server/nix/module.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.services.versia-server;
  configFormat = pkgs.formats.toml {};
  name = "versia-server";

  inherit (lib.options) mkOption;
  inherit (lib.modules) mkIf;
in {
  options = {
    services.versia-server = {
      enable = mkOption {
        type = lib.types.bool;
        default = false;
        description = ''
          Enable the Versia Server services.
        '';
      };

      user = mkOption {
        type = lib.types.str;
        default = name;
        description = ''
          User under which the server will run.
        '';
      };

      group = mkOption {
        type = lib.types.str;
        default = name;
        description = ''
          Group under which the server will run.
        '';
      };

      nodes = {
        api = mkOption {
          type = lib.types.attrsOf (lib.types.submodule {
            options = {
              configOverrides = mkOption {
                type = lib.types.submodule {
                  freeformType = configFormat.type;
                  options = {};
                };
                default = {};
                description = "Overrides for the node's configuration file.";
              };
            };
          });
        };
        worker = mkOption {
          type = lib.types.attrsOf (lib.types.submodule {
            options = {
              configOverrides = mkOption {
                type = lib.types.submodule {
                  freeformType = configFormat.type;
                  options = {};
                };
                default = {};
                description = "Overrides for the node's configuration file.";
              };
            };
          });
        };
      };

      config = mkOption {
        type = lib.types.submodule {
          freeformType = configFormat.type;
          options = {};
        };
        description = "Contents of the config file, which is serialized to TOML. Check the Versia Server documentation for information on its contents.";
      };
    };
  };

  config = mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.nodes.api != [];
        message = "At least one API node must be defined.";
      }
      {
        assertion = cfg.nodes.worker != [];
        message = "At least one worker node must be defined.";
      }
    ];

    systemd.services =
      lib.mapAttrs' (nodeName: node: let
        type = "api";
        exe = lib.getExe pkgs.versia-server;
        config = lib.recursiveUpdate cfg.config node.configOverrides;
        configFile = configFormat.generate "config-${nodeName}.toml" config;
      in
        lib.nameValuePair "${name}-${type}-${nodeName}" {
          description = "Versia Server ${nodeName} (${type})";

          wantedBy = ["versia-server-root.target"];
          partOf = ["versia-server-root.target"];

          serviceConfig = {
            ExecStart = "${exe}";
            Type = "simple";
            Restart = "always";

            User = cfg.user;
            Group = cfg.group;

            StateDirectory = "${name}";
            StateDirectoryMode = "0700";
            RuntimeDirectory = "${name}";
            RuntimeDirectoryMode = "0700";

            # Set the working directory to the data directory
            WorkingDirectory = "${pkgs.versia-server}/versia-server";

            StandardOutput = "journal";
            StandardError = "journal";
            SyslogIdentifier = "${name}";

            # Hardening
            CapabilityBoundingSet = [""];
            LockPersonality = true;
            PrivateMounts = true;
            PrivateTmp = true;
            ProcSubset = "pid";
            ProtectClock = true;
            ProtectControlGroups = true;
            ProtectHome = true;
            ProtectHostname = true;
            ProtectKernelLogs = true;
            ProtectKernelModules = true;
            ProtectKernelTunables = true;
            ProtectProc = "invisible";
            ProtectSystem = "strict";
            RestrictNamespaces = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            SystemCallArchitectures = "native";
            RemoveIPC = true;
            NoNewPrivileges = true;

            Environment = [
              "CONFIG_LOCATION=${configFile}"
            ];
          };
        }) (cfg.nodes.api)
      // lib.mapAttrs' (nodeName: node: let
        type = "worker";
        exe = lib.getExe pkgs.versia-server-worker;
        config = lib.recursiveUpdate cfg.config node.configOverrides;
        configFile = configFormat.generate "config-${nodeName}.toml" config;
      in
        lib.nameValuePair "${name}-${type}-${nodeName}" {
          description = "Versia Server ${nodeName} (${type})";

          wantedBy = ["versia-server-root.target"];
          partOf = ["versia-server-root.target"];

          serviceConfig = {
            ExecStart = "${exe}";
            Type = "simple";
            Restart = "always";

            User = cfg.user;
            Group = cfg.group;

            StateDirectory = "${name}";
            StateDirectoryMode = "0700";
            RuntimeDirectory = "${name}";
            RuntimeDirectoryMode = "0700";

            # Set the working directory to the data directory
            WorkingDirectory = "${pkgs.versia-server-worker}/versia-server-worker";

            StandardOutput = "journal";
            StandardError = "journal";
            SyslogIdentifier = "${name}";

            Environment = [
              "CONFIG_LOCATION=${configFile}"
            ];
          };
        }) (cfg.nodes.worker);

    systemd.targets.versia-server-root = {
      description = "Versia Server root target, starts and stop all the child nodes.";
      wantedBy = ["multi-user.target"];
    };

    users = {
      groups = {
        "${cfg.group}" = {};
      };

      users = {
        "${cfg.user}" = {
          isSystemUser = true;
          group = cfg.group;
          packages = [pkgs.versia-server pkgs.versia-server-worker];
        };
      };
    };
  };
}
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`{`
			`config,`
			`lib,`
			`pkgs,`
fix: :bug: Fix Nix module errors when importing 2025-04-15 14:15:36 +02:00			`...`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`}: let`
			`cfg = config.services.versia-server;`
			`configFormat = pkgs.formats.toml {};`
			`name = "versia-server";`

			`inherit (lib.options) mkOption;`
			`inherit (lib.modules) mkIf;`
			`in {`
			`options = {`
			`services.versia-server = {`
			`enable = mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`description = ''`
			`Enable the Versia Server services.`
			`'';`
			`};`

			`user = mkOption {`
			`type = lib.types.str;`
			`default = name;`
			`description = ''`
			`User under which the server will run.`
			`'';`
			`};`

			`group = mkOption {`
			`type = lib.types.str;`
			`default = name;`
			`description = ''`
			`Group under which the server will run.`
			`'';`
			`};`

			`nodes = {`
			`api = mkOption {`
fix: :bug: Fix NixOS module definitions 2025-04-15 18:11:14 +02:00			`type = lib.types.attrsOf (lib.types.submodule {`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`options = {`
			`configOverrides = mkOption {`
			`type = lib.types.submodule {`
			`freeformType = configFormat.type;`
			`options = {};`
			`};`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`default = {};`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`description = "Overrides for the node's configuration file.";`
			`};`
			`};`
fix: :bug: Fix NixOS module definitions 2025-04-15 18:11:14 +02:00			`});`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`};`
			`worker = mkOption {`
fix: :bug: Fix NixOS module definitions 2025-04-15 18:11:14 +02:00			`type = lib.types.attrsOf (lib.types.submodule {`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`options = {`
			`configOverrides = mkOption {`
			`type = lib.types.submodule {`
			`freeformType = configFormat.type;`
			`options = {};`
			`};`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`default = {};`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`description = "Overrides for the node's configuration file.";`
			`};`
			`};`
fix: :bug: Fix NixOS module definitions 2025-04-15 18:11:14 +02:00			`});`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`};`
			`};`

			`config = mkOption {`
			`type = lib.types.submodule {`
			`freeformType = configFormat.type;`
			`options = {};`
			`};`
docs: :memo: Document Nix installation 2025-04-15 13:03:52 +02:00			`description = "Contents of the config file, which is serialized to TOML. Check the Versia Server documentation for information on its contents.";`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`};`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`assertions = [`
			`{`
			`assertion = cfg.nodes.api != [];`
			`message = "At least one API node must be defined.";`
			`}`
			`{`
			`assertion = cfg.nodes.worker != [];`
			`message = "At least one worker node must be defined.";`
			`}`
			`];`

fix: :bug: Fix Nix module errors when importing 2025-04-15 14:15:36 +02:00			`systemd.services =`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`lib.mapAttrs' (nodeName: node: let`
fix: :bug: Fix Nix module errors when importing 2025-04-15 14:15:36 +02:00			`type = "api";`
			`exe = lib.getExe pkgs.versia-server;`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`config = lib.recursiveUpdate cfg.config node.configOverrides;`
			`configFile = configFormat.generate "config-${nodeName}.toml" config;`
			`in`
			`lib.nameValuePair "${name}-${type}-${nodeName}" {`
			`description = "Versia Server ${nodeName} (${type})";`

fix: :bug: Fix NixOS module incorrect systemd definitions 2025-04-15 20:27:50 +02:00			`wantedBy = ["versia-server-root.target"];`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`partOf = ["versia-server-root.target"];`

			`serviceConfig = {`
			`ExecStart = "${exe}";`
			`Type = "simple";`
			`Restart = "always";`

			`User = cfg.user;`
			`Group = cfg.group;`

			`StateDirectory = "${name}";`
			`StateDirectoryMode = "0700";`
			`RuntimeDirectory = "${name}";`
			`RuntimeDirectoryMode = "0700";`

			`# Set the working directory to the data directory`
fix: :bug: Replace dataDir with module path 2025-04-15 21:07:47 +02:00			`WorkingDirectory = "${pkgs.versia-server}/versia-server";`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00
			`StandardOutput = "journal";`
			`StandardError = "journal";`
			`SyslogIdentifier = "${name}";`

feat: :lock: Harden Systemd unit config 2025-08-09 17:15:05 +02:00			`# Hardening`
			`CapabilityBoundingSet = [""];`
			`LockPersonality = true;`
			`PrivateMounts = true;`
			`PrivateTmp = true;`
			`ProcSubset = "pid";`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectProc = "invisible";`
			`ProtectSystem = "strict";`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`SystemCallArchitectures = "native";`
			`RemoveIPC = true;`
			`NoNewPrivileges = true;`

fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`Environment = [`
fix: :bug: Fix NixOS module passing incorrect environment variable 2025-04-15 20:31:25 +02:00			`"CONFIG_LOCATION=${configFile}"`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`];`
			`};`
			`}) (cfg.nodes.api)`
			`// lib.mapAttrs' (nodeName: node: let`
fix: :bug: Fix Nix module errors when importing 2025-04-15 14:15:36 +02:00			`type = "worker";`
			`exe = lib.getExe pkgs.versia-server-worker;`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`config = lib.recursiveUpdate cfg.config node.configOverrides;`
			`configFile = configFormat.generate "config-${nodeName}.toml" config;`
			`in`
			`lib.nameValuePair "${name}-${type}-${nodeName}" {`
			`description = "Versia Server ${nodeName} (${type})";`

fix: :bug: Fix NixOS module incorrect systemd definitions 2025-04-15 20:27:50 +02:00			`wantedBy = ["versia-server-root.target"];`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`partOf = ["versia-server-root.target"];`

			`serviceConfig = {`
			`ExecStart = "${exe}";`
			`Type = "simple";`
			`Restart = "always";`

			`User = cfg.user;`
			`Group = cfg.group;`

			`StateDirectory = "${name}";`
			`StateDirectoryMode = "0700";`
			`RuntimeDirectory = "${name}";`
			`RuntimeDirectoryMode = "0700";`

			`# Set the working directory to the data directory`
fix: :bug: Replace dataDir with module path 2025-04-15 21:07:47 +02:00			`WorkingDirectory = "${pkgs.versia-server-worker}/versia-server-worker";`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00
			`StandardOutput = "journal";`
			`StandardError = "journal";`
			`SyslogIdentifier = "${name}";`

			`Environment = [`
fix: :bug: Fix NixOS module passing incorrect environment variable 2025-04-15 20:31:25 +02:00			`"CONFIG_LOCATION=${configFile}"`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`];`
			`};`
			`}) (cfg.nodes.worker);`

			`systemd.targets.versia-server-root = {`
			`description = "Versia Server root target, starts and stop all the child nodes.";`
			`wantedBy = ["multi-user.target"];`
			`};`
fix: :bug: Fix Nix module errors when importing 2025-04-15 14:15:36 +02:00
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`users = {`
fix: :bug: Fix Nix module errors when importing 2025-04-15 14:15:36 +02:00			`groups = {`
fix: :bug: Fix more errors in NixOS module definition 2025-04-15 20:19:24 +02:00			`"${cfg.group}" = {};`
fix: :bug: Fix Nix module errors when importing 2025-04-15 14:15:36 +02:00			`};`

			`users = {`
			`"${cfg.user}" = {`
			`isSystemUser = true;`
			`group = cfg.group;`
			`packages = [pkgs.versia-server pkgs.versia-server-worker];`
			`};`
feat: :sparkles: Add NixOS module 2025-04-15 11:15:17 +02:00			`};`
			`};`
			`};`
			`}`