nixos module

This commit is contained in:
Robin Appelman 2022-07-17 14:08:41 +02:00
commit 21e8b90d8f

115
flake.nix

@ -4,25 +4,110 @@
naersk.url = "github:nix-community/naersk"; naersk.url = "github:nix-community/naersk";
}; };
outputs = { self, nixpkgs, flake-utils, naersk }: outputs = {
self,
nixpkgs,
flake-utils,
naersk,
}:
flake-utils.lib.eachDefaultSystem ( flake-utils.lib.eachDefaultSystem (
system: let system: let
pkgs = nixpkgs.legacyPackages."${system}"; pkgs = nixpkgs.legacyPackages."${system}";
naersk-lib = naersk.lib."${system}"; naersk-lib = naersk.lib."${system}";
in in rec {
rec { # `nix build`
# `nix build` packages.rss-webhook-trigger = naersk-lib.buildPackage {
packages.rss-webhook-trigger = naersk-lib.buildPackage { pname = "rss-webhook-trigger";
pname = "rss-webhook-trigger"; root = ./.;
root = ./.; };
}; defaultPackage = packages.rss-webhook-trigger;
defaultPackage = packages.rss-webhook-trigger; defaultApp = packages.rss-webhook-trigger;
defaultApp = packages.rss-webhook-trigger;
# `nix develop` # `nix develop`
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo bacon cargo-edit cargo-outdated ]; nativeBuildInputs = with pkgs; [rustc cargo bacon cargo-edit cargo-outdated];
};
}
)
// {
nixosModule = {
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.rss-webhook-trigger;
format = pkgs.formats.toml {};
configFile = format.generate "trigger.toml" {
feed = cfg.hooks;
}; };
} in {
); options.services.rss-webhook-trigger = {
enable = mkEnableOption "Enables the rss-webhook-trigger service";
hooks = mkOption rec {
description = "Hook configuration";
type = types.listOf (types.submodule {
options = {
feed = mkOption {
type = types.str;
description = "Source feed";
};
hook = mkOption {
type = types.str;
description = "hook url";
};
headers = mkOption {
type = types.attrs;
default = {};
description = "headers to send";
};
body = mkOption {
type = types.attrs;
default = {};
description = "body to send";
};
};
});
};
};
config = mkIf cfg.enable {
systemd.services."rss-webhook-trigger" = let
pkg = self.defaultPackage.${pkgs.system};
in {
wantedBy = ["multi-user.target"];
script = "${pkg}/bin/rss-webhook-trigger ${configFile}";
serviceConfig = {
Restart = "on-failure";
DynamicUser = true;
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
CapabilityBoundingSet = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
SystemCallArchitectures = "native";
ProtectKernelModules = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictRealtime = true;
ProtectProc = "noaccess";
PrivateUsers = true;
SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
IPAddressDeny = "localhost link-local multicast";
};
};
};
};
};
} }
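Review bot: The `hooks` option values — including `headers`, which is where a webhook's authentication token would typically go — are rendered by `format.generate "trigger.toml"` into the Nix store, which is world-readable on the host, so anything secret placed in `headers` or `hook` is exposed to every local user. The option descriptions should say so, e.g. `description = "headers to send (written to the world-readable Nix store; do not put secrets here)";`, or the module should gain a secrets-file/`LoadCredential` path for such values. Separately, `CapabilityBoundingSet = true;` is not a valid value for that directive, which takes a capability list; the documented way to drop every capability is the empty string, `CapabilityBoundingSet = "";`, and as written systemd most likely just emits a parse warning. The hardening set is otherwise thorough; `mkOption rec { ... }` does not need `rec`, since nothing inside references a sibling attribute. The enclosing `outputs` attribute set starts before the hunk.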