From 264cd9ebfa0d4b6ef33d8c2092d97a9de2ab4b3e Mon Sep 17 00:00:00 2001
From: Quantenzitrone
Date: Sat, 16 Sep 2023 05:09:22 +0200
Subject: [PATCH 1/2] rimgo: init at 1.2.0

---
 pkgs/by-name/ri/rimgo/package.nix | 40 +++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 pkgs/by-name/ri/rimgo/package.nix

diff --git a/pkgs/by-name/ri/rimgo/package.nix b/pkgs/by-name/ri/rimgo/package.nix
new file mode 100644
index 00000000000..1f8ca9b8459
--- /dev/null
+++ b/pkgs/by-name/ri/rimgo/package.nix
@@ -0,0 +1,40 @@
+{
+ lib,
+ fetchFromGitea,
+ buildGoModule,
+ tailwindcss,
+}:
+buildGoModule rec {
+ pname = "rimgo";
+ version = "1.2.0";
+
+ src = fetchFromGitea {
+ domain = "codeberg.org";
+ owner = "rimgo";
+ repo = "rimgo";
+ rev = "v${version}";
+ hash = "sha256-C878ABs978viVtIuv3fPn2F2anOg2GB/+f5jaCO13tc=";
+ };
+
+ vendorHash = "sha256-u5N7aI9RIQ3EmiyHv0qhMcKkvmpp+5G7xbzdQcbhybs=";
+
+ nativeBuildInputs = [ tailwindcss ];
+
+ preBuild = ''
+ tailwindcss -i static/tailwind.css -o static/app.css -m
+ '';
+
+ ldflags = [
+ "-s"
+ "-w"
+ "-X codeberg.org/rimgo/rimgo/pages.VersionInfo=${version}"
+ ];
+
+ meta = with lib; {
+ description = "An alternative frontend for Imgur";
+ homepage = "https://codeberg.org/rimgo/rimgo";
+ license = licenses.agpl3Only;
+ mainProgram = "rimgo";
+ maintainers = with maintainers; [ quantenzitrone ];
+ };
+}

From f857cfd5bee8e5f10f7361cdcb032ba04aee8d54 Mon Sep 17 00:00:00 2001
From: Quantenzitrone
Date: Wed, 13 Sep 2023 14:06:11 +0200
Subject: [PATCH 2/2] rimgo: add module

---
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/web-apps/rimgo.nix | 107 ++++++++++++++++++++++
 2 files changed, 108 insertions(+)
 create mode 100644 nixos/modules/services/web-apps/rimgo.nix

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index cbd5e6467f8..9826866a9c3 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
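Review bot: The `meta.description` near the end of the package hunk starts with an article, which the nixpkgs meta conventions (and the nixpkgs-hammering lint) reject; use `description = "Alternative frontend for Imgur";`. The `meta = with lib; { … }` / `with maintainers;` form is likewise discouraged for new `by-name` packages because it hides where `licenses` and `maintainers` come from; `license = lib.licenses.agpl3Only;` and `maintainers = with lib.maintainers; [ quantenzitrone ];` keep the attribute set explicit. The `-X codeberg.org/rimgo/rimgo/pages.VersionInfo=${version}` ldflag presumably targets a variable upstream reads to report its version; since a renamed symbol makes `-X` a silent no-op, a one-line comment such as `# upstream shows pages.VersionInfo in its UI; re-check the symbol on updates` would help the next updater notice when it stops working.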
@@ -1284,6 +1284,7 @@
 ./services/web-apps/powerdns-admin.nix
 ./services/web-apps/prosody-filer.nix
 ./services/web-apps/restya-board.nix
+./services/web-apps/rimgo.nix
 ./services/web-apps/sftpgo.nix
 ./services/web-apps/rss-bridge.nix
 ./services/web-apps/selfoss.nix
diff --git a/nixos/modules/services/web-apps/rimgo.nix b/nixos/modules/services/web-apps/rimgo.nix
new file mode 100644
index 00000000000..4d35473fda3
--- /dev/null
+++ b/nixos/modules/services/web-apps/rimgo.nix
@@ -0,0 +1,107 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.rimgo;
+ inherit (lib)
+ mkOption
+ mkEnableOption
+ mkPackageOption
+ mkDefault
+ mkIf
+ types
+ literalExpression
+ optionalString
+ getExe
+ mapAttrs
+ ;
+in
+{
+ options.services.rimgo = {
+ enable = mkEnableOption "rimgo";
+ package = mkPackageOption pkgs "rimgo" { };
+ settings = mkOption {
+ type = types.submodule {
+ freeformType = with types; attrsOf str;
+ options = {
+ PORT = mkOption {
+ type = types.port;
+ default = 3000;
+ example = 69420;
+ description = "The port to use.";
+ };
+ ADDRESS = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ example = "1.1.1.1";
+ description = "The address to listen on.";
+ };
+ };
+ };
+ example = literalExpression ''
+ {
+ PORT = 69420;
+ FORCE_WEBP = "1";
+ }
+ '';
+ description = ''
+ Settings for rimgo, see [the official documentation](https://rimgo.codeberg.page/docs/usage/configuration/) for supported options.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.rimgo = {
+ description = "Rimgo";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ environment = mapAttrs (_: toString) cfg.settings;
+ serviceConfig = {
+ ExecStart = getExe cfg.package;
+ AmbientCapabilities = mkIf (cfg.settings.PORT < 1024) [
+ "CAP_NET_BIND_SERVICE"
+ ];
+ DynamicUser = true;
+ Restart = "on-failure";
+ RestartSec = "5s";
+ CapabilityBoundingSet = [
+ (optionalString (cfg.settings.PORT < 1024) "CAP_NET_BIND_SERVICE")
+ ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateUsers = cfg.settings.PORT >= 1024;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ UMask = "0077";
+ };
+ };
+ };
+
+ meta = {
+ maintainers = with lib.maintainers; [ quantenzitrone ];
+ };
+}
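Review bot: `environment = mapAttrs (_: toString) cfg.settings;` writes every value in `settings` into the unit file, which lives in the world-readable Nix store, so any credential-like setting a user puts there (upstream's configuration page appears to include API credentials such as an Imgur client ID — worth confirming) would be exposed to every local user; the module needs an `environmentFile` option wired to `EnvironmentFile` so secrets can be kept out of the store, as sketched below. Separately, the `PORT` example `69420` (used both in the option and in the `literalExpression` example) is outside the 0–65535 range that `types.port` enforces, so the documented example does not evaluate; `example = 8080;` fixes both. Two smaller points: `mkDefault` is inherited from `lib` but never used, and `example = "1.1.1.1";` for `ADDRESS` is a public resolver's address rather than a listen address — `"0.0.0.0"` is the clearer example. The rest of the hardening (DynamicUser, PrivateUsers gated on the privileged-port case, capability handling) looks consistent.
```nix
  options.services.rimgo = {
    # … unchanged: enable, package, settings …
    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/run/secrets/rimgo.env";
      description = ''
        Path to a file in systemd `EnvironmentFile` format holding settings that
        must not be written to the world-readable Nix store (API credentials, for
        example). Variables defined here take precedence over `settings`.
      '';
    };
  };
  # … unchanged: systemd.services.rimgo, serviceConfig hardening …
        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
```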