migrate nix package build process to crane

flake.nix

@@ -3,6 +3,7 @@
     nixpkgs.url = "nixpkgs";
     flake-utils.url = "github:numtide/flake-utils";
     rust-overlay.url = "github:oxalica/rust-overlay";
+    crane.url = "github:ipetkov/crane";
 
     # let git manage submodules
     self.submodules = true;
@@ -25,26 +26,33 @@
     nixpkgs,
     flake-utils,
     rust-overlay,
+    crane,
     ...
   }:
     flake-utils.lib.eachDefaultSystem (system: let
-      # add rust overlay
-      pkgs = import nixpkgs {
+      # Plain nixpkgs — used for packages and checks.
+      pkgs = import nixpkgs {inherit system;};
+
+      # nixpkgs with rust-overlay — only needed for the dev shell, which uses
+      # pkgs.rust-bin to get a customised Rust toolchain.
+      devPkgs = import nixpkgs {
         inherit system;
         overlays = [rust-overlay.overlays.default];
       };
+
+      craneLib = crane.mkLib pkgs;
     in {
-      devShells.default = import ./nix/shell.nix {
-        inherit pkgs;
-      };
+      devShells.default = import ./nix/shell.nix {pkgs = devPkgs; inherit craneLib;};
 
       packages.default = pkgs.callPackage ./nix/package.nix {
-        inherit pkgs;
+        inherit pkgs craneLib;
       };
 
+      checks.default = self.packages.${system}.default;
+
       formatter = pkgs.alejandra;
     })
     // {
-      nixosModules.default = import ./nix/nixos-module.nix;
+      nixosModules.default = import ./nix/nixos-module.nix {mkCraneLib = crane.mkLib;};
     };
 }

nix/nixos-module.nix

@@ -1,61 +1,59 @@
-{
+{mkCraneLib}: {
   config,
   lib,
   pkgs,
   ...
-}:
-with lib; let
-  defguard-client = pkgs.callPackage ./package.nix {};
+}: let
+  craneLib = mkCraneLib pkgs;
+  defguard-client = pkgs.callPackage ./package.nix {inherit pkgs craneLib;};
   cfg = config.programs.defguard-client;
 in {
   options.programs.defguard-client = {
-    enable = mkEnableOption "Defguard VPN client and service";
+    enable = lib.mkEnableOption "Defguard VPN client and service";
 
-    package = mkOption {
-      type = types.package;
+    package = lib.mkOption {
+      type = lib.types.package;
       default = defguard-client;
       description = "defguard-client package to use";
     };
 
-    logLevel = mkOption {
-      type = types.str;
+    logLevel = lib.mkOption {
+      type = lib.types.str;
       default = "info";
       description = "Log level for defguard-service";
     };
 
-    statsPeriod = mkOption {
-      type = types.int;
+    statsPeriod = lib.mkOption {
+      type = lib.types.int;
       default = 30;
       description = "Interval in seconds for interface statistics updates";
     };
   };
 
-  config = mkIf cfg.enable {
-    # Add client package
+  config = lib.mkIf cfg.enable {
     environment.systemPackages = [cfg.package];
 
-    # Setup systemd service for the intrerface management daemon
     systemd.services.defguard-service = {
       description = "Defguard VPN Service";
+      documentation = ["https://docs.defguard.net"];
       wantedBy = ["multi-user.target"];
       wants = ["network-online.target"];
       after = ["network-online.target"];
       serviceConfig = {
+        Group = "defguard";
         ExecStart = "${cfg.package}/bin/defguard-service --log-level ${cfg.logLevel} --stats-period ${toString cfg.statsPeriod}";
         ExecReload = "/bin/kill -HUP $MAINPID";
-        Group = "defguard";
-        Restart = "on-failure";
-        RestartSec = 2;
         KillMode = "process";
         KillSignal = "SIGINT";
         LimitNOFILE = 65536;
         LimitNPROC = "infinity";
+        Restart = "on-failure";
+        RestartSec = 2;
         TasksMax = "infinity";
         OOMScoreAdjust = -1000;
       };
     };
 
-    # Make sure the defguard group exists
     users.groups.defguard = {};
   };
 }