Harald Hoyer
5693009488
The file watcher binding (and other node-precompiled .node modules loaded via dlopen) failed with "libstdc++.so.6: cannot open shared object file" because systemd services don't inherit the user shell's LD path. Reuse the nix-ld library list so the service sees the same common libraries unwrapped binaries get globally.
65 lines
1.3 KiB
Nix
65 lines
1.3 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
let
|
|
port = 4196;
|
|
user = "harald";
|
|
homeDir = "/home/harald";
|
|
in
|
|
{
|
|
systemd.services.opencode-serve = {
|
|
description = "OpenCode Web Server";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
path = with pkgs; [
|
|
git
|
|
bash
|
|
coreutils
|
|
findutils
|
|
gnused
|
|
gnugrep
|
|
gawk
|
|
gnumake
|
|
nix
|
|
nodejs
|
|
ripgrep
|
|
fd
|
|
curl
|
|
which
|
|
];
|
|
|
|
environment = {
|
|
HOME = homeDir;
|
|
LD_LIBRARY_PATH = lib.makeLibraryPath config.programs.nix-ld.libraries;
|
|
};
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = user;
|
|
Group = "users";
|
|
WorkingDirectory = homeDir;
|
|
ExecStart = "${pkgs.opencode}/bin/opencode serve --hostname 127.0.0.1 --port ${toString port}";
|
|
Restart = "always";
|
|
RestartSec = 5;
|
|
EnvironmentFile = config.sops.secrets.opencode-web-password.path;
|
|
|
|
# Security hardening
|
|
PrivateTmp = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = false;
|
|
NoNewPrivileges = true;
|
|
ReadWritePaths = [ homeDir ];
|
|
};
|
|
};
|
|
|
|
sops.secrets.opencode-web-password = {
|
|
sopsFile = ../../../.secrets/amd/opencode-web.yaml;
|
|
owner = user;
|
|
restartUnits = [ "opencode-serve.service" ];
|
|
};
|
|
}
|