feat(deploy): add Nix flake + NixOS module

2026-02-15 18:26:10 -08:00
parent e1a6b205d7
commit 2177413833
6 changed files with 280 additions and 1 deletions
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.flynn;
+in
+{
+  options.services.flynn = {
+    enable = lib.mkEnableOption "Flynn daemon";
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.flynn;
+      defaultText = "pkgs.flynn";
+      description = "Flynn package to run.";
+    };
+
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Path to Flynn YAML config (exported as FLYNN_CONFIG).";
+    };
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/flynn";
+      description = "Persistent data directory (exported as FLYNN_DATA_DIR).";
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "flynn";
+      description = "System user for the service.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "flynn";
+      description = "System group for the service.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.groups.${cfg.group} = { };
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      home = cfg.dataDir;
+      createHome = true;
+    };
+
+    systemd.services.flynn = {
+      description = "Flynn AI Assistant Daemon";
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        NODE_ENV = "production";
+        FLYNN_CONFIG = toString cfg.configFile;
+        FLYNN_DATA_DIR = cfg.dataDir;
+      };
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.dataDir;
+        ExecStart = "${cfg.package}/bin/flynn start";
+        Restart = "on-failure";
+        RestartSec = 10;
+
+        # Baseline hardening; adjust as needed for your environment.
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ReadWritePaths = [ cfg.dataDir ];
+      };
+    };
+  };
+}
+
@@ -0,0 +1,68 @@
+{ pkgs }:
+let
+  lib = pkgs.lib;
+in
+pkgs.buildPnpmPackage rec {
+  pname = "flynn";
+  version = "0.1.0";
+
+  # Keep the source small and deterministic for Nix builds.
+  src = lib.cleanSourceWith {
+    src = ./.;
+    filter =
+      path: type:
+      let
+        baseName = baseNameOf path;
+      in
+      !(
+        baseName == ".git"
+        || baseName == "node_modules"
+        || baseName == "dist"
+        || baseName == ".worktrees"
+        || baseName == "whisper-models"
+      );
+  };
+
+  pnpmLock = ./pnpm-lock.yaml;
+
+  # NOTE: Update this hash after the first `nix build` by copying the
+  # "got: sha256-..." value from the error message.
+  pnpmDepsHash = lib.fakeHash;
+
+  nativeBuildInputs = [
+    pkgs.makeWrapper
+    pkgs.python3
+    pkgs.pkg-config
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    pnpm build
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/lib/flynn
+    cp -r dist node_modules package.json config $out/lib/flynn/
+    if [ -f SOUL.md ]; then
+      cp SOUL.md $out/lib/flynn/
+    fi
+
+    makeWrapper ${pkgs.nodejs_22}/bin/node $out/bin/flynn \
+      --add-flags $out/lib/flynn/dist/cli/index.js \
+      --set-default NODE_ENV production
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Self-hosted personal AI agent";
+    homepage = "https://github.com/will666/flynn";
+    license = licenses.mit;
+    platforms = platforms.unix;
+    mainProgram = "flynn";
+  };
+}
+