1 files changed, 83 insertions, 51 deletions
diff --git a/flake.nix b/flake.nix
index 211b64b..16db909 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,64 +80,96 @@
devShell = pkgs.mkShell {
buildInputs = with pkgs; [
mongodb-compass
+ webstorm
nodejs
nodePackages.prettier
];
};
}
- )) // {
- nixosModules.default = { pkgs, config, lib, ...}: {
- options.services.safensound = {
- enable = lib.mkEnableOption "Enable SafeNSound service";
- package = lib.mkOption {
- type = lib.types.package;
- default = self.packages.${pkgs.stdenv.hostPlatform.system}.default;
- description = "The SafeNSound service package to run.";
- };
- port = lib.mkOption {
- type = lib.types.port;
- default = 3000;
- description = "The port on which the SafeNSound service will listen.";
- };
- dbCredentialsPath = lib.mkOption {
- type = lib.types.path;
- description = "Path to the database credentials file.";
- };
- jwtSecretPath = lib.mkOption {
- type = lib.types.path;
- description = "Path to the JWT secret directory.";
- };
- logRequests = lib.mkEnableOption "Log requests";
- logQueries = lib.mkEnableOption "Log queries";
- logAuth = lib.mkEnableOption "Log authentication";
- };
-
- config = lib.mkIf (config.services.safensound.enable) (
- let
- cfg = config.services.safensound;
- in
+ ))
+ // {
+ nixosModules.default =
+ {
+ pkgs,
+ config,
+ lib,
+ ...
+ }:
{
- systemd.services.safensound = {
- description = "SafeNSound Service";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "mongodb.service" ];
- requires = [ "mongodb.service" ];
- environment = {
- PORT = cfg.port;
- LOG_REQUESTS = cfg.logRequests;
- DATABASE_SECRET_PATH = cfg.dbCredentialsPath;
- JWT_SECRET_PATH = cfg.jwtSecretPath;
- LOG_QUERIES = cfg.logQueries;
- LOG_AUTH = cfg.logAuth;
+ options.services.safensound = {
+ enable = lib.mkEnableOption "Enable SafeNSound service";
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = self.packages.${pkgs.stdenv.hostPlatform.system}.default;
+ description = "The SafeNSound service package to run.";
};
- serviceConfig = {
- Type = "simple";
- ExecStart = "${cfg.package}/bin/start";
- Restart = "on-failure";
- DynamicUser = true;
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 3000;
+ description = "The port on which the SafeNSound service will listen.";
};
+ dbCredentialsPath = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to the database credentials file.";
+ };
+ jwtSecretPath = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/SafeNSound";
+ description = "Path to the JWT secret directory.";
+ };
+ logRequests = lib.mkOption {
+ type = lib.types.string;
+ description = "Which requests to log.";
+ default = "-";
+ };
+ logQueries = lib.mkEnableOption "Log queries";
+ logAuth = lib.mkEnableOption "Log authentication";
};
- });
- };
+
+ config = lib.mkIf (config.services.safensound.enable) (
+ let
+ cfg = config.services.safensound;
+ in
+ {
+ systemd.services.safensound = {
+ description = "SafeNSound Service";
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "mongodb.service"
+ ];
+ requires = [ "mongodb.service" ];
+ environment = {
+ PORT = toString cfg.port;
+ DATABASE_SECRET_PATH = "/run/credentials/safensound.service/mongodb";
+ JWT_SECRET_PATH = cfg.jwtSecretPath;
+ LOG_AUTH = lib.boolToString cfg.logAuth;
+ LOG_QUERIES = lib.boolToString cfg.logQueries;
+ LOG_REQUESTS = cfg.logRequests;
+ };
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${cfg.package}/bin/start";
+ WorkingDirectory = "/var/lib/SafeNSound";
+ StateDirectory = "SafeNSound";
+ StateDirectoryMode = "0700";
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ DynamicUser = true;
+ Restart = "always";
+ StartLimitIntervalSec = 60;
+ StartLimitBurst = 5;
+
+ LoadCredential = [
+ "mongodb:${cfg.dbCredentialsPath}"
+ ];
+ };
+ };
+ }
+ );
+ };
};
-}
\ No newline at end of file
+}
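Review bot: The JWT secret is still handed to the service as a bare path (`JWT_SECRET_PATH = cfg.jwtSecretPath`) while the database secret now goes through `LoadCredential`; with `DynamicUser = true` and `ProtectSystem = "strict"` the unit runs as an unpredictable UID inside a read-only view of the filesystem, so any `jwtSecretPath` outside the 0700 state directory would have to be readable by that UID, which is exactly what the credential mechanism avoids for the mongodb secret. If the application reads a single secret file, the same pattern applies: `"jwt:${cfg.jwtSecretPath}"` in the `LoadCredential` list and `JWT_SECRET_PATH = "/run/credentials/safensound.service/jwt";` — if it really needs a directory, the option description should at least state who must be able to read it, and that `dbCredentialsPath` may now be root-only (0600) since systemd copies it in. Separately, `logRequests` uses `lib.types.string`, which nixpkgs deprecates in favour of `lib.types.str`, and its description "Which requests to log." does not say what the `"-"` default means. `StartLimitIntervalSec`/`StartLimitBurst` are documented by systemd as `[Unit]` settings, so they presumably belong under `unitConfig` rather than `serviceConfig`. The flake outputs set that this module belongs to begins before the hunk.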