flake.nix
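{
  description = "simple webhook runner (SWHR)";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils, ... }:
    let
      # Build the NixOS module for one target system.  The module takes the
      # `swhr` package for that system from this flake's own outputs, so the
      # service always runs the binary built from this checkout.
      mkNixosModule = system: { config, lib, pkgs, ... }:
        let
          cfg = config.services.swhr;
          swhrPackage = self.packages.${system}.swhr;

          # The option set is rendered as JSON, which YAML parsers accept.
          # `writeText` places the result in /nix/store, which is readable by
          # every local user: anything put into `services.swhr.configuration`
          # (for example an `api_key`) is therefore not a secret on the host.
          configFile = pkgs.writeText "swhr.yaml" (builtins.toJSON cfg.configuration);
        in {
          options.services.swhr = {
            enable = lib.mkEnableOption "SWHR webhook runner service";

            configuration = lib.mkOption {
              type = lib.types.attrs;
              default = {};
              description = "SWHR configuration (will be converted to YAML)";
              # NOTE(review): the `api_key` in this example is illustrative only;
              # a real key set here ends up in the world-readable store path above.
              # Confirm whether swhr can read the key from a file or the environment
              # before relying on this option for secrets.
              example = {
                services = [
                  {
                    path = "/webhook/example";
                    method = "POST";
                    script = "/usr/local/bin/example_script.sh";
                    dir = "/tmp";
                  }
                  {
                    path = "/webhook/secure-example";
                    method = "POST";
                    script = "/usr/local/bin/secure_example_script.sh";
                    dir = "/tmp";
                    api_key = "my-secret-api-key";
                  }
                ];
              };
            };

            listenAddress = lib.mkOption {
              type = lib.types.str;
              # Loopback only by default; exposing the hook endpoint beyond the
              # host is a deliberate opt-in by the deployer.
              default = "127.0.0.1:3344";
              description = "Address and port for SWHR to listen on";
            };

            logLevel = lib.mkOption {
              type = lib.types.enum [ "trace" "debug" "info" "warn" "error" ];
              default = "info";
              description = "Log level for SWHR";
            };

            user = lib.mkOption {
              type = lib.types.str;
              default = "swhr";
              description = "User to run SWHR as";
            };

            group = lib.mkOption {
              type = lib.types.str;
              default = "swhr";
              description = "Group to run SWHR as";
            };
          };

          config = lib.mkIf cfg.enable {
            # The dedicated system user/group are only declared while the
            # defaults are in use; an overridden user or group is expected to be
            # provided elsewhere in the configuration.
            users.users = lib.mkIf (cfg.user == "swhr") {
              swhr = {
                isSystemUser = true;
                description = "SWHR webhook runner user";
                group = cfg.group;
              };
            };
            users.groups = lib.mkIf (cfg.group == "swhr") {
              swhr = {};
            };

            systemd.services.swhr = {
              description = "Simple Webhook Runner";
              wantedBy = [ "multi-user.target" ];
              after = [ "network.target" ];

              serviceConfig = {
                ExecStart = "${swhrPackage}/bin/swhr --config ${configFile} --listen ${cfg.listenAddress} --log-level ${cfg.logLevel}";
                Restart = "on-failure";
                RestartSec = "5s";

                # Run unprivileged as the configured identity.
                User = cfg.user;
                Group = cfg.group;

                # Sandboxing.  Webhook scripts are executed inside this unit and
                # inherit every restriction here: the file system is mounted
                # read-only except /dev, /proc and /sys, /home, /root and
                # /run/user are inaccessible, /tmp is a per-service private
                # directory (the `dir = "/tmp"` in the option example resolves
                # there), and no execve may gain privileges.
                ProtectSystem = "strict";
                ProtectHome = true;
                PrivateTmp = true;
                NoNewPrivileges = true;

                # Nothing outside the private /tmp and the API file systems is
                # writable; a script that must write elsewhere needs its
                # directory added to ReadWritePaths by the deployer.
                ReadWritePaths = "";
                # The config is a store path and is already read-only under
                # ProtectSystem=strict; listing it makes the dependency explicit.
                ReadOnlyPaths = [ "${configFile}" ];
              };
            };
          };
        };
    in
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };

        # Native libraries the crate links against, plus pkg-config to locate
        # them.  buildRustPackage supplies rustc and cargo itself.
        nativeBuildInputs = with pkgs; [ pkg-config ];
        buildInputs = with pkgs; [ openssl zlib ];

        # Toolchain and editor tooling wanted only in the development shell.
        devTools = with pkgs; [ rustc cargo rustfmt clippy rust-analyzer ];
      in {
        # Development shell for the Rust crate: toolchain plus native deps.
        devShells.default = pkgs.mkShell {
          buildInputs = devTools ++ nativeBuildInputs ++ buildInputs;
          RUST_SRC_PATH = "${pkgs.rust.packages.stable.rustPlatform.rustLibSrc}";
        };

        packages.swhr = pkgs.rustPlatform.buildRustPackage {
          pname = "swhr";
          version = "0.1.0";
          src = ./.;
          # Dependencies are vendored from the lock file, so no separate
          # cargoSha256/cargoHash placeholder is needed (it is ignored when
          # cargoLock is given).
          cargoLock.lockFile = ./Cargo.lock;
          inherit nativeBuildInputs buildInputs;
        };

        # Per-system module output (nixosModules.<system>.default).
        nixosModules.default = mkNixosModule system;
      })
    // {
      # Platform-independent module: picks the package for the host system of
      # the evaluating NixOS configuration.
      nixosModule = { pkgs, ... }: {
        imports = [ (mkNixosModule pkgs.stdenv.hostPlatform.system) ];
      };
    };
}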