author | sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> | 2021-01-09 19:20:37 +0100 |
committer | sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> | 2021-01-09 19:20:37 +0100 |
commit | 1b92104084c2649aead512e124e1a7e320da2966 (patch) | |
tree | 42bf1e98c334b51a9bc27c4a8126a99bd913a0dd | |
parent | d905d84ba5be14699b1cffedaf45c50e4c98f4d8 (diff) |
likely-music-service.nix: add nixos service
-rw-r--r-- | default.nix | 4 | ||||
-rw-r--r-- | likely-music-service.nix | 63 |
2 files changed, 66 insertions, 1 deletions
diff --git a/default.nix b/default.nix
index 007bec0..7314cbd 100644
--- a/default.nix
+++ b/default.nix
@@ -1 +1,3 @@
-(import ./pkgs.nix { pkgs = import <nixpkgs> {}; })
+{ pkgs ? import <nixpkgs> {}; }:
+
+import ./pkgs.nix { inherit pkgs; }
diff --git a/likely-music-service.nix b/likely-music-service.nix
new file mode 100644
index 0000000..baa821a
--- /dev/null
+++ b/likely-music-service.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+ lpkgs = import ./pkgs.nix {
+ inherit pkgs;
+ };
+
+ cfg = config.services.likely-music;
+
+in {
+ options.services.likely-music = {
+ enable = lib.mkEnableOption "likely-music";
+ virtualHost = lib.mkOption {
+ type = lib.types.str;
+ default = "localhost";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.likely-music = {
+ description = "likely-music web server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${lpkgs.likely-music}/bin/likely-music";
+
+ PrivateTmp = true;
+ TemporaryFileSystem= "/:ro";
+ BindReadOnlyPaths = "/nix";
+
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ LockPersonality = true;
+
+ DynamicUser = true;
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateUsers = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ };
+ };
+
+ services.nginx.virtualHosts."${cfg.virtualHost}" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ location / {
+ proxy_pass http://localhost:8081/;
+ }
+ '';
+ };
+ };
+}
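Review bot: In the `services.nginx.virtualHosts` block the vhost unconditionally sets `enableACME = true` and `forceSSL = true` while the `virtualHost` option defaults to `"localhost"`, so enabling the service with the default leaves nginx trying to obtain a certificate for a name a public CA will not validate; drop the `default` so evaluation fails until a real host name is set, or expose ACME/forceSSL as options. The upstream port is hard-coded in `proxy_pass http://localhost:8081/;` and nothing in `serviceConfig` tells the binary where to listen, so this coupling deserves at least a comment above the vhost such as `# likely-music is assumed to listen on 127.0.0.1:8081 — confirm against the binary's defaults`, or a `port` option threaded into both places. The hardening set could also carry `RestrictAddressFamilies = "AF_INET AF_INET6";` and `SystemCallArchitectures = "native";`, which sit naturally beside the existing `Protect*`/`Private*` directives (add `AF_UNIX` only if the binary turns out to need it). Minor: `TemporaryFileSystem= "/:ro";` is missing the space before `=`.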