From 33e7a46b5385ea9035c9d13c6775d63e5626a4c7 Mon Sep 17 00:00:00 2001
From: Charles Hall
Date: Tue, 30 Apr 2024 16:53:20 -0700
Subject: [PATCH] add a nixos module

---
 flake.nix | 6 +-
 nix/modules/default/default.nix | 116 ++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 nix/modules/default/default.nix

diff --git a/flake.nix b/flake.nix
index 5ed0022d..8021b3de 100644
--- a/flake.nix
+++ b/flake.nix
@@ -94,5 +94,9 @@
 devShells.default = (mkScope pkgs).shell;
 }
- );
+ )
+ //
+ {
+ nixosModules.default = import ./nix/modules/default inputs;
+ };
 }
diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix
new file mode 100644
index 00000000..9085a616
--- /dev/null
+++ b/nix/modules/default/default.nix
@@ -0,0 +1,116 @@
+inputs:
+
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+let
+ inherit (lib) types;
+
+ cfg = config.services.grapevine;
+ configFile = format.generate "config.toml" cfg.settings;
+ format = pkgs.formats.toml {};
+in
+
+{
+ options.services.grapevine = {
+ enable = lib.mkEnableOption "grapevine";
+ package = lib.mkPackageOption
+ inputs.self.packages.${pkgs.system}
+ "grapevine"
+ {
+ default = "default";
+ pkgsText = "inputs.grapevine.packages.\${pkgs.system}";
+ };
+
+ extraEnvironment = lib.mkOption {
+ type = types.attrsOf types.str;
+ description = ''
+ Extra environment variables to set for the process.
+ '';
+ default = {};
+ example = { RUST_BACKTRACE="yes"; };
+ };
+
+ settings = lib.mkOption {
+ type = types.submodule {
+ freeformType = format.type;
+ options = {
+ global.address = lib.mkOption {
+ type = types.nonEmptyStr;
+ description = ''
+ The local IP address to bind to.
+ '';
+ default = "::1";
+ };
+ global.database_path = lib.mkOption {
+ type = types.nonEmptyStr;
+ readOnly = true;
+ description = ''
+ The path to store persistent data in.
+
+ Note that this is read-only because this module makes use of
+ systemd's `StateDirectory` option.
+ '';
+ default = "/var/lib/grapevine";
+ };
+ global.port = lib.mkOption {
+ type = types.port;
+ description = ''
+ The local port to bind to.
+ '';
+ default = 6167;
+ };
+ };
+ };
+ default = {};
+ description = ''
+ The TOML configuration file is generated from this attribute set.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.grapevine = {
+ description = "Grapevine (Matrix homeserver)";
+ wantedBy = [ "multi-user.target" ];
+ environment = lib.mkMerge [
+ {
+ GRAPEVINE_CONFIG = configFile;
+ }
+ cfg.extraEnvironment
+ ];
+
+ # Keep sorted
+ serviceConfig = {
+ DynamicUser = true;
+ ExecStart = "${lib.getExe cfg.package}";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ Restart = "on-failure";
+ RestartSec = 10;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ StartLimitBurst = 5;
+ StateDirectory = "grapevine";
+ StateDirectoryMode = "0700";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
+ UMask = "077";
+ User = "grapevine";
+ };
+ };
+ };
+}
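Review bot: `configFile = format.generate "config.toml" cfg.settings` writes the entire `settings` attribute set into the Nix store, which is world-readable, and `GRAPEVINE_CONFIG = configFile` then points the service at it; `extraEnvironment` likewise ends up in the generated unit file. Any secret a user puts into either option (a registration token or database credential, if the server's config format has such keys) is therefore readable by every local account, and neither option's description mentions this nor does the module offer a private channel such as `EnvironmentFile` or `LoadCredential`. At minimum the `settings` and `extraEnvironment` descriptions should carry the caveat, e.g. `Values are written to the world-readable Nix store; keep secrets out of this option.`, with a credentials path as a follow-up. Separately, `StartLimitBurst` is a `[Unit]` directive, so listed under `serviceConfig` it relies on systemd's compatibility handling; NixOS's service-level `startLimitBurst = 5;` is the supported spelling.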