jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Packages Wiki Activity Actions
mochi/nixos/lib/default.nix
Joseph Hanson 2b6d062d16
All checks were successful
Build / nix-build (native-x86_64, telperion) (push) Successful in 2m13s
Details
Build / nix-build (native-x86_64, gandalf) (push) Successful in 3m23s
Details
Build / nix-build (native-x86_64, shadowfax) (push) Successful in 4m38s
Details
reformat
2024-12-27 21:30:25 -06:00

63 lines
2.4 KiB
Nix
Raw Blame History

{ lib, ... }:
with lib;
rec {
firstOrDefault = first: default: if first != null then first else default;
existsOrDefault =
x: set: default:
if builtins.hasAttr x set then builtins.getAttr x set else default;
# main service builder
mkService =
options:
(
let
user = existsOrDefault "user" options "568";
group = existsOrDefault "group" options "568";
enableBackups =
(lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
&& (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
# Security options for containers
containerExtraOptions =
lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [
"--privileged"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [
"--read-only"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [
(map (folders: "--tmpfs=${folders}") tmpfsFolders)
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [
"--security-opt=no-new-privileges"
]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [
"--cap-drop=ALL"
];
in
{
virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
image = "${options.container.image}";
user = "${user}:${group}";
environment = {
TZ = options.timeZone;
} // options.container.env;
environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
volumes =
[ "/etc/localtime:/etc/localtime:ro" ]
++ lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
"${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
]
++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
extraOptions = containerExtraOptions;
};
systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
"persistence"
"folder"
] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
}
);
}
Reference in a new issue View git blame Copy permalink