From 4547dacc7e3315055fc9c47be21e82f4ad5e8626 Mon Sep 17 00:00:00 2001
From: centra <p@centraworks.net>
Date: Fri, 12 Dec 2025 08:35:20 +0900
Subject: [PATCH] feat(nix): Add creditservice module for NixOS deployment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add creditservice.nix module for credit service deployment
- Update default.nix to import creditservice module
- Required for T039.S3 NixOS provisioning

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 nix/modules/creditservice.nix | 76 +++++++++++++++++++++++++++++++++++
 nix/modules/default.nix       |  1 +
 2 files changed, 77 insertions(+)
 create mode 100644 nix/modules/creditservice.nix

diff --git a/nix/modules/creditservice.nix b/nix/modules/creditservice.nix
new file mode 100644
index 0000000..fcb8174
--- /dev/null
+++ b/nix/modules/creditservice.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.creditservice;
+in
+{
+  options.services.creditservice = {
+    enable = lib.mkEnableOption "creditservice service";
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      default = 3010;
+      description = "Port for creditservice gRPC API";
+    };
+
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/creditservice";
+      description = "Data directory for creditservice";
+    };
+
+    settings = lib.mkOption {
+      type = lib.types.attrs;
+      default = {};
+      description = "Additional configuration settings";
+    };
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.creditservice-server or (throw "creditservice-server package not found");
+      description = "Package to use for creditservice";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Create system user
+    users.users.creditservice = {
+      isSystemUser = true;
+      group = "creditservice";
+      description = "CreditService quota/billing user";
+      home = cfg.dataDir;
+    };
+
+    users.groups.creditservice = {};
+
+    # Create systemd service
+    systemd.services.creditservice = {
+      description = "CreditService Quota and Billing Management";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "chainfire.service" "nightlight.service" ];
+      wants = [ "chainfire.service" "nightlight.service" ];
+
+      serviceConfig = {
+        Type = "simple";
+        User = "creditservice";
+        Group = "creditservice";
+        Restart = "on-failure";
+        RestartSec = "10s";
+
+        # State directory management
+        StateDirectory = "creditservice";
+        StateDirectoryMode = "0750";
+
+        # Security hardening
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ReadWritePaths = [ cfg.dataDir ];
+
+        # Start command
+        ExecStart = "${cfg.package}/bin/creditservice-server --port ${toString cfg.port} --data-dir ${cfg.dataDir}";
+      };
+    };
+  };
+}
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
index e327edb..38219ea 100644
--- a/nix/modules/default.nix
+++ b/nix/modules/default.nix
@@ -1,6 +1,7 @@
 {
   imports = [
     ./chainfire.nix
+    ./creditservice.nix
     ./flaredb.nix
     ./iam.nix
     ./plasmavmc.nix