authorRory& <root@rory.gay>2025-06-03 18:56:23 +0200
committerRory& <root@rory.gay>2025-06-03 18:56:23 +0200
commit7db67a0d050fd411a33b9473bafaba0d8c503b78 (patch)
tree43d81ad6f467e9357423c2cce55cc6516b7ab859
parentCRUD devices (diff)
downloadnodejs-final-assignment-7db67a0d050fd411a33b9473bafaba0d8c503b78.tar.xz
Lock down systemd service
-rw-r--r--DEPLOY.md4
-rw-r--r--flake.nix129
2 files changed, 80 insertions, 53 deletions
diff --git a/DEPLOY.md b/DEPLOY.md

index 201ce8b..63f89c5 100644
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -5,7 +5,7 @@ flake.nix: (production: [inputs](https://cgit.rory.gay/Rory-Open-Architecture.git/tree/flake.nix?h=d94f5#n104), [modules](https://cgit.rory.gay/Rory-Open-Architecture.git/tree/flake.nix?h=d94f5#n147), [service](https://cgit.rory.gay/Rory-Open-Architecture.git/tree/host/Rory-ovh/services/safensound.nix))
 ```nix
-# inputs section
+# inputs section - using public mirror for unauthenticated access
 inputs.safeNSound.url = "git+https://cgit.rory.gay/school/nodejs-final-assignment.git/";
 # system configuration section
@@ -13,7 +13,7 @@ inputs.safeNSound.url = "git+https://cgit.rory.gay/school/nodejs-final-assignmen
 safeNSound.modules.default
 # configuration section
-# services.mongodb = { enable = true; ... };
+# Make sure mongodb is set up: services.mongodb = { enable = true; ... };
 services.safeNSound = {
 enable = true;
 package = safeNSound.packages.default;
diff --git a/flake.nix b/flake.nix
index 211b64b..22dca66 100644
--- a/flake.nix
+++ b/flake.nix
@@ -85,59 +85,86 @@ ]; }; } - )) // { - nixosModules.default = { pkgs, config, lib, ...}: { - options.services.safensound = { - enable = lib.mkEnableOption "Enable SafeNSound service"; - package = lib.mkOption { - type = lib.types.package; - default = self.packages.${pkgs.stdenv.hostPlatform.system}.default; - description = "The SafeNSound service package to run."; - }; - port = lib.mkOption { - type = lib.types.port; - default = 3000; - description = "The port on which the SafeNSound service will listen."; - }; - dbCredentialsPath = lib.mkOption { - type = lib.types.path; - description = "Path to the database credentials file."; - }; - jwtSecretPath = lib.mkOption { - type = lib.types.path; - description = "Path to the JWT secret directory."; - }; - logRequests = lib.mkEnableOption "Log requests"; - logQueries = lib.mkEnableOption "Log queries"; - logAuth = lib.mkEnableOption "Log authentication"; - }; - - config = lib.mkIf (config.services.safensound.enable) ( - let - cfg = config.services.safensound; - in + )) + // { + nixosModules.default = { - systemd.services.safensound = { - description = "SafeNSound Service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "mongodb.service" ]; - requires = [ "mongodb.service" ]; - environment = { - PORT = cfg.port; - LOG_REQUESTS = cfg.logRequests; - DATABASE_SECRET_PATH = cfg.dbCredentialsPath; - JWT_SECRET_PATH = cfg.jwtSecretPath; - LOG_QUERIES = cfg.logQueries; - LOG_AUTH = cfg.logAuth; + pkgs, + config, + lib, + ... 
+ }: + { + options.services.safensound = { + enable = lib.mkEnableOption "Enable SafeNSound service"; + package = lib.mkOption { + type = lib.types.package; + default = self.packages.${pkgs.stdenv.hostPlatform.system}.default; + description = "The SafeNSound service package to run."; + }; + port = lib.mkOption { + type = lib.types.port; + default = 3000; + description = "The port on which the SafeNSound service will listen."; + }; + dbCredentialsPath = lib.mkOption { + type = lib.types.path; + description = "Path to the database credentials file."; }; - serviceConfig = { - Type = "simple"; - ExecStart = "${cfg.package}/bin/start"; - Restart = "on-failure"; - DynamicUser = true; + jwtSecretPath = lib.mkOption { + type = lib.types.path; + description = "Path to the JWT secret directory."; + default = "/var/lib/SafeNSound"; }; + logRequests = lib.mkEnableOption "Log requests"; + logQueries = lib.mkEnableOption "Log queries"; + logAuth = lib.mkEnableOption "Log authentication"; }; - }); - }; + + config = lib.mkIf (config.services.safensound.enable) ( + let + cfg = config.services.safensound; + in + { + systemd.services.safensound = { + description = "SafeNSound Service"; + wantedBy = [ "multi-user.target" ]; + after = [ + "network.target" + "mongodb.service" + ]; + requires = [ "mongodb.service" ]; + environment = { + PORT = cfg.port; + LOG_REQUESTS = cfg.logRequests; + DATABASE_SECRET_PATH = "/run/credentials/safensound.service/mongodb"; + JWT_SECRET_PATH = cfg.jwtSecretPath; + LOG_QUERIES = cfg.logQueries; + LOG_AUTH = cfg.logAuth; + }; + serviceConfig = { + Type = "simple"; + ExecStart = "${cfg.package}/bin/start"; + WorkingDirectory = "/var/lib/SafeNSound"; + StateDirectory = "SafeNSound"; + StateDirectoryMode = "0700"; + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + NoNewPrivileges = true; + PrivateDevices = true; + DynamicUser = true; + Restart = "always"; + StartLimitIntervalSec = 60; + StartLimitBurst = 5; + + LoadCredential = [ + 
"mongodb:${cfg.dbCredentialsPath}" + ]; + }; + }; + } + ); + }; }; -} \ No newline at end of file +}