| author | Franck Cuny <franck@fcuny.net> | 2025-08-24 15:06:29 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-08-24 15:06:29 -0700 |
| commit | 1072ca15a6357623b5260f951cec323635cb73e4 (patch) | |
| tree | 818b3758c915d085627a1f1d38e8c2f9b9feeb6e /nix | |
| parent | add Go vanity URL service for custom import paths (diff) | |
add nix configurations for building and running `goget`
Diffstat (limited to 'nix')
| -rw-r--r-- | nix/modules/goget.nix | 66 | ||||
| -rw-r--r-- | nix/overlay.nix | 5 | ||||
| -rw-r--r-- | nix/packages/default.nix | 5 | ||||
| -rw-r--r-- | nix/packages/goget.nix | 31 |
4 files changed, 107 insertions, 0 deletions
diff --git a/nix/modules/goget.nix b/nix/modules/goget.nix
new file mode 100644
index 0000000..3ed5e04
--- /dev/null
+++ b/nix/modules/goget.nix
@@ -0,0 +1,66 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.services.goget;
+in
+{
+ options.services.goget = {
+ enable = mkEnableOption "goget service";
+
+ package = mkPackageOption pkgs "goget" { };
+
+ port = mkOption {
+ type = types.port;
+ default = 8070;
+ description = "Port to listen on";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to open the firewall for the goget service";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.goget = {
+ description = "goget service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ wants = [ "network.target" ];
+
+ serviceConfig = {
+ Type = "exec";
+ DynamicUser = true;
+ ExecStart = "${cfg.package}/bin/goget";
+ Restart = "always";
+ RestartSec = "5";
+
+ # Security settings
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ };
+ };
+}
diff --git a/nix/overlay.nix b/nix/overlay.nix
new file mode 100644
index 0000000..6789627
--- /dev/null
+++ b/nix/overlay.nix
@@ -0,0 +1,5 @@
+final: prev:
+let
+ packages = import ./packages { pkgs = final; };
+in
+packages
diff --git a/nix/packages/default.nix b/nix/packages/default.nix
new file mode 100644
index 0000000..e598fa1
--- /dev/null
+++ b/nix/packages/default.nix
@@ -0,0 +1,5 @@
+{ pkgs }:
+
+{
+ goget = pkgs.callPackage ./goget.nix { };
+}
diff --git a/nix/packages/goget.nix b/nix/packages/goget.nix
new file mode 100644
index 0000000..c767740
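Review bot: In nix/modules/goget.nix, `services.goget.port` is only consumed by `networking.firewall.allowedTCPPorts`; `ExecStart = "${cfg.package}/bin/goget"` passes no argument or environment, so a non-default port combined with `openFirewall = true` opens a port the daemon is probably not listening on while the real listener stays on its built-in port. Pass `cfg.port` to the binary through whatever flag or environment variable goget reads (not visible in this diff), or drop the option until it is wired. The sandbox settings are a good start, but the unit can still open any socket family, keeps the default capability bounding set and can reach device nodes. For a plain HTTP responder the additions below tighten that (add `AF_UNIX` only if the binary turns out to need a local socket), and `systemd-analyze security goget.service` will show what remains.

```nix
serviceConfig = {
  # … unchanged: Type, DynamicUser, ExecStart, Restart, RestartSec, existing security settings …
  CapabilityBoundingSet = "";
  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
  PrivateDevices = true;
  ProtectKernelLogs = true;
  ProtectClock = true;
  ProtectHostname = true;
  SystemCallArchitectures = "native";
  SystemCallFilter = [ "@system-service" ];
};
```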
--- /dev/null
+++ b/nix/packages/goget.nix
@@ -0,0 +1,31 @@
+{
+ lib,
+ buildGoModule,
+}:
+
+buildGoModule rec {
+ pname = "goget";
+ version = "0.1.0"; # Consider deriving from git tags: version = builtins.substring 0 8 self.rev;
+
+ src = ../..;
+
+ vendorHash = "sha256-pStRgjhjjZdsYSnYMcWNbHSF7CJ3+7ZQradZgBfi5Gw=";
+
+ subPackages = [ "cmd/goget" ];
+
+ ldflags = [
+ "-s"
+ "-w"
+ ];
+
+ doCheck = false;
+
+ meta = with lib; {
+ description = "A Go tool for getting things"; # Update with actual description
+ homepage = "https://github.com/yourusername/yourrepo"; # Update with your repo
+ license = licenses.mit;
+ maintainers = with maintainers; [ fcuny ];
+ platforms = platforms.unix;
+ mainProgram = "goget";
+ };
+} |
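Review bot: `src = ../..;` copies the whole repository directory into the world-readable Nix store, and when this is evaluated outside a flake that includes untracked content such as `.git`, `result` links and any stray local files. `src = lib.cleanSource ../..;` drops VCS directories and build leftovers, and a `lib.fileset` limited to the Go sources would also keep unrelated local files out and the derivation hash stable. `doCheck = false;` turns the test phase off without saying why; if that is deliberate, a short comment giving the reason belongs next to it. The `meta.description` and `meta.homepage` values are still template placeholders, and the `version` comment refers to `self.rev`, which is not an argument of this function.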
