refactor: reorganize docs and aux files

2025-07-03 21:05:33 +00:00 · 2024-09-10 03:59:31 -04:00 · 2024-09-10 03:59:31 -04:00 · 7160e5adbd
commit 7160e5adbd
parent 0ac841e6fa
9 changed files with 4 additions and 4 deletions
--- a/contrib/blahd.example.service
+++ b/contrib/blahd.example.service
@ -0,0 +1,46 @@
+[Unit]
+Description=Blah Chat Server
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/blahd serve --config ${CONFIGURATION_DIRECTORY}/blahd.toml
+ConfigurationDirectory=blahd
+StateDirectory=blahd
+Restart=always
+RestartSec=10s
+
+# Permission and capabilities
+
+DynamicUser=yes
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# 0640 / 0750
+UMask=0027
+
+# Sandboxing
+# Mostly copied from: https://github.com/NixOS/nixpkgs/blob/6414ef7ca3bf18ec4f9628d09ccc1eb030276ee2/nixos/modules/services/web-servers/nginx/default.nix#L1246
+
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectProc=invisible
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
--- a/contrib/module.nix
+++ b/contrib/module.nix
@ -0,0 +1,98 @@
+{ self }:
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    literalMD
+    mdDoc
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
+
+  cfg = config.services.blahd;
+
+  toml = pkgs.formats.toml { };
+  mkConfigFile =
+    name: config:
+    (toml.generate name config).overrideAttrs (old: {
+      buildCommand =
+        old.buildCommand
+        + ''
+          ${lib.getBin cfg.package}/bin/blahd validate --config $out
+        '';
+    });
+
+  settingsType = types.submodule {
+    freeformType = toml.type;
+
+    # TODO: Auto-generate these options? Now only required options are documented.
+    options = {
+      database.path = mkOption {
+        type = types.path;
+        default = "/var/lib/blahd/db.sqlite";
+      };
+
+      server.listen = mkOption {
+        type = types.str;
+        example = "localhost:8080";
+      };
+
+      server.base_url = mkOption {
+        type = types.str;
+        example = "http://localhost:8080";
+      };
+    };
+  };
+
+in
+{
+  options.services.blahd = {
+    enable = mkEnableOption "Blah Chat Server";
+
+    package = mkOption {
+      description = mdDoc "The blahd package to use.";
+      type = types.package;
+      default = self.packages.${pkgs.system}.blahd;
+      defaultText = literalMD "blahd package from its flake output";
+    };
+
+    settings = mkOption {
+      description = ''
+        blahd configuration.
+        Will be ignored if `settingsFile` is non-null.
+      '';
+      type = settingsType;
+    };
+
+    settingsFile = mkOption {
+      description = ''
+        blahd configuration file path.
+        If non-null, this will be used and `settings` will be ignored.
+      '';
+      type = types.nullOr types.path;
+      defaultText = literalMD "generated from `settings`";
+      default = mkConfigFile "blahd.toml" cfg.settings;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.packages = [ cfg.package ];
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services."blahd" = {
+      overrideStrategy = "asDropin";
+
+      wantedBy = [ "multi-user.target" ];
+      restartIfChanged = false;
+      stopIfChanged = false;
+    };
+
+    environment.etc."blahd/blahd.toml".source = cfg.settingsFile;
+  };
+}