From a5daa4c2976e4e68892b18a5e08a48ddcd4edae4 Mon Sep 17 00:00:00 2001 From: Xe Date: Sun, 26 Dec 2021 11:44:41 -0500 Subject: [PATCH] convert to flakes Signed-off-by: Xe --- flake.lock | 74 +++++++++++++++++++++++++++ flake.nix | 144 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 218 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..a376f86 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,74 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "locked": {
+ "lastModified": 1638122382,
+ "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "naersk": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1639947939,
+ "narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
+ "owner": "nix-community",
+ "repo": "naersk",
+ "rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "naersk",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1640418986,
+ "narHash": "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1640418986,
+ "narHash": "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "naersk": "naersk",
+ "nixpkgs": "nixpkgs_2"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..8df966c
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,144 @@
+{
+ inputs = {
+ flake-utils.url = "github:numtide/flake-utils";
+ naersk.url = "github:nix-community/naersk";
+ };
+
+ outputs = { self, nixpkgs, flake-utils, naersk }:
+ flake-utils.lib.eachDefaultSystem (system:
+ let
+ pkgs = nixpkgs.legacyPackages."${system}";
+ naersk-lib = naersk.lib."${system}";
+ in rec {
+ # `nix build`
+ packages.printerfacts = naersk-lib.buildPackage {
+ pname = "printerfacts";
+ root = ./.;
+ };
+ defaultPackage = packages.printerfacts;
+
+ # `nix run`
+ apps.printerfacts =
+ flake-utils.lib.mkApp { drv = packages.printerfacts; };
+ defaultApp = apps.printerfacts;
+
+ # `nix develop`
+ devShell =
+ pkgs.mkShell { nativeBuildInputs = with pkgs; [ rustc cargo ]; };
+
+ nixosModules.printerfacts = { config, lib, pkgs, ... }:
+ with lib;
+ let cfg = config.within.services.printerfacts;
+ in {
+ options.within.services.printerfacts = {
+ enable = mkEnableOption "Activates the printerfacts server";
+ useACME = mkEnableOption "Enables ACME for cert stuff";
+
+ domain = mkOption {
+ type = types.str;
+ default = "printerfacts.akua";
+ example = "printerfacts.cetacean.club";
+ description =
+ "The domain name that nginx should check against for HTTP hostnames";
+ };
+
+ sockPath = mkOption rec {
+ type = types.str;
+ default = "/srv/within/run/printerfacts.sock";
+ example = default;
+ description =
+ "The unix domain socket that printerfacts should listen on";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.printerfacts = {
+ createHome = true;
+ description = "tulpa.dev/cadey/printerfacts";
+ isSystemUser = true;
+ group = "within";
+ home = "/srv/within/printerfacts";
+ extraGroups = [ "keys" ];
+ };
+
+ systemd.services.printerfacts = {
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = "printerfacts";
+ Group = "within";
+ Restart = "on-failure";
+ WorkingDirectory = "/srv/within/printerfacts";
+ RestartSec = "30s";
+
+ # Security
+ CapabilityBoundingSet = "";
+ DeviceAllow = [ ];
+ NoNewPrivileges = "true";
+ ProtectControlGroups = "true";
+ ProtectClock = "true";
+ PrivateDevices = "true";
+ PrivateUsers = "true";
+ ProtectHome = "true";
+ ProtectHostname = "true";
+ ProtectKernelLogs = "true";
+ ProtectKernelModules = "true";
+ ProtectKernelTunables = "true";
+ ProtectSystem = "true";
+ ProtectProc = "invisible";
+ RemoveIPC = "true";
+ RestrictAddressFamilies = [ "~AF_NETLINK" ];
+ RestrictNamespaces = [
+ "CLONE_NEWCGROUP"
+ "CLONE_NEWIPC"
+ "CLONE_NEWNET"
+ "CLONE_NEWNS"
+ "CLONE_NEWPID"
+ "CLONE_NEWUTS"
+ "CLONE_NEWUSER"
+ ];
+ RestrictSUIDSGID = "true";
+ RestrictRealtime = "true";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "~@reboot"
+ "~@module"
+ "~@mount"
+ "~@swap"
+ "~@resources"
+ "~@cpu-emulation"
+ "~@obsolete"
+ "~@debug"
+ "~@privileged"
+ ];
+ UMask = "007";
+ };
+
+ script = let site = pkgs.tulpa.dev.cadey.printerfacts;
+ in ''
+ export SOCKPATH=${cfg.sockPath}
+ export DOMAIN=${toString cfg.domain}
+ export RUST_LOG=info
+ cd ${site}
+ exec ${site}/bin/printerfacts
+ '';
+ };
+
+ services.cfdyndns =
+ mkIf cfg.useACME { records = [ "${cfg.domain}" ]; };
+
+ services.nginx.virtualHosts."${cfg.domain}" = {
+ locations."/" = {
+ proxyPass = "http://unix:${cfg.sockPath}";
+ proxyWebsockets = true;
+ };
+ forceSSL = cfg.useACME;
+ useACMEHost = "cetacean.club";
+ extraConfig = ''
+ access_log /var/log/nginx/printerfacts.access.log;
+ '';
+ };
+ };
+ };
+ });
+}
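Review bot: The sandbox under `serviceConfig` is written as deny-lists where allow-lists would be tighter: the unit only binds the unix socket at `cfg.sockPath`, so `RestrictAddressFamilies = [ "AF_UNIX" ];` in place of `"~AF_NETLINK"`, and `ProtectSystem = "strict";` with a `ReadWritePaths` entry for the socket directory and `WorkingDirectory`, would confine it to exactly what it needs — assuming printerfacts makes no outbound network calls, which this hunk does not show. `SystemCallFilter` likewise excludes groups rather than starting from `"@system-service"` with the existing `"~@privileged"`/`"~@resources"` exclusions on top, which is the usual allow-list form and catches syscalls not in any excluded group. Separately, `script` resolves the binary from `pkgs.tulpa.dev.cadey.printerfacts` instead of the `packages.printerfacts` derivation this flake builds, so the module appears to depend on an overlay the flake does not provide, and because `nixosModules` sits inside `eachDefaultSystem` it is exported per-system (`nixosModules.<system>.printerfacts`) rather than at the top level the flake schema expects. `useACMEHost = "cetacean.club"` is also fixed while `domain` is an option; if that is intentional a one-line comment saying the cert is shared across subdomains would save the next reader a question.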