91 lines
2.7 KiB
Nix
91 lines
2.7 KiB
Nix
{
|
|
description = "MusicLink Bot - Matrix-native music link converter";
|
|
|
|
inputs = {
|
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
|
|
utils.url = "github:numtide/flake-utils";
|
|
};
|
|
|
|
outputs = { self, nixpkgs, utils }:
|
|
utils.lib.eachDefaultSystem (system:
|
|
let
|
|
pkgs = import nixpkgs { inherit system; };
|
|
in
|
|
{
|
|
packages.default = pkgs.buildGoModule {
|
|
pname = "musiclink";
|
|
version = "0.1.0";
|
|
src = ./.;
|
|
|
|
# Run 'nix build' and update this hash if dependencies change
|
|
vendorHash = "sha256-Upjt0Q2G6x5vGf0bG0TS9uWrHBow8/cQsZexhMgVb2I=";
|
|
|
|
subPackages = [ "cmd/musiclink" ];
|
|
|
|
meta = with pkgs.lib; {
|
|
description = "Matrix-native music link converter bot";
|
|
homepage = "https://github.com/dan/musiclink";
|
|
license = licenses.mit;
|
|
maintainers = [ ];
|
|
};
|
|
};
|
|
|
|
devShells.default = pkgs.mkShell {
|
|
buildInputs = with pkgs; [
|
|
go
|
|
gopls
|
|
gotools
|
|
];
|
|
};
|
|
}
|
|
) // {
|
|
nixosModules.default = { config, lib, pkgs, ... }:
|
|
with lib;
|
|
let
|
|
cfg = config.services.musiclink;
|
|
in
|
|
{
|
|
options.services.musiclink = {
|
|
enable = mkEnableOption "MusicLink Bot";
|
|
|
|
configFile = mkOption {
|
|
type = types.Path;
|
|
description = "Path to the config.toml file";
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
systemd.services.musiclink = {
|
|
description = "MusicLink Bot";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
ExecStart = "${self.packages.${pkgs.system}.default}/bin/musiclink -config ${cfg.configFile}";
|
|
Restart = "always";
|
|
RestartSec = "5s";
|
|
|
|
# Hardening
|
|
DynamicUser = true;
|
|
StateDirectory = "musiclink";
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
NoNewPrivileges = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectControlGroups = true;
|
|
RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
PrivateMounts = true;
|
|
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|