migrate nix package build process to crane (#876)

* update dependencies

* try out crane for caching nix builds

* cleanup system service

* nix package cleanup

* remove runtime-only deps from buildInputs

* expose pnpmDeps via passthru

* replace with lib; with explicit lib. prefixes

* scope rust-overlay to devShells, add checks

* fix nix dev shell craneLib wiring

* package cleanup & service hardening

* update dependencies

---------

Co-authored-by: Jacek Chmielewski <jacek@defguard.net>

Author: wojcik91

flake.lock

@@ -3,6 +3,7 @@
     nixpkgs.url = "nixpkgs";
     flake-utils.url = "github:numtide/flake-utils";
     rust-overlay.url = "github:oxalica/rust-overlay";
+    crane.url = "github:ipetkov/crane";
 
     # let git manage submodules
     self.submodules = true;
@@ -25,26 +26,36 @@
     nixpkgs,
     flake-utils,
     rust-overlay,
+    crane,
     ...
   }:
     flake-utils.lib.eachDefaultSystem (system: let
-      # add rust overlay
-      pkgs = import nixpkgs {
+      # Plain nixpkgs — used for packages and checks.
+      pkgs = import nixpkgs {inherit system;};
+
+      # nixpkgs with rust-overlay — only needed for the dev shell, which uses
+      # pkgs.rust-bin to get a customised Rust toolchain.
+      devPkgs = import nixpkgs {
         inherit system;
         overlays = [rust-overlay.overlays.default];
       };
+
+      craneLib = crane.mkLib pkgs;
     in {
       devShells.default = import ./nix/shell.nix {
-        inherit pkgs;
+        pkgs = devPkgs;
+        inherit crane;
       };
 
       packages.default = pkgs.callPackage ./nix/package.nix {
-        inherit pkgs;
+        inherit pkgs craneLib;
       };
 
+      checks.default = self.packages.${system}.default;
+
       formatter = pkgs.alejandra;
     })
     // {
-      nixosModules.default = import ./nix/nixos-module.nix;
+      nixosModules.default = import ./nix/nixos-module.nix {mkCraneLib = crane.mkLib;};
     };
 }

flake.nix

@@ -1,61 +1,66 @@
-{
+{mkCraneLib}: {
   config,
   lib,
   pkgs,
   ...
-}:
-with lib; let
-  defguard-client = pkgs.callPackage ./package.nix {};
+}: let
+  craneLib = mkCraneLib pkgs;
+  defguard-client = pkgs.callPackage ./package.nix {inherit pkgs craneLib;};
   cfg = config.programs.defguard-client;
 in {
   options.programs.defguard-client = {
-    enable = mkEnableOption "Defguard VPN client and service";
+    enable = lib.mkEnableOption "Defguard VPN client and service";
 
-    package = mkOption {
-      type = types.package;
+    package = lib.mkOption {
+      type = lib.types.package;
       default = defguard-client;
       description = "defguard-client package to use";
     };
 
-    logLevel = mkOption {
-      type = types.str;
+    logLevel = lib.mkOption {
+      type = lib.types.str;
       default = "info";
       description = "Log level for defguard-service";
     };
 
-    statsPeriod = mkOption {
-      type = types.int;
+    statsPeriod = lib.mkOption {
+      type = lib.types.int;
       default = 30;
       description = "Interval in seconds for interface statistics updates";
     };
   };
 
-  config = mkIf cfg.enable {
-    # Add client package
+  config = lib.mkIf cfg.enable {
     environment.systemPackages = [cfg.package];
 
-    # Setup systemd service for the intrerface management daemon
     systemd.services.defguard-service = {
       description = "Defguard VPN Service";
+      documentation = ["https://docs.defguard.net"];
       wantedBy = ["multi-user.target"];
       wants = ["network-online.target"];
       after = ["network-online.target"];
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/defguard-service --log-level ${cfg.logLevel} --stats-period ${toString cfg.statsPeriod}";
-        ExecReload = "/bin/kill -HUP $MAINPID";
         Group = "defguard";
-        Restart = "on-failure";
-        RestartSec = 2;
+        ExecStart = "${cfg.package}/bin/defguard-service --log-level ${cfg.logLevel} --stats-period ${toString cfg.statsPeriod}";
+        ExecReload = "kill -HUP $MAINPID";
         KillMode = "process";
         KillSignal = "SIGINT";
         LimitNOFILE = 65536;
         LimitNPROC = "infinity";
+        Restart = "on-failure";
+        RestartSec = 2;
         TasksMax = "infinity";
         OOMScoreAdjust = -1000;
+        # Security hardening
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
       };
     };
 
-    # Make sure the defguard group exists
     users.groups.defguard = {};
   };
 }