From ae01bd40a9b908a6af3da563376c672b089773be Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Sun, 17 Jul 2022 17:49:32 +0200
Subject: [PATCH] nixos service

---
 flake.nix | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 96 insertions(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index fa62fd4..0eda1e4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,5 +29,100 @@
 nativeBuildInputs = with pkgs; [ rustc cargo ];
 };
 }
- );
+ )
+ // {
+ nixosModule = {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ with lib; let
+ cfg = config.services.demosbackup;
+ in {
+ options.services.demosbackup = {
+ enable = mkEnableOption "Enables the demos backup service";
+
+ target = mkOption {
+ type = types.str;
+ description = "target directory";
+ };
+ api = mkOption {
+ type = types.str;
+ default = "https://api.demos.tf";
+ description = "demos.tf api url";
+ };
+ stateFile = mkOption {
+ type = types.str;
+ description = "state file path";
+ };
+ logLevel = mkOption {
+ type = types.str;
+ default = "INFO";
+ description = "log level";
+ };
+ user = mkOption {
+ type = types.str;
+ description = "user that owns the demos";
+ };
+ interval = mkOption {
+ type = types.str;
+ default = "*:0/10";
+ description = "Interval to run the service";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.demosbackup = let
+ pkg = self.defaultPackage.${pkgs.system};
+ in {
+ script = "${pkg}/bin/backup";
+ description = "Backup demos for demos.tf";
+
+ environment = {
+ STORAGE_ROOT = cfg.target;
+ SOURCE = cfg.api;
+ STATE_FILE = cfg.stateFile;
+ RUST_LOG = cfg.logLevel;
+ };
+
+ serviceConfig = {
+ ReadWritePaths = [cfg.target cfg.stateFile];
+ Restart = "on-failure";
+ User = cfg.user;
+ PrivateTmp = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ CapabilityBoundingSet = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ SystemCallArchitectures = "native";
+ ProtectKernelModules = true;
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictRealtime = true;
+ ProtectProc = "noaccess";
+ SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
+ IPAddressDeny = "localhost 
link-local multicast";
+ };
+ };
+
+ systemd.timers.demosbackup = {
+ enable = true;
+ description = "Backup demos for demos.tf";
+ wantedBy = ["multi-user.target"];
+ timerConfig = {
+ OnCalendar = "*:0/10";
+ };
+ };
+ };
+ };
+ };
 }
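Review bot: The timer's `timerConfig` block at the end of the hunk hard-codes `OnCalendar = "*:0/10";`, so the `interval` option declared earlier in the same hunk is never read and setting `services.demosbackup.interval` has no effect; it should be `OnCalendar = cfg.interval;`. In `serviceConfig`, `CapabilityBoundingSet = true;` is not a valid value either — systemd expects a list of capability names there, so to drop every capability, which is what the surrounding hardening suggests is intended, write `CapabilityBoundingSet = "";`. Less certain: `ReadWritePaths = [cfg.target cfg.stateFile]` combined with `ProtectSystem = "strict"` presumably requires both paths to exist before the unit starts, so a state file that the first run is expected to create may keep the unit from starting; if so, a `StateDirectory` or a `-`-prefixed entry is worth considering. A short comment above `serviceConfig` stating that the unit is sandboxed and that `target` and `stateFile` are the only writable locations would help readers of the module understand why the other options are there.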