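# NixOS module: runs the Tinder API wrapper as a hardened, unprivileged systemd service.
#
# NOTE: the `# Hardening` comment in the original collapsed onto a single line
# swallowed everything after it (Nix `#` comments run to end of line), so the
# hardening directives were effectively commented out and the attrset left
# unclosed. The module is laid out one directive per line here so that can't recur.
{ config, lib, pkgs, utils, ... }:

let
  cfg = config.services.tinder-api-wrapper;

  # Binding below 1024 needs CAP_NET_BIND_SERVICE; otherwise the service gets no capabilities at all.
  needsBindCap = cfg.port < 1024;
in
{
  options.services.tinder-api-wrapper = with lib; {
    enable = mkEnableOption "Tinder API wrapper service";

    package = mkOption {
      type = types.package;
      default = pkgs.tinder-api-wrapper;
      defaultText = lib.literalExpression "pkgs.tinder-api-wrapper";
      description = "Package providing the `bin/server` executable to run.";
    };

    listenAddress = mkOption {
      type = types.str;
      default = "";
      example = "127.0.0.1";
      description = ''
        Address to bind to. The empty default binds all interfaces (same as
        before this option existed); set to `127.0.0.1` to expose the wrapper
        only on loopback, e.g. behind a reverse proxy.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 8080;
      description = "Port to listen on";
    };

    apiEndpoint = mkOption {
      type = types.str;
      default = "https://api.gotinder.com";
      description = "Target Tinder API endpoint URL";
    };

    user = mkOption {
      type = types.str;
      default = "tinder-api";
      description = "User account to run service.";
    };

    group = mkOption {
      type = types.str;
      default = "tinder-api";
      description = "Group account to run service.";
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.overlays = [
      (self: super: {
        tinder-api-wrapper = self.callPackage ../pkgs/tinder-api.nix { };
      })
    ];

    users.users.${cfg.user} = {
      isSystemUser = true;
      group = cfg.group;
      description = "Tinder API wrapper service user";
    };
    users.groups.${cfg.group} = { };

    systemd.services.tinder-api-wrapper = {
      description = "Tinder API Wrapper Service";
      wantedBy = [ "multi-user.target" ];
      # The service dials an external endpoint at start-up, so wait for the
      # network to be online rather than merely configured.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;
        # Each argument is escaped individually so an apiEndpoint (or bind
        # address) containing spaces or quotes cannot split into extra
        # arguments of the ExecStart line.
        ExecStart = utils.escapeSystemdExecArgs [
          "${cfg.package}/bin/server"
          "-listen"
          "${cfg.listenAddress}:${toString cfg.port}"
          "-target"
          cfg.apiEndpoint
        ];
        Restart = "always";
        RestartSec = "10";

        # Hardening
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        # AF_UNIX is included for NSS/nscd name lookups on NixOS; drop it if
        # the binary is confirmed to resolve DNS purely over AF_INET/AF_INET6.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        # NOTE(review): breaks runtimes that JIT (W^X); fine for a static binary — confirm the server's runtime.
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;
        # Empty string (not an empty list, which NixOS would omit entirely)
        # yields `CapabilityBoundingSet=` and drops every capability.
        CapabilityBoundingSet = lib.optionalString needsBindCap "CAP_NET_BIND_SERVICE";
        AmbientCapabilities = lib.optionalString needsBindCap "CAP_NET_BIND_SERVICE";
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
        UMask = "0077";
      };
    };
  };
}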