From 60aa3ad42200d68bff33b31cd7083250449c33ff Mon Sep 17 00:00:00 2001
From: Polen
Date: Thu, 2 Apr 2026 11:42:32 -0400
Subject: [PATCH] nixos module

---
 flake.nix | 4 ++-
 nixos-module.nix | 69 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 nixos-module.nix

diff --git a/flake.nix b/flake.nix
index 1d65345..8378b0c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,5 +27,7 @@
 vendorHash = null; # Will need updating after go mod tidy
 };
 }
- );
+ ) // {
+ nixosModules.default = import ./nixos-module.nix { inherit self; };
+ };
 }
diff --git a/nixos-module.nix b/nixos-module.nix
new file mode 100644
index 0000000..0bdb3c4
--- /dev/null
+++ b/nixos-module.nix
@@ -0,0 +1,69 @@
+{ self }:
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.essence;
+in
+{
+ options.services.essence = {
+ enable = lib.mkEnableOption "Essence Quebec gas price map";
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 8080;
+ description = "Port the Essence web server listens on.";
+ };
+
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to open the firewall for the Essence web server port.";
+ };
+
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = self.packages.${pkgs.system}.default;
+ defaultText = lib.literalExpression "self.packages.\${pkgs.system}.default";
+ description = "The Essence package to use.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.essence = {
+ description = "Essence Quebec - Gas price map";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ environment = {
+ PORT = toString cfg.port;
+ };
+
+ serviceConfig = {
+ ExecStart = lib.getExe cfg.package;
+ Restart = "on-failure";
+ RestartSec = 5;
+
+ DynamicUser = true;
+
+ # Hardening
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
+ };
+}
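Review bot: The `# Hardening` block under `serviceConfig` leaves the capability bounding set, socket address families and syscall architectures unrestricted, so the sandbox is weaker than the rest of the list suggests; the standard complements are `CapabilityBoundingSet = ""`, `RestrictAddressFamilies` and `SystemCallArchitectures = "native"`, with `ProtectProc`, `ProtectClock`, `ProtectHostname` and a tight `UMask` as cheap extras. AF_UNIX should stay in the allowed families because name resolution through nss-resolve uses a local socket; whether the binary needs anything beyond listening and outbound HTTP is not visible here, so confirm against the Go code before narrowing further. Separately, the `package` default uses `pkgs.system`, which is deprecated in favour of `pkgs.stdenv.hostPlatform.system` (update `defaultText` to match). The unit declares no `StateDirectory`, so under `ProtectSystem = "strict"` any on-disk cache the server tries to write will fail — confirm the binary is stateless or add one.
```nix
serviceConfig = {
  # … unchanged: ExecStart, Restart, RestartSec, DynamicUser, existing hardening …
  CapabilityBoundingSet = "";
  RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
  SystemCallArchitectures = "native";
  ProtectProc = "invisible";
  ProtectClock = true;
  ProtectHostname = true;
  UMask = "0077";
};
```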