nixify

2022-09-19 23:37:34 +02:00 · 2022-09-19 23:37:34 +02:00 · 2668c878b0
parent 32fafa7c20
commit 2668c878b0
3 changed files with 202 additions and 0 deletions
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,101 @@
+{
+  "nodes": {
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1663570974,
+        "narHash": "sha256-ncUdRdY70VdJIX6Mi+820xeD7FutADd3NbQR0BKkFYA=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "02093d3aca186135da78b76ac28ec58031391076",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1662220400,
+        "narHash": "sha256-9o2OGQqu4xyLZP9K6kNe1pTHnyPz0Wr3raGYnr9AIgY=",
+        "owner": "nmattia",
+        "repo": "naersk",
+        "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nmattia",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1663578619,
+        "narHash": "sha256-kNgJXZIr4pi2NbDUfjj4APa+LlCmRUM4Ly2Xf70PVaw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a13d59408da1108fc6c9ffe4750ab7a33c581d24",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "fenix": "fenix",
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1662896065,
+        "narHash": "sha256-1LkSsXzI1JTAmP/GMTz4fTJd8y/tw8R79l96q+h7mu8=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "2e9f1204ca01c3e20898d4a67c8b84899d394a88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,37 @@
+{
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    naersk.url = "github:nmattia/naersk";
+    naersk.inputs.nixpkgs.follows = "nixpkgs";
+    fenix.url = "github:nix-community/fenix";
+    fenix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = { self, nixpkgs, utils, fenix, naersk }: {
+    nixosModule = self.nixosModules.sshlogd;
+    nixosModules.sshlogd = import ./nixos-module.nix { inherit self; };
+  } //
+  utils.lib.eachSystem (with utils.lib.system; [ x86_64-linux aarch64-linux ]) (system: let
+    pkgs = nixpkgs.legacyPackages."${system}";
+
+    rust = fenix.packages.${system}.stable.withComponents [
+      "cargo"
+      "rustc"
+      "rust-src"  # just for rust-analyzer
+      "clippy"
+    ];
+
+    # Override the version used in naersk
+    naersk-lib = naersk.lib."${system}".override {
+      cargo = rust;
+      rustc = rust;
+    };
+
+  in {
+    defaultPackage = self.packages.sshlogd;
+
+    packages.sshlogd = naersk-lib.buildPackage {
+      src = ./.;
+    };
+  });
+}
--- a/nixos-module.nix
+++ b/nixos-module.nix
@ -0,0 +1,64 @@
+{ self }:
+{ config, lib, pkgs, ... }: {
+  options.services.sshlogd = with lib; {
+    enable = mkEnableOption "sshlogd";
+    listenAddr = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+    };
+    listenPort = mkOption {
+      type = types.int;
+      default = 22;
+    };
+    outputDir = mkOption {
+      type = types.path;
+      default = "/var/lib/sshlogd";
+    };
+    user = mkOption {
+      type = types.str;
+      default = "sshlogd";
+    };
+    group = mkOption {
+      type = types.str;
+      default = "sshlogd";
+    };
+  };
+
+  config =
+    let
+      cfg = config.services.sshlogd;
+    in
+      lib.mkIf cfg.enable {
+        users = {
+          users.${cfg.user} = {
+            isSystemUser = true;
+            home = "/home/sshlogd";
+            createHome = true;
+            group = cfg.group;
+          };
+          groups.${cfg.group} = {};
+        };
+
+        systemd.tmpfiles.rules = [
+          "d ${cfg.outputDir} 0755 ${cfg.user} ${cfg.group} -"
+        ];
+
+        systemd.services.sshlogd = {
+          wantedBy = [ "multi-user.target" ];
+          after = [ "network.target" ];
+          serviceConfig = {
+            Type = "simple";
+            User = cfg.user;
+            Group = cfg.group;
+            ExecStart = "${self.packages.${pkgs.system}.sshlogd}/bin/sshlogd ${toString cfg.listenPort}";
+            WorkingDirectory = cfg.outputDir;
+            ReadWritePaths = cfg.outputDir;
+            ProtectSystem = "full";
+            Restart = "always";
+            RestartSec = "60s";
+            # Allow binding ports <1024
+            AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+          };
+        };
+      };
+}