tmpfiles/flake.nix

{
  inputs = {
    utils.url = "github:numtide/flake-utils";
    naersk.url = "github:nix-community/naersk";
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };

  outputs = { self, utils, naersk, nixpkgs }:
    utils.lib.eachSystem [
      "x86_64-linux"
      "aarch64-linux"
    ] (system:
      let
        pkgs = (import nixpkgs) {
          inherit system;
        };

        naersk' = pkgs.callPackage naersk {};
        
      in {
        packages = {
          default = naersk'.buildPackage {
            nativeBuildInputs = with pkgs; [ glib gexiv2 pkg-config ];
            src = ./.;
          };
        };

        # For `nix develop` (optional, can be skipped):
        devShell = pkgs.mkShell {
          nativeBuildInputs = with pkgs; [ rustc cargo ];
        };
      }
    ) // {
      nixosModule = {config, lib, pkgs, ... }:
        with lib;
        let cfg = config.ashe.services.tmpfiles;

        in {
          options.ashe.services.tmpfiles = {
            enable = mkEnableOption "Enables the tmpfiles HTTP service";

            port = mkOption rec {
              type = types.int;
              default = 8000;
              example = default;
              description = "The port for this service to listen on";

            };

            domain = mkOption rec {
              type = types.str;
              default = "files.tempest.dev";
              example = default;
              description = "The domain name for tmpfiles";
            };
          };

          config = mkIf cfg.enable {
            systemd.services."ashe.tmpfiles" = {
              wantedBy = [ "multi-user.target" ];

              serviceConfig = let pkg = self.packages.${pkgs.system}.default;
              in {
                Restart = "on-failure";
                ExecStart = "${pkg}/bin/tempest-tmp";
                DynamicUser = "yes";
                StateDirectory = "ashe.tmpfiles";
                StateDirectoryMode = "0700";
                WorkingDirectory = "/var/lib/private/ashe.tmpfiles";
                Environment = [
                  "ROCKET_LIMITS={file=15000000,data-form=15000000,form=15000000}"
                  "ROCKET_PORT=${toString cfg.port}"
                ];
              };
            };

            services.nginx.virtualHosts.${cfg.domain} = {
              locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; };
              forceSSL = true;
              enableACME = true;
            };
          };
        };
    };
}