flake: Add a NixOS flake

This commit is contained in:
PapaTutuWawa 2023-08-20 20:22:42 +02:00
parent 801d7d73d9
commit d2c60e0c87
4 changed files with 143 additions and 0 deletions

1
.gitignore vendored

@ -6,3 +6,4 @@ dist/
*.egg-info
tmp/
venv/
result

27
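--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1692494774,
+"narHash": "sha256-noGVoOTyZ2Kr5OFglzKYOX48cx3hggdCPbXrYMG2FDw=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "3476a10478587dec90acb14ec6bde0966c545cc0",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}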

90
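--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,90 @@
+{
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+};
+outputs = { self, nixpkgs, ... }@inputs: let
+forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
+in {
+nixosModule = { pkgs, config, lib, ... }: let
+cfg = config.papatutuwawa.pubcached;
+in {
+options.papatutuwawa.pubcached = {
+enable = lib.mkEnableOption "Enable pubcached";
+serverUrl = lib.mkOption {
+description = "The URL to which archives should be redirected";
+};
+host = lib.mkOption {
+description = "The host to bind to";
+default = "127.0.0.1";
+};
+port = lib.mkOption {
+description = "The port to bind to";
+default = 8000;
+};
+};
+config = lib.mkIf cfg.enable {
+systemd.services.pubcached = let
+settingsFormat = pkgs.formats.toml {};
+configRaw = {
+"db_path" = "/var/lib/pubcached/db.sqlite";
+"package_path" = "/var/lib/pubcached/packages/";
+"server_url" = cfg.serverUrl;
+"host" = cfg.host;
+"port" = cfg.port;
+};
+in {
+description = "pubcached Service";
+wantedBy = [ "multi-user.target" ];
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+serviceConfig = {
+DynamicUser = true;
+WorkingDirectory = "%S/pubcached";
+StateDirectory = "pubcached";
+StateDirectoryMode = "0700";
+UMask = "0007";
+ConfigurationDirectory = "pubcached";
+ExecStart = "${pkgs.pubcached}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";
+Restart = "on-failure";
+RestartSec = 15;
+CapabilityBoundingSet = "";
+# Security
+NoNewPrivileges = true;
+# Sandboxing
+ProtectSystem = "strict";
+ProtectHome = true;
+PrivateTmp = true;
+PrivateDevices = true;
+PrivateUsers = true;
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+PrivateMounts = true;
+# System Call Filtering
+SystemCallArchitectures = "native";
+SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+};
+};
+};
+};
+packages = forAllSystems (system: let
+pkgs = import nixpkgs { inherit system; };
+in {
+pubcached = pkgs.callPackage ./pkgs/pubcached.nix {};
+});
+};
+}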
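Review bot: `ExecStart` in the service block references `pkgs.pubcached`, but the module never adds the flake's package to `pkgs`, so on a host that does not apply an overlay the configuration fails to evaluate as soon as `enable = true`. A `package` option wired to the flake's own output avoids that: `package = lib.mkOption { type = lib.types.package; default = self.packages.${pkgs.stdenv.hostPlatform.system}.pubcached; };` together with `ExecStart = "${cfg.package}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";`. The three `mkOption` declarations also carry no `type`, so a non-string `serverUrl` or an out-of-range `port` is only noticed when the unit starts; `type = lib.types.str;` on `serverUrl` and `host` and `type = lib.types.port;` on `port` catch this at evaluation time and improve the generated option docs. `RestrictAddressFamilies` is a one-element list holding a space-separated string; systemd tolerates it, but `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` is the form the module system expects for list-valued directives.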

25
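--- a/pkgs/pubcached.nix
+++ b/pkgs/pubcached.nix
@@ -0,0 +1,25 @@
+{
+lib
+, python3Packages
+}:
+python3Packages.buildPythonApplication {
+pname = "pubcached";
+version = "0.1.0";
+src = ./../.;
+doCheck = false;
+propagatedBuildInputs = with python3Packages; [
+loguru aiofiles requests falcon toml uvicorn
+];
+meta = with lib; {
+homepage = "https://git.polynom.me/PapaTutuWawa/pubcached";
+description = "Caching proxy for pub.dev";
+license = licenses.mit;
+maintainers = [];
+platforms = platforms.linux;
+};
+}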
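Review bot: `doCheck = false;` switches off the test phase with no stated reason, so the derivation is never exercised beyond building and installing. If the suite cannot run inside the build sandbox, a comment saying why plus `pythonImportsCheck = [ "pubcached" ];` would at least confirm that the installed module imports against the listed `propagatedBuildInputs` (the import name is assumed to match `pname`; confirm against the package). `src = ./../.;` pulls the whole repository, including `flake.nix` and `flake.lock`, into the source tree; `./..` spells the same path more plainly, and `meta.maintainers = [];` leaves nobody listed for the package.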