Add nixos module

2023-07-28 00:05:34 +02:00 · 2023-07-28 00:05:34 +02:00 · 7f79bf8a62
commit 7f79bf8a62
parent 20067da9e1
2 changed files with 106 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -22,7 +22,7 @@
    trunk,
    dioxus,
  }:
-    flake-utils.lib.eachDefaultSystem (system: let
+    (flake-utils.lib.eachDefaultSystem (system: let
      pkgs = import nixpkgs {
        inherit system;
        overlays = [(import rust-overlay)];
@ -103,5 +103,8 @@
        in
          pkgs.callPackage pkg {};
      };
-    });
+    }))
    // {
      nixosModules.default = import ./nixos self;
    };
 }
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -0,0 +1,101 @@
 self: {
  pkgs,
  lib,
  config,
  ...
 }:
 with lib; {
  options.services.regalade = {
    enable = mkEnableOption "regalade, a recipe manager";
    package = mkOption {
      type = types.package;
      default = self.packages.${config.nixpkgs.system}.server;
    };
    apiPort = mkOption {
      type = types.port;
      default = 8085;
    };
    user = mkOption {
      type = types.str;
      default = "regalade";
    };
    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
    };
    frontend = {
      enable = mkEnableOption "the frontend for regalade";
      package = mkOption {
        type = types.package;
        default = self.packages.${config.nixpkgs.system}.frontend;
      };
    };
  };
  config = let
    cfg = config.services.regalade;
  in
    mkIf cfg.enable {
      systemd.services.regalade = {
        description = "regalade";
        after = ["network.target" "postgresql.service"];
        wantedBy = ["multi-user.target"];
        serviceConfig = {
          Type = "simple";
          User = cfg.user;
          ExecStart = "${cfg.package}/bin/regalade";
          EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
          # Security
          NoNewPrivileges = true;
          # Sandboxing
          ProtectSystem = "strict";
          ProtectHome = true;
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          PrivateMounts = true;
        };
        environment = {
          REGALADE_DATABASE_URL = "postgres://${cfg.user}/regalade?host=/var/run/postgresql";
        };
      };
      services.postgresql = {
        ensureUsers = [
          {
            name = cfg.user;
            ensurePermissions = {"DATABASE \"regalade\"" = "ALL PRIVILEGES";};
          }
        ];
        ensureDatabases = ["regalade"];
      };
      users = mkIf (cfg.user == "regalade") {
        users.regalade = {
          description = "Regalade API server";
          group = "regalade";
          isSystemUser = true;
        };
        groups.regalade = {};
      };
    };
 }