28 changes: 22 additions & 6 deletions flake.lock


21 changes: 16 additions & 5 deletions flake.nix
Expand Up @@ -3,6 +3,7 @@
nixpkgs.url = "nixpkgs";
flake-utils.url = "github:numtide/flake-utils";
rust-overlay.url = "github:oxalica/rust-overlay";
crane.url = "github:ipetkov/crane";

# let git manage submodules
self.submodules = true;
Expand All @@ -25,26 +26,36 @@
nixpkgs,
flake-utils,
rust-overlay,
crane,
...
}:
flake-utils.lib.eachDefaultSystem (system: let
# add rust overlay
pkgs = import nixpkgs {
# Plain nixpkgs — used for packages and checks.
pkgs = import nixpkgs {inherit system;};

# nixpkgs with rust-overlay — only needed for the dev shell, which uses
# pkgs.rust-bin to get a customised Rust toolchain.
devPkgs = import nixpkgs {
inherit system;
overlays = [rust-overlay.overlays.default];
};

craneLib = crane.mkLib pkgs;
in {
devShells.default = import ./nix/shell.nix {
inherit pkgs;
pkgs = devPkgs;
inherit crane;
};

packages.default = pkgs.callPackage ./nix/package.nix {
inherit pkgs;
inherit pkgs craneLib;
};

checks.default = self.packages.${system}.default;

formatter = pkgs.alejandra;
})
// {
nixosModules.default = import ./nix/nixos-module.nix;
nixosModules.default = import ./nix/nixos-module.nix {mkCraneLib = crane.mkLib;};
};
}
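Review bot: The crane plumbing is inconsistent across the three consumers in this hunk: the dev shell receives the raw `crane` input (`inherit crane;`), the package receives a pre-built `craneLib`, and the NixOS module receives the `mkCraneLib` function. Presumably the shell has to build its own lib on top of `devPkgs` so that it picks up the rust-overlay toolchain, but nothing in the file says so, and a reader will wonder why `craneLib` is not simply reused. A comment next to `inherit crane;` such as `# shell.nix builds its own craneLib from devPkgs so it can use the overlay toolchain` would make the split deliberate, and the same sentence fits on the `nixosModules.default` line to explain why the module gets `crane.mkLib` rather than `craneLib` (it has to evaluate against the consumer's `pkgs`, not this flake's).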
43 changes: 24 additions & 19 deletions nix/nixos-module.nix
@@ -1,61 +1,66 @@
{
{mkCraneLib}: {
config,
lib,
pkgs,
...
}:
with lib; let
defguard-client = pkgs.callPackage ./package.nix {};
}: let
craneLib = mkCraneLib pkgs;
defguard-client = pkgs.callPackage ./package.nix {inherit pkgs craneLib;};
cfg = config.programs.defguard-client;
in {
options.programs.defguard-client = {
enable = mkEnableOption "Defguard VPN client and service";
enable = lib.mkEnableOption "Defguard VPN client and service";

package = mkOption {
type = types.package;
package = lib.mkOption {
type = lib.types.package;
default = defguard-client;
description = "defguard-client package to use";
};

logLevel = mkOption {
type = types.str;
logLevel = lib.mkOption {
type = lib.types.str;
default = "info";
description = "Log level for defguard-service";
};

statsPeriod = mkOption {
type = types.int;
statsPeriod = lib.mkOption {
type = lib.types.int;
default = 30;
description = "Interval in seconds for interface statistics updates";
};
};

config = mkIf cfg.enable {
# Add client package
config = lib.mkIf cfg.enable {
environment.systemPackages = [cfg.package];

# Setup systemd service for the intrerface management daemon
systemd.services.defguard-service = {
description = "Defguard VPN Service";
documentation = ["https://docs.defguard.net"];
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
serviceConfig = {
ExecStart = "${cfg.package}/bin/defguard-service --log-level ${cfg.logLevel} --stats-period ${toString cfg.statsPeriod}";
ExecReload = "/bin/kill -HUP $MAINPID";
Group = "defguard";
Restart = "on-failure";
RestartSec = 2;
ExecStart = "${cfg.package}/bin/defguard-service --log-level ${cfg.logLevel} --stats-period ${toString cfg.statsPeriod}";
ExecReload = "kill -HUP $MAINPID";
KillMode = "process";
KillSignal = "SIGINT";
LimitNOFILE = 65536;
LimitNPROC = "infinity";
Restart = "on-failure";
RestartSec = 2;
TasksMax = "infinity";
OOMScoreAdjust = -1000;
# Security hardening
NoNewPrivileges = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
RestrictRealtime = true;
LockPersonality = true;
};
};

# Make sure the defguard group exists
users.groups.defguard = {};
};
}
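Review bot: The new "Security hardening" block in `serviceConfig` still leaves the daemon running as root with the full capability set: there is no `User=`, and neither `CapabilityBoundingSet` nor `ProtectSystem`/`ProtectHome` is set, so `NoNewPrivileges` and the `Protect*` options restrict far less than the comment suggests. Adding `CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_RAW"];` (adjusted to what defguard-service actually needs — interface management presumably requires at least CAP_NET_ADMIN) and `ProtectSystem = "strict";` with explicit `ReadWritePaths` would narrow this; if `ProtectKernelTunables` is omitted on purpose because the daemon writes sysctls, a one-line comment saying so would stop the next reviewer from adding it. If `Group = "defguard"` really was dropped from `serviceConfig` (the rendered page loses the +/- markers), the remaining `users.groups.defguard = {};` and its "Make sure the defguard group exists" comment are now orphaned and should either go or get a comment naming what still uses the group. `LimitNPROC = "infinity"`, `TasksMax = "infinity"` and `OOMScoreAdjust = -1000` also remove every resource backstop for a root service; where they are required, a why-comment on each line would justify them.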