Mirrors/iocaine
1
0
Fork 0
mirror of https://git.madhouse-project.org/algernon/iocaine.git synced 2025-02-24 10:28:48 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

nix: Add a NixOS module

Browse source 
Signed-off-by: Gergely Nagy <me@gergo.csillger.hu>
This commit is contained in:
Gergely Nagy 2025-01-16 12:27:10 +01:00
parent a01cb16ae0
commit 0fa4f666f5
No known key found for this signature in database
2 changed files with 92 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
flake.nix
View file

@ -89,5 +89,7 @@
"export RUSTFLAGS='--cfg tokio_unstable';" + self.checks.${pkgs.system}.pre-commit-check.shellHook; "export RUSTFLAGS='--cfg tokio_unstable';" + self.checks.${pkgs.system}.pre-commit-check.shellHook;
}; };
}); });
nixosModules.default = import ./nix/nixos-module.nix { inherit self; };
}; };
} }

90
nix/nixos-module.nix Normal file
View file

@ -0,0 +1,90 @@
# SPDX-FileCopyrightText: 2025 Gergely Nagy
# SPDX-FileContributor: Gergely Nagy
#
# SPDX-License-Identifier: MIT
{ self }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.iocaine;
defaultPackage = self.packages.${pkgs.hostPlatform.system}.iocaine;
tomlFormat = pkgs.formats.toml { };
configFile = tomlFormat.generate "iocaine.toml" cfg.config;
in
{
options.services.iocaine = {
enable = lib.mkEnableOption "iocaine, the deadliest poison known to AI";
package = lib.mkOption {
type = lib.types.package;
default = defaultPackage;
description = "The iocaine package to use.";
};
config = lib.mkOption {
inherit (tomlFormat) type;
default = { };
description = "THe configuration for iocaine.";
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.config.sources.markov or null != null;
message = ''
You have to define at least one Markov source (`services.iocaine.config.sources.markov`) for iocaine.
'';
}
{
assertion = cfg.config.sources.words or null != null;
message = ''
You have to define a word list source (`services.iocaine.config.sources.words`) for iocaine.
'';
}
];
systemd.services.iocaine = {
description = "iocaine, the deadliest poison known to AI";
restartTriggers = [ configFile ];
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
HOME = "%S/home";
};
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.lib.getExe cfg.package} --config-file ${configFile}";
Restart = "on-failure";
DynamicUser = true;
StateDirectory = "iocaine";
WorkingDirectory = "/var/lib/iocaine";
ProtectSystem = "strict";
SystemCallArchitectures = "native";
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
DevicePolicy = "closed";
ProtectClock = true;
ProtectHostname = true;
ProtectProc = "invisible";
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
LockPersonality = true;
};
};
};
}