nix module

icewind1991 · icewind1991 · commit c11281384a13 · 2025-05-10T15:52:52.000+02:00
diff --git a/flake.nix b/flake.nix
@@ -10,5 +10,21 @@
       inputs.flakelight.follows = "flakelight";
     };
   };
-  outputs = { mill-scale, ... }: mill-scale ./. { };
+  outputs = {mill-scale, ...}:
+    mill-scale ./. {
+      nixosModules = {outputs, ...}: {
+        default = {
+          pkgs,
+          config,
+          lib,
+          ...
+        }: {
+          imports = [./nix/module.nix];
+          config = lib.mkIf config.services.demostf.sync.enable {
+            nixpkgs.overlays = [outputs.overlays.default];
+            services.demostf.sync.package = lib.mkDefault pkgs.demostf-sync;
+          };
+        };
+      };
+    };
 }
diff --git a/nix/docker.nix b/nix/docker.nix
@@ -1,6 +1,6 @@
-{ dockerTools
-, demostf-sync
-,
+{
+  dockerTools,
+  demostf-sync,
 }:
 dockerTools.buildLayeredImage {
   name = "demostf/sync";
@@ -11,9 +11,9 @@ dockerTools.buildLayeredImage {
     dockerTools.caCertificates
   ];
   config = {
-    Cmd = [ "sync" ];
+    Cmd = ["sync"];
     ExposedPorts = {
-      "80/tcp" = { };
+      "80/tcp" = {};
     };
   };
 }
diff --git a/nix/module.nix b/nix/module.nix
@@ -0,0 +1,64 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.services.demostf.sync;
+in {
+  options = {
+    services.demostf.sync = with lib; {
+      enable = mkEnableOption "demostf sync";
+      package = mkOption {
+        type = types.package;
+        defaultText = literalExpression "pkgs.demostf-sync";
+        description = "package to use";
+      };
+      socket = mkOption {
+        type = types.str;
+        default = "/var/run/demostf-sync/sync.socket";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.demostf-sync = {
+      wantedBy = ["multi-user.target"];
+      environment = {
+        SOCKET = cfg.socket;
+      };
+
+      serviceConfig = {
+        DynamicUser = true;
+        ExecStart = "${cfg.package}/bin/sync";
+        Restart = "on-failure";
+
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        CapabilityBoundingSet = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        SystemCallArchitectures = "native";
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        MemoryDenyWriteExecute = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        ProtectKernelTunables = true;
+        DevicePolicy = "closed";
+        RestrictAddressFamilies = ["AF_UNIX"];
+        RestrictRealtime = true;
+        ProcSubset = "pid";
+        ProtectProc = "invisible";
+        SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
+        UMask = "0007";
+        IPAddressDeny = "any";
+        RuntimeDirectory = "demostf-sync";
+      };
+    };
+  };
+}
diff --git a/nix/overlay.nix b/nix/overlay.nix
@@ -1,4 +1,4 @@
 prev: final: {
-  demostf-sync = final.callPackage ./package.nix { };
-  demostf-sync-docker = final.callPackage ./docker.nix { };
+  demostf-sync = final.callPackage ./package.nix {};
+  demostf-sync-docker = final.callPackage ./docker.nix {};
 }
diff --git a/nix/package.nix b/nix/package.nix
@@ -1,26 +1,25 @@
-{ stdenv
-, rustPlatform
-, lib
-, pkg-config
-, openssl
-,
-}:
-let
+{
+  stdenv,
+  rustPlatform,
+  lib,
+  pkg-config,
+  openssl,
+}: let
   inherit (lib.sources) sourceByRegex;
   inherit (builtins) fromTOML readFile;
-  src = sourceByRegex ../. [ "Cargo.*" "(src)(/.*)?" ];
+  src = sourceByRegex ../. ["Cargo.*" "(src)(/.*)?"];
   version = (fromTOML (readFile ../Cargo.toml)).package.version;
 in
-rustPlatform.buildRustPackage rec {
-  pname = "demostf-sync";
+  rustPlatform.buildRustPackage rec {
+    pname = "demostf-sync";
 
-  inherit src version;
+    inherit src version;
 
-  buildInputs = [ openssl ];
+    buildInputs = [openssl];
 
-  nativeBuildInputs = [ pkg-config ];
+    nativeBuildInputs = [pkg-config];
 
-  cargoLock = {
-    lockFile = ../Cargo.lock;
-  };
-}
+    cargoLock = {
+      lockFile = ../Cargo.lock;
+    };
+  }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`prev: final: {`
`2`		`- demostf-sync = final.callPackage ./package.nix { };`
`3`		`- demostf-sync-docker = final.callPackage ./docker.nix { };`
	`2`	`+ demostf-sync = final.callPackage ./package.nix {};`
	`3`	`+ demostf-sync-docker = final.callPackage ./docker.nix {};`
`4`	`4`	`}`