Diffstat (limited to 'nix')
-rw-r--r-- | nix/module.nix | 102 | ||||
-rw-r--r-- | nix/package.nix | 38 |
2 files changed, 140 insertions, 0 deletions
diff --git a/nix/module.nix b/nix/module.nix
new file mode 100644
index 0000000..4a22467
--- /dev/null
+++ b/nix/module.nix
@@ -0,0 +1,102 @@
+# Back - An extremely simple git bug visualization system. Inspired by TVL's
+# panettone.
+#
+# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de>
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# This file is part of Back.
+#
+# You should have received a copy of the License along with this program.
+# If not, see <https://www.gnu.org/licenses/agpl.txt>.
+{
+ config,
+ lib,
+ vhackPackages,
+ pkgs,
+ ...
+}: let
+ cfg = config.vhack.back;
+in {
+ options.vhack.back = {
+ enable = lib.mkEnableOption "Back issue tracker (inspired by tvix's panettone)";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The domain to host this `back` instance on.";
+ };
+
+ settings = {
+ scan_path = lib.mkOption {
+ type = lib.types.path;
+ description = "The path to the directory under which all the repositories reside";
+ };
+ project_list = lib.mkOption {
+ type = lib.types.path;
+ description = "The path to the `projects.list` file.";
+ };
+
+ source_code_repository_url = lib.mkOption {
+ description = "The url to the source code of this instance of back";
+ default = "https://git.foss-syndicate.org/vhack.eu/nixos-server/tree/pkgs/by-name/ba/back";
+ type = lib.types.str;
+ };
+
+ root_url = lib.mkOption {
+ type = lib.types.str;
+ description = "The url to this instance of back.";
+ default = "https://${cfg.domain}";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services."back" = {
+ description = "Back issue tracking system.";
+ requires = ["network-online.target"];
+ after = ["network-online.target"];
+ wantedBy = ["default.target"];
+
+ serviceConfig = {
+ ExecStart = "${lib.getExe vhackPackages.back} ${(pkgs.formats.json {}).generate "config.json" cfg.settings}";
+
+ # Ensure that the service can read the repository
+ # FIXME(@bpeetz): This has the implied assumption, that all the exposed git
+ # repositories are readable for the git group. This should not be necessary. <2024-12-23>
+ User = "git";
+ Group = "git";
+
+ DynamicUser = true;
+ Restart = "always";
+
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
+ };
+ };
+ services.nginx.virtualHosts."${cfg.domain}" = {
+ locations."/".proxyPass = "http://127.0.0.1:8000";
+
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+}
diff --git a/nix/package.nix b/nix/package.nix
new file mode 100644
index 0000000..ef00195
--- /dev/null
+++ b/nix/package.nix
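Review bot: `DynamicUser = true` placed next to `User = "git"; Group = "git";` does not give the service a transient identity: per systemd.exec(5), when a statically allocated user of the configured name already exists it is used and no dynamic user is allocated, so on a host that already has a `git` account (which the FIXME above suggests is the case) the tracker runs with that account's full rights over every repository rather than the read access the comment asks for. If reading is all that is needed, keep `DynamicUser = true`, drop `User`/`Group`, grant the group with `SupplementaryGroups = ["git"];` and pin the exposure with `ReadOnlyPaths = [cfg.settings.scan_path cfg.settings.project_list];` so the unit cannot modify the repositories even if the process is compromised. The proxy target `http://127.0.0.1:8000` is hard-coded on the nginx side while nothing in the unit tells `back` which port to bind; a comment stating that 8000 is the binary's default, or a single `port` option threaded into both places, would make that coupling visible.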
@@ -0,0 +1,38 @@
+# Back - An extremely simple git bug visualization system. Inspired by TVL's
+# panettone.
+#
+# Copyright (C) 2024 Benedikt Peetz <benedikt.peetz@b-peetz.de>
+# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de>
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# This file is part of Back.
+#
+# You should have received a copy of the License along with this program.
+# If not, see <https://www.gnu.org/licenses/agpl.txt>.
+{
+ rustPlatform,
+ lib,
+}:
+rustPlatform.buildRustPackage {
+ pname = "back";
+ version = "1.0.0";
+
+ src = lib.cleanSourceWith {
+ src = lib.cleanSource ./.;
+ filter = name: type:
+ (type == "directory")
+ || (builtins.elem (builtins.baseNameOf name) ["Cargo.toml" "Cargo.lock" "style.css"])
+ || (lib.strings.hasSuffix ".rs" (builtins.baseNameOf name))
+ || (lib.strings.hasSuffix ".html" (builtins.baseNameOf name));
+ };
+
+ doCheck = true;
+
+ cargoLock = {
+ lockFile = ./Cargo.lock;
+ };
+
+ meta = {
+ mainProgram = "back";
+ };
+}
|
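Review bot: The relative paths in `src = lib.cleanSource ./.;` and `lockFile = ./Cargo.lock;` resolve against the directory holding this file, which is now `nix/`, so unless `nix/` itself contains `Cargo.lock` and the crate sources the build will read the wrong tree; if the crate lives at the repository root these should read `src = lib.cleanSource ../.;` and `lockFile = ../Cargo.lock;`. The filter's `(type == "directory")` clause admits every directory, so a stray `target/` beside the sources is traversed and any `.rs` or `.html` beneath it becomes part of the build input; excluding it by name keeps the input reproducible. `version = "1.0.0"` duplicates what Cargo.toml already states and will drift; `(lib.importTOML ./Cargo.toml).package.version` (with the same relative path as the lock file) keeps the two in sync. `meta` lacks `license` and `description` although the header declares AGPL-3.0-or-later; `meta.license = lib.licenses.agpl3Plus;` matches the SPDX tag.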