a

2025-07-08 22:16:57 +03:00
parent 4a86718e8a
commit b6b49c2738
1 changed files with 94 additions and 94 deletions
--- a/nixosModules/eko.nix
+++ b/nixosModules/eko.nix
@@ -27,100 +27,100 @@
    #   "eko/privacy.md".text = builtins.readFile ./eko-privacy.md;
    # };

-    # systemd.services.eko = {
-    #   description = "Eko - a secure terminal-based social media";
-    #
-    #   wants = [ "network-online.target" ];
-    #   after = [ "network-online.target" ];
-    #   wantedBy = [ "multi-user.target" ];
-    #
-    #   # restartTriggers = [ "/var/lib/eko/eko-server" ];
-    #   reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
-    #     lib.filterAttrs (n: _: lib.hasPrefix "eko/" n) config.environment.etc
-    #   );
-    #
-    #   environment = {
-    #     EKO_SERVER_CERT_FILE = config.sops.secrets.eko-server-cert-key.path;
-    #     EKO_SERVER_LOG_DIR = "/var/log/eko";
-    #   };
-    #
-    #   serviceConfig = {
-    #     Restart = "on-failure";
-    #     RestartSec = "10s";
-    #
-    #     ExecStart = "%S/eko/eko-server";
-    #     ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
-    #
-    #     ConfigurationDirectory = "eko";
-    #     StateDirectory = "eko";
-    #     LogsDirectory = "eko";
-    #     WorkingDirectory = "%S/eko";
-    #     Type = "simple";
-    #
-    #     User = "eko";
-    #     Group = "eko";
-    #
-    #     # Hardening
-    #     ProtectHostname = true;
-    #     ProtectKernelLogs = true;
-    #     ProtectKernelModules = true;
-    #     ProtectKernelTunables = true;
-    #     ProtectProc = "invisible";
-    #     RestrictAddressFamilies = [
-    #       "AF_INET"
-    #       "AF_INET6"
-    #       "AF_UNIX"
-    #     ];
-    #     RestrictNamespaces = true;
-    #     RestrictRealtime = true;
-    #     RestrictSUIDSGID = true;
-    #   };
-    # };
-    #
-    # # Enable metrics/logging
-    # grafana.enable = true;
-    # loki.enable = true;
-    #
-    # environment.systemPackages = with pkgs; [
-    #   grafana-alloy
-    # ];
-    #
-    # systemd.services.alloy = {
-    #   description = "Alloy";
-    #
-    #   wants = [ "network-online.target" ];
-    #   after = [ "network-online.target" ];
-    #   wantedBy = [ "multi-user.target" ];
-    #
-    #   reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
-    #     lib.filterAttrs (n: _: lib.hasPrefix "alloy/" n && lib.hasSuffix ".alloy" n) config.environment.etc
-    #   );
-    #
-    #   serviceConfig = {
-    #     Restart = "always";
-    #     RestartSec = "2s";
-    #
-    #     User = "root"; # TODO: make these not root?
-    #     Group = "root";
-    #
-    #     SupplementaryGroups = [
-    #       # allow to read the systemd journal for loki log forwarding
-    #       "systemd-journal"
-    #     ];
-    #
-    #     ConfigurationDirectory = "alloy";
-    #     StateDirectory = "alloy";
-    #     WorkingDirectory = "%S/alloy";
-    #     Type = "simple";
-    #
-    #     ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/";
-    #     ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
-    #   };
-    # };
-    #
-    # environment.etc = {
-    #   "alloy/eko-config.alloy".text = builtins.readFile ./eko-config.alloy;
-    # };
+    systemd.services.eko = {
+      description = "Eko - a secure terminal-based social media";
+
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      # restartTriggers = [ "/var/lib/eko/eko-server" ];
+      reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
+        lib.filterAttrs (n: _: lib.hasPrefix "eko/" n) config.environment.etc
+      );
+
+      environment = {
+        EKO_SERVER_CERT_FILE = config.sops.secrets.eko-server-cert-key.path;
+        EKO_SERVER_LOG_DIR = "/var/log/eko";
+      };
+
+      serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = "10s";
+
+        ExecStart = "%S/eko/eko-server";
+        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+
+        ConfigurationDirectory = "eko";
+        StateDirectory = "eko";
+        LogsDirectory = "eko";
+        WorkingDirectory = "%S/eko";
+        Type = "simple";
+
+        User = "eko";
+        Group = "eko";
+
+        # Hardening
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+      };
+    };
+
+    # Enable metrics/logging
+    grafana.enable = true;
+    loki.enable = true;
+
+    environment.systemPackages = with pkgs; [
+      grafana-alloy
+    ];
+
+    systemd.services.alloy = {
+      description = "Alloy";
+
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
+        lib.filterAttrs (n: _: lib.hasPrefix "alloy/" n && lib.hasSuffix ".alloy" n) config.environment.etc
+      );
+
+      serviceConfig = {
+        Restart = "always";
+        RestartSec = "2s";
+
+        User = "root"; # TODO: make these not root?
+        Group = "root";
+
+        SupplementaryGroups = [
+          # allow to read the systemd journal for loki log forwarding
+          "systemd-journal"
+        ];
+
+        ConfigurationDirectory = "alloy";
+        StateDirectory = "alloy";
+        WorkingDirectory = "%S/alloy";
+        Type = "simple";
+
+        ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/";
+        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+      };
+    };
+
+    environment.etc = {
+      "alloy/eko-config.alloy".text = builtins.readFile ./eko-config.alloy;
+    };

    # # Make sure acme module is active for the "kyren.codes" ssl cert
    # acme.enable = true;