flake.nix
{
inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
outputs = { self, nixpkgs }: let
version = "${self.shortRev or "dirty"}";
in {
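packages = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ] (system: let
  pkgs = import nixpkgs { inherit system; };
in {
  # Built through callPackage so every dependency is injected and can be
  # swapped with `.override`; the previous version reached into `pkgs`
  # for pkg-config and openssl, which bypassed that mechanism.
  default = pkgs.callPackage (
    { rustPlatform, lib, pkg-config, openssl }: rustPlatform.buildRustPackage rec {
      pname = "axolotl_client-api";
      version = "0.0.0";
      # cleanSource drops VCS metadata, editor backup files and stale build
      # outputs so that unrelated files do not change the source hash.
      src = builtins.path {
        name = "${pname}-${version}";
        path = lib.cleanSource ./.;
      };
      nativeBuildInputs = [ pkg-config ];
      buildInputs = [ openssl ];
      # Use the checked-in sqlx query metadata; the build sandbox has no
      # database to verify queries against.
      SQLX_OFFLINE = true;
      cargoLock.lockFile = ./Cargo.lock;
    }
  ) {};
});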
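nixosModules.default = { config, lib, pkgs, utils, ... }: with lib; let
  cfg = config.services.axolotlClientApi;

  # Command line for the service, as a list so that every element is quoted
  # by utils.escapeSystemdExecArgs below. Only options that are set are
  # passed. Quoting matters: systemd's Exec= parser splits an unquoted value
  # on whitespace and expands `%` and `$` in it, and a bare Nix integer
  # (cacheLimitBytes) cannot be interpolated into a string at all.
  args =
    [ "${self.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/axolotl_client-api" ]
    ++ optionals (cfg.postgresUrl != null) [ "--postgres-url" cfg.postgresUrl ]
    ++ optionals (cfg.postgresUrlFile != null) [ "--postgres-url-file" cfg.postgresUrlFile ]
    ++ optionals (cfg.hypixelApiKey != null) [ "--hypixel-api-key" cfg.hypixelApiKey ]
    ++ optionals (cfg.hypixelApiKeyFile != null) [ "--hypixel-api-key-file" cfg.hypixelApiKeyFile ]
    ++ optionals (cfg.notesFile != null) [ "--notes-file" cfg.notesFile ]
    ++ optionals (cfg.domainName != null) [ "--domain-name" cfg.domainName ]
    ++ optionals (cfg.cacheLimitBytes != null) [ "--cache-limit-bytes" cfg.cacheLimitBytes ];
in {
  options.services.axolotlClientApi = {
    enable = mkEnableOption "AxolotlClient-API";
    postgresUrl = mkOption {
      type = types.nullOr types.str;
      description = ''
        Postgres Connection Url, see: <https://docs.rs/sqlx/latest/sqlx/postgres/struct.PgConnectOptions.html>.
        Mutually exclusive with postgresUrlFile.
        The value is written into the systemd unit and therefore into the
        world-readable Nix store; if the URL carries credentials, use
        postgresUrlFile instead.
      '';
      default = null;
    };
    postgresUrlFile = mkOption {
      type = types.nullOr types.path;
      description = ''
        File containing a Postgres Connection Url, see: <https://docs.rs/sqlx/latest/sqlx/postgres/struct.PgConnectOptions.html>.
        Mutually exclusive with postgresUrl. The file is read at runtime by the
        service user, so it must be readable by axolotl_client-api and should
        not live in the Nix store.
      '';
      default = null;
    };
    hypixelApiKey = mkOption {
      type = types.nullOr types.str;
      description = ''
        Hypixel API Key. Mutually exclusive with hypixelApiKeyFile.
        The value is written into the systemd unit and therefore into the
        world-readable Nix store; prefer hypixelApiKeyFile.
      '';
      default = null;
    };
    hypixelApiKeyFile = mkOption {
      type = types.nullOr types.path;
      description = ''
        File containing a Hypixel API Key. Mutually exclusive with hypixelApiKey.
        The file is read at runtime by the service user, so it must be readable
        by axolotl_client-api and should not live in the Nix store.
      '';
      default = null;
    };
    notesFile = mkOption {
      type = types.nullOr types.path;
      description = "File containing notes to be returned by the Api.";
      default = null;
    };
    domainName = mkOption {
      type = types.nullOr types.str;
      description = "Domain Name the API is hosted on";
      default = null;
    };
    cacheLimitBytes = mkOption {
      type = types.nullOr types.ints.unsigned;
      description = "Cache Size Limits in Bytes";
      default = null;
    };
  };

  config = mkIf cfg.enable {
    # Enforce the exclusivity the option descriptions promise. The flags
    # themselves are still passed to the binary unchecked.
    assertions = [
      {
        assertion = cfg.postgresUrl == null || cfg.postgresUrlFile == null;
        message = "services.axolotlClientApi: postgresUrl and postgresUrlFile are mutually exclusive.";
      }
      {
        assertion = cfg.hypixelApiKey == null || cfg.hypixelApiKeyFile == null;
        message = "services.axolotlClientApi: hypixelApiKey and hypixelApiKeyFile are mutually exclusive.";
      }
    ];

    # Dedicated unprivileged account; the service never runs as root.
    users.users.axolotl_client-api = {
      isSystemUser = true;
      name = "axolotl_client-api";
      group = "axolotl_client-api";
    };
    users.groups.axolotl_client-api = {};

    systemd.services.axolotl_client-api = {
      description = "AxolotlClient API Service";
      # NOTE(review): hard dependency on a local postgresql.service; a
      # deployment whose postgresUrl points at a remote database still needs
      # that unit to exist on this host — confirm that is intended.
      after = [ "postgresql.service" ];
      requires = [ "postgresql.service" ];
      upheldBy = [ "multi-user.target" ];
      environment.RUST_BACKTRACE = "true";
      serviceConfig = {
        User = "axolotl_client-api";
        Group = "axolotl_client-api";
        Type = "exec";
        ExecStart = utils.escapeSystemdExecArgs args;

        # Sandboxing. The service gets no capabilities, no device or kernel
        # interface access, a read-only view of the filesystem
        # (ProtectSystem=strict) and only the address families it needs for
        # the HTTP API and the Postgres connection. SystemCallFilter is an
        # allow-list, so a new dependency that needs another syscall group
        # will fail at runtime rather than silently widen the sandbox.
        CapabilityBoundingSet = "";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "@basic-io @file-system @io-event @network-io @process @signal ioctl madvise mremap";
        # NOTE(review): UMask= is octal, so "777" strips every permission bit
        # from files the service creates, making them unreadable even to the
        # service itself on reopen. Harmless if it never writes files; confirm
        # that is intended (0077 is the usual hardening value).
        UMask = "777";
      };
    };
  };
};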
};
}