autopush-rs: add modular service

nixos/tests/all-tests.nix

@@ -245,6 +245,7 @@ in
   authelia = runTest ./authelia.nix;
   auto-cpufreq = runTest ./auto-cpufreq.nix;
   autobrr = runTest ./autobrr.nix;
+  autopush-rs = runTest ./autopush-rs.nix;
   autosuspend = runTest ./autosuspend.nix;
   avahi = runTest {
     imports = [ ./avahi.nix ];

nixos/tests/autopush-rs.nix

@@ -0,0 +1,60 @@
+{ lib, ... }:
+{
+  _class = "nixosTest";
+  name = "autopush-rs";
+
+  nodes = {
+    machine =
+      { pkgs, config, ... }:
+      {
+        environment.systemPackages = [
+          pkgs.curl
+        ];
+
+        services.redis.servers.autopush-rs = {
+          enable = true;
+          port = 6000;
+        };
+        system.services.autopush-autoconnect = {
+          imports = [
+            pkgs.autopush-rs.services.autoconnect
+          ];
+          autoconnect.settings = {
+            #do not use this key in production!!!
+            crypto_key = "[fZQX8jgdESUYFTYfWw3Dv5RRMuwYJPPaaPcbUgHM69Q=]";
+            db_dsn = "redis://localhost:${toString config.services.redis.servers.autopush-rs.port}";
+            port = 8000;
+          };
+        };
+        system.services.autopush-autoendpoint = {
+          imports = [
+            pkgs.autopush-rs.services.autoendpoint
+          ];
+          autoendpoint.settings = {
+            #do not use this key in production!!!
+            crypto_key = "[fZQX8jgdESUYFTYfWw3Dv5RRMuwYJPPaaPcbUgHM69Q=]";
+            db_dsn = "redis://localhost:${toString config.services.redis.servers.autopush-rs.port}";
+            port = 8080;
+          };
+        };
+
+        networking.firewall.allowedTCPPorts = [
+          8080
+          8000
+        ];
+      };
+  };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("multi-user.target")
+    machine.wait_for_unit("autopush-autoconnect.service")
+    machine.wait_for_unit("autopush-autoendpoint.service")
+    machine.wait_for_open_port(8080)
+    machine.wait_for_open_port(8000)
+    machine.succeed("curl -s -f http://localhost:8080/health")
+    machine.succeed("curl -s -f http://localhost:8000/health")
+  '';
+
+  meta.maintainers = with lib.maintainers; [ zimward ];
+}

pkgs/by-name/au/autopush-rs/package.nix

@@ -1,5 +1,7 @@
 {
   lib,
+  pkgs,
+  nixosTests,
   fetchFromGitHub,
   rustPlatform,
   stdenv,
@@ -99,6 +101,20 @@ rustPlatform.buildRustPackage (finalAttrs: {
   '';
 
   passthru = {
+    tests = nixosTests.autopush-rs;
+    services.autoconnect = {
+      imports = [
+        (lib.modules.importApply ./service-autoconnect.nix { inherit pkgs; })
+      ];
+      package = finalAttrs.finalPackage.out;
+    };
+    services.autoendpoint = {
+      imports = [
+        (lib.modules.importApply ./service-autoendpoint.nix { inherit pkgs; })
+      ];
+      package = finalAttrs.finalPackage.out;
+    };
+
     updateScript = nix-update-script { };
   };
 

pkgs/by-name/au/autopush-rs/service-autoconnect.nix

@@ -0,0 +1,96 @@
+#v Non-module dependencies (`importApply`)
+{ pkgs }:
+
+# Service module
+{
+  lib,
+  options,
+  config,
+  ...
+}:
+let
+  cfg = config.autoconnect;
+  tomlFmt = pkgs.formats.toml { };
+in
+{
+  _class = "service";
+  options = {
+    package = lib.mkPackageOption pkgs "autopush-rs.out" { };
+    autoconnect.settings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = tomlFmt.type;
+        options = {
+          db_dsn = lib.mkOption {
+            description = "Endpoint of the database server.";
+            type = lib.types.str;
+            default = "";
+            example = lib.literalExpression "redis+socket://${config.services.redis.servers.autopush-rs.unixSocket}";
+          };
+        };
+      };
+      default = { };
+      description = "";
+    };
+  };
+  config =
+    let
+      configFile = tomlFmt.generate "autoconnect.toml" cfg.settings;
+    in
+    {
+      process.argv = [
+        "${config.package}/bin/autoconnect"
+        "-c"
+        (toString configFile)
+      ];
+    }
+    // lib.optionalAttrs (options ? systemd) {
+      systemd.service = {
+        after = [ "network.target" ];
+        wants = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          Restart = "on-failure";
+
+          #hardening
+          MemoryDenyWriteExecute = true;
+          StateDirectoryMode = 0700;
+          UMask = 077;
+          DynamicUser = true;
+          PrivateUsers = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectSystem = "full";
+          ProtectHome = true;
+          NoNewPrivileges = true;
+          RuntimeDirectoryMode = 755;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectControlGroups = true;
+          RestrictNamespaces = true;
+          LockPersonality = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          RemoveIPC = true;
+          SystemCallArchitectures = "native";
+
+          ProtectProc = "invisible";
+          ProcSubset = "pid";
+
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@debug"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+          ];
+        };
+      };
+    };
+}

pkgs/by-name/au/autopush-rs/service-autoendpoint.nix

@@ -0,0 +1,98 @@
+# Non-module dependencies (`importApply`)
+{ pkgs }:
+
+# Service module
+{
+  lib,
+  config,
+  options,
+  ...
+}:
+let
+  cfg = config.autoendpoint;
+  tomlFmt = pkgs.formats.toml { };
+in
+{
+  _class = "service";
+  options = {
+    package = lib.mkPackageOption pkgs "autopush-rs.out" { };
+    autoendpoint = {
+      settings = lib.mkOption {
+        type = lib.types.submodule {
+          freeformType = tomlFmt.type;
+          options = {
+            db_dsn = lib.mkOption {
+              description = "Endpoint of the database server.";
+              type = lib.types.str;
+              default = "";
+              example = lib.literalExpression "redis+socket://${config.services.redis.servers.autopush-rs.unixSocket}";
+            };
+          };
+        };
+        default = { };
+        description = "";
+      };
+    };
+  };
+  config =
+    let
+      configFile = tomlFmt.generate "autoendpoint.toml" cfg.settings;
+    in
+    {
+      process.argv = [
+        "${config.package}/bin/autoendpoint"
+        "-c"
+        (toString configFile)
+      ];
+    }
+    // lib.optionalAttrs (options ? systemd) {
+      systemd.service = {
+        after = [ "network.target" ];
+        wants = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          Restart = "on-failure";
+
+          #hardening
+          MemoryDenyWriteExecute = true;
+          StateDirectoryMode = 0700;
+          UMask = 077;
+          DynamicUser = true;
+          PrivateUsers = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectSystem = "full";
+          ProtectHome = true;
+          NoNewPrivileges = true;
+          RuntimeDirectoryMode = 755;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectControlGroups = true;
+          RestrictNamespaces = true;
+          LockPersonality = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          RemoveIPC = true;
+          SystemCallArchitectures = "native";
+
+          ProtectProc = "invisible";
+          ProcSubset = "pid";
+
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@debug"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+          ];
+        };
+      };
+    };
+}