Merge pull request #284419 from ocfox/realm

2025-06-11 12:15:34 +03:00 · 2024-07-11 10:46:47 +02:00 · 2024-07-11 10:46:47 +02:00 · 24cefb01b3
commit 24cefb01b3
parent 2ee9ed703c f0e2e1d83e
6 changed files with 135 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -30,6 +30,8 @@

 - [Envision](https://gitlab.com/gabmus/envision), a UI for building, configuring and running Monado, the open source OpenXR runtime. Available as [programs.envision](#opt-programs.envision.enable).

+- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable).
+
 - [Playerctld](https://github.com/altdesktop/playerctl), a daemon to track media player activity. Available as [services.playerctld](option.html#opt-services.playerctld).

 - [Glance](https://github.com/glanceapp/glance), a self-hosted dashboard that puts all your feeds in one place. Available as [services.glance](option.html#opt-services.glance).
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1151,6 +1151,7 @@
  ./services/networking/radicale.nix
  ./services/networking/radvd.nix
  ./services/networking/rdnssd.nix
+  ./services/networking/realm.nix
  ./services/networking/redsocks.nix
  ./services/networking/resilio.nix
  ./services/networking/robustirc-bridge.nix
--- a/nixos/modules/services/networking/realm.nix
+++ b/nixos/modules/services/networking/realm.nix
@ -0,0 +1,50 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  cfg = config.services.realm;
+  configFormat = pkgs.formats.json { };
+  configFile = configFormat.generate "config.json" cfg.config;
+  inherit (lib)
+    mkEnableOption mkPackageOption mkOption mkIf types getExe;
+in
+{
+
+  meta.maintainers = with lib.maintainers; [ ocfox ];
+
+  options = {
+    services.realm = {
+      enable = mkEnableOption "A simple, high performance relay server written in rust";
+      package = mkPackageOption pkgs "realm" { };
+      config = mkOption {
+        type = types.submodule {
+          freeformType = configFormat.type;
+        };
+        default = { };
+        description = ''
+          The realm configuration, see <https://github.com/zhboner/realm#overview> for documentation.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.realm = {
+      serviceConfig = {
+        DynamicUser = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectProc = "invisible";
+        ProtectKernelTunables = true;
+        ExecStart = "${getExe cfg.package} --config ${configFile}";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -811,6 +811,7 @@ in {
  ragnarwm = handleTest ./ragnarwm.nix {};
  rasdaemon = handleTest ./rasdaemon.nix {};
  readarr = handleTest ./readarr.nix {};
+  realm = handleTest ./realm.nix {};
  redis = handleTest ./redis.nix {};
  redlib = handleTest ./redlib.nix {};
  redmine = handleTest ./redmine.nix {};
--- a/nixos/tests/realm.nix
+++ b/nixos/tests/realm.nix
@ -0,0 +1,39 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }: {
+  name = "realm";
+
+  meta = {
+    maintainers = with lib.maintainers; [ ocfox ];
+  };
+
+  nodes.machine = { pkgs, ... }: {
+    services.nginx = {
+      enable = true;
+      statusPage = true;
+    };
+    # realm need DNS resolv server to run or use config.dns.nameserver
+    services.resolved.enable = true;
+
+    services.realm = {
+      enable = true;
+      config = {
+        endpoints = [
+          {
+            listen = "0.0.0.0:1000";
+            remote = "127.0.0.1:80";
+          }
+        ];
+      };
+    };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("nginx.service")
+    machine.wait_for_unit("realm.service")
+
+    machine.wait_for_open_port(80)
+    machine.wait_for_open_port(1000)
+
+    machine.succeed("curl --fail http://localhost:1000/")
+  '';
+
+})
--- a/pkgs/by-name/re/realm/package.nix
+++ b/pkgs/by-name/re/realm/package.nix
@ -0,0 +1,42 @@
+{ lib
+, rustPlatform
+, fetchFromGitHub
+, stdenv
+, darwin
+, nix-update-script
+, nixosTests
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "realm";
+  version = "2.6.0";
+
+  src = fetchFromGitHub {
+    owner = "zhboner";
+    repo = "realm";
+    rev = "v${version}";
+    hash = "sha256-G3scFSOxbmR3Q2fkRdg115WN/GCYpys/8Y4JC4YMGdY=";
+  };
+
+  cargoHash = "sha256-EvXafTujqTdQwfK4NXgT7lGKGnrpyP9ouplD6DmJUKU=";
+
+  buildInputs = lib.optionals stdenv.isDarwin [
+    darwin.apple_sdk.frameworks.Security
+  ];
+
+  env.RUSTC_BOOTSTRAP = 1;
+
+  passthru = {
+    updateScript = nix-update-script { };
+    tests = { inherit (nixosTests) realm; };
+  };
+
+
+  meta = with lib; {
+    description = "A simple, high performance relay server written in rust";
+    homepage = "https://github.com/zhboner/realm";
+    mainProgram = "realm";
+    license = licenses.mit;
+    maintainers = with maintainers; [ ocfox ];
+  };
+}