Refactor NixOS module

nix/deploy/qs/default.nix

@@ -1,4 +1,7 @@
 { pkgs, localArchtikaPackage, ... }:
+let
+  domain = "qs.archtika.com";
+in
 {
   imports = [
     ./hardware-configuration.nix
@@ -11,14 +14,23 @@
   services.archtika = {
     enable = true;
     package = localArchtikaPackage;
-    domain = "qs.archtika.com";
+    inherit domain;
-    acmeEmail = "thilo.hohlt@tutanota.com";
-    dnsProvider = "porkbun";
-    dnsEnvironmentFile = /var/lib/porkbun.env;
     settings = {
       disableRegistration = true;
-      maxWebsiteStorageSize = 250;
+      maxWebsiteStorageSize = 50;
-      maxUserWebsites = 3;
+      maxUserWebsites = 2;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "thilo.hohlt@tutanota.com";
+    certs."${domain}" = {
+      inherit domain;
+      extraDomainNames = [ "*.${domain}" ];
+      dnsProvider = "porkbun";
+      environmentFile = /var/lib/porkbun.env;
+      group = "nginx";
     };
   };
 }

nix/module.nix

@@ -5,41 +5,19 @@
   ...
 }:
 
-with lib;
-
 let
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    mkIf
+    mkPackageOption
+    types
+    ;
   cfg = config.services.archtika;
-  baseHardenedSystemdOptions = {
-    CapabilityBoundingSet = "";
-    LockPersonality = true;
-    NoNewPrivileges = true;
-    PrivateDevices = true;
-    PrivateTmp = true;
-    ProtectClock = true;
-    ProtectControlGroups = true;
-    ProtectHome = true;
-    ProtectHostname = true;
-    ProtectKernelLogs = true;
-    ProtectKernelModules = true;
-    ProtectKernelTunables = true;
-    ProtectSystem = "strict";
-    RemoveIPC = true;
-    RestrictNamespaces = true;
-    RestrictRealtime = true;
-    RestrictSUIDSGID = true;
-    SystemCallArchitectures = "native";
-    SystemCallFilter = [
-      "@system-service"
-      "~@privileged"
-      "~@resources"
-    ];
-
-    ReadWritePaths = [ "/var/www/archtika-websites" ];
-  };
 in
 {
   options.services.archtika = {
-    enable = mkEnableOption "archtika service";
+    enable = mkEnableOption "Whether to enable the archtika service";
 
     package = mkPackageOption pkgs "archtika" { };
 
@@ -81,29 +59,11 @@ in
 
     domain = mkOption {
       type = types.str;
-      default = null;
       description = "Domain to use for the application.";
     };
 
-    acmeEmail = mkOption {
-      type = types.str;
-      default = null;
-      description = "Email to notify for the SSL certificate renewal process.";
-    };
-
-    dnsProvider = mkOption {
-      type = types.str;
-      default = null;
-      description = "DNS provider for the DNS-01 challenge (required for wildcard domains).";
-    };
-
-    dnsEnvironmentFile = mkOption {
-      type = types.path;
-      default = null;
-      description = "API secrets for the DNS-01 challenge (required for wildcard domains).";
-    };
-
     settings = mkOption {
+      description = "Settings for the running archtika application.";
       type = types.submodule {
         options = {
           disableRegistration = mkOption {
@@ -112,13 +72,13 @@ in
             description = "By default any user can create an account. That behavior can be disabled by using this option.";
           };
           maxUserWebsites = mkOption {
-            type = types.int;
+            type = types.ints.positive;
             default = 2;
             description = "Maximum number of websites allowed per user by default.";
           };
           maxWebsiteStorageSize = mkOption {
-            type = types.int;
+            type = types.ints.positive;
-            default = 500;
+            default = 50;
             description = "Maximum amount of disk space in MB allowed per user website by default.";
           };
         };
@@ -126,7 +86,36 @@ in
     };
   };
 
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (
+    let
+      baseHardenedSystemdOptions = {
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        ReadWritePaths = [ "/var/www/archtika-websites" ];
+      };
+    in
+    {
       users.users.${cfg.user} = {
         isSystemUser = true;
         group = cfg.group;
@@ -139,10 +128,24 @@ in
         ];
       };
 
-    systemd.tmpfiles.rules = [
+      systemd.tmpfiles.settings = {
-      "d /var/www 0755 root root -"
+        "10-archtika" = {
-      "d /var/www/archtika-websites 0770 ${cfg.user} ${cfg.group} -"
+          "/var/www" = {
-    ];
+            d = {
+              mode = "0755";
+              user = "root";
+              group = "root";
+            };
+          };
+          "/var/www/archtika-websites" = {
+            d = {
+              mode = "0770";
+              user = cfg.user;
+              group = cfg.group;
+            };
+          };
+        };
+      };
 
       systemd.services.archtika-api = {
         description = "archtika API service";
@@ -152,6 +155,8 @@ in
           "postgresql.service"
         ];
 
+        path = [ config.services.postgresql.package ];
+
         serviceConfig = baseHardenedSystemdOptions // {
           User = cfg.user;
           Group = cfg.group;
@@ -165,16 +170,31 @@ in
           ];
         };
 
-      script = ''
+        script =
-        JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64)
+          let
+            dbUrl =
+              user:
+              "postgres://${user}@127.0.0.1:${toString config.services.postgresql.settings.port}/${cfg.databaseName}";
+          in
+          ''
+            JWT_SECRET=$(tr -dc "A-Za-z0-9" < /dev/urandom | head -c64)
 
-        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'"
+            psql ${dbUrl "postgres"} \
-        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}"
+              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'" \
-        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}"
+              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}" \
+              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}"
 
-        ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
+            dbmate --url ${dbUrl "postgres"}?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
 
-        PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} PGRST_SERVER_PORT=${toString cfg.apiPort} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest
+            PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" \
+            PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} \
+            PGRST_SERVER_PORT=${toString cfg.apiPort} \
+            PGRST_DB_SCHEMAS="api" \
+            PGRST_DB_ANON_ROLE="anon" \
+            PGRST_OPENAPI_MODE="ignore-privileges" \
+            PGRST_DB_URI=${dbUrl "authenticator"} \
+            PGRST_JWT_SECRET="$JWT_SECRET" \
+            ${pkgs.postgrest}/bin/postgrest
           '';
       };
 
@@ -195,32 +215,29 @@ in
           ];
         };
 
-      script = ''
+        environment = {
-        REGISTRATION_IS_DISABLED=${toString cfg.settings.disableRegistration} BODY_SIZE_LIMIT=10M ORIGIN=https://${cfg.domain} PORT=${toString cfg.webAppPort} ${pkgs.nodejs_22}/bin/node ${cfg.package}/web-app
+          REGISTRATION_IS_DISABLED = toString cfg.settings.disableRegistration;
-      '';
+          BODY_SIZE_LIMIT = "10M";
+          ORIGIN = "https://${cfg.domain}";
+          PORT = toString cfg.webAppPort;
+        };
+
+        script = "${pkgs.nodejs_22}/bin/node ${cfg.package}/web-app";
       };
 
       services.postgresql = {
         enable = true;
-      package = pkgs.postgresql_16;
         ensureDatabases = [ cfg.databaseName ];
-      authentication = lib.mkForce ''
+        authentication = lib.mkOverride 51 ''
-        # IPv4 local connections:
           host    all    all    127.0.0.1/32    trust
-        # IPv6 local connections:
           host    all    all    ::1/128         trust
-        # Local socket connections:
           local   all    all                    trust
         '';
-      extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ];
+        extensions = ps: with ps; [ pgjwt ];
       };
 
-    systemd.services.postgresql = {
+      systemd.services.postgresql.path = builtins.attrValues {
-      path = with pkgs; [
+        inherit (pkgs) gnutar gzip;
-        # Tar and gzip are needed for tar.gz exports
-        gnutar
-        gzip
-      ];
       };
 
       services.nginx = {
@@ -231,10 +248,6 @@ in
         recommendedOptimisation = true;
 
         appendHttpConfig = ''
-        limit_req_zone $binary_remote_addr zone=requestLimit:10m rate=5r/s;
-        limit_req_status 429;
-        limit_req zone=requestLimit burst=20 nodelay;
-
           add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
           add_header X-Frame-Options "SAMEORIGIN" always;
           add_header X-Content-Type-Options "nosniff" always;
@@ -253,7 +266,7 @@ in
             forceSSL = true;
             locations = {
               "/" = {
-              proxyPass = "http://localhost:${toString cfg.webAppPort}";
+                proxyPass = "http://127.0.0.1:${toString cfg.webAppPort}";
               };
               "/previews/" = {
                 alias = "/var/www/archtika-websites/previews/";
@@ -261,14 +274,14 @@ in
                 tryFiles = "$uri $uri/ $uri.html =404";
               };
               "/api/rpc/export_articles_zip" = {
-              proxyPass = "http://localhost:${toString cfg.apiPort}/rpc/export_articles_zip";
+                proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/rpc/export_articles_zip";
                 extraConfig = ''
                   default_type application/json;
                   proxy_set_header Authorization $auth_header;
                 '';
               };
               "/api/" = {
-              proxyPass = "http://localhost:${toString cfg.apiPort}/";
+                proxyPass = "http://127.0.0.1:${toString cfg.apiPort}/";
                 extraConfig = ''
                   default_type application/json;
                 '';
@@ -293,17 +306,6 @@ in
           };
         };
       };
-
+    }
-    security.acme = {
+  );
-      acceptTerms = true;
-      defaults.email = cfg.acmeEmail;
-      certs."${cfg.domain}" = {
-        domain = cfg.domain;
-        extraDomainNames = [ "*.${cfg.domain}" ];
-        dnsProvider = cfg.dnsProvider;
-        environmentFile = cfg.dnsEnvironmentFile;
-        group = config.services.nginx.group;
-      };
-    };
-  };
 }

nix/package.nix

@@ -10,8 +10,7 @@ let
   web = buildNpmPackage {
     name = "web-app";
     src = ../web-app;
-    npmDeps = importNpmLock { npmRoot = ../web-app; };
+    npmDepsHash = "sha256-RTyo7K/Hr1hBGtcBKynrziUInl91JqZl84NkJg16ufA=";
-    npmConfigHook = importNpmLock.npmConfigHook;
     npmFlags = [ "--legacy-peer-deps" ];
     installPhase = ''
       mkdir -p $out/web-app
@@ -34,18 +33,9 @@ in
 symlinkJoin {
   name = "archtika";
   pname = "archtika";
-  version = "1.0.0";
 
   paths = [
     web
     api
   ];
-
-  meta = with lib; {
-    description = "A modern, performant and lightweight CMS";
-    homepage = "https://archtika.com";
-    license = licenses.mit;
-    maintainers = with maintainers; [ thiloho ];
-    platforms = platforms.unix;
-  };
 }