38 lines
1 KiB
Nix
38 lines
1 KiB
Nix
{pkgs, ...}: {
|
|
# Create dedicated user and group
|
|
users.users.oxigraph = {
|
|
isSystemUser = true;
|
|
group = "oxigraph";
|
|
description = "Oxigraph SPARQL database service user";
|
|
};
|
|
|
|
users.groups.oxigraph = {};
|
|
|
|
# Configure systemd service
|
|
systemd.services.oxigraph = {
|
|
description = "Oxigraph SPARQL database server";
|
|
after = ["network.target"];
|
|
wantedBy = ["multi-user.target"];
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${pkgs._elements.oxigraph}/bin/oxigraph serve --location /var/lib/oxigraph --bind 127.0.0.1:7878";
|
|
Restart = "on-failure";
|
|
User = "oxigraph";
|
|
Group = "oxigraph";
|
|
StateDirectory = "oxigraph";
|
|
|
|
# Security hardening
|
|
NoNewPrivileges = true;
|
|
PrivateTmp = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
ReadWritePaths = "/var/lib/oxigraph";
|
|
};
|
|
};
|
|
|
|
# Configure Traefik route for public access
|
|
services.traefik.routes.sparql = {
|
|
rule = "Host(`sparql.toph.so`)";
|
|
url = "http://localhost:7878";
|
|
};
|
|
}
|