-rw-r--r-- | flake.nix | 4 | ||||
-rw-r--r-- | module.nix | 148 |
2 files changed, 151 insertions, 1 deletions
@@ -13,7 +13,9 @@ in mapAttrs (k: _: mapAttrs (s: _: parts.${s}.${k} or {}) systems) keys;
 in
- combine (pkgs: rec {
+ {
+ nixosModule = import ./module.nix self;
+ } // combine (pkgs: rec {
 packages = rec {
 minor-skulk = pkgs.callPackage ./default.nix {};
 default = minor-skulk;
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..8930a0b
--- /dev/null
+++ b/module.nix
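Review bot: `nixosModule` on the added line is the legacy singular flake output; current `nix flake check` reports that name as deprecated in favour of `nixosModules.default`, so consumers following the newer convention will not find the module. Exporting both keeps existing users working: `nixosModules.default = import ./module.nix self;` next to `nixosModule = import ./module.nix self;`. The `combine` function the merged set is joined onto is defined outside the hunk.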
@@ -0,0 +1,148 @@
+self:
+
+{ config, lib, pkgs, ... }:
+
+let
+ format = pkgs.formats.toml {};
+ cfg = config.services.minorskulk;
+
+ config_file = format.generate "Rocket.toml" {
+ default = {
+ ident = "minor skulk";
+ limits.string = "32KiB";
+ limits.bytes = "128KiB";
+ }
+ // cfg.settings
+ // {
+ vapid_key = "vapid.key";
+ };
+ };
+
+ pkg = self.packages.${config.nixpkgs.system}.default;
+in
+{
+ options.services.minorskulk = with lib; {
+ enable = mkEnableOption "the minor-skulk firefox accounts server";
+
+ settings = mkOption {
+ type = types.submodule {
+ freeformType = format.type;
+
+ options = {
+ database_url = mkOption {
+ type = types.str;
+ default = "postgres:///minorskulk";
+ description = ''
+ Database to use for storage. Only postgres is supported at this time.
+ '';
+ };
+
+ location = mkOption {
+ type = types.str;
+ example = "https://minorskulk.my.domain";
+ description = ''
+ Web location of the API endpoints.
+ '';
+ };
+
+ token_server_location = mkOption {
+ type = types.str;
+ example = "https://syncstorage.my.domain";
+ description = ''
+ Web location of the syncstorage token server.
+ '';
+ };
+
+ vapid_subject = mkOption {
+ type = types.str;
+ example = "minorskulk@my.domain";
+ description = ''
+ VAPID subject added to push messages sent over mozilla push services.
+ '';
+ };
+
+ vapid_key = mkOption {
+ type = types.path;
+ example = "/etc/secrets/minorskulk-vapid-key";
+ description = ''
+ VAPID key used to sign push messages sent over mozilla push services.
+ '';
+ };
+
+ mail_from = mkOption {
+ type = types.str;
+ example = "minorskulk@my.domain";
+ description = ''
+ Sender address for generated emails. 
+ '';
+ };
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "minorskulk" ];
+ ensureUsers = [ {
+ name = "minorskulk";
+ ensurePermissions = {
+ "DATABASE minorskulk" = "ALL PRIVILEGES";
+ };
+ } ];
+ };
+
+ systemd.services.minorskulk = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+
+ path = [ pkg ];
+ script = ''
+ umask 0077
+ cd "$RUNTIME_DIRECTORY"
+ cp ${config_file} Rocket.toml
+ cp "$CREDENTIALS_DIRECTORY/vapid" vapid.key
+ exec minorskulk
+ '';
+
+ serviceConfig = {
+ User = "minorskulk";
+ Group = "minorskulk";
+ LoadCredential = "vapid:${cfg.settings.vapid_key}";
+
+ RuntimeDirectory = "minorskulk";
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~ @resources @privileged"
+ ];
+ UMask = "0077";
+ };
+ };
+ };
+} |
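Review bot: `config_file` (the `format.generate "Rocket.toml"` binding near the top of the new file) merges the entire freeform `cfg.settings` set into a file in the Nix store, which is world-readable on the host, so any credential a user places in `settings` (a password inside `database_url`, SMTP secrets alongside `mail_from`) becomes readable by every local account; only `vapid_key` is kept out of the store, through `LoadCredential`. The `settings` option has no description at all, and it should carry this caveat, e.g. `Values are written to a world-readable file in the Nix store; do not put secrets here, pass them via systemd credentials instead.` Relatedly, `vapid_key` is declared as `types.path`, so a path literal such as `./vapid.key` would itself be copied into the store before `LoadCredential` ever reads it; the string form shown in `example` is the safe one, and either `types.str` or a sentence in that option's description would make this explicit. With peer authentication on the default `postgres:///minorskulk` URL no password is involved, so the default configuration is unaffected.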