nix: initial tooling; add NixOS module

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I5ff8dfa450ec405e2ead5d16e0de90856a6a6964
2026-01-31 01:52:29 +03:00 · 2026-01-31 01:52:29 +03:00 · 05b3dea1c6
commit 05b3dea1c6
parent 978cddb862
4 changed files with 217 additions and 0 deletions
--- a/nix/modules/nixos.nix
+++ b/nix/modules/nixos.nix
@ -0,0 +1,83 @@
+self: {
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (lib.options) mkOption mkEnableOption literalExpression;
+  inherit (lib.types) nullOr str port package;
+
+  defaultPackage = self.packages.${pkgs.stdenv.hostPlatform.system}.troutbot;
+  cfg = config.services.troutbot;
+in {
+  options.services.troutbot = {
+    enable = mkEnableOption "troutbot";
+
+    package = mkOption {
+      type = nullOr package;
+      default = defaultPackage;
+      defaultText = literalExpression "inputs.troutbot.packages.${pkgs.stdenv.hostPlatform.system}.troutbot";
+      description = ''
+        The Troutbot package to use.
+
+        By default, this option will use the `packages.default` as exposed by this flake.
+      '';
+    };
+
+    user = mkOption {
+      type = str;
+      default = "troutbot";
+    };
+
+    group = mkOption {
+      type = str;
+      default = "troutbot";
+    };
+
+    port = mkOption {
+      type = port;
+      default = 3000;
+    };
+
+    environmentFile = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+
+    configPath = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+    };
+
+    users.groups.${cfg.group} = {};
+
+    systemd.services.troutbot = {
+      description = "Troutbot";
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        ExecStart = "${lib.getExe cfg.package}";
+        Restart = "on-failure";
+        EnvironmentFile = cfg.environmentFile;
+        NODE_ENV = "production";
+        CONFIG_PATH = cfg.configPath;
+        PORT = toString cfg.port;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+      };
+    };
+  };
+}
--- a/nix/package.nix
+++ b/nix/package.nix
@ -0,0 +1,71 @@
+{
+  lib,
+  stdenv,
+  nodejs,
+  pnpmConfigHook,
+  fetchPnpmDeps,
+  pnpm,
+  makeBinaryWrapper,
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "troutbot";
+  version = "0-unstable-2026-01-30";
+
+  src = lib.fileset.toSource {
+    root = ../.;
+    fileset = lib.fileset.unions [
+      ../src
+      ../config.example.ts
+      ../package.json
+      ../pnpm-lock.yaml
+      ../tsconfig.json
+    ];
+  };
+
+  strictDeps = true;
+  nativeBuildInputs = [
+    nodejs # in case scripts are run outside of a pnpm call
+    pnpmConfigHook
+    pnpm # at least required by pnpmConfigHook, if not other (custom) phases
+
+    makeBinaryWrapper
+  ];
+
+  pnpmDeps = fetchPnpmDeps {
+    inherit (finalAttrs) pname version src;
+    fetcherVersion = 3;
+    hash = "sha256-y8LV1D+EgGcZ79lmxS20dqYBPEfk4atma+RWf7pJI30=";
+  };
+
+  buildPhase = ''
+    runHook preBuild
+
+    pnpm run build --outDir dist
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/{bin,share}
+
+    # Copy transpiled result
+    cp -rv dist/* $out/share
+
+    # Copy the example config
+    install -Dm755 config.example.ts $out/share
+
+    makeWrapper ${lib.getExe nodejs} $out/bin/troutbot \
+      --set-default NODE_ENV production \
+      --add-flags "$out/share/index.js"
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "The ultimate trout population helper";
+    license = lib.licenses.eupl12;
+    maintainers = with lib.maintainers; [NotAShelf];
+  };
+})