feat(modules,package): playit.gg service module

2026-05-14 19:40:45 -03:00
parent 0c8ede8b6d
commit f653cc9f7c
3 changed files with 99 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -192,6 +192,7 @@

    nixosModules = {
      neovim = inputs.neovim.nixosModules.default;
+      playit = ./modules/playit.nix;
    };

    homeManagerModules = {
@@ -210,6 +211,7 @@
      pkgs,
      ...
    }: {
+      playit-agent = pkgs.callPackage ./packages/playit-agent.nix {};
      audacity = pkgs.callPackage ./packages/audacity.nix {};
      cal-sans = pkgs.callPackage ./packages/cal-sans.nix {};
      devkit = {
--- a/modules/playit.nix
+++ b/modules/playit.nix
@@ -0,0 +1,66 @@
+{
+  config,
+  lib,
+  pkgs,
+  self,
+  ...
+}:
+with lib; let
+  cfg = config.services.playit;
+in {
+  options.services.playit = {
+    enable = lib.mkEnableOption "Playit Service";
+    package = mkOption {
+      type = with types; package;
+      default = self.packages.${pkgs.stdenv.hostPlatform.system}.playit-agent;
+      description = "playit binary to run";
+    };
+    secretPath = mkOption {
+      type = with types; path;
+      description = "Path to TOML file containing secret";
+    };
+  };
+  config = mkIf cfg.enable {
+    environment.systemPackages = [cfg.package];
+
+    systemd.services.playit = {
+      description = "Playit.gg agent";
+      wantedBy = ["multi-user.target"];
+      wants = ["network-online.target"];
+      after = ["network-online.target"];
+      environment = {
+        SECRET_PATH = "%d/secret";
+      };
+      serviceConfig = {
+        ExecStart = ''${lib.getExe cfg.package} --stdout --secret_wait --secret_path "''${SECRET_PATH}" start'';
+        Restart = "on-failure";
+        StateDirectory = "playit";
+        LoadCredential = [
+          "secret:${cfg.secretPath}"
+        ];
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        DeviceAllow = [""];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        DynamicUser = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectSystem = "strict";
+        ProtectHome = "read-only";
+        RestrictSUIDSGID = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        ProtectClock = true;
+        NoNewPrivileges = true;
+        CapabilityBoundingSet = [];
+      };
+    };
+  };
+}
--- a/packages/playit-agent.nix
+++ b/packages/playit-agent.nix
@@ -0,0 +1,31 @@
+{
+  fetchFromGitHub,
+  rustPlatform,
+  lib,
+  ...
+}:
+with lib;
+  rustPlatform.buildRustPackage rec {
+    pname = "playit-agent";
+    version = "0.17.1";
+
+    src = cleanSource (fetchFromGitHub {
+      owner = "playit-cloud";
+      repo = "playit-agent";
+      rev = "v${version}";
+      hash = "sha256-kT7NLUcgGM/hxwK4PUDZ71PtYJqjR8i4yj/LhbXX1i0=";
+    });
+    cargoLock = {
+      lockFile = "${src}/Cargo.lock";
+    };
+
+    strictDeps = true;
+    # Requires internet access
+    doCheck = false;
+
+    meta = {
+      description = "The playit program";
+      license = licenses.bsd2;
+      mainProgram = "playit-cli";
+    };
+  }