min
/
breeze
1
0
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: min:1fc0ecad20fc589ddce09a2ef04f40e052e2a91a
Branches Tags
min:main
min:0.1.5-p2
min:0.1.5-p1
..
compare: min:80b1727d09dd59a660ccdc10ad1dc12ef931b03b
Branches Tags
min:main
min:0.1.5-p2
min:0.1.5-p1

No commits in common. "1fc0ecad20fc589ddce09a2ef04f40e052e2a91a" and "80b1727d09dd59a660ccdc10ad1dc12ef931b03b" have entirely different histories.
1fc0ecad20 ... 80b1727d09

5 changed files with 19 additions and 259 deletions
Show Stats Expand all files Collapse all files

2
Cargo.lock generated
View File

@ -228,7 +228,7 @@ checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1"
[[package]] [[package]]
name = "breeze" name = "breeze"
version = "0.2.5" version = "0.2.4"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"argh", "argh",

2
Cargo.toml
View File

@ -1,6 +1,6 @@
[package] [package]
name = "breeze" name = "breeze"
version = "0.2.5" version = "0.2.4"
edition = "2021" edition = "2021"
[dependencies] [dependencies]

7
README.md
View File

@ -84,11 +84,6 @@ motd = "my image host, currently hosting %uplcount% files"
# cached anyways. # cached anyways.
max_temp_lifetime = 43200 max_temp_lifetime = 43200
# OPTIONAL - the maximum length (in bytes) a file being uploaded may be.
# A word of warning about this: the error shown to ShareX users who
# hit the limit is *not* very clear. ("connection closed" or similar)
max_upload_len = 2_147_483_648
# The maximum length (in bytes) an image file may be before the server # The maximum length (in bytes) an image file may be before the server
# will skip removing its EXIF data. # will skip removing its EXIF data.
# The performance impact of breeze's EXIF data removal is not # The performance impact of breeze's EXIF data removal is not
@ -113,7 +108,7 @@ upload_lifetime = 1800
scan_freq = 60 scan_freq = 60
# How much memory (in bytes) the cache is allowed to consume. # How much memory (in bytes) the cache is allowed to consume.
mem_capacity = 4_294_967_296 mem_capacity = 4_294_967_295
[http] [http]
# The address that the HTTP server will listen on. (ip:port) # The address that the HTTP server will listen on. (ip:port)

154
flake.nix
View File

@ -7,15 +7,14 @@
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
}; };
outputs = outputs = {
{ self self,
, nixpkgs nixpkgs,
, crane crane,
, flake-utils flake-utils,
, ... ...
}: }:
flake-utils.lib.eachDefaultSystem (system: flake-utils.lib.eachDefaultSystem (system: let
let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
craneLib = crane.mkLib pkgs; craneLib = crane.mkLib pkgs;
@ -38,14 +37,13 @@
breeze = craneLib.buildPackage (commonArgs breeze = craneLib.buildPackage (commonArgs
// { // {
cargoArtifacts = craneLib.buildDepsOnly commonArgs; cargoArtifacts = craneLib.buildDepsOnly commonArgs;
# Additional environment variables or build phases/hooks can be set # Additional environment variables or build phases/hooks can be set
# here *without* rebuilding all dependency crates # here *without* rebuilding all dependency crates
# MY_CUSTOM_VAR = "some value"; # MY_CUSTOM_VAR = "some value";
}); });
in in {
{
checks = { checks = {
inherit breeze; inherit breeze;
}; };
@ -64,129 +62,9 @@
# MY_CUSTOM_DEVELOPMENT_VAR = "something else"; # MY_CUSTOM_DEVELOPMENT_VAR = "something else";
# Extra inputs can be added here; cargo and rustc are provided by default. # Extra inputs can be added here; cargo and rustc are provided by default.
packages = with pkgs; [ packages = [
alejandra pkgs.rewrk
rewrk
]; ];
}; };
nixosModules.breeze =
{ config
, pkgs
, lib
, ...
}:
with lib; let
cfg = config.services.breeze;
settingsFormat = pkgs.formats.toml { };
in
{
options = {
services.breeze = {
enable = mkEnableOption "breeze file server";
package = mkOption {
type = types.package;
default = breeze;
description = "Package for `breeze` to use";
};
user = mkOption {
type = types.str;
default = "breeze";
description = "User that `breeze` will run under";
};
group = mkOption {
type = types.str;
default = "breeze";
description = "Group that `breeze` will run under";
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [ ];
description = "Supplementary groups";
};
settings = mkOption {
type = settingsFormat.type;
default = { };
description = ''
The *.toml configuration to run `breeze` with.
There is no formal documentation, but there is an example in the [readme](https://git.min.rip/min/breeze/src/branch/main/README.md).
'';
};
};
};
config = mkIf cfg.enable {
users.users.${cfg.user} = {
isSystemUser = true;
inherit (cfg) group;
};
users.groups.${cfg.group} = { };
systemd.services.breeze = {
description = "breeze file server";
after = [ "local-fs.target" "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
User = cfg.user;
Group = cfg.group;
DynamicUser = false; # we write files, so don't do that
SupplementaryGroups = cfg.extraGroups;
StateDirectory = "breeze";
CacheDirectory = "breeze";
ExecStart = escapeShellArgs [
"${cfg.package}/bin/breeze"
"--config"
(settingsFormat.generate "breeze.toml" cfg.settings)
];
Restart = "on-failure";
# Security Options #
NoNewPrivileges = true; # implied by DynamicUser
RemoveIPC = true; # implied by DynamicUser
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
PrivateTmp = true; # implied by DynamicUser
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
RestrictSUIDSGID = true; # implied by DynamicUser
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@keyring"
"~@memlock"
"~@privileged"
"~@setuid"
];
};
};
};
};
}); });
} }

113
nix/module.nix
View File

@ -1,113 +0,0 @@
{ config
, pkgs
, lib
, ...
}:
with lib; let
cfg = config.services.breeze;
settingsFormat = pkgs.formats.toml { };
in
{
options = {
services.breeze = {
enable = mkEnableOption "breeze file server";
package = mkPackageOption self.packages.${system} "breeze";
user = mkOption {
type = types.str;
default = "breeze";
description = "User that `breeze` will run under";
};
group = mkOption {
type = types.str;
default = "breeze";
description = "Group that `breeze` will run under";
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [ ];
description = "Supplementary groups";
};
settings = mkOption {
type = settingsFormat.type;
default = { };
description = ''
The *.toml configuration to run `breeze` with.
There is no formal documentation, but there is an example in the [readme](https://git.min.rip/min/breeze/src/branch/main/README.md).
'';
};
};
};
config = mkIf cfg.enable {
users.users.${cfg.user} = {
isSystemUser = true;
inherit (cfg) group;
};
users.groups.${cfg.group} = { };
systemd.services.breeze = {
description = "breeze file server";
after = [ "local-fs.target" "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
User = cfg.user;
Group = cfg.group;
DynamicUser = false; # we write files, so don't do that
SupplementaryGroups = cfg.extraGroups;
StateDirectory = "breeze";
CacheDirectory = "breeze";
ExecStart = escapeShellArgs [
"${cfg.package}/bin/breeze"
"--config"
(settingsFormat.generate "breeze.toml" cfg.settings)
];
Restart = "on-failure";
# Security Options #
NoNewPrivileges = true; # implied by DynamicUser
RemoveIPC = true; # implied by DynamicUser
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
PrivateTmp = true; # implied by DynamicUser
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
RestrictSUIDSGID = true; # implied by DynamicUser
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@keyring"
"~@memlock"
"~@privileged"
"~@setuid"
];
};
};
};
}