nix: initial tooling; add NixOS module

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: I5ff8dfa450ec405e2ead5d16e0de90856a6a6964
2026-01-31 01:52:29 +03:00 · 2026-01-31 01:52:29 +03:00 · 05b3dea1c6
commit 05b3dea1c6
parent 978cddb862
4 changed files with 217 additions and 0 deletions
--- a/nix/modules/nixos.nix
+++ b/nix/modules/nixos.nix
@ -0,0 +1,83 @@
+self: {
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (lib.options) mkOption mkEnableOption literalExpression;
+  inherit (lib.types) nullOr str port package;
+
+  defaultPackage = self.packages.${pkgs.stdenv.hostPlatform.system}.troutbot;
+  cfg = config.services.troutbot;
+in {
+  options.services.troutbot = {
+    enable = mkEnableOption "troutbot";
+
+    package = mkOption {
+      type = nullOr package;
+      default = defaultPackage;
+      defaultText = literalExpression "inputs.troutbot.packages.${pkgs.stdenv.hostPlatform.system}.troutbot";
+      description = ''
+        The Troutbot package to use.
+
+        By default, this option will use the `packages.default` as exposed by this flake.
+      '';
+    };
+
+    user = mkOption {
+      type = str;
+      default = "troutbot";
+    };
+
+    group = mkOption {
+      type = str;
+      default = "troutbot";
+    };
+
+    port = mkOption {
+      type = port;
+      default = 3000;
+    };
+
+    environmentFile = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+
+    configPath = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+    };
+
+    users.groups.${cfg.group} = {};
+
+    systemd.services.troutbot = {
+      description = "Troutbot";
+      after = ["network.target"];
+      wantedBy = ["multi-user.target"];
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        ExecStart = "${lib.getExe cfg.package}";
+        Restart = "on-failure";
+        EnvironmentFile = cfg.environmentFile;
+        NODE_ENV = "production";
+        CONFIG_PATH = cfg.configPath;
+        PORT = toString cfg.port;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+      };
+    };
+  };
+}