From d48ab1b30a4b6c093c2d7ff27dfb0b6d7a2bafdd Mon Sep 17 00:00:00 2001
From: seth
Date: Wed, 20 Mar 2024 08:12:19 -0400
Subject: nix: naersk -> rustPlatform
---
nix/deployment.nix | 52 ----------------
nix/deployment/default.nix | 35 +++++++++++
nix/deployment/module.nix | 146 +++++++++++++++++++++++++++++++++++++++++++++
nix/deployment/static.nix | 50 ++++++++++++++++
nix/derivation.nix | 14 +++--
nix/module.nix | 146 ---------------------------------------------
nix/packages.nix | 12 +---
nix/static.nix | 38 ------------
8 files changed, 243 insertions(+), 250 deletions(-)
delete mode 100644 nix/deployment.nix
create mode 100644 nix/deployment/default.nix
create mode 100644 nix/deployment/module.nix
create mode 100644 nix/deployment/static.nix
delete mode 100644 nix/module.nix
delete mode 100644 nix/static.nix
(limited to 'nix')
diff --git a/nix/deployment.nix b/nix/deployment.nix
deleted file mode 100644
index 514b307..0000000
--- a/nix/deployment.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- inputs,
- flake-parts-lib,
- withSystem,
- ...
-}: {
- flake.nixosModules.default = flake-parts-lib.importApply ./module.nix {
- inherit withSystem;
- };
-
- perSystem = {
- lib,
- pkgs,
- system,
- config,
- inputs',
- self',
- ...
- }: let
- crossPkgs = with pkgs.pkgsCross; {
- x86_64 = musl64;
- aarch64 = aarch64-multiplatform.pkgsStatic;
- };
-
- teawieFor = arch:
- pkgs.callPackage ./static.nix {
- inherit (self'.packages) teawiebot;
- pkgsStatic = crossPkgs.${arch};
- fenix = inputs'.fenix.packages;
- naersk = inputs.naersk.lib.${system};
- };
-
- containerFor = arch:
- pkgs.dockerTools.buildLayeredImage {
- name = "teawiebot";
- tag = "latest-${arch}";
- contents = [pkgs.dockerTools.caCertificates];
- config.Cmd = [
- (lib.getExe self'.packages."teawiebot-static-${arch}")
- ];
-
- architecture = crossPkgs.${arch}.go.GOARCH;
- };
- in {
- packages = {
- teawiebot-static-x86_64 = teawieFor "x86_64";
- teawiebot-static-aarch64 = teawieFor "aarch64";
- container-x86_64 = containerFor "x86_64";
- container-aarch64 = containerFor "aarch64";
- };
- };
-}
diff --git a/nix/deployment/default.nix b/nix/deployment/default.nix
new file mode 100644
index 0000000..7fd379f
--- /dev/null
+++ b/nix/deployment/default.nix
@@ -0,0 +1,35 @@
+{
+ flake-parts-lib,
+ withSystem,
+ ...
+}: {
+ imports = [./static.nix];
+
+ flake.nixosModules.default = flake-parts-lib.importApply ./module.nix {
+ inherit withSystem;
+ };
+
+ perSystem = {
+ lib,
+ pkgs,
+ self',
+ ...
+ }: let
+ containerFor = arch:
+ pkgs.dockerTools.buildLayeredImage {
+ name = "teawiebot";
+ tag = "latest-${arch}";
+ contents = [pkgs.dockerTools.caCertificates];
+ config.Cmd = [
+ (lib.getExe self'.packages."teawiebot-static-${arch}")
+ ];
+
+ architecture = withSystem "${arch}-linux" ({pkgs, ...}: pkgs.pkgsStatic.go.GOARCH);
+ };
+ in {
+ packages = {
+ container-x86_64 = containerFor "x86_64";
+ container-aarch64 = containerFor "aarch64";
+ };
+ };
+}
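Review bot: The image produced by `containerFor` sets only `config.Cmd`, so the bot process runs as uid 0 inside the container under the usual runtime default for an unset `User`, even though the NixOS module in this same commit takes care to run it as a dedicated unprivileged user with systemd hardening. A numeric user needs no `/etc/passwd` in the image, so adding `config.User = "65534:65534";` (nobody/nogroup, value constructed here) next to `config.Cmd` closes that gap; if the bot writes anything at runtime, pair it with a writable `WorkingDir` or a mounted volume. Separately, `packages.container-*` is defined unconditionally while `static.nix` emits `teawiebot-static-*` only under `lib.optionalAttrs pkgs.stdenv.isLinux`, so on a non-Linux `perSystem` evaluating a container package presumably fails with a missing attribute instead of the package simply not existing; gating the containers with the same `optionalAttrs` condition would keep `nix flake show` and `nix flake check` clean there.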
diff --git a/nix/deployment/module.nix b/nix/deployment/module.nix
new file mode 100644
index 0000000..09999f1
--- /dev/null
+++ b/nix/deployment/module.nix
@@ -0,0 +1,146 @@
+{withSystem, ...}: {
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.teawiebot;
+ defaultUser = "teawiebot";
+
+ inherit
+ (lib)
+ getExe
+ literalExpression
+ mdDoc
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ optionals
+ types
+ ;
+in {
+ options.services.teawiebot = {
+ enable = mkEnableOption "teawiebot";
+ package = mkPackageOption (
+ withSystem pkgs.stdenv.hostPlatform.system ({self', ...}: self'.packages)
+ ) "teawiebot" {};
+
+ user = mkOption {
+ description = mdDoc ''
+ User under which the service should run. If this is the default value,
+ the user will be created, with the specified group as the primary
+ group.
+ '';
+ type = types.str;
+ default = defaultUser;
+ example = literalExpression ''
+ "bob"
+ '';
+ };
+
+ group = mkOption {
+ description = mdDoc ''
+ Group under which the service should run. If this is the default value,
+ the group will be created.
+ '';
+ type = types.str;
+ default = defaultUser;
+ example = literalExpression ''
+ "discordbots"
+ '';
+ };
+
+ redisUrl = mkOption {
+ description = mdDoc ''
+ Connection to a redis server. If this needs to include credentials
+ that shouldn't be world-readable in the Nix store, set environmentFile
+ and override the `REDIS_URL` entry.
+ Pass the string `local` to setup a local Redis database.
+ '';
+ type = types.str;
+ default = "local";
+ example = literalExpression ''
+ "redis://localhost/"
+ '';
+ };
+
+ environmentFile = mkOption {
+ description = mdDoc ''
+ Environment file as defined in {manpage}`systemd.exec(5)`
+ '';
+ type = types.nullOr types.path;
+ default = null;
+ example = literalExpression ''
+ "/run/agenix.d/1/teawieBot"
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.redis.servers.teawiebot = mkIf (cfg.redisUrl == "local") {
+ enable = true;
+ inherit (cfg) user;
+ port = 0; # disable tcp listener
+ };
+
+ systemd.services."teawiebot" = {
+ enable = true;
+ wantedBy = ["multi-user.target"];
+ after =
+ ["network.target"]
+ ++ optionals (cfg.redisUrl == "local") ["redis-teawiebot.service"];
+
+ script = ''
+ ${getExe cfg.package}
+ '';
+
+ environment = {
+ REDIS_URL =
+ if cfg.redisUrl == "local"
+ then "unix:${config.services.redis.servers.teawiebot.unixSocket}"
+ else cfg.redisUrl;
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+
+ EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+
+ User = cfg.user;
+ Group = cfg.group;
+
+ # hardening
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictSUIDSGID = true;
+ Umask = "0007";
+ };
+ };
+
+ users = {
+ users = mkIf (cfg.user == defaultUser) {
+ ${defaultUser} = {
+ isSystemUser = true;
+ inherit (cfg) group;
+ };
+ };
+
+ groups = mkIf (cfg.group == defaultUser) {
+ ${defaultUser} = {};
+ };
+ };
+ };
+}
diff --git a/nix/deployment/static.nix b/nix/deployment/static.nix
new file mode 100644
index 0000000..dcdf0f3
--- /dev/null
+++ b/nix/deployment/static.nix
@@ -0,0 +1,50 @@
+{
+ perSystem = {
+ lib,
+ pkgs,
+ inputs',
+ self',
+ ...
+ }: let
+ targets = with pkgs.pkgsCross; {
+ x86_64 = musl64.pkgsStatic;
+ aarch64 = aarch64-multiplatform.pkgsStatic;
+ };
+
+ toolchain = let
+ fenix = inputs'.fenix.packages;
+ in
+ with fenix;
+ combine (
+ [minimal.cargo minimal.rustc]
+ ++ map (
+ pkgs:
+ fenix.targets.${pkgs.stdenv.hostPlatform.config}.latest.rust-std
+ ) (lib.attrValues targets)
+ );
+
+ rustPlatforms =
+ lib.mapAttrs (
+ lib.const (pkgs:
+ pkgs.makeRustPlatform (
+ lib.genAttrs ["cargo" "rustc"] (lib.const toolchain)
+ ))
+ )
+ targets;
+
+ buildTeawieWith = rustPlatform:
+ self'.packages.teawiebot.override {
+ inherit rustPlatform;
+ lto = true;
+ optimizeSize = true;
+ };
+ in {
+ packages = lib.optionalAttrs pkgs.stdenv.isLinux (
+ lib.mapAttrs' (
+ target: rustPlatform:
+ lib.nameValuePair "teawiebot-static-${target}" (buildTeawieWith rustPlatform)
+ )
+ rustPlatforms
+ );
+ };
+}
diff --git a/nix/derivation.nix b/nix/derivation.nix
index 3456e6c..bb60706 100644
--- a/nix/derivation.nix
+++ b/nix/derivation.nix
@@ -1,17 +1,19 @@
{
lib,
stdenv,
- naersk,
+ rustPlatform,
darwin,
self,
lto ? false,
optimizeSize ? false,
}:
-naersk.buildPackage {
+rustPlatform.buildRustPackage {
pname = "teawiebot";
version =
- toString (lib.importTOML ../Cargo.toml).package.version
- + "-${self.shortRev or self.dirtyShortRev or "dirty"}";
+ (lib.importTOML ../Cargo.toml).package.version
+ + "-${self.shortRev or self.dirtyShortRev or "unknown-dirty"}";
+
+ __structuredAttrs = true;
src = lib.fileset.toSource {
root = ../.;
@@ -23,6 +25,10 @@ naersk.buildPackage {
];
};
+ cargoLock = {
+ lockFile = ../Cargo.lock;
+ };
+
buildInputs = lib.optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [
CoreFoundation
Security
diff --git a/nix/module.nix b/nix/module.nix
deleted file mode 100644
index 09999f1..0000000
--- a/nix/module.nix
+++ /dev/null
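Review bot: `pkgs` is rebound twice in this hunk — as the parameter of the `map` lambda that builds `toolchain` and again inside `rustPlatforms` — shadowing the `pkgs` taken from the `perSystem` arguments a few lines up, so a reader has to work out which package set's `stdenv.hostPlatform` is being consulted; naming the inner binding `targetPkgs: fenix.targets.${targetPkgs.stdenv.hostPlatform.config}.latest.rust-std` (and likewise in `rustPlatforms`) removes the ambiguity. The deleted `nix/static.nix` set `CARGO_BUILD_TARGET`, a `CC_<target>`/`CARGO_TARGET_<TARGET>_LINKER` pair and `-C target-feature=+crt-static` by hand; this version leaves all of that to `makeRustPlatform` on the `pkgsStatic` cross sets and to rustc's defaults for musl targets, which is presumably right but worth confirming once by checking a `teawiebot-static-*` output for dynamic loader references before the container images built from it are relied on.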
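Review bot: `__structuredAttrs = true;` is switched on in the first derivation.nix hunk with no comment, and nothing visible in the derivation needs it, so the next reader cannot tell whether it can be removed; a one-line `# __structuredAttrs: <reason>` comment with the actual reason filled in would settle that. In the second hunk `cargoLock.lockFile = ../Cargo.lock;` pins the dependency graph to the committed lockfile and lets the vendoring step verify crates.io sources against the checksums recorded in the lock, which is the right supply-chain posture, but if the lock contains git sources they have to be listed in `cargoLock.outputHashes` or the build fails, so that deserves one check. The fileset union that defines `src` starts above these hunks; confirm `Cargo.lock` is one of its members so the lockfile the vendored dependencies are derived from and the one cargo reads in the build tree are the same file.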
@@ -1,146 +0,0 @@
-{withSystem, ...}: {
- config,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.services.teawiebot;
- defaultUser = "teawiebot";
-
- inherit
- (lib)
- getExe
- literalExpression
- mdDoc
- mkEnableOption
- mkIf
- mkOption
- mkPackageOption
- optionals
- types
- ;
-in {
- options.services.teawiebot = {
- enable = mkEnableOption "teawiebot";
- package = mkPackageOption (
- withSystem pkgs.stdenv.hostPlatform.system ({self', ...}: self'.packages)
- ) "teawiebot" {};
-
- user = mkOption {
- description = mdDoc ''
- User under which the service should run. If this is the default value,
- the user will be created, with the specified group as the primary
- group.
- '';
- type = types.str;
- default = defaultUser;
- example = literalExpression ''
- "bob"
- '';
- };
-
- group = mkOption {
- description = mdDoc ''
- Group under which the service should run. If this is the default value,
- the group will be created.
- '';
- type = types.str;
- default = defaultUser;
- example = literalExpression ''
- "discordbots"
- '';
- };
-
- redisUrl = mkOption {
- description = mdDoc ''
- Connection to a redis server. If this needs to include credentials
- that shouldn't be world-readable in the Nix store, set environmentFile
- and override the `REDIS_URL` entry.
- Pass the string `local` to setup a local Redis database.
- '';
- type = types.str;
- default = "local";
- example = literalExpression ''
- "redis://localhost/"
- '';
- };
-
- environmentFile = mkOption {
- description = mdDoc ''
- Environment file as defined in {manpage}`systemd.exec(5)`
- '';
- type = types.nullOr types.path;
- default = null;
- example = literalExpression ''
- "/run/agenix.d/1/teawieBot"
- '';
- };
- };
-
- config = mkIf cfg.enable {
- services.redis.servers.teawiebot = mkIf (cfg.redisUrl == "local") {
- enable = true;
- inherit (cfg) user;
- port = 0; # disable tcp listener
- };
-
- systemd.services."teawiebot" = {
- enable = true;
- wantedBy = ["multi-user.target"];
- after =
- ["network.target"]
- ++ optionals (cfg.redisUrl == "local") ["redis-teawiebot.service"];
-
- script = ''
- ${getExe cfg.package}
- '';
-
- environment = {
- REDIS_URL =
- if cfg.redisUrl == "local"
- then "unix:${config.services.redis.servers.teawiebot.unixSocket}"
- else cfg.redisUrl;
- };
-
- serviceConfig = {
- Type = "simple";
- Restart = "always";
-
- EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
-
- User = cfg.user;
- Group = cfg.group;
-
- # hardening
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectSystem = "strict";
- RestrictNamespaces = "uts ipc pid user cgroup";
- RestrictSUIDSGID = true;
- Umask = "0007";
- };
- };
-
- users = {
- users = mkIf (cfg.user == defaultUser) {
- ${defaultUser} = {
- isSystemUser = true;
- inherit (cfg) group;
- };
- };
-
- groups = mkIf (cfg.group == defaultUser) {
- ${defaultUser} = {};
- };
- };
- };
-}
diff --git a/nix/packages.nix b/nix/packages.nix
index ba6dc6e..764301c 100644
--- a/nix/packages.nix
+++ b/nix/packages.nix
@@ -1,8 +1,4 @@
-{
- self,
- inputs,
- ...
-}: {
+{self, ...}: {
perSystem = {
pkgs,
system,
@@ -10,11 +6,7 @@
...
}: {
packages = {
- teawiebot = pkgs.callPackage ./derivation.nix {
- inherit self;
- naersk = inputs.naersk.lib.${system};
- };
-
+ teawiebot = pkgs.callPackage ./derivation.nix {inherit self;};
default = self'.packages.teawiebot;
};
};
diff --git a/nix/static.nix b/nix/static.nix
deleted file mode 100644
index 22fbad6..0000000
--- a/nix/static.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- lib,
- pkgsStatic,
- fenix,
- naersk,
- teawiebot,
-}: let
- inherit (pkgsStatic.stdenv) cc;
-
- target = pkgsStatic.stdenv.hostPlatform.config;
- target' = builtins.replaceStrings ["-"] ["_"] target;
- targetUpper = lib.toUpper target';
-
- toolchain = with fenix;
- combine [
- minimal.cargo
- minimal.rustc
- targets.${target}.latest.rust-std
- ];
-
- naersk' = naersk.override {
- cargo = toolchain;
- rustc = toolchain;
- };
-in
- (teawiebot.override {
- naersk = naersk';
- lto = true;
- optimizeSize = true;
- })
- .overrideAttrs (new: old: {
- env = {
- "CC_${target'}" = "${cc}/bin/${cc.targetPrefix}cc";
- CARGO_BUILD_TARGET = target;
- CARGO_BUILD_RUSTFLAGS = old.env.CARGO_BUILD_RUSTFLAGS + " -C target-feature=+crt-static";
- "CARGO_TARGET_${targetUpper}_LINKER" = new.env."CC_${target'}";
- };
- })
-- cgit v1.2.3
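Review bot: `system` stays in the `perSystem` argument pattern after this change although its only use in the file, `inputs.naersk.lib.${system}`, is removed in the second packages.nix hunk; the single line between the two hunks (old line 9) is not shown, so confirm it is not used there and then drop it, `perSystem = { pkgs, self', ... }: {`. The outer pattern already received the same trim to `{self, ...}: {`, so leaving `system` behind reads like an oversight rather than a deliberate keep.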