From 28f8e3b7b276105430945d64cbe6f82443167785 Mon Sep 17 00:00:00 2001
From: grabowski <berwn@buildfor.life>
Date: Tue, 7 Apr 2026 10:04:14 +0700
Subject: [PATCH] Add NixOS flake with dev shell, package, and systemd module

Includes nix develop shell (node, pg, vips), buildNpmPackage derivation,
and a NixOS module for deploying as a systemd service with hardening,
dedicated user, and configurable secrets via environmentFile.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .envrc     |   1 +
 .gitignore |   2 +
 README.md  |  71 +++++++++++++++++++
 flake.nix  | 202 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 276 insertions(+)
 create mode 100644 .envrc
 create mode 100644 flake.nix

diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
index 96ee1ad..7364942 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ build
 static/uploads/**
 !static/uploads/.gitkeep
 *.db
+result
+.direnv
diff --git a/README.md b/README.md
index 5b262ff..87a8015 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,77 @@ npm run build
 npm run preview
 ```
 
+## NixOS
+
+This project includes a Nix flake with a dev shell, package, and NixOS module.
+
+### Development shell
+
+```bash
+nix develop
+npm install
+npm run dev
+```
+
+Or with direnv (`.envrc` is included):
+
+```bash
+direnv allow
+npm install
+npm run dev
+```
+
+### Build with Nix
+
+```bash
+nix build
+```
+
+### NixOS module (deploy as a service)
+
+Add this flake to your NixOS configuration inputs, then:
+
+```nix
+# flake.nix
+{
+  inputs.buildfor-life-repair.url = "git+https://git.b4l.co.th/B4L/buildfor_life_repair.git";
+}
+```
+
+```nix
+# configuration.nix
+{ inputs, ... }:
+{
+  imports = [ inputs.buildfor-life-repair.nixosModules.default ];
+
+  services.buildfor-life-repair = {
+    enable = true;
+    port = 3000;
+    databaseUrl = "postgresql://bflr:password@localhost:5432/buildfor_life_repair";
+    baseUrl = "https://repair.example.com";
+    openFirewall = true;
+  };
+}
+```
+
+Or use an environment file for secrets:
+
+```nix
+services.buildfor-life-repair = {
+  enable = true;
+  port = 3000;
+  environmentFile = "/run/secrets/bflr-env";  # contains DATABASE_URL=...
+  baseUrl = "https://repair.example.com";
+};
+```
+
+The module creates a systemd service with:
+- Dedicated `bflr` user/group
+- Upload directory at `/var/lib/buildfor-life-repair/uploads`
+- Systemd hardening (NoNewPrivileges, ProtectSystem, PrivateTmp)
+- Auto-restart on failure
+- Optional firewall rule
+
 ## Tech stack
 
 - **Frontend:** SvelteKit 5, Svelte 5 (runes), Tailwind CSS v4
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..82d2da4
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,202 @@
+{
+  description = "buildfor_life_repair - Vintage equipment inventory & repair tracker";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        nodejs = pkgs.nodejs_20;
+      in
+      {
+        # Development shell: `nix develop`
+        devShells.default = pkgs.mkShell {
+          buildInputs = [
+            nodejs
+            pkgs.postgresql_16
+            pkgs.pkg-config
+            pkgs.vips # required by sharp
+          ];
+
+          shellHook = ''
+            echo "buildfor_life_repair dev shell"
+            echo "  node: $(node --version)"
+            echo "  npm:  $(npm --version)"
+            echo ""
+            echo "Run 'npm install' then 'npm run dev' to start."
+          '';
+        };
+
+        # Production package: `nix build`
+        packages.default = pkgs.buildNpmPackage rec {
+          pname = "buildfor_life_repair";
+          version = "0.1.0";
+
+          src = ./.;
+
+          npmDepsHash = "";  # Run `nix build` once to get the correct hash
+
+          nativeBuildInputs = [
+            pkgs.pkg-config
+            pkgs.python3 # needed by some native modules
+          ];
+
+          buildInputs = [
+            pkgs.vips     # sharp
+            pkgs.glib
+            pkgs.expat
+          ];
+
+          npmBuildScript = "build";
+
+          installPhase = ''
+            runHook preInstall
+
+            mkdir -p $out/lib/buildfor_life_repair
+            cp -r build/* $out/lib/buildfor_life_repair/
+            cp -r node_modules $out/lib/buildfor_life_repair/
+            cp package.json $out/lib/buildfor_life_repair/
+
+            mkdir -p $out/bin
+            cat > $out/bin/buildfor_life_repair <<EOF
+            #!/usr/bin/env bash
+            exec ${nodejs}/bin/node $out/lib/buildfor_life_repair/index.js "\$@"
+            EOF
+            chmod +x $out/bin/buildfor_life_repair
+
+            runHook postInstall
+          '';
+
+          meta = with pkgs.lib; {
+            description = "Vintage equipment inventory & repair tracker";
+            license = licenses.mit;
+            platforms = platforms.linux;
+          };
+        };
+      }
+    ) // {
+      # NixOS module for easy deployment
+      nixosModules.default = { config, lib, pkgs, ... }:
+        let
+          cfg = config.services.buildfor-life-repair;
+        in
+        {
+          options.services.buildfor-life-repair = {
+            enable = lib.mkEnableOption "buildfor_life_repair inventory system";
+
+            port = lib.mkOption {
+              type = lib.types.port;
+              default = 3000;
+              description = "Port to listen on";
+            };
+
+            host = lib.mkOption {
+              type = lib.types.str;
+              default = "0.0.0.0";
+              description = "Host to bind to";
+            };
+
+            databaseUrl = lib.mkOption {
+              type = lib.types.str;
+              description = "PostgreSQL connection string";
+              example = "postgresql://bflr:password@localhost:5432/buildfor_life_repair";
+            };
+
+            environmentFile = lib.mkOption {
+              type = lib.types.nullOr lib.types.path;
+              default = null;
+              description = "Path to environment file with secrets (DATABASE_URL, etc). Overrides databaseUrl if set.";
+            };
+
+            baseUrl = lib.mkOption {
+              type = lib.types.str;
+              default = "http://localhost:${toString cfg.port}";
+              description = "Public base URL for QR code generation";
+            };
+
+            uploadDir = lib.mkOption {
+              type = lib.types.str;
+              default = "/var/lib/buildfor-life-repair/uploads";
+              description = "Directory for uploaded images and documents";
+            };
+
+            user = lib.mkOption {
+              type = lib.types.str;
+              default = "bflr";
+              description = "System user to run the service as";
+            };
+
+            group = lib.mkOption {
+              type = lib.types.str;
+              default = "bflr";
+              description = "System group to run the service as";
+            };
+
+            openFirewall = lib.mkOption {
+              type = lib.types.bool;
+              default = false;
+              description = "Open the firewall port";
+            };
+          };
+
+          config = lib.mkIf cfg.enable {
+            users.users.${cfg.user} = {
+              isSystemUser = true;
+              group = cfg.group;
+              home = "/var/lib/buildfor-life-repair";
+              createHome = true;
+            };
+
+            users.groups.${cfg.group} = {};
+
+            systemd.services.buildfor-life-repair = {
+              description = "buildfor_life_repair inventory system";
+              wantedBy = [ "multi-user.target" ];
+              after = [ "network.target" "postgresql.service" ];
+
+              environment = {
+                NODE_ENV = "production";
+                PORT = toString cfg.port;
+                HOST = cfg.host;
+                BASE_URL = cfg.baseUrl;
+                UPLOAD_DIR = cfg.uploadDir;
+              } // lib.optionalAttrs (cfg.environmentFile == null) {
+                DATABASE_URL = cfg.databaseUrl;
+              };
+
+              serviceConfig = {
+                Type = "simple";
+                User = cfg.user;
+                Group = cfg.group;
+                WorkingDirectory = "/var/lib/buildfor-life-repair";
+                ExecStart = "${self.packages.${pkgs.system}.default}/bin/buildfor_life_repair";
+                Restart = "on-failure";
+                RestartSec = 5;
+
+                # Hardening
+                NoNewPrivileges = true;
+                ProtectSystem = "strict";
+                ProtectHome = true;
+                ReadWritePaths = [ cfg.uploadDir "/var/lib/buildfor-life-repair" ];
+                PrivateTmp = true;
+              } // lib.optionalAttrs (cfg.environmentFile != null) {
+                EnvironmentFile = cfg.environmentFile;
+              };
+            };
+
+            systemd.tmpfiles.rules = [
+              "d ${cfg.uploadDir} 0750 ${cfg.user} ${cfg.group} -"
+              "d ${cfg.uploadDir}/devices 0750 ${cfg.user} ${cfg.group} -"
+              "d ${cfg.uploadDir}/components 0750 ${cfg.user} ${cfg.group} -"
+              "d ${cfg.uploadDir}/documents 0750 ${cfg.user} ${cfg.group} -"
+            ];
+
+            networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
+          };
+        };
+    };
+}