service done, needs config and reverse proxy

This commit is contained in:
twoneis 2025-05-11 18:01:21 +02:00
parent 6ff3ae49ec
commit e2359b5cc6
3 changed files with 118 additions and 42 deletions


@ -4,11 +4,121 @@
config,
...
}: let
inherit (lib) mkIf;
inherit (lib) mkIf mkOption;
inherit (lib.generators) toINI;
inherit (config) versions;
inherit (lib.types) attrs package;
cfg = config.conf.fedi.iceshrimp;
iceshrimp = pkgs.callPackage ./iceshrimp.nix {version = versions.iceshrimp;};
in
mkIf cfg.enable {
settings = pkgs.writeTextFile {
name = "configuration.overrides.ini";
text = toINI {} config.services.iceshrimp.settings;
};
in {
options = {
services.iceshrimp = {
package = mkOption {
type = package;
default = iceshrimp;
};
settings = mkOption {
type = attrs;
default = {};
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [iceshrimp];
}
services.iceshrimp = {
settings = {
Instance = {
ListenPort = 3000;
ListenHost = "localhost";
WebDomain = cfg.domain.full;
AccountDomain = cfg.domain.full;
};
Security = {
};
};
};
systemd.services.iceshrimp = {
enable = true;
description = "Iceshrimp.NET daemon";
environment = {
ICESHRIMP_CONFIG_OVERRIDES = settings;
MALLOC_TRIM_TRESHOLD = "131072";
};
after = ["postgresql.service"];
requires = ["postgresql.service"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
Restart = "on-failure";
User = "iceshrimp";
Group = "iceshrimp";
WorkingDirectory = "${iceshrimp}/usr/share";
SysLogIdentifier = "iceshrimp.net";
ExecStart = "${iceshrimp}/usr/share/Iceshrimp.Backend --migrate-and-start";
ReadOnlyPaths = [
"${iceshrimp}/usr/share"
"${iceshrimp}/etc/configuration.ini"
"${settings}"
];
ReadWritePaths = [
"/var/lib/iceshrimp.net/files"
"/var/lib/iceshrimp/iceshrimp.net.sock"
];
NoExecPaths = [
"/var/lib/iceshrimp.net/files"
];
RestrictSUIDSGID = true;
RestrictNamespaces = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectSystem = "strict";
ProtectHome = true;
ProtectProc = "invisible";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
LockPersonality = true;
NoNewPrivileges = true;
};
};
services.postgresql = {
enable = true;
ensureDatabases = ["iceshrimp"];
ensureUsers = [
{
name = "iceshrimp";
ensureDBOwnership = true;
}
];
};
};
}
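Review bot: Two keys in the new systemd unit are spelled so that they are silently ignored: `SysLogIdentifier` should be `SyslogIdentifier` (systemd directive names are case-sensitive and unknown `[Service]` keys are dropped with only a journal warning), and `MALLOC_TRIM_TRESHOLD` matches neither the glibc variable `MALLOC_TRIM_THRESHOLD_` nor anything the runtime reads, so the intended `SyslogIdentifier = "iceshrimp.net";` and `MALLOC_TRIM_THRESHOLD_ = "131072";` never take effect. The unit runs as `User = "iceshrimp"` and lists `/var/lib/iceshrimp.net/files` and `/var/lib/iceshrimp/iceshrimp.net.sock` as writable, but nothing in this hunk declares that user and group or a `StateDirectory`, and under `ProtectSystem = "strict"` those paths will not be created unless another module does so — worth confirming before the service is enabled. The `services.iceshrimp.package` option is declared but `environment.systemPackages`, `WorkingDirectory`, `ExecStart` and `ReadOnlyPaths` all use the let-bound `iceshrimp` directly, so overriding the option has no effect; those sites should read `config.services.iceshrimp.package` instead. Because `settings` is rendered with `writeTextFile` into the world-readable Nix store, the `settings` option can never carry credentials (for example a database password once the placeholder `Security = { };` is filled in), and the option deserves a `description` saying so. The module's argument list and final closing brace are outside the hunk.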


@ -32,21 +32,20 @@ stdenv.mkDerivation {
unpackPhase = ''
runHook preUnpack
mkdir -p $out $out/etc
mkdir -p $out $out/etc $out/usr
tar xf $src -C $out
mv $out/Iceshrimp.NET-v${version.version}-linux-amd64-glibc $out/lib
mv $out/Iceshrimp.NET-v${version.version}-linux-amd64-glibc $out/usr/share
mv $out/lib/configuration.ini $out/etc
mv $out/usr/share/configuration.ini $out/etc/
runHook postUnpack
'';
postFixup = ''
makeWrapper $out/lib/Iceshrimp.Backend $out/bin/iceshrimp \
makeWrapper $out/usr/share/Iceshrimp.Backend $out/bin/iceshrimp \
--set DOTNET_ROOT ${dotnetCorePackages.sdk_9_0}/share/dotnet/ \
--set ICESHRIMP_CONFIG $out/etc/configuration.ini \
--set ICESHRIMP_CONFIG_OVERRIDES $out/etc/configuration.overrides.ini
'';
}
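Review bot: The wrapper built in `postFixup` still sets `ICESHRIMP_CONFIG_OVERRIDES` to `$out/etc/configuration.overrides.ini`, but nothing in this derivation creates that file (the overrides file is generated elsewhere at module evaluation time), so the wrapper points at a path that does not exist in the output. The wrapper is also the only place `DOTNET_ROOT` and `ICESHRIMP_CONFIG` are set, while the accompanying service module starts `${iceshrimp}/usr/share/Iceshrimp.Backend` directly; if the backend needs those variables as the wrapper implies, the unit should either exec `${iceshrimp}/bin/iceshrimp` or set the same environment, otherwise the service starts without them. Consider a comment above `makeWrapper` stating which of the two entry points is the supported one, e.g. `# Wrapper for interactive use; the NixOS unit sets its own environment.`. The start of the `stdenv.mkDerivation` call is outside the hunk.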


@ -1,33 +0,0 @@
{
pkgs,
lib,
...
}: let
inherit
(lib)
mkOption
mkPackageOption
;
inherit (lib.types) nonEmptyStr attrsOf str;
in {
options = {
services.iceshrimp = {
user = mkOption {
type = nonEmptyStr;
default = "iceshrimp";
};
group = mkOption {
type = nonEmptyStr;
default = "iceshrimp";
};
package = mkPackageOption pkgs "iceshrimp" {};
config = mkOption {
type = attrsOf str;
default = ./default_config.nix;
};
};
};
}