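{
  description = "MusicLink Bot - Matrix-native music link converter";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, utils }:
    utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };
      in
      {
        # The bot binary, built from this repository.
        packages.default = pkgs.buildGoModule {
          pname = "musiclink";
          version = "0.1.0";
          src = ./.;

          # `null` tells buildGoModule NOT to fetch Go modules itself: it expects
          # a committed `vendor/` directory inside `src`. To have Nix fetch and
          # hash-pin the modules instead, set this to `pkgs.lib.fakeHash`, run
          # `nix build`, paste the hash from the mismatch error, and repeat
          # whenever go.mod / go.sum change.
          vendorHash = null;

          subPackages = [ "cmd/musiclink" ];

          meta = with pkgs.lib; {
            description = "Matrix-native music link converter bot";
            homepage = "https://github.com/dan/musiclink";
            license = licenses.mit;
            maintainers = [ ];
          };
        };

        # NOTE(review): the dev shell pins Go 1.24 while buildGoModule above uses
        # the nixpkgs default toolchain; if go.mod declares `go 1.24` the package
        # build may need the same toolchain — confirm.
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [ go_1_24 gopls gotools ];
        };
      })
    // {
      # NixOS module running the bot as a hardened, unprivileged systemd service.
      nixosModules.default = { config, lib, pkgs, ... }:
        with lib;
        let
          cfg = config.services.musiclink;
        in
        {
          options.services.musiclink = {
            enable = mkEnableOption "MusicLink Bot";

            # Overridable so a host can run a patched or pinned build without
            # forking the module; defaults to this flake's own package.
            package = mkOption {
              type = types.package;
              default = self.packages.${pkgs.stdenv.hostPlatform.system}.default;
              defaultText = literalExpression "self.packages.\${system}.default";
              description = "The musiclink package to run.";
            };

            configFile = mkOption {
              # `types.path` is the correct (lowercase) option type; `types.Path`
              # does not exist in nixpkgs and fails evaluation.
              type = types.path;
              description = ''
                Path to the config.toml file.

                Prefer an absolute string path (e.g. "/var/lib/musiclink/config.toml")
                over a path literal such as `./config.toml`: a path literal is copied
                into the world-readable Nix store, which matters if the file holds
                credentials. The file is passed to the service through systemd
                credentials, so it may be root-owned with mode 0600.
              '';
            };
          };

          config = mkIf cfg.enable {
            systemd.services.musiclink = {
              description = "MusicLink Bot";
              wantedBy = [ "multi-user.target" ];
              # The bot only makes outbound connections; wait for the network to
              # actually be up rather than merely configured.
              wants = [ "network-online.target" ];
              after = [ "network-online.target" ];

              serviceConfig = {
                Type = "simple";
                # Hand the config to the service as a systemd credential: systemd
                # reads it as root and exposes it read-only to the DynamicUser
                # account, so the original file never needs to be world-readable.
                # `%d` expands to $CREDENTIALS_DIRECTORY.
                LoadCredential = [ "config.toml:${cfg.configFile}" ];
                ExecStart = "${cfg.package}/bin/musiclink -config %d/config.toml";
                Restart = "always";
                RestartSec = "5s";

                # Hardening: ephemeral unprivileged user, private writable state
                # only under /var/lib/musiclink, everything else read-only.
                DynamicUser = true;
                StateDirectory = "musiclink";
                UMask = "0077";
                CapabilityBoundingSet = "";
                ProtectSystem = "strict";
                ProtectHome = true;
                PrivateTmp = true;
                PrivateDevices = true;
                PrivateMounts = true;
                NoNewPrivileges = true;
                ProtectClock = true;
                ProtectHostname = true;
                ProtectKernelLogs = true;
                ProtectKernelTunables = true;
                ProtectKernelModules = true;
                ProtectControlGroups = true;
                ProtectProc = "invisible";
                ProcSubset = "pid";
                RestrictNamespaces = true;
                # AF_UNIX kept for local resolver / journal sockets; the bot itself
                # only needs IP.
                RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
                LockPersonality = true;
                MemoryDenyWriteExecute = true;
                RestrictRealtime = true;
                RestrictSUIDSGID = true;
                RemoveIPC = true;
                SystemCallArchitectures = "native";
                SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
              };
            };
          };
        };
    };
}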