Added eko module and replaced it with the systemd service for eko

2025-07-22 17:37:54 +03:00
parent 6583952fe0
commit df8fa7a95f
3 changed files with 172 additions and 65 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1750903843,
-        "narHash": "sha256-Ng9+f0H5/dW+mq/XOKvB9uwvGbsuiiO6HrPdAcVglCs=",
+        "lastModified": 1753140376,
+        "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "83c4da299c1d7d300f8c6fd3a72ac46cb0d59aae",
+        "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c",
        "type": "github"
      },
      "original": {
@@ -20,18 +20,88 @@
        "type": "github"
      }
    },
-    "nixpkgs": {
+    "eko": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "nix-filter": "nix-filter",
+        "nixpkgs": "nixpkgs"
+      },
      "locked": {
-        "lastModified": 1751349533,
-        "narHash": "sha256-5XRh0mB06/7WYDLu9ZXsx1GhyvvNVZDtPyg34sUCLJs=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "bdfd0f2afcf764e531d0960c821ab070a6174b15",
+        "lastModified": 1753195028,
+        "narHash": "sha256-vtRYW8RaxK3ldRT8HIueIEyfbPtUQW2aqH2jMEqLj2E=",
+        "owner": "kyren223",
+        "repo": "eko",
+        "rev": "4a3adc88c27260cf941dee1f243badd84b7abd7b",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
+        "owner": "kyren223",
+        "ref": "dev",
+        "repo": "eko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nix-filter": {
+      "locked": {
+        "lastModified": 1731533336,
+        "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1753100475,
+        "narHash": "sha256-FF53JgK0MHjCkaac+GMnikfnK9dJkwHaqXfgKrtDkhs=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "bb65d58d5f5a779df1d018b0e3418969ba530628",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -53,6 +123,22 @@
      }
    },
    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1753091883,
+        "narHash": "sha256-oVZt8VRJkO2Gytc7D2Pfqqy7wTnSECzdKPnoL9z8iFA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2baf8e1658cba84a032c3a8befb1e7b06629242a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
      "locked": {
        "lastModified": 1689413807,
        "narHash": "sha256-exuzOvOhGAEKWQKwDuZAL4N8a1I837hH5eocaTcIbLc=",
@@ -71,13 +157,14 @@
    "root": {
      "inputs": {
        "disko": "disko",
-        "nixpkgs": "nixpkgs",
+        "eko": "eko",
+        "nixpkgs": "nixpkgs_2",
        "sops-nix": "sops-nix"
      }
    },
    "sops-nix": {
      "inputs": {
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
@@ -94,6 +181,21 @@
        "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
        "type": "github"
      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -4,14 +4,16 @@
    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix/bd695cc4d0a5e1bead703cc1bec5fa3094820a81";
+    eko.url = "github:kyren223/eko/dev";
  };

-  outputs = { nixpkgs, disko, sops-nix, ... }: {
+  outputs = { nixpkgs, disko, sops-nix, eko, ... }: {
    nixosConfigurations.default = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        disko.nixosModules.disko
        sops-nix.nixosModules.sops
+        eko.nixosModules.eko
        ./host/configuration.nix
        ./host/hardware-configuration.nix
      ];
--- a/nixosModules/eko.nix
+++ b/nixosModules/eko.nix
@@ -21,62 +21,65 @@

    sops.secrets.eko-server-cert-key = { owner = "eko"; };

+    services.eko.enable = true;
+    services.eko.certFile = config.sops.secrets.eko-server-cert-key.path;
+
    environment.etc = {
      "eko/tos.md".text = builtins.readFile ./eko-tos.md;
      "eko/privacy.md".text = builtins.readFile ./eko-privacy.md;
    };

-    systemd.services.eko = {
-      description = "Eko - a secure terminal-based social media";
-
-      wants = [ "network-online.target" ];
-      after = [ "network-online.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      # restartTriggers = [ "/var/lib/eko/eko-server" ];
-      reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
-        lib.filterAttrs (n: _: lib.hasPrefix "eko/" n) config.environment.etc
-      );
-
-      environment = {
-        EKO_SERVER_CERT_FILE = config.sops.secrets.eko-server-cert-key.path;
-        EKO_SERVER_LOG_DIR = "/var/log/eko";
-        EKO_SERVER_TOS_FILE = "/etc/eko/tos.md";
-        EKO_SERVER_PRIVACY_FILE = "/etc/eko/privacy.md";
-      };
-
-      serviceConfig = {
-        Restart = "on-failure";
-        RestartSec = "10s";
-
-        ExecStart = "%S/eko/eko-server";
-        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
-
-        ConfigurationDirectory = "eko";
-        StateDirectory = "eko";
-        LogsDirectory = "eko";
-        WorkingDirectory = "%S/eko";
-        Type = "simple";
-
-        User = "eko";
-        Group = "eko";
-
-        # Hardening
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-      };
-    };
+    # systemd.services.eko = {
+    #   description = "Eko - a secure terminal-based social media";
+    #
+    #   wants = [ "network-online.target" ];
+    #   after = [ "network-online.target" ];
+    #   wantedBy = [ "multi-user.target" ];
+    #
+    #   # restartTriggers = [ "/var/lib/eko/eko-server" ];
+    #   reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
+    #     lib.filterAttrs (n: _: lib.hasPrefix "eko/" n) config.environment.etc
+    #   );
+    #
+    #   environment = {
+    #     EKO_SERVER_CERT_FILE = config.sops.secrets.eko-server-cert-key.path;
+    #     EKO_SERVER_LOG_DIR = "/var/log/eko";
+    #     EKO_SERVER_TOS_FILE = "/etc/eko/tos.md";
+    #     EKO_SERVER_PRIVACY_FILE = "/etc/eko/privacy.md";
+    #   };
+    #
+    #   serviceConfig = {
+    #     Restart = "on-failure";
+    #     RestartSec = "10s";
+    #
+    #     ExecStart = "%S/eko/eko-server";
+    #     ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+    #
+    #     ConfigurationDirectory = "eko";
+    #     StateDirectory = "eko";
+    #     LogsDirectory = "eko";
+    #     WorkingDirectory = "%S/eko";
+    #     Type = "simple";
+    #
+    #     User = "eko";
+    #     Group = "eko";
+    #
+    #     # Hardening
+    #     ProtectHostname = true;
+    #     ProtectKernelLogs = true;
+    #     ProtectKernelModules = true;
+    #     ProtectKernelTunables = true;
+    #     ProtectProc = "invisible";
+    #     RestrictAddressFamilies = [
+    #       "AF_INET"
+    #       "AF_INET6"
+    #       "AF_UNIX"
+    #     ];
+    #     RestrictNamespaces = true;
+    #     RestrictRealtime = true;
+    #     RestrictSUIDSGID = true;
+    #   };
+    # };

    # Enable metrics/logging
    grafana.enable = true;