Merge branch 'nix-flake'

.gitignore

@@ -1,3 +1,4 @@
 /target
 /files
-/previews
+/previews
+result

default.nix

@@ -0,0 +1,55 @@
+{ lib
+, rustPlatform
+, pkg-config
+, libgit2
+, openssl
+, zlib
+, stdenv
+, darwin
+, pandoc
+, texlive
+, makeWrapper
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "remote-text-server";
+  version = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.version;
+
+  src = ./.;
+
+  cargoHash = "sha256-g6QiGH9eqC/mrGzeZOJ5wqm5V5D2xsDm4OOyzmE4sqM=";
+
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    libgit2
+    openssl
+    zlib
+    makeWrapper
+  ] ++ lib.optionals stdenv.isDarwin [
+    darwin.apple_sdk.frameworks.IOKit
+    darwin.apple_sdk.frameworks.Security
+  ];
+
+  postFixup = ''
+    wrapProgram $out/bin/remote-text-server \
+      --set PATH ${lib.makeBinPath [
+        pandoc
+        texlive
+      ]}
+  '';
+
+  env = {
+    OPENSSL_NO_VENDOR = true;
+    VERGEN_IDEMPOTENT = true;
+  };
+
+  meta = with lib; {
+    description = "The server-side software for Remote Text";
+    homepage = "https://github.com/Remote-Text/remote-text-server";
+    license = with licenses; [ ];
+    maintainers = with maintainers; [ ];
+  };
+}

flake.nix

@@ -0,0 +1,31 @@
+{
+  description = "The server-side software for Remote Text";
+
+  inputs = {
+    # nixpkgs.url = "github:NixOS/nixpkgs";
+    flockenzeit.url = "github:balsoft/Flockenzeit";
+  };
+
+  outputs = { self, flockenzeit, nixpkgs, ... }:
+    let
+      forAllSystems = gen:
+        nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed
+        (system: gen nixpkgs.legacyPackages.${system});
+    in {
+      packages = forAllSystems (pkgs: rec {
+        remote-text-server = pkgs.callPackage ./. { texlive = pkgs.texliveFull; };
+        default = remote-text-server;
+        dockerImage = pkgs.dockerTools.buildImage {
+          name = "remote-text-server";
+          created = flockenzeit.lib.ISO-8601 self.lastModified;
+          config = {
+            Cmd = [ "${remote-text-server}/bin/remote-text-server" ];
+          };
+        };
+      });
+      nixosModules = rec {
+        remote-text-server = import ./module.nix;
+        default = remote-text-server;
+      };
+    };
+}

module.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.remote-text-server;
+in
+{
+  options.services.remote-text-server = {
+    enable = mkEnableOption "remote-text-server";
+    package = mkOption {
+      default = pkgs.callPackage ./. { texlive = pkgs.texliveFull; };
+      defaultText = "remote-text-server";
+      example = "inputs.remote-text-server.packages.${pkgs.system}.default.override { texlive = pkgs.texliveMinimal; }";
+      description = "The remote-text-server package to use";
+      type = types.package;
+    };
+    port = mkOption {
+      type = types.port;
+      default = 7870;
+      example = 46264;
+      description = "The port to listen on. Currently ignored and always uses 3030";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.remote-text-server = {
+      description = "RemoteText Server";
+
+      script = ''
+        cd $STATE_DIRECTORY
+        ${cfg.package}/bin/remote-text-server --port ${toString cfg.port}
+      '';
+
+      serviceConfig = {
+        DynamicUser = true;
+        # EnvironmentFile = "/etc/jekyll-comments-env";
+        StateDirectory = "remote-text-server";
+
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateUsers = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+      };
+
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+    };
+    # unnecessary bc tailscale is open. also should be set by the end user
+    # networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ cfg.port ];
+  };
+}