convert to flakes

Signed-off-by: Xe <me@christine.website>
2021-12-26 11:44:41 -05:00 · 2021-12-26 11:44:41 -05:00 · a5daa4c297
parent e159fc7124
commit a5daa4c297
2 changed files with 218 additions and 0 deletions
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,74 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1638122382,
+        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1639947939,
+        "narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1640418986,
+        "narHash": "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1640418986,
+        "narHash": "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs_2"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,144 @@
+{
+  inputs = {
+    flake-utils.url = "github:numtide/flake-utils";
+    naersk.url = "github:nix-community/naersk";
+  };
+
+  outputs = { self, nixpkgs, flake-utils, naersk }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = nixpkgs.legacyPackages."${system}";
+        naersk-lib = naersk.lib."${system}";
+      in rec {
+        # `nix build`
+        packages.printerfacts = naersk-lib.buildPackage {
+          pname = "printerfacts";
+          root = ./.;
+        };
+        defaultPackage = packages.printerfacts;
+
+        # `nix run`
+        apps.printerfacts =
+          flake-utils.lib.mkApp { drv = packages.printerfacts; };
+        defaultApp = apps.printerfacts;
+
+        # `nix develop`
+        devShell =
+          pkgs.mkShell { nativeBuildInputs = with pkgs; [ rustc cargo ]; };
+
+        nixosModules.printerfacts = { config, lib, pkgs, ... }:
+          with lib;
+          let cfg = config.within.services.printerfacts;
+          in {
+            options.within.services.printerfacts = {
+              enable = mkEnableOption "Activates the printerfacts server";
+              useACME = mkEnableOption "Enables ACME for cert stuff";
+
+              domain = mkOption {
+                type = types.str;
+                default = "printerfacts.akua";
+                example = "printerfacts.cetacean.club";
+                description =
+                  "The domain name that nginx should check against for HTTP hostnames";
+              };
+
+              sockPath = mkOption rec {
+                type = types.str;
+                default = "/srv/within/run/printerfacts.sock";
+                example = default;
+                description =
+                  "The unix domain socket that printerfacts should listen on";
+              };
+            };
+
+            config = mkIf cfg.enable {
+              users.users.printerfacts = {
+                createHome = true;
+                description = "tulpa.dev/cadey/printerfacts";
+                isSystemUser = true;
+                group = "within";
+                home = "/srv/within/printerfacts";
+                extraGroups = [ "keys" ];
+              };
+
+              systemd.services.printerfacts = {
+                wantedBy = [ "multi-user.target" ];
+
+                serviceConfig = {
+                  User = "printerfacts";
+                  Group = "within";
+                  Restart = "on-failure";
+                  WorkingDirectory = "/srv/within/printerfacts";
+                  RestartSec = "30s";
+
+                  # Security
+                  CapabilityBoundingSet = "";
+                  DeviceAllow = [ ];
+                  NoNewPrivileges = "true";
+                  ProtectControlGroups = "true";
+                  ProtectClock = "true";
+                  PrivateDevices = "true";
+                  PrivateUsers = "true";
+                  ProtectHome = "true";
+                  ProtectHostname = "true";
+                  ProtectKernelLogs = "true";
+                  ProtectKernelModules = "true";
+                  ProtectKernelTunables = "true";
+                  ProtectSystem = "true";
+                  ProtectProc = "invisible";
+                  RemoveIPC = "true";
+                  RestrictAddressFamilies = [ "~AF_NETLINK" ];
+                  RestrictNamespaces = [
+                    "CLONE_NEWCGROUP"
+                    "CLONE_NEWIPC"
+                    "CLONE_NEWNET"
+                    "CLONE_NEWNS"
+                    "CLONE_NEWPID"
+                    "CLONE_NEWUTS"
+                    "CLONE_NEWUSER"
+                  ];
+                  RestrictSUIDSGID = "true";
+                  RestrictRealtime = "true";
+                  SystemCallArchitectures = "native";
+                  SystemCallFilter = [
+                    "~@reboot"
+                    "~@module"
+                    "~@mount"
+                    "~@swap"
+                    "~@resources"
+                    "~@cpu-emulation"
+                    "~@obsolete"
+                    "~@debug"
+                    "~@privileged"
+                  ];
+                  UMask = "007";
+                };
+
+                script = let site = pkgs.tulpa.dev.cadey.printerfacts;
+                in ''
+                  export SOCKPATH=${cfg.sockPath}
+                  export DOMAIN=${toString cfg.domain}
+                  export RUST_LOG=info
+                  cd ${site}
+                  exec ${site}/bin/printerfacts
+                '';
+              };
+
+              services.cfdyndns =
+                mkIf cfg.useACME { records = [ "${cfg.domain}" ]; };
+
+              services.nginx.virtualHosts."${cfg.domain}" = {
+                locations."/" = {
+                  proxyPass = "http://unix:${cfg.sockPath}";
+                  proxyWebsockets = true;
+                };
+                forceSSL = cfg.useACME;
+                useACMEHost = "cetacean.club";
+                extraConfig = ''
+                  access_log /var/log/nginx/printerfacts.access.log;
+                '';
+              };
+            };
+          };
+      });
+}