+46

default.nix

reviewed

··· 1 1 + { lib, buildGoModule, tailwindcss }: 2 2 + 3 3 + buildGoModule rec { 4 4 + pname = "arabica"; 5 5 + version = "0.1.0"; 6 6 + src = ./.; 7 7 + vendorHash = "sha256-4Z6KAxox3EY9RGtFKUcqxtB/kj3Ed+o+ggPwtLSPctU="; 8 8 + 9 9 + nativeBuildInputs = [ tailwindcss ]; 10 10 + 11 11 + preBuild = '' 12 12 + tailwindcss -i web/static/css/style.css -o web/static/css/output.css --minify 13 13 + ''; 14 14 + 15 15 + buildPhase = '' 16 16 + runHook preBuild 17 17 + go build -o arabica cmd/server/main.go 18 18 + runHook postBuild 19 19 + ''; 20 20 + 21 21 + installPhase = '' 22 22 + mkdir -p $out/bin 23 23 + mkdir -p $out/share/arabica 24 24 + 25 25 + # Copy static files, migrations, and templates 26 26 + cp -r web $out/share/arabica/ 27 27 + cp -r migrations $out/share/arabica/ 28 28 + cp -r internal $out/share/arabica/ 29 29 + cp arabica $out/bin/arabica-unwrapped 30 30 + cat > $out/bin/arabica <<'EOF' 31 31 + #!/bin/sh 32 32 + SCRIPT_DIR="$(dirname "$(readlink -f "$0")")" 33 33 + SHARE_DIR="$SCRIPT_DIR/../share/arabica" 34 34 + cd "$SHARE_DIR" 35 35 + exec "$SCRIPT_DIR/arabica-unwrapped" "$@" 36 36 + EOF 37 37 + chmod +x $out/bin/arabica 38 38 + ''; 39 39 + 40 40 + meta = with lib; { 41 41 + description = "Arabica - Coffee brew tracker"; 42 42 + license = licenses.mit; 43 43 + platforms = platforms.linux; 44 44 + mainProgram = "arabica"; 45 45 + }; 46 46 + }

+4 -53

flake.nix

reviewed

··· 1 1 { 2 2 - description = "Dev Shells Flake"; 2 2 + description = "Arabica - Coffee brew tracking application"; 3 3 inputs = { nixpkgs.url = "nixpkgs/nixpkgs-unstable"; }; 4 4 outputs = { nixpkgs, self, ... }: 5 5 let ··· 13 13 }); 14 14 15 15 packages = forAllSystems (pkgs: system: rec { 16 16 - arabica = pkgs.buildGoModule { 17 17 - pname = "arabica"; 18 18 - version = "0.1.0"; 19 19 - src = ./.; 20 20 - 21 21 - # Vendor hash for Go dependencies 22 22 - vendorHash = "sha256-4Z6KAxox3EY9RGtFKUcqxtB/kj3Ed+o+ggPwtLSPctU="; 23 23 - 24 24 - nativeBuildInputs = with pkgs; [ tailwindcss ]; 25 25 - 26 26 - preBuild = '' 27 27 - # Build Tailwind CSS 28 28 - tailwindcss -i web/static/css/style.css -o web/static/css/output.css --minify 29 29 - ''; 30 30 - 31 31 - # Build output goes to bin/arabica 32 32 - buildPhase = '' 33 33 - runHook preBuild 34 34 - go build -o arabica cmd/server/main.go 35 35 - runHook postBuild 36 36 - ''; 37 37 - 38 38 - installPhase = '' 39 39 - mkdir -p $out/bin 40 40 - mkdir -p $out/share/arabica 41 41 - 42 42 - # Copy static files, migrations, and templates 43 43 - cp -r web $out/share/arabica/ 44 44 - cp -r migrations $out/share/arabica/ 45 45 - cp -r internal $out/share/arabica/ 46 46 - 47 47 - # Install the actual binary 48 48 - cp arabica $out/bin/arabica-unwrapped 49 49 - 50 50 - # Create wrapper script that changes to the share directory 51 51 - cat > $out/bin/arabica <<'EOF' 52 52 - #!/bin/sh 53 53 - SCRIPT_DIR="$(dirname "$(readlink -f "$0")")" 54 54 - SHARE_DIR="$SCRIPT_DIR/../share/arabica" 55 55 - cd "$SHARE_DIR" 56 56 - exec "$SCRIPT_DIR/arabica-unwrapped" "$@" 57 57 - EOF 58 58 - chmod +x $out/bin/arabica 59 59 - ''; 60 60 - 61 61 - meta = with pkgs.lib; { 62 62 - description = "Arabica - Coffee brew tracker"; 63 63 - license = licenses.mit; 64 64 - platforms = platforms.linux; 65 65 - }; 66 66 - }; 67 67 - 16 16 + arabica = pkgs.callPackage ./default.nix { }; 68 17 default = arabica; 69 18 }); 70 19 ··· 74 23 program = "${self.packages.${system}.arabica}/bin/arabica"; 75 24 }; 76 25 }); 26 26 + 27 27 + nixosModules.default = import ./module.nix; 77 28 }; 78 29 }

+100

module.nix

reviewed

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + let cfg = config.services.arabica; 4 4 + in { 5 5 + options.services.arabica = { 6 6 + enable = lib.mkEnableOption "Arabica coffee brew tracking service"; 7 7 + 8 8 + package = lib.mkOption { 9 9 + type = lib.types.package; 10 10 + default = pkgs.callPackage ./default.nix { }; 11 11 + defaultText = lib.literalExpression "pkgs.callPackage ./default.nix { }"; 12 12 + description = "The arabica package to use."; 13 13 + }; 14 14 + 15 15 + settings = { 16 16 + port = lib.mkOption { 17 17 + type = lib.types.port; 18 18 + default = 18910; 19 19 + description = "Port on which the arabica server listens."; 20 20 + }; 21 21 + }; 22 22 + 23 23 + dataDir = lib.mkOption { 24 24 + type = lib.types.path; 25 25 + default = "/var/lib/arabica"; 26 26 + description = "Directory where arabica stores its database."; 27 27 + }; 28 28 + 29 29 + user = lib.mkOption { 30 30 + type = lib.types.str; 31 31 + default = "arabica"; 32 32 + description = "User account under which arabica runs."; 33 33 + }; 34 34 + 35 35 + group = lib.mkOption { 36 36 + type = lib.types.str; 37 37 + default = "arabica"; 38 38 + description = "Group under which arabica runs."; 39 39 + }; 40 40 + 41 41 + openFirewall = lib.mkOption { 42 42 + type = lib.types.bool; 43 43 + default = false; 44 44 + description = "Whether to open the firewall for the arabica port."; 45 45 + }; 46 46 + }; 47 47 + 48 48 + config = lib.mkIf cfg.enable { 49 49 + users.users.${cfg.user} = lib.mkIf (cfg.user == "arabica") { 50 50 + isSystemUser = true; 51 51 + group = cfg.group; 52 52 + description = "Arabica service user"; 53 53 + home = cfg.dataDir; 54 54 + createHome = true; 55 55 + }; 56 56 + 57 57 + users.groups.${cfg.group} = lib.mkIf (cfg.group == "arabica") { }; 58 58 + 59 59 + systemd.services.arabica = { 60 60 + description = "Arabica Coffee Brew Tracking Service"; 61 61 + wantedBy = [ "multi-user.target" ]; 62 62 + after = [ "network.target" ]; 63 63 + 64 64 + serviceConfig = { 65 65 + Type = "simple"; 66 66 + User = cfg.user; 67 67 + Group = cfg.group; 68 68 + ExecStart = "${cfg.package}/bin/arabica"; 69 69 + Restart = "on-failure"; 70 70 + RestartSec = "10s"; 71 71 + 72 72 + # Security hardening 73 73 + NoNewPrivileges = true; 74 74 + PrivateTmp = true; 75 75 + ProtectSystem = "strict"; 76 76 + ProtectHome = true; 77 77 + ReadWritePaths = [ cfg.dataDir ]; 78 78 + ProtectKernelTunables = true; 79 79 + ProtectKernelModules = true; 80 80 + ProtectControlGroups = true; 81 81 + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; 82 82 + RestrictNamespaces = true; 83 83 + LockPersonality = true; 84 84 + RestrictRealtime = true; 85 85 + RestrictSUIDSGID = true; 86 86 + MemoryDenyWriteExecute = true; 87 87 + SystemCallArchitectures = "native"; 88 88 + CapabilityBoundingSet = ""; 89 89 + }; 90 90 + 91 91 + environment = { 92 92 + PORT = toString cfg.settings.port; 93 93 + DB_PATH = "${cfg.dataDir}/arabica.db"; 94 94 + }; 95 95 + }; 96 96 + 97 97 + networking.firewall = 98 98 + lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.settings.port ]; }; 99 99 + }; 100 100 + }