From de1bf48711ca27f3d6e57e46085df1f667d1bf31 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 15 Nov 2025 12:11:43 -0800
Subject: remove goget as a package and switch to fcuny-net instead
---
nix/modules/fcuny.net.nix | 66 +++++++++++++++++++++++++++++++++++++++++++++++
nix/modules/goget.nix | 66 -----------------------------------------------
2 files changed, 66 insertions(+), 66 deletions(-)
create mode 100644 nix/modules/fcuny.net.nix
delete mode 100644 nix/modules/goget.nix
(limited to 'nix/modules')
diff --git a/nix/modules/fcuny.net.nix b/nix/modules/fcuny.net.nix
new file mode 100644
index 0000000..39f5bef
--- /dev/null
+++ b/nix/modules/fcuny.net.nix
@@ -0,0 +1,66 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.services.fcuny-net;
+in
+{
+ options.services.fcuny-net = {
+ enable = mkEnableOption "fcuny.net service";
+
+ package = mkPackageOption pkgs "fcuny.net" { };
+
+ port = mkOption {
+ type = types.port;
+ default = 8070;
+ description = "Port to listen on";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to open the firewall for the goget service";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.fcuny.net = {
+ description = "fcuny.net service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ wants = [ "network.target" ];
+
+ serviceConfig = {
+ Type = "exec";
+ DynamicUser = true;
+ ExecStart = "${cfg.package}/bin/fcuny-net";
+ Restart = "always";
+ RestartSec = "5";
+
+ # Security settings
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ };
+ };
+}
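Review bot: `systemd.services.fcuny.net = {` is an unquoted attribute path, so Nix reads it as a `net` attribute on a unit called `fcuny` rather than a unit named `fcuny.net`; evaluation should fail on the unknown option, and the hardened unit is never defined under the intended name. Quote or rename the key, e.g. `systemd.services.fcuny-net = {`, which also matches `services.fcuny-net` and the `bin/fcuny-net` binary. Separately, `cfg.port` is only consumed by `allowedTCPPorts`; nothing in `ExecStart` or the unit's environment hands it to the process, so with `openFirewall = true` and a non-default port the firewall opens a port the daemon may not be listening on. The `openFirewall` description also still reads "for the goget service".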
diff --git a/nix/modules/goget.nix b/nix/modules/goget.nix
deleted file mode 100644
index 3ed5e04..0000000
--- a/nix/modules/goget.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-with lib;
-
-let
- cfg = config.services.goget;
-in
-{
- options.services.goget = {
- enable = mkEnableOption "goget service";
-
- package = mkPackageOption pkgs "goget" { };
-
- port = mkOption {
- type = types.port;
- default = 8070;
- description = "Port to listen on";
- };
-
- openFirewall = mkOption {
- type = types.bool;
- default = false;
- description = "Whether to open the firewall for the goget service";
- };
- };
-
- config = mkIf cfg.enable {
- systemd.services.goget = {
- description = "goget service";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- wants = [ "network.target" ];
-
- serviceConfig = {
- Type = "exec";
- DynamicUser = true;
- ExecStart = "${cfg.package}/bin/goget";
- Restart = "always";
- RestartSec = "5";
-
- # Security settings
- NoNewPrivileges = true;
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectControlGroups = true;
- RestrictSUIDSGID = true;
- RestrictRealtime = true;
- RestrictNamespaces = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- };
- };
-
- networking.firewall = mkIf cfg.openFirewall {
- allowedTCPPorts = [ cfg.port ];
- };
- };
-}
-- cgit v1.2.3