authorpennae <github@quasiparticle.net>2022-07-18 20:21:30 +0200
committerpennae <github@quasiparticle.net>2022-07-19 00:01:29 +0200
commit5a8888a1cbe3d9ffab0497ea10ad84def60d8827 (patch)
tree9ec2f21caac78fe2bfe16d01ff3a7e0ffd53329c
parenta89158377f829720a98342cf434a18b962006ee7 (diff)
add module
-rw-r--r--flake.nix4
-rw-r--r--module.nix148
2 files changed, 151 insertions, 1 deletions
diff --git a/flake.nix b/flake.nix
index 8276544..1d05cc3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,7 +13,9 @@
in
mapAttrs (k: _: mapAttrs (s: _: parts.${s}.${k} or {}) systems) keys;
in
- combine (pkgs: rec {
+ {
+ nixosModule = import ./module.nix self;
+ } // combine (pkgs: rec {
packages = rec {
minor-skulk = pkgs.callPackage ./default.nix {};
default = minor-skulk;
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..8930a0b
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,148 @@
+self:
+
+{ config, lib, pkgs, ... }:
+
+let
+ format = pkgs.formats.toml {};
+ cfg = config.services.minorskulk;
+
+ config_file = format.generate "Rocket.toml" {
+ default = {
+ ident = "minor skulk";
+ limits.string = "32KiB";
+ limits.bytes = "128KiB";
+ }
+ // cfg.settings
+ // {
+ vapid_key = "vapid.key";
+ };
+ };
+
+ pkg = self.packages.${config.nixpkgs.system}.default;
+in
+{
+ options.services.minorskulk = with lib; {
+ enable = mkEnableOption "the minor-skulk firefox accounts server";
+
+ settings = mkOption {
+ type = types.submodule {
+ freeformType = format.type;
+
+ options = {
+ database_url = mkOption {
+ type = types.str;
+ default = "postgres:///minorskulk";
+ description = ''
+ Database to use for storage. Only postgres is supported at this time.
+ '';
+ };
+
+ location = mkOption {
+ type = types.str;
+ example = "https://minorskulk.my.domain";
+ description = ''
+ Web location of the API endpoints.
+ '';
+ };
+
+ token_server_location = mkOption {
+ type = types.str;
+ example = "https://syncstorage.my.domain";
+ description = ''
+ Web location of the syncstorage token server.
+ '';
+ };
+
+ vapid_subject = mkOption {
+ type = types.str;
+ example = "minorskulk@my.domain";
+ description = ''
+ VAPID subject added to push messages sent over mozilla push services.
+ '';
+ };
+
+ vapid_key = mkOption {
+ type = types.path;
+ example = "/etc/secrets/minorskulk-vapid-key";
+ description = ''
+ VAPID key used to sign push messages sent over mozilla push services.
+ '';
+ };
+
+ mail_from = mkOption {
+ type = types.str;
+ example = "minorskulk@my.domain";
+ description = ''
+ Sender address for generated emails.
+ '';
+ };
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "minorskulk" ];
+ ensureUsers = [ {
+ name = "minorskulk";
+ ensurePermissions = {
+ "DATABASE minorskulk" = "ALL PRIVILEGES";
+ };
+ } ];
+ };
+
+ systemd.services.minorskulk = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+
+ path = [ pkg ];
+ script = ''
+ umask 0077
+ cd "$RUNTIME_DIRECTORY"
+ cp ${config_file} Rocket.toml
+ cp "$CREDENTIALS_DIRECTORY/vapid" vapid.key
+ exec minorskulk
+ '';
+
+ serviceConfig = {
+ User = "minorskulk";
+ Group = "minorskulk";
+ LoadCredential = "vapid:${cfg.settings.vapid_key}";
+
+ RuntimeDirectory = "minorskulk";
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~ @resources @privileged"
+ ];
+ UMask = "0077";
+ };
+ };
+ };
+}
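Review bot: The `settings` submodule is freeform and is rendered verbatim into `Rocket.toml` through `format.generate`, which lands in the world-readable Nix store, so nothing in the option text tells an administrator that values such as a `database_url` carrying a password would be exposed to every local user. I would add to the `settings` option a description along the lines of `This attribute set is written to the Nix store; do not place passwords or other secrets here. The VAPID key is handled separately via vapid_key.` The `vapid_key` option is correctly delivered through `LoadCredential`, but `types.path` also accepts a store path, so its description should add `Must not point into the Nix store.` The script then copies the credential into `$RUNTIME_DIRECTORY` under `umask 0077`; presumably that is fine because the directory is owned by the service user, but referencing the credential in place would avoid a second copy of the key on disk — worth confirming against how minorskulk resolves `vapid_key`.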