+34

overlays/obsidian-headless.nix

reviewed

··· 1 1 + { 2 2 + lib, 3 3 + buildNpmPackage, 4 4 + fetchFromGitHub, 5 5 + nodejs_22, 6 6 + python3, 7 7 + }: 8 8 + buildNpmPackage rec { 9 9 + pname = "obsidian-headless"; 10 10 + version = "0.0.3"; 11 11 + 12 12 + src = fetchFromGitHub { 13 13 + owner = "obsidianmd"; 14 14 + repo = "obsidian-headless"; 15 15 + rev = "v${version}"; 16 16 + hash = lib.fakeHash; 17 17 + }; 18 18 + 19 19 + nodejs = nodejs_22; 20 20 + npmDepsHash = lib.fakeHash; 21 21 + 22 22 + # better-sqlite3 needs python3 + native build tools 23 23 + nativeBuildInputs = [ python3 ]; 24 24 + 25 25 + dontNpmBuild = true; 26 26 + 27 27 + meta = { 28 28 + description = "Headless client for Obsidian Sync"; 29 29 + homepage = "https://github.com/obsidianmd/obsidian-headless"; 30 30 + license = lib.licenses.unfree; 31 31 + platforms = lib.platforms.linux ++ lib.platforms.darwin; 32 32 + mainProgram = "ob"; 33 33 + }; 34 34 + }

+129

overlays/obsidian-sync.nix

reviewed

··· 1 1 + { 2 2 + config, 3 3 + lib, 4 4 + pkgs, 5 5 + ... 6 6 + }: 7 7 + let 8 8 + cfg = config.services.obsidian-sync; 9 9 + 10 10 + vaultOpts = 11 11 + { name, ... }: 12 12 + { 13 13 + options = { 14 14 + name = lib.mkOption { 15 15 + type = lib.types.str; 16 16 + default = name; 17 17 + description = "Name or ID of the remote vault to sync."; 18 18 + }; 19 19 + 20 20 + path = lib.mkOption { 21 21 + type = lib.types.str; 22 22 + description = "Local directory to sync this vault to."; 23 23 + }; 24 24 + }; 25 25 + }; 26 26 + in 27 27 + { 28 28 + options.services.obsidian-sync = { 29 29 + enable = lib.mkEnableOption "Obsidian headless sync"; 30 30 + 31 31 + package = lib.mkPackageOption pkgs "obsidian-headless" { }; 32 32 + 33 33 + path = lib.mkOption { 34 34 + type = lib.types.str; 35 35 + default = "/var/lib/obsidian-sync"; 36 36 + description = "Base directory for Obsidian sync state and data."; 37 37 + }; 38 38 + 39 39 + authTokenFile = lib.mkOption { 40 40 + type = lib.types.nullOr lib.types.path; 41 41 + default = null; 42 42 + description = '' 43 43 + Path to a file containing the OBSIDIAN_AUTH_TOKEN environment variable 44 44 + in the format OBSIDIAN_AUTH_TOKEN=<token>. Used for non-interactive 45 45 + authentication. If null, you must run `ob login` manually as the 46 46 + service user before enabling the service. 47 47 + ''; 48 48 + }; 49 49 + 50 50 + user = lib.mkOption { 51 51 + type = lib.types.str; 52 52 + default = "obsidian"; 53 53 + description = "User account under which the sync services run."; 54 54 + }; 55 55 + 56 56 + group = lib.mkOption { 57 57 + type = lib.types.str; 58 58 + default = "obsidian"; 59 59 + description = "Group under which the sync services run."; 60 60 + }; 61 61 + 62 62 + vaults = lib.mkOption { 63 63 + type = lib.types.attrsOf (lib.types.submodule vaultOpts); 64 64 + default = { }; 65 65 + description = '' 66 66 + Vaults to sync. Each vault must first be linked via 67 67 + `ob sync-setup --vault <name> --path <path>` before the service 68 68 + will function. The service runs `ob sync --path <path> --continuous` 69 69 + for each configured vault. 70 70 + ''; 71 71 + example = lib.literalExpression '' 72 72 + { 73 73 + "personal-notes" = { 74 74 + path = "/srv/obsidian/personal"; 75 75 + }; 76 76 + "work" = { 77 77 + path = "/srv/obsidian/work"; 78 78 + }; 79 79 + } 80 80 + ''; 81 81 + }; 82 82 + }; 83 83 + 84 84 + config = lib.mkIf cfg.enable { 85 85 + users.users.${cfg.user} = lib.mkIf (cfg.user == "obsidian") { 86 86 + isSystemUser = true; 87 87 + group = cfg.group; 88 88 + home = cfg.path; 89 89 + createHome = true; 90 90 + }; 91 91 + 92 92 + users.groups.${cfg.group} = lib.mkIf (cfg.group == "obsidian") { }; 93 93 + 94 94 + systemd.services = lib.mapAttrs' ( 95 95 + name: vault: 96 96 + lib.nameValuePair "obsidian-sync-${name}" { 97 97 + description = "Obsidian Sync - ${name}"; 98 98 + after = [ "network-online.target" ]; 99 99 + wants = [ "network-online.target" ]; 100 100 + wantedBy = [ "multi-user.target" ]; 101 101 + 102 102 + environment = { 103 103 + HOME = cfg.path; 104 104 + }; 105 105 + 106 106 + serviceConfig = { 107 107 + Type = "simple"; 108 108 + User = cfg.user; 109 109 + Group = cfg.group; 110 110 + ExecStart = "${lib.getExe cfg.package} sync --path ${lib.escapeShellArg vault.path} --continuous"; 111 111 + Restart = "on-failure"; 112 112 + RestartSec = "30s"; 113 113 + 114 114 + # Hardening 115 115 + NoNewPrivileges = true; 116 116 + ProtectSystem = "strict"; 117 117 + ReadWritePaths = [ 118 118 + vault.path 119 119 + cfg.path 120 120 + ]; 121 121 + PrivateTmp = true; 122 122 + } 123 123 + // lib.optionalAttrs (cfg.authTokenFile != null) { 124 124 + EnvironmentFile = cfg.authTokenFile; 125 125 + }; 126 126 + } 127 127 + ) cfg.vaults; 128 128 + }; 129 129 + }