Add nixosModule

2025-05-24 03:11:56 +02:00 · 2025-05-24 03:11:56 +02:00 · ed25eca79f
commit ed25eca79f
parent a85b9221dc
3 changed files with 73 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -26,6 +26,9 @@
        labmon = self.packages.${prev.system}.default;
      };

+      nixosModules.labmon = import ./nix/module.nix;
+      nixosModules.default = self.nixosModules.labmon;
+
      packages = forAllSystems (
        { pkgs }:
        {
--- a/main.go
+++ b/main.go
@ -18,7 +18,11 @@ import (
 const Version = "0.1.0"

 func LoadConfig() (*config.Config, error) {
-	config, err := config.FromFile("labmon.toml")
+	path := "labmon.toml"
+	if len(os.Args) > 1 {
+		path = os.Args[1]
+	}
+	config, err := config.FromFile(path)
 	if err != nil {
 		return nil, err
 	}
--- a/nix/module.nix
+++ b/nix/module.nix
@ -0,0 +1,65 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+let
+  settingsFormat = pkgs.format.toml { };
+
+  settingsFile = settingsFormat.generate "labmon.toml" config.labmon.settings;
+in
+{
+  options.labmon = {
+    enable = lib.mkEnableOption "Enable labmon";
+
+    settings = lib.mkOption {
+      type = lib.types.attrs;
+      description = ''
+        Settings for labmon.
+      '';
+    };
+  };
+
+  systemd.services.labmon = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.labmon}/bin/labmon ${settingsFile}";
+      DynamicUser = true;
+      Restart = "always";
+
+      # Hardening
+      DevicePolicy = "strict";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+    };
+  };
+}