
author Jordan Doyle <jordan@doyle.la> 2022-12-04 18:38:40.0 +00:00:00
committer Jordan Doyle <jordan@doyle.la> 2022-12-04 20:29:29.0 +00:00:00
commit
fbb0afac681917667f6f34b74451fbd3aefac1f1 [patch]
tree
ad21822085f5f1e9f5af83cf9a2ec6005ee47fbd
parent
97e09a301464ed08efeced2fe0119c3ac3fe1eb3

Add flake.nix



Diff

 .gitignore |   1 +
 flake.lock |  77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 flake.nix  |  99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 177 insertions(+)

diff --git a/.gitignore b/.gitignore
index d81f12e..bb411aa 100644
--- a/.gitignore
+++ a/.gitignore
@@ -1,2 +1,3 @@
/target
/.idea
result
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..31e6c5a 100644
--- /dev/null
+++ a/flake.lock
@@ -1,0 +1,77 @@
{
  "nodes": {
    "naersk": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      },

      "locked": {
        "lastModified": 1662220400,
        "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
        "owner": "nix-community",
        "repo": "naersk",
        "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
        "type": "github"
      },

      "original": {
        "owner": "nix-community",
        "ref": "master",
        "repo": "naersk",
        "type": "github"
      }

    },

    "nixpkgs": {
      "locked": {
        "lastModified": 1670086663,
        "narHash": "sha256-hT8C8AQB74tdoCPwz4nlJypLMD7GI2F5q+vn+VE/qQk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "813836d64fa57285d108f0dbf2356457ccd304e3",
        "type": "github"
      },

      "original": {
        "id": "nixpkgs",
        "type": "indirect"
      }

    },

    "nixpkgs_2": {
      "locked": {
        "lastModified": 1670086663,
        "narHash": "sha256-hT8C8AQB74tdoCPwz4nlJypLMD7GI2F5q+vn+VE/qQk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "813836d64fa57285d108f0dbf2356457ccd304e3",
        "type": "github"
      },

      "original": {
        "owner": "NixOS",
        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }

    },

    "root": {
      "inputs": {
        "naersk": "naersk",
        "nixpkgs": "nixpkgs_2",
        "utils": "utils"
      }

    },

    "utils": {
      "locked": {
        "lastModified": 1667395993,
        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },

      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }

    }

  },

  "root": "root",
  "version": 7
}

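diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..7f6df95 100644
--- /dev/null
+++ b/flake.nix
@@ -1,0 +1,99 @@
+{
+  inputs = {
+    naersk.url = "github:nix-community/naersk/master";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, utils, naersk }:
+    utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        naersk-lib = pkgs.callPackage naersk { };
+      in
+      {
+        defaultPackage = naersk-lib.buildPackage {
+          root = ./.;
+          nativeBuildInputs = with pkgs; [ pkg-config ];
+          buildInputs = with pkgs; [ openssl ];
+        };
+        devShell = with pkgs; mkShell {
+          buildInputs = [ cargo rustc rustfmt pre-commit rustPackages.clippy ];
+          RUST_SRC_PATH = rustPlatform.rustLibSrc;
+        };
+
+        nixosModules.default = { config, lib, pkgs, ... }:
+        with lib;
+        let
+          cfg = config.services.rgit;
+        in
+        {
+          options.services.rgit = {
+            enable = mkEnableOption "rgit";
+            bindAddress = mkOption {
+              default = "[::]:8333";
+              description = "Address and port to listen on";
+              type = types.str;
+            };
+            dbStorePath = mkOption {
+              default = "/tmp/rgit.db";
+              description = "Path to store the temporary cache";
+              type = types.path;
+            };
+            repositoryStorePath = mkOption {
+              default = "/git";
+              description = "Path to repositories";
+              type = types.path;
+            };
+          };
+
+          config = mkIf cfg.enable {
+            users.groups.rgit = { };
+            users.users.rgit = {
+              description = "RGit service user";
+              group = "rgit";
+              isSystemUser = true;
+              home = "/git";
+            };
+
+            systemd.services.rgit = {
+              enable = true;
+              wantedBy = [ "multi-user.target" ];
+              after = [ "network-online.target" ];
+              path = [ pkgs.git ];
+              serviceConfig = {
+                Type = "exec";
+                ExecStart = "${self.defaultPackage."${system}"}/bin/rgit --db-store ${cfg.dbStorePath} ${cfg.bindAddress} ${cfg.repositoryStorePath}";
+                Restart = "on-failure";
+
+                User = "rgit";
+                Group = "rgit";
+
+                CapabilityBoundingSet = "";
+                NoNewPrivileges = true;
+                PrivateDevices = true;
+                PrivateTmp = true;
+                PrivateUsers = true;
+                PrivateMounts = true;
+                ProtectHome = true;
+                ProtectClock = true;
+                ProtectProc = "noaccess";
+                ProcSubset = "pid";
+                ProtectKernelLogs = true;
+                ProtectKernelModules = true;
+                ProtectKernelTunables = true;
+                ProtectControlGroups = true;
+                ProtectHostname = true;
+                RestrictSUIDSGID = true;
+                RestrictRealtime = true;
+                RestrictNamespaces = true;
+                LockPersonality = true;
+                RemoveIPC = true;
+                RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+                SystemCallFilter = [ "@system-service" "~@privileged" ];
+              };
+            };
+          };
+        };
+      });
+}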
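Review bot: The `ExecStart` line in the nixosModules section splices `cfg.dbStorePath`, `cfg.bindAddress` and `cfg.repositoryStorePath` into the command line unquoted, so any option value containing whitespace or quote characters (bindAddress is an unconstrained `types.str`) is re-split by systemd's argument parser and either breaks the unit or hands rgit different arguments than the administrator configured; since `with lib;` is already in scope, the fix is to wrap each value, e.g. `ExecStart = "${self.defaultPackage."${system}"}/bin/rgit --db-store ${escapeShellArg cfg.dbStorePath} ${escapeShellArg cfg.bindAddress} ${escapeShellArg cfg.repositoryStorePath}";`. The same sandbox block sets many `Protect*`/`Private*` keys but omits `ProtectSystem` (typically `"strict"` together with `ReadWritePaths`/`ReadOnlyPaths` naming the database and repository locations), which is the one that actually makes the rest of the filesystem read-only for the service. `after = [ "network-online.target" ]` without a matching `wants = [ "network-online.target" ];` only orders the unit and does not pull the target in, so the ordering guarantee is not reliably obtained. Finally, `users.users.rgit.home = "/git"` is hard-coded while the repository location is configurable via `cfg.repositoryStorePath`; consider `home = cfg.repositoryStorePath;` so the two cannot drift.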