusted identity (reverse-proxy auth), so the loopback
# binding and the nginx header rewrite below are what make that trust sound.
args@{ lib, config, pkgs, custom-utils, ... }:
let
  # Per-host port table shared with the other service modules.
  ports = import ../ports.nix args;
  # calibre-web's listen address, reused for the nginx upstream so the two
  # cannot drift apart.
  calibreWebHost = "127.0.0.1";
  calibreWebPort = ports.calibre-web.tcp;
in
{
  # htpasswd for the nginx basic-auth gate, decrypted by sops. Owned by the
  # nginx user, which is its only consumer in this file (basicAuthFile below).
  sops.secrets.calibre-htpasswd = {
    sopsFile = ../secrets.yaml;
    owner = "nginx";
  };

  services = {
    # Content server: loopback only, so it is reachable solely from processes
    # on this host. Nothing in this file proxies it externally.
    calibre-server = {
      enable = true;
      host = "127.0.0.1";
      port = ports.calibre-server.tcp;
    };

    calibre-web = {
      enable = true;
      # Runs under the calibre-server account -- presumably so it can write
      # the shared library under /var/lib/calibre-server, which is
      # bind-mounted into its chroot below.
      inherit (config.services.calibre-server) user group;
      listen = {
        ip = calibreWebHost;
        port = calibreWebPort;
      };
      options = {
        # Uploads are allowed; the nginx vhost raises client_max_body_size
        # accordingly.
        enableBookUploading = true;
        # calibre-web takes X-Remote-User as the already-authenticated user.
        # This is only safe because the service listens on loopback and nginx
        # unconditionally overwrites that header with $remote_user from basic
        # auth (vhost below). Any local process that can reach the loopback
        # port can still set the header itself, so keep the listen address
        # local and do not expose this port anywhere else.
        reverseProxyAuth = {
          enable = true;
          header = "X-Remote-User";
        };
      };
    };

    # Public entry point. Basic auth is set on the whole vhost, so every
    # request that reaches calibre-web has $remote_user populated; TLS is
    # mandatory (forceSSL) with ACME-issued certificates.
    nginx.virtualHosts."books.jalr.de" = {
      enableACME = true;
      forceSSL = true;
      kTLS = true;
      basicAuthFile = config.sops.secrets.calibre-htpasswd.path;
      locations."/" = {
        proxyPass = "http://${calibreWebHost}:${toString calibreWebPort}/";
        recommendedProxySettings = true;
        # proxy_set_header replaces any client-supplied X-Remote-User, so a
        # browser cannot inject an identity of its own. The body-size limit
        # exists for book uploads.
        extraConfig = ''
          client_max_body_size 200M;
          proxy_set_header X-Remote-User $remote_user;
        '';
      };
    };
  };

  # Sandbox for the calibre-web unit: chroot into its runtime directory with
  # only the two state directories writable and the Nix store read-only, no
  # capabilities, and network access limited to loopback peers.
  systemd.services.calibre-web.serviceConfig = {
    # Filesystem view inside the chroot.
    RootDirectory = "/run/calibre-web";
    RuntimeDirectory = "calibre-web";
    StateDirectory = "calibre-web";
    WorkingDirectory = "/var/lib/calibre-web";
    BindPaths = [
      "/var/lib/calibre-web"
      "/var/lib/calibre-server"
    ];
    BindReadOnlyPaths = [ "/nix/store" ];
    ProtectSystem = "strict";
    ReadWritePaths = "";
    ProtectHome = true;
    PrivateTmp = true;
    # mkForce implies the upstream calibre-web module sets this key itself;
    # re-check that the unit still starts after a module bump.
    PrivateDevices = lib.mkForce true;
    ProtectProc = "noaccess";
    ProcSubset = "pid";

    # Network: IPv4/IPv6 sockets only, and only to/from loopback addresses.
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    IPAddressDeny = "any";
    IPAddressAllow = "localhost";

    # Privileges and kernel attack surface.
    CapabilityBoundingSet = "";
    NoNewPrivileges = true;
    PrivateUsers = true;
    RestrictSUIDSGID = true;
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RemoveIPC = true;
    LockPersonality = true;
    # NOTE(review): forbids writable+executable mappings; would need relaxing
    # if a JIT-based dependency ever shows up.
    MemoryDenyWriteExecute = true;
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    SystemCallArchitectures = "native";
    # Allow the generic service-call set, minus anything privileged.
    SystemCallFilter = [
      "@system-service"
      "~@privileged"
    ];
  };
}