flake reorg + updates

2026-06-03 20:14:08 +02:00 · 2024-12-01 17:29:24 +01:00 · 2024-12-01 17:29:24 +01:00 · bde8457b34
commit bde8457b34
parent 62859c260c
12 changed files with 483 additions and 630 deletions
--- a/nix/module.nix
+++ b/nix/module.nix
@ -0,0 +1,82 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+with lib; let
+  cfg = config.services.shelve;
+in
+{
+  options.services.shelve = {
+    enable = mkEnableOption "Enables the shelve service";
+
+    port = mkOption rec {
+      type = types.int;
+      example = 8080;
+      description = "The port to listen on";
+    };
+
+    bindAddress = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      description = "Address to listen on";
+    };
+
+    tokens = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = [ "foo" "bar" ];
+      description = "upload tokens";
+    };
+
+    basedir = mkOption {
+      type = types.str;
+      description = "data base directory";
+    };
+
+    package = mkOption {
+      type = types.package;
+      defaultText = literalExpression "pkgs.shelve";
+      description = "package to use";
+    };
+
+    openPort = mkOption {
+      type = types.bool;
+      default = false;
+      example = true;
+      description = "open port";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.optional cfg.openPort cfg.port;
+
+    users.groups.shelve = { };
+    users.users.shelve = {
+      isSystemUser = true;
+      group = "shelve";
+    };
+
+    systemd.services.shelve = {
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        ROCKET_PORT = toString cfg.port;
+        ROCKET_ADDRESS = cfg.bindAddress;
+        BASEDIR = cfg.basedir;
+        TOKENS = concatStringsSep "," cfg.tokens;
+      };
+      script = "${cfg.package}/bin/shelve";
+
+      serviceConfig = {
+        Restart = "on-failure";
+        User = "shelve";
+        PrivateTmp = true;
+        ProtectSystem = "full";
+        ProtectHome = true;
+        NoNewPrivileges = true;
+        ReadWritePaths = cfg.basedir;
+        NoExecPaths = cfg.basedir;
+      };
+    };
+  };
+}
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@ -0,0 +1,3 @@
+final: prev: {
+  shelve = final.callPackage ./package.nix { };
+}
--- a/nix/package.nix
+++ b/nix/package.nix
@ -0,0 +1,21 @@
+{ stdenv
+, rustPlatform
+, lib
+,
+}:
+let
+  inherit (lib.sources) sourceByRegex;
+  inherit (builtins) fromTOML readFile;
+  src = sourceByRegex ../. [ "Cargo.*" "(src|templates)(/.*)?" ];
+  cargoPackage = (fromTOML (readFile ../Cargo.toml)).package;
+in
+rustPlatform.buildRustPackage rec {
+  pname = cargoPackage.name;
+  inherit (cargoPackage) version;
+
+  inherit src;
+
+  cargoLock = {
+    lockFile = ../Cargo.lock;
+  };
+}