-rw-r--r--parts/deployment.nix72
-rw-r--r--parts/derivation.nix20
-rw-r--r--parts/module.nix67
-rw-r--r--parts/packages.nix20
4 files changed, 96 insertions, 83 deletions
diff --git a/parts/deployment.nix b/parts/deployment.nix
index b9e43da..b76120f 100644
--- a/parts/deployment.nix
+++ b/parts/deployment.nix
@@ -1,82 +1,22 @@
-{self, ...}: let
- bin = teawiebot-smol: "${teawiebot-smol}/bin/teawiebot";
- service = pkgs: cmd:
- pkgs.writeTextFile {
- name = "teawiebot.service";
- text = ''
- [Unit]
- Description=teawiebot service
-
- [Service]
- Environment="TOKEN="
- ExecStart="${cmd}"
- DynamicUser=yes
- ProtectSystem=strict
- ProtectHome=yes
- ProtectKernelTunables=yes
- ProtectKernelModules=yes
- ProtectControlGroups=yes
- SystemCallFilter=@system-service
- SystemCallErrorNumber=EPERM
- NoNewPrivileges=yes
- PrivateTmp=yes
-
- [Install]
- WantedBy=multi-user.target
- '';
- };
-in {
+{self, ...}: {
perSystem = {
+ lib,
pkgs,
system,
...
}: let
- inherit (pkgs) cacert dockerTools portableService;
- inherit (self.packages.${system}) teawiebot teawiebot-smol;
- cmd = bin teawiebot-smol;
+ inherit (pkgs) dockerTools;
+ inherit (self.packages.${system}) teawiebot-smol;
in {
packages = {
container = dockerTools.buildLayeredImage {
name = "teawiebot";
tag = "latest";
contents = [dockerTools.caCertificates];
- config.Cmd = ["${cmd}"];
- };
-
- service = portableService {
- inherit (teawiebot) pname;
- inherit (teawiebot-smol) version;
- description = "portable service for teawiebot!";
- units = [(service pkgs cmd)];
- symlinks = [
- {
- object = "${cacert}/etc/ssl";
- symlink = "/etc/ssl";
- }
- ];
+ config.Cmd = ["${lib.getExe teawiebot-smol}"];
};
};
};
- flake = {
- nixosModules = {
- default = {
- config,
- lib,
- pkgs,
- ...
- }: let
- cfg = config.services.teawiebot;
- inherit (lib) mkEnableOption mkIf;
- in {
- options.services.teawiebot.enable = mkEnableOption "teawiebot";
-
- config.systemd.services = mkIf cfg.enable {
- teawiebot = {
- text = service pkgs (bin pkgs.teawiebot-smol);
- };
- };
- };
- };
- };
+ flake.nixosModules.default = import ./module.nix self;
}
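Review bot: The image config at `config.Cmd = ["${lib.getExe teawiebot-smol}"];` sets no `Env`, while the unit text removed earlier in this hunk shows the bot is driven by a `TOKEN` environment variable; a comment above that line such as `# TOKEN is supplied at run time (env file / runtime flags), never baked into an image layer` would record that the omission is deliberate and keeps the secret out of the image. `lib.getExe teawiebot-smol` also relies on `meta.mainProgram` being set on the package; it is set in parts/derivation.nix in this commit, but only survives as long as the `overrideAttrs` in parts/packages.nix leaves `meta` untouched, which is worth a short comment next to the `Cmd` line.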
diff --git a/parts/derivation.nix b/parts/derivation.nix
new file mode 100644
index 0000000..f95446f
--- /dev/null
+++ b/parts/derivation.nix
@@ -0,0 +1,20 @@
+{
+ lib,
+ stdenv,
+ craneLib,
+ self,
+ ...
+}:
+craneLib.buildPackage {
+ src = craneLib.cleanCargoSource self;
+ inherit (self.packages.${stdenv.hostPlatform.system}) cargoArtifacts;
+
+ meta = with lib; {
+ mainProgram = "teawiebot";
+ description = "funni bot";
+ homepage = "https://github.com/getchoo/teawiebot";
+ license = licenses.mit;
+ platforms = with platforms; unix;
+ maintainers = with maintainers; [getchoo];
+ };
+}
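Review bot: `meta = with lib; {` combined with `platforms = with platforms; unix;` and `maintainers = with maintainers; [getchoo];` makes the `platforms` line read as a self-reference even though it resolves to `lib.platforms.unix`; spelling the attributes out is clearer: `platforms = lib.platforms.unix;` and `maintainers = [lib.maintainers.getchoo];`, with the outer `with lib;` dropped and `license = lib.licenses.mit;`. `description = "funni bot"` is what package listings and `nix search` show, so a one-line statement of what the bot does would be more useful here. `inherit (self.packages.${stdenv.hostPlatform.system}) cargoArtifacts;` ties the derivation to the flake's own outputs rather than to a function argument; a comment such as `# dependency-only build shared from parts/packages.nix` would explain that coupling to the next reader.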
diff --git a/parts/module.nix b/parts/module.nix
new file mode 100644
index 0000000..167ad9c
--- /dev/null
+++ b/parts/module.nix
@@ -0,0 +1,67 @@
+self: {
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.teawiebot;
+
+ inherit
+ (lib)
+ getExe
+ literalExpression
+ mkDefault
+ mkDoc
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ types
+ ;
+in {
+ options.services.teawiebot = {
+ enable = mkEnableOption "teawiebot";
+ package = mkPackageOption self.packages.${pkgs.stdenv.hostPlatform.system} "teawiebot" {};
+ environmentFile = mkOption {
+ description = mkDoc ''
+ Environment file as defined in {manpage}`systemd.exec(5)`
+ '';
+ type = types.nullOr types.path;
+ default = null;
+ example = literalExpression ''
+ "/run/agenix.d/1/teawieBot"
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services = {
+ enable = true;
+ wantedBy = mkDefault ["multi-user.target"];
+ after = mkDefault ["network.target"];
+ script = ''
+ ${getExe cfg.package}
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+
+ EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+
+ # hardening
+ DynamicUser = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ PrivateDevices = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ };
+}
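Review bot: The service definition at `systemd.services = {` is missing the unit name, so `enable`, `wantedBy`, `script` and `serviceConfig` are evaluated as services in their own right and the module will fail option type-checking; it should read `systemd.services.teawiebot = {`. `mkDoc` is inherited from `lib` but, as far as I can tell, nixpkgs exposes this helper as `mdDoc` (newer nixpkgs accepts plain strings), so the inherit list and `description = mkDoc ''` likely need the same rename. Compared with the unit removed from parts/deployment.nix in this commit, the hardening block drops `SystemCallFilter=@system-service` and `SystemCallErrorNumber=EPERM`; unless the bot needs syscalls outside that set, carrying them over as `SystemCallFilter = ["@system-service"];` and `SystemCallErrorNumber = "EPERM";` preserves the earlier reduction in kernel attack surface. `RestrictNamespaces = "uts ipc pid user cgroup"` is an allow-list of namespace types; if the bot creates none, `RestrictNamespaces = true;` is the stricter setting and worth confirming.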
diff --git a/parts/packages.nix b/parts/packages.nix
index f44ac50..6c5d10b 100644
--- a/parts/packages.nix
+++ b/parts/packages.nix
@@ -4,25 +4,11 @@
pkgs,
system,
...
- }: let
- inherit (pkgs.lib) licenses maintainers platforms;
- inherit (craneLib) buildPackage;
- in {
+ }: {
packages = {
- cargoArtifacts = craneLib.buildDepsOnly {src = self;};
+ cargoArtifacts = craneLib.buildDepsOnly {src = craneLib.cleanCargoSource self;};
- teawiebot = buildPackage {
- src = self;
- inherit (self.packages.${system}) cargoArtifacts;
-
- meta = {
- description = "funni bot";
- homepage = "https://github.com/getchoo/teawiebot";
- license = licenses.mit;
- platforms = platforms.unix;
- maintainers = with maintainers; [getchoo];
- };
- };
+ teawiebot = pkgs.callPackage ./derivation.nix {inherit craneLib self;};
teawiebot-smol =
self.packages.${system}.teawiebot.overrideAttrs (_: {