From 7f79bf8a623df61d1eaa796a6210a89c2bb309bd Mon Sep 17 00:00:00 2001
From: traxys
Date: Fri, 28 Jul 2023 00:05:34 +0200
Subject: [PATCH] Add nixos module
---
flake.nix | 7 +++-
nixos/default.nix | 101 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 106 insertions(+), 2 deletions(-)
create mode 100644 nixos/default.nix
diff --git a/flake.nix b/flake.nix
index 74ee777..87f1134 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
 trunk,
 dioxus,
 }:
- flake-utils.lib.eachDefaultSystem (system: let
+ (flake-utils.lib.eachDefaultSystem (system: let
 pkgs = import nixpkgs {
 inherit system;
 overlays = [(import rust-overlay)];
@@ -103,5 +103,8 @@
 in
 pkgs.callPackage pkg {};
 };
- });
+ }))
+ // {
+ nixosModules.default = import ./nixos self;
+ };
 }
diff --git a/nixos/default.nix b/nixos/default.nix
new file mode 100644
index 0000000..051bbdf
--- /dev/null
+++ b/nixos/default.nix
@@ -0,0 +1,101 @@
+self: {
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+with lib; {
+ options.services.regalade = {
+ enable = mkEnableOption "regalade, a recipe manager";
+
+ package = mkOption {
+ type = types.package;
+ default = self.packages.${config.nixpkgs.system}.server;
+ };
+
+ apiPort = mkOption {
+ type = types.port;
+ default = 8085;
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "regalade";
+ };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ };
+
+ frontend = {
+ enable = mkEnableOption "the frontend for regalade";
+
+ package = mkOption {
+ type = types.package;
+ default = self.packages.${config.nixpkgs.system}.frontend;
+ };
+ };
+ };
+
+ config = let
+ cfg = config.services.regalade;
+ in
+ mkIf cfg.enable {
+ systemd.services.regalade = {
+ description = "regalade";
+ after = ["network.target" "postgresql.service"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ User = cfg.user;
+ ExecStart = "${cfg.package}/bin/regalade";
+ EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ };
+
+ environment = {
+ REGALADE_DATABASE_URL = "postgres://${cfg.user}/regalade?host=/var/run/postgresql";
+ };
+ };
+
+ services.postgresql = {
+ ensureUsers = [
+ {
+ name = cfg.user;
+ ensurePermissions = {"DATABASE \"regalade\"" = "ALL PRIVILEGES";};
+ }
+ ];
+ ensureDatabases = ["regalade"];
+ };
+
+ users = mkIf (cfg.user == "regalade") {
+ users.regalade = {
+ description = "Regalade API server";
+ group = "regalade";
+ isSystemUser = true;
+ };
+ groups.regalade = {};
+ };
+ };
+}
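Review bot: `apiPort`, `frontend.enable` and `frontend.package` are declared under `options.services.regalade` but nothing in the `config` block reads them (only `cfg.enable`, `cfg.user`, `cfg.package` and `cfg.environmentFile` are used), so setting them has no effect; either pass `apiPort` to the server (its configuration interface is not visible in this hunk) or drop the unused options until they are wired up. The unit only orders itself `after` `postgresql.service`, and the module fills `services.postgresql.ensureUsers`/`ensureDatabases` without enabling PostgreSQL, so on a host that does not enable it elsewhere the database is never created and the `REGALADE_DATABASE_URL` connection fails at start; `requires = ["postgresql.service"];` next to `after` and `services.postgresql.enable = mkDefault true;` close that gap. The sandbox block is a good baseline but leaves capabilities, namespace creation and the syscall surface unrestricted, and `RestrictAddressFamilies` is written as one space-separated string rather than a list (systemd accepts both, but the list form matches the rest of the module); the lines below add the usual `CapabilityBoundingSet`/`RestrictNamespaces`/`SystemCallFilter` set. Each `mkOption` is also missing a `description`, which the NixOS option documentation expects, e.g. `description = "Port the regalade API server listens on.";` on `apiPort`.
```nix
systemd.services.regalade = {
  after = ["network.target" "postgresql.service"];
  requires = ["postgresql.service"];
  # … unchanged: description, wantedBy …

  serviceConfig = {
    # … unchanged: Type, User, ExecStart, EnvironmentFile, existing hardening keys …
    RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
    CapabilityBoundingSet = "";
    RestrictNamespaces = true;
    SystemCallArchitectures = "native";
    SystemCallFilter = ["@system-service" "~@privileged"];
  };
  # … unchanged: environment …
};

services.postgresql = {
  enable = mkDefault true;
  # … unchanged: ensureUsers, ensureDatabases …
};
```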