{ description = "Skynet LDAP backend"; inputs = { nixpkgs.url = "nixpkgs/nixos-23.05"; naersk.url = "github:nix-community/naersk"; utils.url = "github:numtide/flake-utils"; }; nixConfig = { extra-substituters = "https://nix-cache.skynet.ie/skynet-cache"; extra-trusted-public-keys = "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="; }; outputs = { self, nixpkgs, utils, naersk }: utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages."${system}"; naersk-lib = naersk.lib."${system}"; package_name = "skynet_ldap_backend"; package_update = "update_groups"; desc = "Skynet LDAP backend"; in rec { # `nix build` packages."${package_name}" = naersk-lib.buildPackage { pname = "${package_name}"; root = ./.; buildInputs = [ pkgs.openssl pkgs.pkg-config ]; }; defaultPackage = packages."${package_name}"; # `nix run` apps."${package_name}" = utils.lib.mkApp { drv = packages."${package_name}"; }; defaultApp = apps."${package_name}"; # `nix develop` devShell = pkgs.mkShell { nativeBuildInputs = with pkgs; [ rustc cargo pkg-config openssl]; }; nixosModule = { lib, pkgs, config, ... }: with lib; let cfg = config.services."${package_name}"; # secret options are in the env file loaded separately environment_config = { # basic server stuff HOME = cfg.home; DATABASE = "database.db"; HOST_PORT = cfg.host_port; SSH_ROOT = "skynet_old"; # special categories of users USERS_ADMIN = lib.strings.concatStringsSep "," cfg.users.admin; USERS_COMMITTEE = lib.strings.concatStringsSep "," cfg.users.committee; USERS_TRAINEE = lib.strings.concatStringsSep "," cfg.users.trainee; USERS_LIFETIME = lib.strings.concatStringsSep "," cfg.users.lifetime; USERS_BANNED = lib.strings.concatStringsSep "," cfg.users.banned; USERS_RESTRICTED = lib.strings.concatStringsSep "," cfg.users.restricted; USERS_CLUBS_SOCIETIES = lib.strings.concatStringsSep "," cfg.users.clubs_societies; }; service_name = script: lib.strings.sanitizeDerivationName("${cfg.user}@${script}"); # oneshot scripts to run serviceGenerator = mapAttrs' (script: time: nameValuePair (service_name script) { description = "Service for ${desc} ${script}"; wantedBy = [ ]; after = [ "network-online.target" ]; environment = environment_config; serviceConfig = { Type = "oneshot"; User = "${cfg.user}"; Group = "${cfg.user}"; ExecStart = "${self.defaultPackage."${system}"}/bin/${script}"; EnvironmentFile = [ "${cfg.env.ldap}" "${cfg.env.mail}" "${cfg.env.wolves}" ]; }; }); # each timer will run the above service timerGenerator = mapAttrs' (script: time: nameValuePair (service_name script) { description = "Timer for ${desc} ${script}"; wantedBy = [ "timers.target" ]; partOf = [ "${service_name script}.service" ]; timerConfig = { OnCalendar = time; Unit = "${service_name script}.service"; Persistent = true; }; }); # modify these scripts = { # every 15 min "update_data" = "*:0,15,30,45"; #"new_users" = "*:5,20,35,50"; # groups are updated every 8 hours "update_groups" = "00,08,16:00:00"; }; in { options.services."${package_name}" = { enable = mkEnableOption "enable ${package_name}"; # keep really secret stuff in this env = { ldap = mkOption rec { type = types.str; description = "Auth for the LDAP, has LDAP_HOST, LDAP_ADMIN, LDAP_ADMIN_PW"; }; mail = mkOption rec { type = types.str; description = "Mail details, has EMAIL_SMTP, EMAIL_USER, EMAIL_PASS"; }; wolves = mkOption rec { type = types.str; description = "Mail details, has WOLVES_URL, WOLVES_KEY"; }; }; users = { admin = mkOption rec { type = types.listOf types.str; default = []; description = "array of admins"; }; committee = mkOption rec { type = types.listOf types.str; default = []; description = "array of committee members"; }; trainee = mkOption rec { type = types.listOf types.str; default = []; description = "array of trainee admins"; }; lifetime = mkOption rec { type = types.listOf types.str; default = []; description = "array of lifetime users"; }; banned = mkOption rec { type = types.listOf types.str; default = []; description = "array of banned users"; }; restricted = mkOption rec { type = types.listOf types.str; default = []; description = "array of restricted user accounts"; }; clubs_societies = mkOption rec { type = types.listOf types.str; default = []; description = "array of accounts for Clubs and Societies"; }; }; host_port = mkOption rec { type = types.str; default = "127.0.0.1:8087"; description = "host/port for teh server tro run on"; }; # specific for teh program running user = mkOption rec { type = types.str; default = "${package_name}"; description = "The user to run the service"; }; home = mkOption rec { type = types.str; default = "/etc/${cfg.prefix}${package_name}"; description = "The home for the user"; }; prefix = mkOption rec { type = types.str; default = "skynet_"; example = default; description = "The prefix used to name service/folders"; }; }; config = mkIf cfg.enable { users.groups."${cfg.user}" = { }; users.users."${cfg.user}" = { createHome = true; isSystemUser = true; home = "${cfg.home}"; group = "${cfg.user}"; }; systemd.services = { # main service "${cfg.user}" = { description = desc; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; wants = [ ]; environment = environment_config; serviceConfig = { # because we are storing data we need a home for it User = "${cfg.user}"; Group = "${cfg.user}"; Restart = "always"; ExecStart = "${self.defaultPackage."${system}"}/bin/${package_name}"; # multiple files EnvironmentFile = [ "${cfg.env.ldap}" "${cfg.env.mail}" "${cfg.env.wolves}" ]; }; restartTriggers = [ "${cfg.env.ldap}" "${cfg.env.mail}" "${cfg.env.wolves}" ]; }; } // serviceGenerator scripts; # timers to run the above services systemd.timers = timerGenerator scripts; }; }; }); }