From fbb0afac681917667f6f34b74451fbd3aefac1f1 Mon Sep 17 00:00:00 2001
From: Jordan Doyle
Date: Sun, 04 Dec 2022 18:38:40 +0000
Subject: [PATCH] Add flake.nix
---
.gitignore | 1 +
flake.lock | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
flake.nix | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 177 insertions(+)
diff --git a/.gitignore b/.gitignore
index d81f12e..bb411aa 100644
--- a/.gitignore
+++ a/.gitignore
@@ -1,2 +1,3 @@
 /target
 /.idea
+result
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..31e6c5a 100644
--- /dev/null
+++ a/flake.lock
@@ -1,0 +1,77 @@
+{
+ "nodes": {
+ "naersk": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ },
+ "locked": {
+ "lastModified": 1662220400,
+ "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
+ "owner": "nix-community",
+ "repo": "naersk",
+ "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "master",
+ "repo": "naersk",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1670086663,
+ "narHash": "sha256-hT8C8AQB74tdoCPwz4nlJypLMD7GI2F5q+vn+VE/qQk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "813836d64fa57285d108f0dbf2356457ccd304e3",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1670086663,
+ "narHash": "sha256-hT8C8AQB74tdoCPwz4nlJypLMD7GI2F5q+vn+VE/qQk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "813836d64fa57285d108f0dbf2356457ccd304e3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "naersk": "naersk",
+ "nixpkgs": "nixpkgs_2",
+ "utils": "utils"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1667395993,
+ "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..7f6df95 100644
--- /dev/null
+++ a/flake.nix
@@ -1,0 +1,99 @@
+{
+ inputs = {
+ naersk.url = "github:nix-community/naersk/master";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, utils, naersk }:
+ utils.lib.eachDefaultSystem (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ naersk-lib = pkgs.callPackage naersk { };
+ in
+ {
+ defaultPackage = naersk-lib.buildPackage {
+ root = ./.;
+ nativeBuildInputs = with pkgs; [ pkg-config ];
+ buildInputs = with pkgs; [ openssl ];
+ };
+ devShell = with pkgs; mkShell {
+ buildInputs = [ cargo rustc rustfmt pre-commit rustPackages.clippy ];
+ RUST_SRC_PATH = rustPlatform.rustLibSrc;
+ };
+
+ nixosModules.default = { config, lib, pkgs, ... }:
+ with lib;
+ let
+ cfg = config.services.rgit;
+ in
+ {
+ options.services.rgit = {
+ enable = mkEnableOption "rgit";
+ bindAddress = mkOption {
+ default = "[::]:8333";
+ description = "Address and port to listen on";
+ type = types.str;
+ };
+ dbStorePath = mkOption {
+ default = "/tmp/rgit.db";
+ description = "Path to store the temporary cache";
+ type = types.path;
+ };
+ repositoryStorePath = mkOption {
+ default = "/git";
+ description = "Path to repositories";
+ type = types.path;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.groups.rgit = { };
+ users.users.rgit = {
+ description = "RGit service user";
+ group = "rgit";
+ isSystemUser = true;
+ home = "/git";
+ };
+
+ systemd.services.rgit = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ path = [ pkgs.git ];
+ serviceConfig = {
+ Type = "exec";
+ ExecStart = "${self.defaultPackage."${system}"}/bin/rgit --db-store ${cfg.dbStorePath} ${cfg.bindAddress} ${cfg.repositoryStorePath}";
+ Restart = "on-failure";
+
+ User = "rgit";
+ Group = "rgit";
+
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateMounts = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectProc = "noaccess";
+ ProcSubset = "pid";
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
+ };
+ };
+ };
+ };
+ });
+}
-- 
rgit 0.1.3
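Review bot: The ExecStart line in serviceConfig splices cfg.dbStorePath, cfg.bindAddress and cfg.repositoryStorePath straight into a systemd command string, so a value containing whitespace, quotes or a `%` specifier is re-tokenised by systemd instead of being passed as one argument; build it as `ExecStart = lib.escapeShellArgs [ "${self.defaultPackage.${system}}/bin/rgit" "--db-store" (toString cfg.dbStorePath) cfg.bindAddress (toString cfg.repositoryStorePath) ];` (systemd still expands `%`, so double it if those paths may contain one). The hardening block sets PrivateTmp and ProtectHome but no `ProtectSystem = "strict"` with a ReadWritePaths entry for the db store, so the rgit user can still write anywhere its file permissions allow, and the `/tmp/rgit.db` default lands in the service-private tmp that PrivateTmp discards on stop, which may be intended for a cache but is worth stating in the option description. `after = [ "network-online.target" ]` without a matching `wants = [ "network-online.target" ]` does not pull that target in, so the ordering has no effect unless something else activates it. Because nixosModules.default is defined inside eachDefaultSystem it appears to be emitted per system rather than as a top-level nixosModules.default, which consumers importing the conventional name would not find — worth confirming against flake-utils' eachSystem behaviour.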