author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-06-06 21:34:09 +0200 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2025-06-06 21:34:09 +0200 |
commit | c5f4fd12735673831ead5faca8d9ad410d77a938 (patch) | |
tree | bbdeb8c5e328740f4ff64a001e0ce9e33f450900 /nix | |
parent | fix(back::web::main): Pretty print error, on failed connection accept (diff) | |
download | back-c5f4fd12735673831ead5faca8d9ad410d77a938.zip |
feat(flake): Export the module and ensure that it works with a test
Diffstat (limited to 'nix')
-rw-r--r-- | nix/module.nix | 41 | ||||
-rw-r--r-- | nix/package.nix | 1 |
2 files changed, 24 insertions, 18 deletions
diff --git a/nix/module.nix b/nix/module.nix index eb1257c..82a6bd3 100644 --- a/nix/module.nix +++ b/nix/module.nix @@ -8,21 +8,34 @@ # # You should have received a copy of the License along with this program. # If not, see <https://www.gnu.org/licenses/agpl.txt>. -{ +{extraPackages}: { config, lib, - vhackPackages, pkgs, ... }: let cfg = config.vhack.back; in { options.vhack.back = { - enable = lib.mkEnableOption "Back issue tracker (inspired by TVL's panettone)"; + enable = lib.mkEnableOption "Back"; - domain = lib.mkOption { + package = lib.mkPackageOption extraPackages "back" {}; + + group = lib.mkOption { + type = lib.types.str; + description = '' + The group to run back under. + + This group needs read and write access to the git repositories. + ''; + }; + user = lib.mkOption { type = lib.types.str; - description = "The domain to host this `back` instance on."; + description = '' + The user to run back under. + + This user needs read and write access to the git repositories. + ''; }; settings = { @@ -44,7 +57,6 @@ in { root_url = lib.mkOption { type = lib.types.str; description = "The url to this instance of back."; - default = "https://${cfg.domain}"; }; }; }; @@ -57,19 +69,19 @@ in { wantedBy = ["default.target"]; serviceConfig = { - ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}"; + ExecStart = "${lib.getExe cfg.package} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}"; # Ensure that the service can read the repository # FIXME(@bpeetz): This has the implied assumption, that all the exposed git # repositories are readable for the git group. This should not be necessary. <2024-12-23> - User = "git"; - Group = "git"; + Group = cfg.group; + User = cfg.user; - DynamicUser = true; Restart = "always"; # Sandboxing ProtectSystem = "strict"; + ReadWritePaths = ["${cfg.settings.scan_path}"]; ProtectHome = true; PrivateTmp = true; PrivateDevices = true; 
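Review bot: The new `user` and `group` options in the first hunk have no default and nothing in this diff declares the account they name, so once the unit no longer runs under `DynamicUser` (dropped in a later hunk of this file) it will fail to start unless the operator defines that user and group elsewhere. Since the intended value is presumably an existing account such as the `git` user the old code hard-coded, the cheaper fix is to state the requirement in both descriptions, e.g. `This user must already exist; the module does not create it.`; the alternative is to create it under `cfg.enable` with `users.users.${cfg.user} = { isSystemUser = true; group = cfg.group; }; users.groups.${cfg.group} = {};`. The `options.vhack.back` attribute set continues past the end of the hunk, so the remaining options were not reviewed here.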
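Review bot: Dropping `DynamicUser = true` in the `serviceConfig` hunk silently loses the hardening it implied — `NoNewPrivileges`, `RestrictSUIDSGID` and `RemoveIPC` are no longer in effect unless they are set in the context lines this diff does not show (old lines 76–88). Add them explicitly beside the remaining sandboxing options: `NoNewPrivileges = true;`, `RestrictSUIDSGID = true;`, `RemoveIPC = true;`. The new `ReadWritePaths = ["${cfg.settings.scan_path}"]` also opens the whole scan path for writing through `ProtectSystem = "strict"`, while the comment above the `User`/`Group` lines still says the service only needs to read the repository and its FIXME still refers to the git group this hunk just removed; rewrite it as `# back needs read/write access to the scanned repositories (see the user/group options); everything else stays read-only via ProtectSystem = "strict".` If read access is all that is required, `ReadOnlyPaths` would be the tighter choice, but that cannot be told from this diff.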
@@ -89,15 +101,8 @@ in { PrivateMounts = true; # System Call Filtering SystemCallArchitectures = "native"; - SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"]; + SystemCallFilter = []; }; }; - - services.nginx.virtualHosts."${cfg.domain}" = { - locations."/".proxyPass = "http://127.0.0.1:8000"; - - enableACME = true; - forceSSL = true; - }; }; } diff --git a/nix/package.nix b/nix/package.nix index b974ea2..bbcf981 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -33,5 +33,6 @@ rustPlatform.buildRustPackage { meta = { mainProgram = "back"; + description = "An extremely simple git bug visualization system. Inspired by TVL's panettone"; }; } |
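Review bot: `SystemCallFilter = []` in the `serviceConfig` hunk does not keep a filter, it removes one: an empty list emits no `SystemCallFilter=` directive, so the service regains every system call, including the `@mount`, `@privileged` and `@setuid` groups the old deny-list blocked. If the old list broke the service under the new test, narrow it rather than delete it, e.g. `SystemCallFilter = ["@system-service" "~@privileged @resources"];`, and record in a comment which call group was actually needed. Deleting the `services.nginx.virtualHosts` block also removes the only TLS termination this module configured, and the address `back` listens on is not visible here; the `root_url` option, which no longer has a default, should say that the operator is expected to place their own reverse proxy in front of the service.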