diff --git a/.gitignore b/.gitignore
index 3107f4b..95eca68 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,3 +6,4 @@ dist/
 *.egg-info
 tmp/
 venv/
+result
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..99820f4
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1692494774,
+ "narHash": "sha256-noGVoOTyZ2Kr5OFglzKYOX48cx3hggdCPbXrYMG2FDw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "3476a10478587dec90acb14ec6bde0966c545cc0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..4a80681
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,90 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+ };
+
+ outputs = { self, nixpkgs, ... }@inputs: let
+ forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
+ in {
+ nixosModule = { pkgs, config, lib, ... }: let
+ cfg = config.papatutuwawa.pubcached;
+ in {
+ options.papatutuwawa.pubcached = {
+ enable = lib.mkEnableOption "Enable pubcached";
+
+ serverUrl = lib.mkOption {
+ description = "The URL to which archives should be redirected";
+ };
+
+ host = lib.mkOption {
+ description = "The host to bind to";
+ default = "127.0.0.1";
+ };
+ port = lib.mkOption {
+ description = "The port to bind to";
+ default = 8000;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.pubcached = let
+ settingsFormat = pkgs.formats.toml {};
+ configRaw = {
+ "db_path" = "/var/lib/pubcached/db.sqlite";
+ "package_path" = "/var/lib/pubcached/packages/";
+ "server_url" = cfg.serverUrl;
+
+ "host" = cfg.host;
+ "port" = cfg.port;
+ };
+ in {
+ description = "pubcached Service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ WorkingDirectory = "%S/pubcached";
+ StateDirectory = "pubcached";
+ StateDirectoryMode = "0700";
+ UMask = "0007";
+ ConfigurationDirectory = "pubcached";
+ ExecStart = "${pkgs.pubcached}/bin/pubcached -c ${settingsFormat.generate "config.toml" configRaw}";
+ Restart = "on-failure";
+ RestartSec = 15;
+ CapabilityBoundingSet = "";
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ };
+ };
+ };
+ };
+
+ packages = forAllSystems (system: let
+ pkgs = import nixpkgs { inherit system; };
+ in {
+ pubcached = pkgs.callPackage ./pkgs/pubcached.nix {};
+ });
+ };
+}
diff --git a/pkgs/pubcached.nix b/pkgs/pubcached.nix
new file mode 100644
index 0000000..6dea46a
--- /dev/null
+++ b/pkgs/pubcached.nix
@@ -0,0 +1,25 @@
+{
+ lib
+, python3Packages
+}:
+
+python3Packages.buildPythonApplication {
+ pname = "pubcached";
+ version = "0.1.0";
+
+ src = ./../.;
+
+ doCheck = false;
+
+ propagatedBuildInputs = with python3Packages; [
+ loguru aiofiles requests falcon toml uvicorn
+ ];
+
+ meta = with lib; {
+ homepage = "https://git.polynom.me/PapaTutuWawa/pubcached";
+ description = "Caching proxy for pub.dev";
+ license = licenses.mit;
+ maintainers = [];
+ platforms = platforms.linux;
+ };
+}
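Review bot: The three `lib.mkOption` declarations under `options.papatutuwawa.pubcached` in flake.nix carry no `type`, so a missing `serverUrl`, a non-string host or a non-numeric port is not rejected at evaluation time and only surfaces when the generated config.toml is fed to the service; add `type = lib.types.str;` to `serverUrl` and `host` and `type = lib.types.port;` to `port`. `lib.mkEnableOption` already prefixes its argument with "Whether to enable", so `lib.mkEnableOption "Enable pubcached"` renders as "Whether to enable Enable pubcached."; `lib.mkEnableOption "pubcached"` is the idiom. `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];` packs three families into one list element; it likely still works because systemd accepts a space-separated list on one line, but `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` is the shape the module system expects and is what other NixOS services use.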
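Review bot: `doCheck = false;` in pkgs/pubcached.nix disables the package's test phase without saying why, so a reader cannot tell whether tests are absent, broken, or need network access; add a one-line reason next to it, e.g. `doCheck = false; # TODO(reviewer): state why tests are skipped`. `version = "0.1.0";` is also hard-coded here, and if the Python project metadata in the repository declares its own version the two can drift silently; consider deriving one from the other. `src = ./../.;` is the same path as `../.`, which is the more common spelling.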