public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/services/misc/n8n.nix

79 lines
2.1 KiB
Nix
Raw Normal View History

nixos/n8n: init module and test
2020-11-28 18:00:25 +01:00
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.n8n;
format = pkgs.formats.json {};
configFile = format.generate "n8n.json" cfg.settings;
in
{
options.services.n8n = {
enable = mkEnableOption "n8n server";
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Open ports in the firewall for the n8n web interface.";
};
settings = mkOption {
type = format.type;
default = {};
description = ''
Configuration for n8n, see <link xlink:href="https://docs.n8n.io/reference/configuration.html"/>
for supported values.
'';
};
};
config = mkIf cfg.enable {
services.n8n.settings = {
# We use this to open the firewall, so we need to know about the default at eval time
port = lib.mkDefault 5678;
};
systemd.services.n8n = {
description = "N8N service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
# This folder must be writeable as the application is storing
# its data in it, so the StateDirectory is a good choice
N8N_USER_FOLDER = "/var/lib/n8n";
N8N_CONFIG_FILES = "${configFile}";
};
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.n8n}/bin/n8n";
Restart = "on-failure";
StateDirectory = "n8n";
# Basic Hardening
NoNewPrivileges = "yes";
PrivateTmp = "yes";
PrivateDevices = "yes";
DevicePolicy = "closed";
DynamicUser = "true";
ProtectSystem = "strict";
ProtectHome = "read-only";
ProtectControlGroups = "yes";
ProtectKernelModules = "yes";
ProtectKernelTunables = "yes";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
RestrictNamespaces = "yes";
RestrictRealtime = "yes";
RestrictSUIDSGID = "yes";
MemoryDenyWriteExecute = "yes";
LockPersonality = "yes";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.settings.port ];
};
};
}
Reference in New Issue Copy Permalink