Moved eko from /srv/eko to /var/lib/eko and changed alloy to accept any

configs in /etc/alloy
2025-07-03 14:20:48 +03:00
parent 3641f7c786
commit c829ac0ed1
1 changed files with 20 additions and 29 deletions
--- a/nixosModules/eko.nix
+++ b/nixosModules/eko.nix
@@ -16,29 +16,31 @@
      ];
    };

-    # Make sure the "eko" user has access to /srv/eko
-    systemd.tmpfiles.rules = [
-      "d /srv/eko 0750 eko eko"
-    ];
-
    # Open port for the server to listen on
    networking.firewall.allowedTCPPorts = [ 7223 ];

    sops.secrets.eko-server-cert-key = { owner = "eko"; };

    systemd.services.eko = {
-      description = "Eko (a secure terminal-based social media)";
+      description = "Eko - a secure terminal-based social media";

      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

-      script = ''
-        cd /srv/eko
-        SERVER_CERT_KEY_FILE=${config.sops.secrets.eko-server-cert-key.path} ./eko-server --stdout
-      '';
-
      serviceConfig = {
+        Restart = "on-failure";
+        RestartSec = "10s";
+
+        Environment = "SERVER_CERT_KEY_FILE=${config.sops.secrets.eko-server-cert-key.path}";
+        ExecStart = "%S/eko/eko-server --logs /var/log/eko";
+
+        ConfigurationDirectory = "eko";
+        StateDirectory = "eko";
+        LogsDirectory = "eko";
+        WorkingDirectory = "%S/eko";
+        Type = "simple";
+
        User = "eko";
        Group = "eko";

@@ -48,8 +50,6 @@
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        ReadWritePaths = [ "/srv/eko" ];
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
@@ -58,9 +58,6 @@
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
-
-        Restart = "always";
-        RestartSec = "10s";
      };
    };

@@ -75,16 +72,6 @@
      grafana-alloy
    ];

-    users.groups.alloy = { };
-    users.users.alloy = {
-      createHome = false;
-      isNormalUser = true;
-      group = "alloy";
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbntLELS9l2auPVZtCtQ6KYQNka72qDbTdkDtX9rkyJ"
-      ];
-    };
    systemd.services.alloy = {
      description = "Alloy";

@@ -92,11 +79,15 @@
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

+      reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
+        lib.filterAttrs (n: _: lib.hasPrefix "alloy/" n && lib.hasSuffix ".alloy" n) config.environment.etc
+      );
+
      serviceConfig = {
        Restart = "always";
        RestartSec = "2s";

-        User = "root";
+        User = "root"; # TODO: make these not root?
        Group = "root";

        SupplementaryGroups = [
@@ -109,13 +100,13 @@
        WorkingDirectory = "%S/alloy";
        Type = "simple";

-        ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/config.alloy";
+        ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/";
        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
      };
    };

    environment.etc = {
-      "alloy/config.alloy".text = builtins.readFile ./eko-config.alloy;
+      "alloy/eko-config.alloy".text = builtins.readFile ./eko-config.alloy;
    };

  };