add module

author: pennae <github@quasiparticle.net> 2022-07-18 20:21:30 +0200
committer: pennae <github@quasiparticle.net> 2022-07-19 00:01:29 +0200
commit: 5a8888a1cbe3d9ffab0497ea10ad84def60d8827 (patch)
tree: 9ec2f21caac78fe2bfe16d01ff3a7e0ffd53329c
parent: a89158377f829720a98342cf434a18b962006ee7 (diff)
download: minor-skulk-5a8888a1cbe3d9ffab0497ea10ad84def60d8827.tar.gz
minor-skulk-5a8888a1cbe3d9ffab0497ea10ad84def60d8827.tar.xz
minor-skulk-5a8888a1cbe3d9ffab0497ea10ad84def60d8827.zip
2 files changed, 151 insertions, 1 deletions
diff --git a/flake.nix b/flake.nix
index 8276544..1d05cc3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,7 +13,9 @@
         in
           mapAttrs (k: _: mapAttrs (s: _: parts.${s}.${k} or {}) systems) keys;
     in
-      combine (pkgs: rec {
+      {
+        nixosModule = import ./module.nix self;
+      } // combine (pkgs: rec {
         packages = rec {
           minor-skulk = pkgs.callPackage ./default.nix {};
           default = minor-skulk;
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..8930a0b
--- /dev/null
+++ b/module.nix
@@ -0,0 +1,148 @@
+self:
+
+{ config, lib, pkgs, ... }:
+
+let
+  format = pkgs.formats.toml {};
+  cfg = config.services.minorskulk;
+
+  config_file = format.generate "Rocket.toml" {
+    default = {
+      ident = "minor skulk";
+      limits.string = "32KiB";
+      limits.bytes = "128KiB";
+    }
+    // cfg.settings
+    // {
+      vapid_key = "vapid.key";
+    };
+  };
+
+  pkg = self.packages.${config.nixpkgs.system}.default;
+in
+{
+  options.services.minorskulk = with lib; {
+    enable = mkEnableOption "the minor-skulk firefox accounts server";
+
+    settings = mkOption {
+      type = types.submodule {
+        freeformType = format.type;
+
+        options = {
+          database_url = mkOption {
+            type = types.str;
+            default = "postgres:///minorskulk";
+            description = ''
+              Database to use for storage. Only postgres is supported at this time.
+            '';
+          };
+
+          location = mkOption {
+            type = types.str;
+            example = "https://minorskulk.my.domain";
+            description = ''
+              Web location of the API endpoints.
+            '';
+          };
+
+          token_server_location = mkOption {
+            type = types.str;
+            example = "https://syncstorage.my.domain";
+            description = ''
+              Web location of the syncstorage token server.
+            '';
+          };
+
+          vapid_subject = mkOption {
+            type = types.str;
+            example = "minorskulk@my.domain";
+            description = ''
+              VAPID subject added to push messages sent over mozilla push services.
+            '';
+          };
+
+          vapid_key = mkOption {
+            type = types.path;
+            example = "/etc/secrets/minorskulk-vapid-key";
+            description = ''
+              VAPID key used to sign push messages sent over mozilla push services.
+            '';
+          };
+
+          mail_from = mkOption {
+            type = types.str;
+            example = "minorskulk@my.domain";
+            description = ''
+              Sender address for generated emails.
+            '';
+          };
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "minorskulk" ];
+      ensureUsers = [ {
+        name = "minorskulk";
+        ensurePermissions = {
+          "DATABASE minorskulk" = "ALL PRIVILEGES";
+        };
+      } ];
+    };
+
+    systemd.services.minorskulk = {
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "postgresql.service" ];
+      after = [ "postgresql.service" ];
+
+      path = [ pkg ];
+      script = ''
+        umask 0077
+        cd "$RUNTIME_DIRECTORY"
+        cp ${config_file} Rocket.toml
+        cp "$CREDENTIALS_DIRECTORY/vapid" vapid.key
+        exec minorskulk
+      '';
+
+      serviceConfig = {
+        User = "minorskulk";
+        Group = "minorskulk";
+        LoadCredential = "vapid:${cfg.settings.vapid_key}";
+
+        RuntimeDirectory = "minorskulk";
+        AmbientCapabilities = [ "" ];
+        CapabilityBoundingSet = [ "" ];
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = true;
+        RemoveIPC = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~ @resources @privileged"
+        ];
+        UMask = "0077";
+      };
+    };
+  };
+}
author	pennae <github@quasiparticle.net>	2022-07-18 20:21:30 +0200
committer	pennae <github@quasiparticle.net>	2022-07-19 00:01:29 +0200
commit	5a8888a1cbe3d9ffab0497ea10ad84def60d8827 (patch)
tree	9ec2f21caac78fe2bfe16d01ff3a7e0ffd53329c
parent	a89158377f829720a98342cf434a18b962006ee7 (diff)
download	minor-skulk-5a8888a1cbe3d9ffab0497ea10ad84def60d8827.tar.gz minor-skulk-5a8888a1cbe3d9ffab0497ea10ad84def60d8827.tar.xz minor-skulk-5a8888a1cbe3d9ffab0497ea10ad84def60d8827.zip