authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-06-06 21:34:09 +0200
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2025-06-06 21:34:09 +0200
commitc5f4fd12735673831ead5faca8d9ad410d77a938 (patch)
treebbdeb8c5e328740f4ff64a001e0ce9e33f450900 /nix/module.nix
parentfix(back::web::main): Pretty print error, on failed connection accept (diff)
downloadback-c5f4fd12735673831ead5faca8d9ad410d77a938.zip
feat(flake): Export the module and ensure that it works with a test
Diffstat (limited to 'nix/module.nix')
-rw-r--r--nix/module.nix41
1 files changed, 23 insertions, 18 deletions
diff --git a/nix/module.nix b/nix/module.nix
index eb1257c..82a6bd3 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -8,21 +8,34 @@
 #
 # You should have received a copy of the License along with this program.
 # If not, see <https://www.gnu.org/licenses/agpl.txt>.
-{
+{extraPackages}: {
   config,
   lib,
-  vhackPackages,
   pkgs,
   ...
 }: let
   cfg = config.vhack.back;
 in {
   options.vhack.back = {
-    enable = lib.mkEnableOption "Back issue tracker (inspired by TVL's panettone)";
+    enable = lib.mkEnableOption "Back";
 
-    domain = lib.mkOption {
+    package = lib.mkPackageOption extraPackages "back" {};
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      description = ''
+        The group to run back under.
+
+        This group needs read and write access to the git repositories.
+      '';
+    };
+    user = lib.mkOption {
       type = lib.types.str;
-      description = "The domain to host this `back` instance on.";
+      description = ''
+        The user to run back under.
+
+        This user needs read and write access to the git repositories.
+      '';
     };
 
     settings = {
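Review bot: The `domain` option is removed without a migration path, so any existing configuration that sets `vhack.back.domain` now fails evaluation with a bare "option does not exist" error rather than an explanation that the nginx virtual host is no longer managed here. Adding `imports = [ (lib.mkRemovedOptionModule ["vhack" "back" "domain"] "The reverse proxy is no longer managed by this module; configure it yourself and set `settings.root_url`.") ];` beside the options block turns that into a clear message. The new `user` and `group` options also carry no `default`, so they are mandatory; if the previously hard-coded `git` account is still the expected setup, `default = "git";` on both would keep existing deployments working, and otherwise their descriptions should state that the caller must create the account (whether the module does so elsewhere is outside this hunk).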
@@ -44,7 +57,6 @@ in {
       root_url = lib.mkOption {
         type = lib.types.str;
         description = "The url to this instance of back.";
-        default = "https://${cfg.domain}";
       };
     };
   };
@@ -57,19 +69,19 @@ in {
       wantedBy = ["default.target"];
 
       serviceConfig = {
-        ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
+        ExecStart = "${lib.getExe cfg.package} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
 
         # Ensure that the service can read the repository
         # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
         # repositories are readable for the git group. This should not be necessary. <2024-12-23>
-        User = "git";
-        Group = "git";
+        Group = cfg.group;
+        User = cfg.user;
 
-        DynamicUser = true;
         Restart = "always";
 
         # Sandboxing
         ProtectSystem = "strict";
+        ReadWritePaths = ["${cfg.settings.scan_path}"];
         ProtectHome = true;
         PrivateTmp = true;
         PrivateDevices = true;
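Review bot: The FIXME comment kept above `Group = cfg.group;` is now stale: the unit no longer hard-codes the `git` user and group, so the "readable for the git group" assumption has moved into the `user`/`group` option descriptions, and the comment should instead say that the configured account needs read and write access to `settings.scan_path`, which is exactly what the new `ReadWritePaths` entry opens up under `ProtectSystem = "strict"`. The `"${cfg.settings.scan_path}"` interpolation deserves a second look as well: if `scan_path` is declared with a Nix path type (its declaration is outside this hunk), interpolating a path value inside a string copies that directory into the Nix store at evaluation time, whereas `ReadWritePaths = [ (toString cfg.settings.scan_path) ];` keeps the literal path; if it is a `str`, the interpolation is merely redundant. Dropping `DynamicUser = true` also means the unit now depends on the configured account existing on the host, so a short comment stating who is responsible for creating it would prevent a surprising start-up failure.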
@@ -89,15 +101,8 @@ in {
         PrivateMounts = true;
         # System Call Filtering
         SystemCallArchitectures = "native";
-        SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
+        SystemCallFilter = [];
       };
     };
-
-    services.nginx.virtualHosts."${cfg.domain}" = {
-      locations."/".proxyPass = "http://127.0.0.1:8000";
-
-      enableACME = true;
-      forceSSL = true;
-    };
   };
 }
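Review bot: `SystemCallFilter = [];` removes the entire system-call filter, which is a hardening regression: the unit previously could not use the `@mount`, `@privileged` or `@setuid` groups, and it now runs under a static account (DynamicUser was dropped in the same commit) with no such restriction. If some call in the old deny list broke the service, the commit message does not say which; narrowing the list, or switching to the allow-list form `SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];`, keeps the sandbox while fixing the breakage. At minimum a comment next to the empty list should record why the filter was dropped, so a later reader does not take it for a deliberate configuration.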