add caps to container and nix

2024-08-08 00:50:33 +02:00 · 2024-08-08 00:50:33 +02:00 · adb0190b3f
parent 1978208b61
commit adb0190b3f
2 changed files with 34 additions and 2 deletions
--- a/sanic.container
+++ b/sanic.container
@ -2,10 +2,11 @@
 Description=sanic - chaos music control

 [Container]
+AddCapability=CAP_NET_BIND_SERVICE
 AutoUpdate=registry
 ContainerName=sanic
 Group=sanic
-HealthCmd=/usr/bin/curl localhost:8080/echo
+HealthCmd=/usr/bin/curl localhost:443/echo
 HealthInterval=2m
 HealthOnFailure=restart
 HealthRetries=5
@ -14,7 +15,7 @@ Image=registry.gitlab.com/xengi/sanic/sanic:latest
 LogDriver=journald
 Network=host
 NoNewPrivileges=true
-PublishPort=8080
+PublishPort=443
 Pull=always
 User=sanic
 Volume=/etc/sanic/config.ini:/config.ini
@ -25,3 +26,4 @@ TimeoutStartSec=900

 [Install]
 WantedBy=multi-user.target default.target
+
--- a/services.nix
+++ b/services.nix
@ -0,0 +1,30 @@
+{ self, ...}: {config, lib, pkgs, ...}:
+
+let
+  cfg = config.services.sanic;
+  format = pkgs.formats.ini { };
+in
+{
+  options.services.sanic = {
+    enable = mkEnableOption (lib.mdDoc "sanic");
+    settings = mkOption {
+      type = format.type;
+      default = { };
+      description = lib.mkDoc ''
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.sanic = {
+      description = "chaos music control";
+      wantedBy = [ "multi-user.target" "default.target" ];
+      serviceConfig = {
+        DynamicUser = true;
+        ExecStart = "${self.packages.${pkgs.system}.default}/bin/sanic";
+        Restart = "on-failure";
+        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+      };
+    };
+  };
+}