Merge branch 'main' of git.min.rip:min/breeze

This commit is contained in:
minish 2024-10-20 01:42:54 -04:00
commit 2e65f3744b
Signed by: min
GPG Key ID: FEECFF24EF0CE9E9
3 changed files with 162 additions and 242 deletions


@ -20,11 +20,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1726560853,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -35,11 +35,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1725534445, "lastModified": 1726871744,
"narHash": "sha256-Yd0FK9SkWy+ZPuNqUgmVPXokxDgMJoGuNpMEtkfcf84=", "narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9bb1e7571aadf31ddb4af77fc64b2d59580f9a39", "rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -7,15 +7,14 @@
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
}; };
outputs = outputs = {
{ self self,
, nixpkgs nixpkgs,
, crane crane,
, flake-utils flake-utils,
, ... ...
}: }:
flake-utils.lib.eachDefaultSystem (system: flake-utils.lib.eachDefaultSystem (system: let
let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
craneLib = crane.mkLib pkgs; craneLib = crane.mkLib pkgs;
@ -44,8 +43,7 @@
# here *without* rebuilding all dependency crates # here *without* rebuilding all dependency crates
# MY_CUSTOM_VAR = "some value"; # MY_CUSTOM_VAR = "some value";
}); });
in in {
{
checks = { checks = {
inherit breeze; inherit breeze;
}; };
@ -70,17 +68,16 @@
]; ];
}; };
nixosModules.breeze = nixosModules.breeze = {
{ config config,
, pkgs pkgs,
, lib lib,
, ... ...
}: }:
with lib; let with lib; let
cfg = config.services.breeze; cfg = config.services.breeze;
settingsFormat = pkgs.formats.toml { }; settingsFormat = pkgs.formats.toml {};
in in {
{
options = { options = {
services.breeze = { services.breeze = {
enable = mkEnableOption "breeze file server"; enable = mkEnableOption "breeze file server";
@ -105,18 +102,36 @@
extraGroups = mkOption { extraGroups = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ ]; default = [];
description = "Supplementary groups"; description = "Any supplementary groups for `breeze` to run under";
}; };
settings = mkOption { settings = mkOption {
type = settingsFormat.type; type = settingsFormat.type;
default = { }; default = {};
description = '' description = ''
The *.toml configuration to run `breeze` with. The *.toml configuration to run `breeze` with.
There is no formal documentation, but there is an example in the [readme](https://git.min.rip/min/breeze/src/branch/main/README.md). There is no formal documentation, but there is an example in the [readme](https://git.min.rip/min/breeze/src/branch/main/README.md).
''; '';
}; };
configDir = mkOption {
type = types.path;
default = "/etc/breeze";
description = ''
The directory on disk to store the `breeze` config file in.
This does not load pre-existing config files, it only defines where the generated config is saved.
'';
};
uploadKeyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
File to load the `engine.upload_key` from, if desired.
This is useful for loading it from a secret management system.
'';
};
}; };
}; };
@ -126,12 +141,30 @@
inherit (cfg) group; inherit (cfg) group;
}; };
users.groups.${cfg.group} = { }; users.groups.${cfg.group} = {};
systemd.services.breeze = { systemd.tmpfiles.rules = [
"d '${cfg.configDir}' 0750 ${cfg.user} ${cfg.group} - -"
];
services.breeze.settings = mkMerge [
(mkIf (cfg.uploadKeyFile != null) {engine.upload_key = "@UPLOAD_KEY@";})
];
systemd.services.breeze = let
cfgFile = "${cfg.configDir}/breeze.toml";
in {
description = "breeze file server"; description = "breeze file server";
after = [ "local-fs.target" "network.target" ]; after = ["local-fs.target" "network.target"];
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
preStart =
''
install -m 660 ${settingsFormat.generate "breeze.toml" cfg.settings} ${cfgFile}
''
+ lib.optionalString (cfg.uploadKeyFile != null) ''
${pkgs.replace-secret}/bin/replace-secret '@UPLOAD_KEY@' "${cfg.uploadKeyFile}" ${cfgFile}
'';
serviceConfig = rec { serviceConfig = rec {
User = cfg.user; User = cfg.user;
@ -143,7 +176,7 @@
ExecStart = escapeShellArgs [ ExecStart = escapeShellArgs [
"${cfg.package}/bin/breeze" "${cfg.package}/bin/breeze"
"--config" "--config"
(settingsFormat.generate "breeze.toml" cfg.settings) cfgFile
]; ];
Restart = "on-failure"; Restart = "on-failure";
@ -171,7 +204,7 @@
ProtectKernelTunables = true; ProtectKernelTunables = true;
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; # implied by DynamicUser RestrictSUIDSGID = true; # implied by DynamicUser
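Review bot: `uploadKeyFile` is typed `types.nullOr types.path`, so a path literal such as `./upload.key` is accepted and silently copied into the world-readable Nix store, which defeats the `@UPLOAD_KEY@` placeholder scheme that `preStart` exists for; the description should state that the value must be an absolute path string to a file present at runtime (for example one produced by a secrets tool), or the option should be narrowed to `types.nullOr types.str`. The `replace-secret` step also runs as `cfg.user` (no `+` prefix on `preStart`, and `User = cfg.user` is set), so the key file must be readable by the service user, presumably also under the hardening options in the last hunk; one sentence on this in the description would save operators a failed start. Separately, `${cfgFile}` is unquoted in both shell lines of `preStart`; since `configDir` is a `types.path`, writing it as `"${cfgFile}"` is cheap insurance. The enclosing `nixosModules.breeze` function starts and ends outside these hunks.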


@ -1,113 +0,0 @@
{ config
, pkgs
, lib
, ...
}:
with lib; let
cfg = config.services.breeze;
settingsFormat = pkgs.formats.toml { };
in
{
options = {
services.breeze = {
enable = mkEnableOption "breeze file server";
package = mkPackageOption self.packages.${system} "breeze";
user = mkOption {
type = types.str;
default = "breeze";
description = "User that `breeze` will run under";
};
group = mkOption {
type = types.str;
default = "breeze";
description = "Group that `breeze` will run under";
};
extraGroups = mkOption {
type = types.listOf types.str;
default = [ ];
description = "Supplementary groups";
};
settings = mkOption {
type = settingsFormat.type;
default = { };
description = ''
The *.toml configuration to run `breeze` with.
There is no formal documentation, but there is an example in the [readme](https://git.min.rip/min/breeze/src/branch/main/README.md).
'';
};
};
};
config = mkIf cfg.enable {
users.users.${cfg.user} = {
isSystemUser = true;
inherit (cfg) group;
};
users.groups.${cfg.group} = { };
systemd.services.breeze = {
description = "breeze file server";
after = [ "local-fs.target" "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
User = cfg.user;
Group = cfg.group;
DynamicUser = false; # we write files, so don't do that
SupplementaryGroups = cfg.extraGroups;
StateDirectory = "breeze";
CacheDirectory = "breeze";
ExecStart = escapeShellArgs [
"${cfg.package}/bin/breeze"
"--config"
(settingsFormat.generate "breeze.toml" cfg.settings)
];
Restart = "on-failure";
# Security Options #
NoNewPrivileges = true; # implied by DynamicUser
RemoveIPC = true; # implied by DynamicUser
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
PrivateTmp = true; # implied by DynamicUser
PrivateDevices = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
RestrictSUIDSGID = true; # implied by DynamicUser
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@keyring"
"~@memlock"
"~@privileged"
"~@setuid"
];
};
};
};
}