Add nixos module

2023-07-28 00:05:34 +02:00 · 2023-07-28 00:05:34 +02:00 · 7f79bf8a62
commit 7f79bf8a62
parent 20067da9e1
2 changed files with 106 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -22,7 +22,7 @@
    trunk,
    dioxus,
  }:
-    flake-utils.lib.eachDefaultSystem (system: let
+    (flake-utils.lib.eachDefaultSystem (system: let
      pkgs = import nixpkgs {
        inherit system;
        overlays = [(import rust-overlay)];
@ -103,5 +103,8 @@
        in
          pkgs.callPackage pkg {};
      };
-    });
+    }))
+    // {
+      nixosModules.default = import ./nixos self;
+    };
 }
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -0,0 +1,101 @@
+self: {
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; {
+  options.services.regalade = {
+    enable = mkEnableOption "regalade, a recipe manager";
+
+    package = mkOption {
+      type = types.package;
+      default = self.packages.${config.nixpkgs.system}.server;
+    };
+
+    apiPort = mkOption {
+      type = types.port;
+      default = 8085;
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "regalade";
+    };
+
+    environmentFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+    };
+
+    frontend = {
+      enable = mkEnableOption "the frontend for regalade";
+
+      package = mkOption {
+        type = types.package;
+        default = self.packages.${config.nixpkgs.system}.frontend;
+      };
+    };
+  };
+
+  config = let
+    cfg = config.services.regalade;
+  in
+    mkIf cfg.enable {
+      systemd.services.regalade = {
+        description = "regalade";
+        after = ["network.target" "postgresql.service"];
+        wantedBy = ["multi-user.target"];
+
+        serviceConfig = {
+          Type = "simple";
+          User = cfg.user;
+          ExecStart = "${cfg.package}/bin/regalade";
+          EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
+          # Security
+          NoNewPrivileges = true;
+          # Sandboxing
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          PrivateUsers = true;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectControlGroups = true;
+          RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          PrivateMounts = true;
+        };
+
+        environment = {
+          REGALADE_DATABASE_URL = "postgres://${cfg.user}/regalade?host=/var/run/postgresql";
+        };
+      };
+
+      services.postgresql = {
+        ensureUsers = [
+          {
+            name = cfg.user;
+            ensurePermissions = {"DATABASE \"regalade\"" = "ALL PRIVILEGES";};
+          }
+        ];
+        ensureDatabases = ["regalade"];
+      };
+
+      users = mkIf (cfg.user == "regalade") {
+        users.regalade = {
+          description = "Regalade API server";
+          group = "regalade";
+          isSystemUser = true;
+        };
+        groups.regalade = {};
+      };
+    };
+}