vinzenz/servicepoint-tanks
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: vinzenz:main
Branches Tags
vinzenz:main
vinzenz:service-improvements
...
pull from: vinzenz:service-improvements
Branches Tags
vinzenz:service-improvements
vinzenz:main
Sign in to create a new pull request.

1 commit
main ... service-im

Author SHA1 Message Date
Vinzenz Schroeter
1bb73d664d add configurable service to nixosModule 2025-10-12 19:03:04 +02:00
2 changed files with 132 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

132
flake.nix
View file

@ -135,13 +135,139 @@
"--set-default TANKSSERVER_CLIENT ${selfPkgs.servicepoint-tanks-frontend}"
"--set-default TANKSSERVER_ASSETS ${selfPkgs.servicepoint-tanks-assets}"
];
meta = {
mainProgram = "TanksServer";
};
};
}
);
nixosModules.default = {
nixpkgs.overlays = [ self.overlays.default ];
};
nixosModules.default =
{
pkgs,
config,
lib,
...
}:
let
cfg = config.services.servicepoint-tanks;
default-user-name = "servicepoint-tanks";
in
{
options.services.servicepoint-tanks = {
enable = lib.mkEnableOption "servicepoint-tanks";
package = lib.mkPackageOption pkgs "servicepoint-tanks" { };
urls = lib.mkOption {
default = [ "http://localhost:5000" ];
description = ''
Configures which protocol to bind on which host:port combination.
'';
type = lib.types.listOf lib.types.str;
example = [
"http://0.0.0.0"
"http://localhost:5000"
# TODO: allow HTTPS
];
};
user = lib.mkOption {
default = default-user-name;
description = ''
The user under which servicepoint-tanks is run.
This module utilizes systemd's DynamicUser feature. See the corresponding section in
{manpage}`systemd.exec(5)` for more details.
'';
type = lib.types.str;
};
group = lib.mkOption {
default = default-user-name;
description = ''
The group under which servicepoint-tanks is run.
This module utilizes systemd's DynamicUser feature. See the corresponding section in
{manpage}`systemd.exec(5)` for more details.
'';
type = lib.types.str;
};
};
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [ self.overlays.default ];
users = {
users = lib.mkIf (cfg.user == default-user-name) {
"${default-user-name}" = {
isSystemUser = true;
group = cfg.group;
};
};
groups = lib.mkIf (cfg.group == default-user-name) {
"${default-user-name}" = { };
};
};
systemd.services.sericepoint-tanks = {
description = "Run the servicepoint-tanks server";
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
environment = {
ASPNETCORE_URLS = "${lib.strings.concatStringsSep ";" cfg.urls}";
};
serviceConfig = {
User = cfg.user;
Group = cfg.group;
DynamicUser = true;
Type = "exec";
ExecStart = lib.getExe cfg.package;
# hardening
NoNewPrivileges = true;
CapabilityBoundingSet = null;
SystemCallFilter = [
"@system-service"
"~@privileged"
];
SystemCallArchitectures = "native";
AmbientCapabilities = "";
PrivateMounts = true;
PrivateUsers = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectControlGroups = "strict";
LockPersonality = true;
RemoveIPC = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictNamespaces = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
# TODO: enable unix domain socket bind
# "AF_UNIX"
];
# TODO: try fully AOT build with:
#MemoryDenyWriteExecute = true;
};
};
};
};
overlays.default = final: prev: {
servicepoint-tanks = self.packages."${prev.system}".servicepoint-tanks;

3
tanks-backend/TanksServer/Program.cs
View file

@ -133,6 +133,9 @@ public static class Program
app.UseWebSockets();
app.UseHttpLogging();
// TODO add domain socket support
// TODO Call UseKestrelHttpsConfiguration() on IWebHostBuilder to automatically enable HTTPS when an https:// address is used
return app;
}