flake reorg

2026-06-03 09:54:18 +02:00 · 2024-12-14 19:26:31 +01:00 · 2024-12-14 19:26:31 +01:00 · 9b6e80d522
commit 9b6e80d522
parent 8ace94b418
11 changed files with 125 additions and 231 deletions
--- a/nix/module.nix
+++ b/nix/module.nix
@ -0,0 +1,91 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+with lib; let
+  cfg = config.services.rss-webhook-trigger;
+  format = pkgs.formats.toml { };
+  configFile = format.generate "trigger.toml" {
+    feed = cfg.hooks;
+  };
+in
+{
+  options.services.rss-webhook-trigger = {
+    enable = mkEnableOption "Enables the rss-webhook-trigger service";
+
+    hooks = mkOption rec {
+      description = "Hook configuration";
+      type = types.listOf (types.submodule {
+        options = {
+          feed = mkOption {
+            type = types.str;
+            description = "Source feed";
+          };
+          hook = mkOption {
+            type = types.str;
+            description = "hook url";
+          };
+          headers = mkOption {
+            type = types.attrs;
+            default = { };
+            description = "headers to send";
+          };
+          body = mkOption {
+            type = types.attrs;
+            default = { };
+            description = "body to send";
+          };
+        };
+      });
+    };
+
+    log = mkOption {
+      type = types.str;
+      default = "INFO";
+      description = "Log level";
+    };
+
+    package = mkOption {
+      type = types.package;
+      description = "package to use";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services."rss-webhook-trigger" = {
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        RUST_LOG = cfg.log;
+      };
+
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/rss-webhook-trigger ${configFile}";
+        Restart = "on-failure";
+        DynamicUser = true;
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        CapabilityBoundingSet = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        SystemCallArchitectures = "native";
+        ProtectKernelModules = true;
+        RestrictNamespaces = true;
+        MemoryDenyWriteExecute = true;
+        ProtectHostname = true;
+        LockPersonality = true;
+        ProtectKernelTunables = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6";
+        RestrictRealtime = true;
+        ProtectProc = "noaccess";
+        SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+        IPAddressDeny = "localhost link-local multicast";
+      };
+    };
+  };
+}
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@ -0,0 +1,3 @@
+final: prev: {
+  rss-webhook-trigger = final.callPackage ./package.nix { };
+}
--- a/nix/package.nix
+++ b/nix/package.nix
@ -0,0 +1,19 @@
+{ rustPlatform
+, lib
+}:
+let
+  inherit (lib.sources) sourceByRegex;
+  inherit (builtins) fromTOML readFile;
+  src = sourceByRegex ../. [ "Cargo.*" "(src)(/.*)?" ];
+  cargoPackage = (fromTOML (readFile ../Cargo.toml)).package;
+in
+rustPlatform.buildRustPackage rec {
+  inherit (cargoPackage) version;
+  pname = cargoPackage.name;
+
+  inherit src;
+
+  cargoLock = {
+    lockFile = ../Cargo.lock;
+  };
+}