nixos module

2026-06-03 18:04:09 +02:00 · 2022-07-17 14:08:41 +02:00 · 2022-07-17 14:08:41 +02:00 · 21e8b90d8f
commit 21e8b90d8f
parent 92b11efae9
1 changed files with 99 additions and 14 deletions
--- a/flake.nix
+++ b/flake.nix
@ -4,13 +4,17 @@
    naersk.url = "github:nix-community/naersk";
  };

-  outputs = { self, nixpkgs, flake-utils, naersk }:
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+    naersk,
+  }:
    flake-utils.lib.eachDefaultSystem (
      system: let
        pkgs = nixpkgs.legacyPackages."${system}";
        naersk-lib = naersk.lib."${system}";
-      in
-        rec {
+      in rec {
        # `nix build`
        packages.rss-webhook-trigger = naersk-lib.buildPackage {
          pname = "rss-webhook-trigger";
@ -21,8 +25,89 @@

        # `nix develop`
        devShell = pkgs.mkShell {
-            nativeBuildInputs = with pkgs; [ rustc cargo bacon cargo-edit cargo-outdated ];
+          nativeBuildInputs = with pkgs; [rustc cargo bacon cargo-edit cargo-outdated];
        };
      }
-    );
+    )
+    // {
+      nixosModule = {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+        with lib; let
+          cfg = config.services.rss-webhook-trigger;
+          format = pkgs.formats.toml {};
+          configFile = format.generate "trigger.toml" {
+            feed = cfg.hooks;
+          };
+        in {
+          options.services.rss-webhook-trigger = {
+            enable = mkEnableOption "Enables the rss-webhook-trigger service";
+
+            hooks = mkOption rec {
+              description = "Hook configuration";
+              type = types.listOf (types.submodule {
+                options = {
+                  feed = mkOption {
+                    type = types.str;
+                    description = "Source feed";
+                  };
+                  hook = mkOption {
+                    type = types.str;
+                    description = "hook url";
+                  };
+                  headers = mkOption {
+                    type = types.attrs;
+                    default = {};
+                    description = "headers to send";
+                  };
+                  body = mkOption {
+                    type = types.attrs;
+                    default = {};
+                    description = "body to send";
+                  };
+                };
+              });
+            };
+          };
+
+          config = mkIf cfg.enable {
+            systemd.services."rss-webhook-trigger" = let
+              pkg = self.defaultPackage.${pkgs.system};
+            in {
+              wantedBy = ["multi-user.target"];
+              script = "${pkg}/bin/rss-webhook-trigger ${configFile}";
+
+              serviceConfig = {
+                Restart = "on-failure";
+                DynamicUser = true;
+                PrivateTmp = true;
+                ProtectSystem = "full";
+                ProtectHome = true;
+                NoNewPrivileges = true;
+                PrivateDevices = true;
+                ProtectClock = true;
+                CapabilityBoundingSet = true;
+                ProtectKernelLogs = true;
+                ProtectControlGroups = true;
+                SystemCallArchitectures = "native";
+                ProtectKernelModules = true;
+                RestrictNamespaces = true;
+                MemoryDenyWriteExecute = true;
+                ProtectHostname = true;
+                LockPersonality = true;
+                ProtectKernelTunables = true;
+                RestrictAddressFamilies = "AF_INET AF_INET6";
+                RestrictRealtime = true;
+                ProtectProc = "noaccess";
+                PrivateUsers = true;
+                SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
+                IPAddressDeny = "localhost link-local multicast";
+              };
+            };
+          };
+        };
+    };
 }