forked from
cool-handle.ebil.club/meowzone
beatufitull front end for ozone modration ,, wit catpucoin and ebergarden !
Updatez
authored by
Isla
and committed by
tangled.org
c39c0e9f
a82030c7
+64
-12
+15
-3
nix/default.nix
+15
-3
nix/default.nix
···
1
1
{
2
2
fetchPnpmDeps,
3
+
makeBinaryWrapper,
3
4
nodejs_22,
4
5
pnpm,
5
6
pnpmConfigHook,
···
19
20
nodejs_22
20
21
pnpmConfigHook
21
22
pnpm
23
+
makeBinaryWrapper
22
24
];
23
25
24
26
pnpmDeps = fetchPnpmDeps {
···
28
30
};
29
31
30
32
buildPhase = ''
33
+
runHook preBuild
34
+
31
35
pnpm run build
36
+
makeWrapper "${lib.getExe nodejs_22}" "$out/bin/meowzone" \
37
+
--add-flags "$out/lib/meowzone/build/index.js"
38
+
39
+
runHook postBuild
32
40
'';
33
41
34
42
installPhase = ''
35
-
mkdir -p $out
36
-
cp -r . $out/
43
+
runHook preInstall
44
+
45
+
mkdir -p $out/{bin,lib/meowzone}
46
+
cp -r . $out/lib/meowzone
47
+
runHook postInstall
48
+
37
49
'';
38
50
39
51
meta = {
40
52
description = "fontend for ozone , made for cats";
41
53
license = lib.licenses.mit;
42
-
mainProgram = "build";
54
+
mainProgram = "meowzone";
43
55
};
44
56
})
+49
-9
nix/module.nix
+49
-9
nix/module.nix
···
1
+
self:
1
2
{
2
3
config,
3
4
lib,
···
13
14
{
14
15
options.services.meowzone = {
15
16
enable = mkEnableOption "meowzone. frontend for ozone";
17
+
18
+
package = mkOption {
19
+
type = types.package;
20
+
default = self.packages.${pkgs.stdenv.hostPlatform.system}.meowzone;
21
+
defaultText = literalExpression "self.packages.\${pkgs.stdenv.hostPlatform.system}.meowzone";
22
+
description = "The ozone package to use";
23
+
};
16
24
17
25
port = mkOption {
18
26
type = types.port;
···
54
62
description = "Authentication method to use";
55
63
};
56
64
57
-
package = mkOption {
58
-
type = types.package;
59
-
default = pkgs.callPackage ./default.nix { };
60
-
description = "Ozone package to use";
61
-
};
62
65
};
63
66
64
67
config = mkIf cfg.enable {
···
79
82
};
80
83
81
84
serviceConfig = {
82
-
Type = "simple";
83
-
ExecStart = "${pkgs.nodejs}/bin/node ${cfg.package}/build/index.js";
85
+
ExecStart = getExe cfg.package;
84
86
Restart = "on-failure";
85
87
RestartSec = 5;
86
88
User = "meowzone";
87
89
Group = "meowzone";
88
90
StandardOutput = "journal";
89
91
StandardError = "journal";
92
+
93
+
CapabilityBoundingSet = [
94
+
"CAP_NET_BIND_SERVICE"
95
+
];
96
+
97
+
NoNewPrivileges = true;
98
+
ProtectSystem = "strict";
99
+
ProtectHome = true;
100
+
ProtectHostname = true;
101
+
ProtectClock = true;
102
+
ProtectKernelTunables = true;
103
+
ProtectKernelModules = true;
104
+
ProtectKernelLogs = true;
105
+
ProtectControlGroups = true;
106
+
RestrictAddressFamilies = [
107
+
"AF_UNIX"
108
+
"AF_INET"
109
+
"AF_INET6"
110
+
];
111
+
RestrictNamespaces = true;
112
+
LockPersonality = true;
113
+
RestrictRealtime = true;
114
+
RestrictSUIDSGID = true;
115
+
RemoveIPC = true;
116
+
PrivateMounts = true;
117
+
PrivateTmp = true;
118
+
PrivateUsers = true;
119
+
PrivateDevices = true;
120
+
MemoryDenyWriteExecute = false; # required for V8 JIT
121
+
SystemCallArchitectures = "native";
122
+
SystemCallFilter = [
123
+
"@system-service"
124
+
"~@privileged @resources"
125
+
];
126
+
SystemCallErrorNumber = "EPERM";
127
+
UMask = "0077";
128
+
ProcSubset = "pid";
129
+
ProtectProc = "invisible";
90
130
};
91
131
};
92
132
93
133
users = {
94
-
users.meowzone = mkIf (cfg.enable) {
134
+
users.meowzone = mkIf cfg.enable {
95
135
isSystemUser = true;
96
136
group = "meowzone";
97
137
description = "meowzone service user";
98
138
};
99
-
groups.meowzone = mkIf (cfg.enable) { };
139
+
groups.meowzone = mkIf cfg.enable { };
100
140
};
101
141
};
102
142
}