From e2359b5cc6ea7698f5698536968996de7029fcef Mon Sep 17 00:00:00 2001
From: twoneis
Date: Sun, 11 May 2025 18:01:21 +0200
Subject: [PATCH] service done, needs config and reverse proxy

---
 modules/fedi/iceshrimp/default.nix | 118 ++++++++++++++++++++++++++-
 modules/fedi/iceshrimp/iceshrimp.nix | 9 +-
 modules/fedi/iceshrimp/option.nix | 33 --------
 3 files changed, 118 insertions(+), 42 deletions(-)
 delete mode 100644 modules/fedi/iceshrimp/option.nix

diff --git a/modules/fedi/iceshrimp/default.nix b/modules/fedi/iceshrimp/default.nix
index 42696c5..2ffe691 100644
--- a/modules/fedi/iceshrimp/default.nix
+++ b/modules/fedi/iceshrimp/default.nix
@@ -4,11 +4,121 @@
 config,
 ...
 }: let
- inherit (lib) mkIf;
+ inherit (lib) mkIf mkOption;
+ inherit (lib.generators) toINI;
 inherit (config) versions;
+ inherit (lib.types) attrs package;
 cfg = config.conf.fedi.iceshrimp;
 iceshrimp = pkgs.callPackage ./iceshrimp.nix {version = versions.iceshrimp;};
-in
- mkIf cfg.enable {
+ settings = pkgs.writeTextFile {
+ name = "configuration.overrides.ini";
+ text = toINI {} config.services.iceshrimp.settings;
+ };
+in {
+ options = {
+ services.iceshrimp = {
+ package = mkOption {
+ type = package;
+ default = iceshrimp;
+ };
+
+ settings = mkOption {
+ type = attrs;
+ default = {};
+ };
+ };
+ };
+ config = mkIf cfg.enable {
 environment.systemPackages = [iceshrimp];
- }
+
+ services.iceshrimp = {
+ settings = {
+ Instance = {
+ ListenPort = 3000;
+ ListenHost = "localhost";
+
+ WebDomain = cfg.domain.full;
+ AccountDomain = cfg.domain.full;
+ };
+ Security = {
+ };
+ };
+ };
+
+ systemd.services.iceshrimp = {
+ enable = true;
+ description = "Iceshrimp.NET daemon";
+
+ environment = {
+ ICESHRIMP_CONFIG_OVERRIDES = settings;
+ MALLOC_TRIM_TRESHOLD = "131072";
+ };
+
+ after = ["postgresql.service"];
+ requires = ["postgresql.service"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+
+ User = "iceshrimp";
+ Group = "iceshrimp";
+
+ WorkingDirectory = "${iceshrimp}/usr/share";
+ SysLogIdentifier = "iceshrimp.net";
+ ExecStart = "${iceshrimp}/usr/share/Iceshrimp.Backend --migrate-and-start";
+
+ ReadOnlyPaths = [
+ "${iceshrimp}/usr/share"
+ "${iceshrimp}/etc/configuration.ini"
+ "${settings}"
+ ];
+
+ ReadWritePaths = [
+ "/var/lib/iceshrimp.net/files"
+ "/var/lib/iceshrimp/iceshrimp.net.sock"
+ ];
+
+ NoExecPaths = [
+ "/var/lib/iceshrimp.net/files"
+ ];
+
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+
+ PrivateTmp = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectProc = "invisible";
+
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ SystemCallErrorNumber = "EPERM";
+
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = ["iceshrimp"];
+ ensureUsers = [
+ {
+ name = "iceshrimp";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/fedi/iceshrimp/iceshrimp.nix b/modules/fedi/iceshrimp/iceshrimp.nix
index 57f753f..74a17aa 100644
--- a/modules/fedi/iceshrimp/iceshrimp.nix
+++ b/modules/fedi/iceshrimp/iceshrimp.nix
@@ -32,21 +32,20 @@ stdenv.mkDerivation {
 unpackPhase = ''
 runHook preUnpack
- mkdir -p $out $out/etc
+ mkdir -p $out $out/etc $out/usr
 tar xf $src -C $out
- mv $out/Iceshrimp.NET-v${version.version}-linux-amd64-glibc $out/lib
+ mv $out/Iceshrimp.NET-v${version.version}-linux-amd64-glibc $out/usr/share
- mv $out/lib/configuration.ini $out/etc
+ mv $out/usr/share/configuration.ini $out/etc/
 runHook postUnpack
 '';
 postFixup = ''
- makeWrapper $out/lib/Iceshrimp.Backend $out/bin/iceshrimp \
+ makeWrapper $out/usr/share/Iceshrimp.Backend $out/bin/iceshrimp \
 --set DOTNET_ROOT ${dotnetCorePackages.sdk_9_0}/share/dotnet/ \
 --set ICESHRIMP_CONFIG $out/etc/configuration.ini \
- --set ICESHRIMP_CONFIG_OVERRIDES $out/etc/configuration.overrides.ini
 '';
 }
diff --git a/modules/fedi/iceshrimp/option.nix b/modules/fedi/iceshrimp/option.nix
deleted file mode 100644
index 3db2b6d..0000000
--- a/modules/fedi/iceshrimp/option.nix
+++ /dev/null
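Review bot: Two keys in the new systemd unit are misspelled and will be silently ignored: `SysLogIdentifier` should be `SyslogIdentifier`, and glibc reads `MALLOC_TRIM_THRESHOLD_` (with the trailing underscore), not `MALLOC_TRIM_TRESHOLD`. The new `services.iceshrimp.package` option is declared but never read — `WorkingDirectory`, `ExecStart` and `ReadOnlyPaths` all interpolate the local `iceshrimp` binding, so setting the option has no effect; use `config.services.iceshrimp.package` there instead. `settings` is rendered with `toINI` into a `writeTextFile`, i.e. a world-readable Nix store path, so whatever later fills the empty `Security` section must keep credentials out of it (an `EnvironmentFile=` or `LoadCredential=` outside the store), and a comment on the `settings` option stating that would save the next contributor from putting a database password there. Lastly, `ReadWritePaths` names `/var/lib/iceshrimp.net/files` and `/var/lib/iceshrimp/iceshrimp.net.sock` under two different directories with nothing in this hunk creating them (no `StateDirectory=` or tmpfiles rule) and no `users.users.iceshrimp` for `User=`, so presumably those come from elsewhere — worth confirming, since unprefixed paths that do not exist make the unit fail to start under `ProtectSystem = "strict"`.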
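Review bot: The `makeWrapper` invocation now ends with `--set ICESHRIMP_CONFIG $out/etc/configuration.ini \` — the continuation backslash that used to join the removed `ICESHRIMP_CONFIG_OVERRIDES` line is left dangling before the closing `''`; drop it so the command ends cleanly: `--set ICESHRIMP_CONFIG $out/etc/configuration.ini`. Note also that the unit in default.nix runs `${iceshrimp}/usr/share/Iceshrimp.Backend` directly rather than the `$out/bin/iceshrimp` wrapper built here, so `DOTNET_ROOT` and `ICESHRIMP_CONFIG` set by the wrapper never reach the service; either point `ExecStart` at the wrapper or set those two variables in the unit's `environment` as well. Placing the payload under `$out/usr/share` is unusual for a Nix output (`$out/lib` or `$out/share` is the convention) but is only cosmetic. The `stdenv.mkDerivation` body starts before this hunk.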
@@ -1,33 +0,0 @@
-{
- pkgs,
- lib,
- ...
-}: let
- inherit
- (lib)
- mkOption
- mkPackageOption
- ;
- inherit (lib.types) nonEmptyStr attrsOf str;
-in {
- options = {
- services.iceshrimp = {
- user = mkOption {
- type = nonEmptyStr;
- default = "iceshrimp";
- };
-
- group = mkOption {
- type = nonEmptyStr;
- default = "iceshrimp";
- };
-
- package = mkPackageOption pkgs "iceshrimp" {};
-
- config = mkOption {
- type = attrsOf str;
- default = ./default_config.nix;
- };
- };
- };
-}