RGBCube/Site
1
Fork 0
mirror of https://github.com/RGBCube/Site synced 2025-08-01 13:37:49 +00:00
Code Issues Activity Actions

Add NixOS module

Browse source
This commit is contained in:
RGBCube 2023-12-30 14:01:45 +03:00
parent 283d858a6d
commit e1da2eabcb
No known key found for this signature in database
1 changed files with 88 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

95
flake.nix
View file

@ -11,8 +11,9 @@
url = "github:NixOS/nixpkgs/nixos-unstable"; url = "github:NixOS/nixpkgs/nixos-unstable";
}; };
flake-utils = { tools = {
url = "github:numtide/flake-utils"; url = "github:RGBCube/FlakeTools";
inputs.nixpkgs.follows = "nixpkgs";
}; };
cargo2nix = { cargo2nix = {
@ -22,9 +23,10 @@
}; };
}; };
outputs = { nixpkgs, flake-utils, cargo2nix, ... } @ inputs: flake-utils.lib.eachDefaultSystem (system: let outputs = { self, nixpkgs, tools, cargo2nix } @ inputs: tools.eachDefaultLinuxArch (system: let
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
overlays = [ cargo2nix.overlays.default ]; overlays = [ cargo2nix.overlays.default ];
}; };
@ -34,12 +36,91 @@
rustProfile = "minimal"; rustProfile = "minimal";
packageFun = import ./Cargo.nix; packageFun = import ./Cargo.nix;
}; };
in rec { in {
devShells.default = rustPackages.workspaceShell { devShells.${system}.default = rustPackages.workspaceShell {
packages = [ cargo2nix.packages.${system}.default ]; packages = [ cargo2nix.packages.${system}.default ];
}; };
packages.site = rustPackages.workspace.site {}; packages.${system}.site = rustPackages.workspace.site {};
packages.default = packages.site; packages.${system}.default = self.packages.${system}.site;
nixosModules.default = { config, lib, pkgs, ... }: with lib; let
cfg = config.services.site;
in {
options = {
services.site = {
enable = mkEnableOption (mdDoc "site service");
port = mkOption {
type = types.port;
default = 8080;
example = 80;
description = mdDoc ''
Specifies on which port the site service listens for connections.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Whether to open the firewall port for the tcp listener.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.site = {
description = "RGBCube's Homepage";
requires = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = let
needsPrivilidges = cfg.port < 1024;
capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
rootDirectory = "/run/site";
in {
ExecStart = "${self.packages.${pkgs.system}.site}/bin/site --port ${cfg.port}";
Restart = "always";
DynamicUser = true;
RootDirectory = rootDirectory;
BindReadOnlyPaths = [ builtins.storeDir ];
InaccessiblePaths = [ "-+${rootDirectory}"];
RuntimeDirectory = builtins.baseNameOf rootDirectory;
RuntimeDirectoryMode = 700;
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
UMask = "0077";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = !needsPrivileges;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ProtectProc = "noaccess";
ProcSubset = "pid";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
};
};
networking.firewall.allowedTCPPorts =
optionals cfg.openFirewall [ cfg.port ];
};
};
}); });
} }