clan-sidebus/flake.nix

{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
    rust-overlay = {
      url = "github:oxalica/rust-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = {self, nixpkgs, flake-utils, rust-overlay}:
    flake-utils.lib.eachDefaultSystem (system:
      let
        overlays = [ (import rust-overlay) ];
        pkgs = import nixpkgs {
          inherit system overlays;
        };

        buildEnvVars = {
          BIN_XDG_PERMISSION_STORE = "${pkgs.xdg-desktop-portal}/libexec/xdg-permission-store";
          BIN_XDG_DOCUMENT_PORTAL = "${pkgs.xdg-desktop-portal}/libexec/xdg-document-portal";
          BIN_VIRTIOFSD = "${pkgs.virtiofsd}/bin/virtiofsd";
        };

        rustToolchain = pkgs.pkgsBuildHost.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml;
        rustPlatform = pkgs.makeRustPlatform {
          cargo = rustToolchain;
          rustc = rustToolchain;
        };
        rustPackage = crate:
          let cargoToml = builtins.fromTOML (builtins.readFile ./${crate}/Cargo.toml);
          in rustPlatform.buildRustPackage {
            inherit (cargoToml.package) name version;
            src = ./.;
            cargoLock.lockFile = ./Cargo.lock;
            cargoLock.outputHashes = {
              "zbus-5.9.0" = "sha256-3xaKbf+JmO5yVwPbvA3z9dHvqICh7yCeKk1SIX8zhJA=";
              "busd-0.4.0" = "sha256-UzTclEJ8lRMmiuLJJi+gsm7vkx+MLfnDdi5s9OVT1HE=";
            };
            buildAndTestSubdir = crate;
            env = buildEnvVars;
          };
      in
      {
        devShells.default = pkgs.mkShell {
          buildInputs = [ rustToolchain ];
          env = buildEnvVars;
        };

        packages.sidebus-agent = rustPackage "sidebus-agent";
        packages.sidebus-broker = rustPackage "sidebus-broker";

        nixosModules.sidebus-vm = { ... }: {
          environment.sessionVariables.DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/sidebus.sock";
          systemd.sockets.sidebus-agent = {
            # SocketMode= is 0666 by default
            listenStreams = [ "/run/sidebus.sock" ];
            wantedBy = [ "sockets.target" ];
            documentation = [ "https://git.clan.lol/valpackett/sidebus" ];
          };
          systemd.services.sidebus-agent = {
            # TODO: confinement (can do a lot)
            serviceConfig = {
              ExecStart = "${rustPackage "sidebus-agent"}/bin/sidebus-agent";
              ImportCredential = "sidebus.*";
            };
            documentation = [ "https://git.clan.lol/valpackett/sidebus" ];
          };
          systemd.mounts = [
            {
              type = "virtiofs";
              what = "vm-doc-portal";
              where = "/run/vm-doc-portal";
              wantedBy = [ "multi-user.target" ];
            }
          ];
        };
      }
    );
}