Harald Hoyer
f820a72b04
Complete implementation across all 13 phases: - vault-core: types, YAML frontmatter parsing, entity classification, filesystem ops, config, prompt composition, validation, search - vault-watch: filesystem watcher with daemon write filtering, event classification - vault-scheduler: cron engine, process executor, task runner with retry logic and concurrency limiting - vault-api: Axum REST API (15 route modules), WebSocket with broadcast, AI assistant proxy, validation, templates - Dashboard: React + TypeScript + Tailwind v4 with kanban, CodeMirror editor, dynamic view system, AI chat sidebar - Nix flake with dev shell and NixOS module - Graceful shutdown, inotify overflow recovery, tracing instrumentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
111 lines
2.8 KiB
Nix
111 lines
2.8 KiB
Nix
flake:
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
cfg = config.services.vault-os;
|
|
in
|
|
{
|
|
options.services.vault-os = {
|
|
enable = lib.mkEnableOption "vault-os daemon";
|
|
|
|
package = lib.mkOption {
|
|
type = lib.types.package;
|
|
default = flake.packages.${pkgs.stdenv.hostPlatform.system}.default;
|
|
description = "The vault-os package to use.";
|
|
};
|
|
|
|
vaultPath = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = "Path to the vault directory.";
|
|
};
|
|
|
|
port = lib.mkOption {
|
|
type = lib.types.port;
|
|
default = 8080;
|
|
description = "HTTP port to listen on.";
|
|
};
|
|
|
|
bind = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "127.0.0.1";
|
|
description = "Address to bind to.";
|
|
};
|
|
|
|
maxParallel = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 4;
|
|
description = "Maximum parallel agent task executions.";
|
|
};
|
|
|
|
logLevel = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "info";
|
|
description = "Log level (trace, debug, info, warn, error).";
|
|
};
|
|
|
|
user = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "vault-os";
|
|
description = "User to run vault-os as.";
|
|
};
|
|
|
|
group = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "vault-os";
|
|
description = "Group to run vault-os as.";
|
|
};
|
|
|
|
environmentFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
default = null;
|
|
description = "Environment file for secrets (API keys, etc).";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
users.users.${cfg.user} = {
|
|
isSystemUser = true;
|
|
group = cfg.group;
|
|
home = cfg.vaultPath;
|
|
};
|
|
|
|
users.groups.${cfg.group} = {};
|
|
|
|
systemd.services.vault-os = {
|
|
description = "vault-os daemon";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
ExecStart = lib.concatStringsSep " " [
|
|
"${cfg.package}/bin/vault-os"
|
|
"--vault ${cfg.vaultPath}"
|
|
"--port ${toString cfg.port}"
|
|
"--bind ${cfg.bind}"
|
|
"--max-parallel ${toString cfg.maxParallel}"
|
|
"--log-level ${cfg.logLevel}"
|
|
];
|
|
Restart = "on-failure";
|
|
RestartSec = 5;
|
|
|
|
# Hardening
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
ReadWritePaths = [ cfg.vaultPath ];
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectControlGroups = true;
|
|
RestrictSUIDSGID = true;
|
|
RemoveIPC = true;
|
|
} // lib.optionalAttrs (cfg.environmentFile != null) {
|
|
EnvironmentFile = cfg.environmentFile;
|
|
};
|
|
};
|
|
};
|
|
}
|