
{
  # Flake inputs: the Rust builder (naersk), the package set, and the
  # per-system helper used by `outputs`. These are branch references; the
  # exact revisions are pinned by flake.lock.
  inputs.naersk.url = "github:nix-community/naersk/master";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  inputs.utils.url = "github:numtide/flake-utils";

  outputs = { self, nixpkgs, utils, naersk }:
    utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };
        naersk-lib = pkgs.callPackage naersk { };
      in
      {
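        # Use the `pkgs` instantiation bound above (same nixpkgs, same system)
        # rather than re-resolving nixpkgs.legacyPackages."${system}", so the
        # formatter comes from exactly the package set every other output uses.
        formatter = pkgs.nixpkgs-fmt;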

        # Build the crate(s) in this flake's own source tree with naersk.
        packages.default = naersk-lib.buildPackage {
          src = ./.;
          # pkg-config is a build-time-only tool; libsodium is a link
          # dependency (presumably discovered through pkg-config — verify
          # against the crate's build script).
          nativeBuildInputs = [ pkgs.pkg-config ];
          buildInputs = [ pkgs.libsodium ];
        };

        # Development shell with the Rust toolchain plus pre-commit.
        # RUST_SRC_PATH exposes the std sources (typically consumed by
        # rust-analyzer).
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [ cargo rustc rustfmt pre-commit rustPackages.clippy ];
          RUST_SRC_PATH = pkgs.rustPlatform.rustLibSrc;
        };

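        # NixOS module for the pisshoff-server daemon: a hardened systemd unit
        # plus daily rotation of its audit log.
        nixosModules.pisshoff-server = { config, lib, pkgs, ... }:
          let
            inherit (lib) mkEnableOption mkOption mkIf;
            cfg = config.services.pisshoff-server;
            # `settings` is rendered to TOML and handed to the daemon via `-c`.
            format = pkgs.formats.toml { };
          in
          {
            options.services.pisshoff-server = {
              enable = mkEnableOption "pisshoff-server";
              settings = mkOption {
                type = format.type;
                default = { };
                description = "Specify the configuration for pisshoff-server in Nix";
              };
            };

            config = mkIf cfg.enable {
              systemd.services.pisshoff-server = {
                enable = true;
                wantedBy = [ "multi-user.target" ];
                # `after` only orders against network-online.target; `wants` is
                # what pulls the target in so that ordering actually applies.
                wants = [ "network-online.target" ];
                after = [ "network-online.target" ];
                serviceConfig =
                  let
                    # NOTE(review): the generated file lives in the world-readable
                    # Nix store, so `settings` must not carry secrets (private
                    # keys, tokens); check what the daemon's config schema expects
                    # and load such values out of band if it supports that.
                    conf = format.generate "pisshoff.toml" cfg.settings;
                  in
                  {
                    Type = "exec";
                    ExecStart = "${self.packages."${system}".default}/bin/pisshoff-server -c \"${conf}\"";
                    # Reload is SIGHUP; the logrotate postrotate hook below relies
                    # on it (presumably the daemon reopens its log on HUP — verify).
                    ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
                    Restart = "on-failure";

                    # /var/log/pisshoff, created by systemd and writable by the
                    # dynamic user even though ProtectSystem=strict is set.
                    LogsDirectory = "pisshoff";
                    # Sandboxing: transient unprivileged user, empty capability
                    # set, read-only view of the host, no privileged syscalls,
                    # sockets limited to IPv4/IPv6.
                    CapabilityBoundingSet = "";
                    NoNewPrivileges = true;
                    PrivateDevices = true;
                    PrivateTmp = true;
                    PrivateUsers = true;
                    PrivateMounts = true;
                    ProtectHome = true;
                    ProtectClock = true;
                    ProtectProc = "invisible";
                    ProcSubset = "pid";
                    ProtectKernelLogs = true;
                    ProtectKernelModules = true;
                    ProtectKernelTunables = true;
                    ProtectControlGroups = true;
                    ProtectHostname = true;
                    ProtectSystem = "strict";
                    RestrictSUIDSGID = true;
                    RestrictRealtime = true;
                    RestrictNamespaces = true;
                    LockPersonality = true;
                    RemoveIPC = true;
                    MemoryDenyWriteExecute = true;
                    DynamicUser = true;
                    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
                    SystemCallFilter = [ "@system-service" "~@privileged" ];
                    # Refuse foreign-ABI syscalls (e.g. 32-bit compat on x86_64),
                    # which the seccomp filter above would otherwise not cover.
                    SystemCallArchitectures = "native";
                  };
              };

              services.logrotate.settings.pisshoff-server = {
                files = "/var/log/pisshoff/audit.log";
                rotate = 31;
                frequency = "daily";
                compress = true;
                delaycompress = true;
                missingok = true;
                notifempty = true;
                # The unit is pisshoff-server.service; `systemctl reload pisshoff`
                # would address a unit that does not exist, so rotated logs would
                # never be reopened.
                postrotate = "systemctl reload pisshoff-server";
              };
            };
          };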

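        # NixOS module for the TimescaleDB exporter, mirroring the server
        # module's hardening profile.
        nixosModules.pisshoff-timescaledb-exporter = { config, lib, pkgs, ... }:
          let
            inherit (lib) mkEnableOption mkOption mkIf;
            cfg = config.services.pisshoff-timescaledb-exporter;
            # `settings` is rendered to TOML and handed to the exporter via `-c`.
            format = pkgs.formats.toml { };
          in
          {
            options.services.pisshoff-timescaledb-exporter = {
              enable = mkEnableOption "pisshoff-timescaledb-exporter";
              settings = mkOption {
                type = format.type;
                default = { };
                description = "Specify the configuration for pisshoff-timescaledb-exporter in Nix";
              };
            };

            config = mkIf cfg.enable {
              systemd.services.pisshoff-timescaledb-exporter = {
                enable = true;
                wantedBy = [ "multi-user.target" ];
                # `after` only orders against network-online.target; `wants` is
                # what pulls the target in so that ordering actually applies.
                wants = [ "network-online.target" ];
                after = [ "network-online.target" ];
                serviceConfig =
                  let
                    # NOTE(review): the generated file lives in the world-readable
                    # Nix store. If the exporter's config carries database
                    # credentials, they must not be placed in `settings`; check
                    # whether the exporter can read them from a separate file.
                    conf = format.generate "pisshoff.toml" cfg.settings;
                  in
                  {
                    Type = "exec";
                    ExecStart = "${self.packages."${system}".default}/bin/pisshoff-timescaledb-exporter -c \"${conf}\"";
                    ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
                    Restart = "on-failure";

                    # /run/pisshoff-timescaledb-exporter and
                    # /var/log/pisshoff-timescaledb-exporter, the only writable
                    # locations under ProtectSystem=strict.
                    RuntimeDirectory = "pisshoff-timescaledb-exporter";
                    LogsDirectory = "pisshoff-timescaledb-exporter";
                    # Sandboxing: transient unprivileged user, empty capability
                    # set, read-only view of the host, no privileged syscalls.
                    CapabilityBoundingSet = "";
                    NoNewPrivileges = true;
                    PrivateDevices = true;
                    PrivateTmp = true;
                    PrivateUsers = true;
                    PrivateMounts = true;
                    ProtectHome = true;
                    ProtectClock = true;
                    ProtectProc = "invisible";
                    ProcSubset = "pid";
                    ProtectKernelLogs = true;
                    ProtectKernelModules = true;
                    ProtectKernelTunables = true;
                    ProtectControlGroups = true;
                    ProtectHostname = true;
                    ProtectSystem = "strict";
                    RestrictSUIDSGID = true;
                    RestrictRealtime = true;
                    RestrictNamespaces = true;
                    LockPersonality = true;
                    RemoveIPC = true;
                    MemoryDenyWriteExecute = true;
                    DynamicUser = true;
                    # AF_UNIX is allowed here in addition to IP (presumably for a
                    # local database socket — confirm against the exporter's
                    # connection settings).
                    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
                    SystemCallFilter = [ "@system-service" "~@privileged" ];
                    # Refuse foreign-ABI syscalls, which the seccomp filter above
                    # would otherwise not cover.
                    SystemCallArchitectures = "native";
                  };
              };
            };
          };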
      });
}