pubcached/flake.nix

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  outputs = { self, nixpkgs, ... }@inputs: let
    forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
  in {
    nixosModule = { pkgs, config, lib, ... }: let
      cfg = config.papatutuwawa.pubcached;
    in {
      options.papatutuwawa.pubcached = {
        enable = lib.mkEnableOption "Enable pubcached";

        serverUrl = lib.mkOption {
          description = "The URL to which archives should be redirected";
        };

        host = lib.mkOption {
          description = "The host to bind to";
          default = "127.0.0.1";
        };
        port = lib.mkOption {
          description = "The port to bind to";
          default = 8000;
        };
      };

      config = lib.mkIf cfg.enable {
        systemd.services.pubcached = let
          settingsFormat = pkgs.formats.toml {};
          configRaw = {
            "db_path" = "/var/lib/pubcached/db.sqlite";
            "package_path" = "/var/lib/pubcached/packages/";
            "server_url" = cfg.serverUrl;
            
            "host" = cfg.host;
            "port" = cfg.port;
          };
        in {
          description = "pubcached Service";
          wantedBy = [ "multi-user.target" ];
          after = [ "network-online.target" ];
          wants = [ "network-online.target" ];
          serviceConfig = {
            DynamicUser = true;
            WorkingDirectory = "%S/pubcached";
            StateDirectory = "pubcached";
            StateDirectoryMode = "0700";
            UMask = "0007";
            ConfigurationDirectory = "pubcached";
            ExecStart = "${pkgs.pubcached}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";
            Restart = "on-failure";
            RestartSec = 15;
            CapabilityBoundingSet = "";
            # Security
            NoNewPrivileges = true;
            # Sandboxing
            ProtectSystem = "strict";
            ProtectHome = true;
            PrivateTmp = true;
            PrivateDevices = true;
            PrivateUsers = true;
            ProtectHostname = true;
            ProtectClock = true;
            ProtectKernelTunables = true;
            ProtectKernelModules = true;
            ProtectKernelLogs = true;
            ProtectControlGroups = true;
            RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
            LockPersonality = true;
            MemoryDenyWriteExecute = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            PrivateMounts = true;
            # System Call Filtering
            SystemCallArchitectures = "native";
            SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
          };
        };
      };
    };

    packages = forAllSystems (system: let
      pkgs = import nixpkgs { inherit system; };
    in {
      pubcached = pkgs.callPackage ./pkgs/pubcached.nix {};
    });
  };
}
flake: Add a NixOS flake 2023-08-20 18:22:42 +00:00			`{`
			`inputs = {`
			`nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";`
			`};`

			`outputs = { self, nixpkgs, ... }@inputs: let`
			`forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;`
			`in {`
			`nixosModule = { pkgs, config, lib, ... }: let`
			`cfg = config.papatutuwawa.pubcached;`
			`in {`
			`options.papatutuwawa.pubcached = {`
			`enable = lib.mkEnableOption "Enable pubcached";`

			`serverUrl = lib.mkOption {`
			`description = "The URL to which archives should be redirected";`
			`};`

			`host = lib.mkOption {`
			`description = "The host to bind to";`
			`default = "127.0.0.1";`
			`};`
			`port = lib.mkOption {`
			`description = "The port to bind to";`
			`default = 8000;`
			`};`
			`};`

			`config = lib.mkIf cfg.enable {`
			`systemd.services.pubcached = let`
			`settingsFormat = pkgs.formats.toml {};`
			`configRaw = {`
			`"db_path" = "/var/lib/pubcached/db.sqlite";`
			`"package_path" = "/var/lib/pubcached/packages/";`
			`"server_url" = cfg.serverUrl;`

			`"host" = cfg.host;`
			`"port" = cfg.port;`
			`};`
			`in {`
			`description = "pubcached Service";`
			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network-online.target" ];`
			`wants = [ "network-online.target" ];`
			`serviceConfig = {`
			`DynamicUser = true;`
			`WorkingDirectory = "%S/pubcached";`
			`StateDirectory = "pubcached";`
			`StateDirectoryMode = "0700";`
			`UMask = "0007";`
			`ConfigurationDirectory = "pubcached";`
			`ExecStart = "${pkgs.pubcached}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";`
			`Restart = "on-failure";`
			`RestartSec = 15;`
			`CapabilityBoundingSet = "";`
			`# Security`
			`NoNewPrivileges = true;`
			`# Sandboxing`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`PrivateTmp = true;`
			`PrivateDevices = true;`
			`PrivateUsers = true;`
			`ProtectHostname = true;`
			`ProtectClock = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelLogs = true;`
			`ProtectControlGroups = true;`
			`RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`PrivateMounts = true;`
			`# System Call Filtering`
			`SystemCallArchitectures = "native";`
			`SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";`
			`};`
			`};`
			`};`
			`};`

			`packages = forAllSystems (system: let`
			`pkgs = import nixpkgs { inherit system; };`
			`in {`
			`pubcached = pkgs.callPackage ./pkgs/pubcached.nix {};`
			`});`
			`};`
			`}`