change config format to env vars

2025-03-12 12:14:17 +01:00 · 2025-03-12 12:14:17 +01:00 · bd7144b20b
commit bd7144b20b
parent 80c1c3fe04
3 changed files with 72 additions and 56 deletions
--- a/module.nix
+++ b/module.nix
@ -24,14 +24,14 @@ in
          type = types.submodule {
            freeformType = jsonFormat.type;
            options = {
-              eintopfUrl = mkOption {
+              EINTOPF_URL = mkOption {
                default = "";
                type = types.str;
                description = ''
 		  Base URL of the target Eintopf host.
                '';
              };
-              radarGroupId = mkOption {
+              RADAR_GROUP_ID = mkOption {
                default = "";
                type = types.str;
                description = ''
@ -46,18 +46,29 @@ in
          '';
          example = literalExpression ''
            {
-              eintopfUrl = "eintopf.info";
-    	      radarGroupId = "436012";
+              EINTOPF_URL = "eintopf.info";
+    	      RADAR_GROUP_ID = "436012";
            }
          '';
        };

-        secretFile = mkOption {
-          type = types.nullOr types.str;
-          default = null;
+        secrets = lib.mkOption {
+          type = with types; listOf path;
          description = ''
-            Secret options which will be appended to the Radar sync config, for example
-            `{"redis":{"password":"secret"}}`.
+            A list of files containing the various secrets. Should be in the
+            format expected by systemd's `EnvironmentFile` directory.
+          '';
+          default = [ ];
+        };
+
+        interval = lib.mkOption {
+          type = lib.types.str;
+          default = "*:00,30:00";
+          description = ''
+            How often we run the sync. Default is half an hour.
+  
+            The format is described in
+            {manpage}`systemd.time(7)`.
          '';
        };

@ -69,18 +80,55 @@ in
      systemd.services."eintopf-radar-sync" = {
        description = "eintopf-radar-sync script";
        after = [ "network.target" ];
-        wantedBy = [ "multi-user.target" ];
+        wants = [ "network-online.target" ];
        environment.PYTHONUNBUFFERED = "1";
+	environment = cfg.settings;
        serviceConfig = {
 	  Type = "simple";
          ExecStart = lib.getExe pkgs.eintopf-radar-sync;
-          Restart = "on-failure";
 	  DynamicUser = true;
-          RestartSec = 30;
-	  # TODO hardening
-	  # TODO settings
+	  EnvironmentFile = [ cfg.secrets ];
+
+          # hardening
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "" ;
+          DevicePolicy = "closed";
+          DynamicUser = true;
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" ];
+          UMask = "0077";
        };
-        restartIfChanged = true;
+      };
+
+      systemd.timers.eintopf-radar-sync = {
+        timerConfig = {
+          OnCalendar = [
+            ""
+            cfg.interval
+          ];
+        };
+        wantedBy = [ "timers.target" ];
      };

    };