flake: Add a NixOS flake
This commit is contained in:
parent
801d7d73d9
commit
d2c60e0c87
1
.gitignore
vendored
1
.gitignore
vendored
@ -6,3 +6,4 @@ dist/
|
||||
*.egg-info
|
||||
tmp/
|
||||
venv/
|
||||
result
|
||||
|
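--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+"nodes": {
+"nixpkgs": {
+"locked": {
+"lastModified": 1692494774,
+"narHash": "sha256-noGVoOTyZ2Kr5OFglzKYOX48cx3hggdCPbXrYMG2FDw=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "3476a10478587dec90acb14ec6bde0966c545cc0",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}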
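--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,90 @@
+{
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+};
+
+outputs = { self, nixpkgs, ... }@inputs: let
+forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
+in {
+nixosModule = { pkgs, config, lib, ... }: let
+cfg = config.papatutuwawa.pubcached;
+in {
+options.papatutuwawa.pubcached = {
+enable = lib.mkEnableOption "Enable pubcached";
+
+serverUrl = lib.mkOption {
+description = "The URL to which archives should be redirected";
+};
+
+host = lib.mkOption {
+description = "The host to bind to";
+default = "127.0.0.1";
+};
+port = lib.mkOption {
+description = "The port to bind to";
+default = 8000;
+};
+};
+
+config = lib.mkIf cfg.enable {
+systemd.services.pubcached = let
+settingsFormat = pkgs.formats.toml {};
+configRaw = {
+"db_path" = "/var/lib/pubcached/db.sqlite";
+"package_path" = "/var/lib/pubcached/packages/";
+"server_url" = cfg.serverUrl;
+
+"host" = cfg.host;
+"port" = cfg.port;
+};
+in {
+description = "pubcached Service";
+wantedBy = [ "multi-user.target" ];
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+serviceConfig = {
+DynamicUser = true;
+WorkingDirectory = "%S/pubcached";
+StateDirectory = "pubcached";
+StateDirectoryMode = "0700";
+UMask = "0007";
+ConfigurationDirectory = "pubcached";
+ExecStart = "${pkgs.pubcached}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";
+Restart = "on-failure";
+RestartSec = 15;
+CapabilityBoundingSet = "";
+# Security
+NoNewPrivileges = true;
+# Sandboxing
+ProtectSystem = "strict";
+ProtectHome = true;
+PrivateTmp = true;
+PrivateDevices = true;
+PrivateUsers = true;
+ProtectHostname = true;
+ProtectClock = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectControlGroups = true;
+RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+PrivateMounts = true;
+# System Call Filtering
+SystemCallArchitectures = "native";
+SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+};
+};
+};
+};
+
+packages = forAllSystems (system: let
+pkgs = import nixpkgs { inherit system; };
+in {
+pubcached = pkgs.callPackage ./pkgs/pubcached.nix {};
+});
+};
+}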
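Review bot: `ExecStart` in the serviceConfig block references `pkgs.pubcached`, but as far as this flake shows the derivation is only exposed as `packages.<system>.pubcached` and is never added to the consumer's `pkgs`, so the module will not evaluate on a host that does not also supply an overlay. A `package` option defaulting to `self.packages.${pkgs.stdenv.hostPlatform.system}.pubcached` makes the module self-contained and overridable; `self` is already bound in the `outputs` argument set. While touching the options, `serverUrl`, `host` and `port` declare no `type`, so a wrong value only surfaces at runtime when pubcached reads config.toml — `type = lib.types.str;` for the first two and `type = lib.types.port;` for the last catches it at evaluation time. The single-element `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` is accepted because systemd splits the rendered value on whitespace, but one family per element, `[ "AF_UNIX" "AF_INET" "AF_INET6" ]`, is the form used elsewhere in nixpkgs and keeps the list mergeable by other modules.
```nix
options.papatutuwawa.pubcached = {
  enable = lib.mkEnableOption "Enable pubcached";

  package = lib.mkOption {
    type = lib.types.package;
    default = self.packages.${pkgs.stdenv.hostPlatform.system}.pubcached;
    description = "The pubcached package to run";
  };

  serverUrl = lib.mkOption {
    type = lib.types.str;
    description = "The URL to which archives should be redirected";
  };
  # … unchanged: host and port options (add type = lib.types.str / lib.types.port) …
};
# … unchanged: configRaw, unit metadata and the remaining serviceConfig keys …
ExecStart = "${cfg.package}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";
```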
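--- a/pkgs/pubcached.nix
+++ b/pkgs/pubcached.nix
@@ -0,0 +1,25 @@
+{
+lib
+, python3Packages
+}:
+
+python3Packages.buildPythonApplication {
+pname = "pubcached";
+version = "0.1.0";
+
+src = ./../.;
+
+doCheck = false;
+
+propagatedBuildInputs = with python3Packages; [
+loguru aiofiles requests falcon toml uvicorn
+];
+
+meta = with lib; {
+homepage = "https://git.polynom.me/PapaTutuWawa/pubcached";
+description = "Caching proxy for pub.dev";
+license = licenses.mit;
+maintainers = [];
+platforms = platforms.linux;
+};
+}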
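Review bot: `doCheck = false;` switches the package's test suite off without recording why, so a regression in the Python code is only noticed once the service is deployed. If the tests need network access the build sandbox does not provide, a comment saying so belongs on that line, and `pythonImportsCheck = [ "pubcached" ];` (assuming `pubcached` is the top-level import name) still gives a cheap build-time check that the application imports cleanly against the listed `propagatedBuildInputs`. `src = ./../.;` is the flake's store copy when built through flake.nix, but evaluated through a plain `callPackage` it copies the whole working directory, `result` symlink and `venv/` included; `src = lib.cleanSource ./../.;` keeps those out of the store.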