{
inputs = {
naersk.url = "github:nix-community/naersk/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, utils, naersk }:
utils.lib.eachDefaultSystem (system:
let
pkgs = import nixpkgs { inherit system; };
naersk-lib = pkgs.callPackage naersk { };
in
{
formatter = nixpkgs.legacyPackages."${system}".nixpkgs-fmt;
packages.default = naersk-lib.buildPackage {
src = ./.;
nativeBuildInputs = with pkgs; [ pkg-config ];
buildInputs = with pkgs; [ libsodium ];
};
devShells.default = with pkgs; mkShell {
buildInputs = [ cargo rustc rustfmt pre-commit rustPackages.clippy ];
RUST_SRC_PATH = rustPlatform.rustLibSrc;
};
nixosModules.pisshoff-server = { config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.pisshoff-server;
in
{
options.services.pisshoff-server = {
enable = mkEnableOption "pisshoff-server";
settings = mkOption {
type = (pkgs.formats.toml { }).type;
default = { };
description = "Specify the configuration for pisshoff-server in Nix";
};
};
config = mkIf cfg.enable {
systemd.services.pisshoff-server = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig =
let
format = pkgs.formats.toml { };
conf = format.generate "pisshoff.toml" cfg.settings;
in
{
Type = "exec";
ExecStart = "${self.packages."${system}".default}/bin/pisshoff-server -c \"${conf}\"";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
LogsDirectory = "pisshoff";
CapabilityBoundingSet = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateMounts = true;
ProtectHome = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectSystem = "strict";
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = true;
LockPersonality = true;
RemoveIPC = true;
MemoryDenyWriteExecute = true;
DynamicUser = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
};
};
services.logrotate.settings.pisshoff-server = {
files = "/var/log/pisshoff/audit.log";
rotate = 31;
frequency = "daily";
compress = true;
delaycompress = true;
missingok = true;
notifempty = true;
postrotate = "systemctl reload pisshoff";
};
};
};
nixosModules.pisshoff-timescaledb-exporter = { config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.pisshoff-timescaledb-exporter;
in
{
options.services.pisshoff-timescaledb-exporter = {
enable = mkEnableOption "pisshoff-timescaledb-exporter";
settings = mkOption {
type = (pkgs.formats.toml { }).type;
default = { };
description = "Specify the configuration for pisshoff-timescaledb-exporter in Nix";
};
};
config = mkIf cfg.enable {
systemd.services.pisshoff-timescaledb-exporter = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig =
let
format = pkgs.formats.toml { };
conf = format.generate "pisshoff.toml" cfg.settings;
in
{
Type = "exec";
ExecStart = "${self.packages."${system}".default}/bin/pisshoff-timescaledb-exporter -c \"${conf}\"";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "on-failure";
RuntimeDirectory = "pisshoff-timescaledb-exporter";
LogsDirectory = "pisshoff-timescaledb-exporter";
CapabilityBoundingSet = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateMounts = true;
ProtectHome = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectSystem = "strict";
RestrictSUIDSGID = true;
RestrictRealtime = true;
RestrictNamespaces = true;
LockPersonality = true;
RemoveIPC = true;
MemoryDenyWriteExecute = true;
DynamicUser = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
};
};
};
};
});
}