flake reorg

2026-06-03 09:54:21 +02:00 · 2024-12-15 14:35:27 +01:00 · 2024-12-15 14:35:27 +01:00 · d7fde02c00
commit d7fde02c00
parent f5630c7960
10 changed files with 140 additions and 140 deletions
--- a/nix/module.nix
+++ b/nix/module.nix
@ -0,0 +1,63 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+with lib; let
+  cfg = config.services.prometheus-mdns-sd;
+in
+{
+  options.services.prometheus-mdns-sd = {
+    enable = mkEnableOption "WiFi prometheus exporter";
+
+    target = mkOption {
+      type = types.str;
+      default = "/run/prometheus-mdns-sd/services.json";
+      description = "json file to write the discovered services to";
+    };
+
+    package = mkOption {
+      type = types.package;
+      defaultText = literalExpression "pkgs.prometheus-mdns-sd";
+      description = "package to use";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services."prometheus-mdns-sd" = {
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/prometheus-mdns-sd-rs ${cfg.target}";
+        Restart = "on-failure";
+        DynamicUser = true;
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        CapabilityBoundingSet = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        SystemCallArchitectures = "native";
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        MemoryDenyWriteExecute = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET";
+        RestrictRealtime = true;
+        ProtectProc = "invisible";
+        SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+        IPAddressDeny = "any";
+        IPAddressAllow = [ "multicast" "192.168.0.0/16" ];
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        RuntimeDirectory = "prometheus-mdns-sd";
+        RestrictSUIDSGID = true;
+      };
+    };
+  };
+}
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@ -0,0 +1,3 @@
+final: prev: {
+  prometheus-mdns-sd = final.callPackage ./package.nix { };
+}
--- a/nix/package.nix
+++ b/nix/package.nix
@ -0,0 +1,22 @@
+{ stdenv
+, rustPlatform
+, lib
+,
+}:
+let
+  inherit (lib.sources) sourceByRegex;
+  inherit (builtins) fromTOML readFile;
+  src = sourceByRegex ../. [ "Cargo.*" "(src)(/.*)?" ];
+  cargoPackage = (fromTOML (readFile ../Cargo.toml)).package;
+in
+rustPlatform.buildRustPackage rec {
+  inherit (cargoPackage) version;
+
+  pname = cargoPackage.name;
+
+  inherit src;
+
+  cargoLock = {
+    lockFile = ../Cargo.lock;
+  };
+}