From 3d07413690c551d9f034c93af85ae8da5a495e14 Mon Sep 17 00:00:00 2001
From: seth
Date: Sat, 20 Apr 2024 02:31:40 +0000
Subject: spring cleaning (#165)
* treewide: lightly refactor everything * once_cell -> std::sync * remove build.rs we can get our target at runtime * commands::copypasta: refactor selection * drop owo_colors * reactboard: always remove author from count * commands: better handle behavior outside of guilds * ci: garnix -> gha * nix: drop flake-parts & pre-commit-hooks * nix: fix rust flags in derivation * add gha badge to readme * ci: fail when format changes are made * ci: only run on push to main * nix: fix nil script * nix: add libiconv to darwin deps * ci: disable fail-fast * nix: fix actionlint & static checks * ci: add release gates * nix: fix nil check again * ci: give release gates unique names * ci: only build static packages in docker workflow * nix: move dev outputs to subflake * fix some typos * nix: cleanup checks & dev shell * add editorconfig
---
nix/module.nix | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 148 insertions(+)
create mode 100644 nix/module.nix
(limited to 'nix/module.nix')
diff --git a/nix/module.nix b/nix/module.nix
new file mode 100644
index 0000000..c129e68
--- /dev/null
+++ b/nix/module.nix
@@ -0,0 +1,148 @@
+self: {
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.teawiebot;
+ defaultUser = "teawiebot";
+
+ inherit
+ (lib)
+ getExe
+ literalExpression
+ mdDoc
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ optionals
+ types
+ ;
+
+ inherit (pkgs.stdenv.hostPlatform) system;
+in {
+ options.services.teawiebot = {
+ enable = mkEnableOption "teawiebot";
+ package = mkPackageOption (
+ self.packages.${system} or (builtins.throw "${system} is not supported!")
+ ) "teawiebot" {};
+
+ user = mkOption {
+ description = mdDoc ''
+ User under which the service should run. If this is the default value,
+ the user will be created, with the specified group as the primary
+ group.
+ '';
+ type = types.str;
+ default = defaultUser;
+ example = literalExpression ''
+ "bob"
+ '';
+ };
+
+ group = mkOption {
+ description = mdDoc ''
+ Group under which the service should run. If this is the default value,
+ the group will be created.
+ '';
+ type = types.str;
+ default = defaultUser;
+ example = literalExpression ''
+ "discordbots"
+ '';
+ };
+
+ redisUrl = mkOption {
+ description = mdDoc ''
+ Connection to a redis server. If this needs to include credentials
+ that shouldn't be world-readable in the Nix store, set environmentFile
+ and override the `REDIS_URL` entry.
+ Pass the string `local` to setup a local Redis database.
+ '';
+ type = types.str;
+ default = "local";
+ example = literalExpression ''
+ "redis://localhost/"
+ '';
+ };
+
+ environmentFile = mkOption {
+ description = mdDoc ''
+ Environment file as defined in {manpage}`systemd.exec(5)`
+ '';
+ type = types.nullOr types.path;
+ default = null;
+ example = literalExpression ''
+ "/run/agenix.d/1/teawieBot"
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.redis.servers.teawiebot = mkIf (cfg.redisUrl == "local") {
+ enable = true;
+ inherit (cfg) user;
+ port = 0; # disable tcp listener
+ };
+
+ systemd.services."teawiebot" = {
+ enable = true;
+ wantedBy = ["multi-user.target"];
+ after =
+ ["network.target"]
+ ++ optionals (cfg.redisUrl == "local") ["redis-teawiebot.service"];
+
+ script = ''
+ ${getExe cfg.package}
+ '';
+
+ environment = {
+ REDIS_URL =
+ if cfg.redisUrl == "local"
+ then "unix:${config.services.redis.servers.teawiebot.unixSocket}"
+ else cfg.redisUrl;
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "always";
+
+ EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+
+ User = cfg.user;
+ Group = cfg.group;
+
+ # hardening
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictSUIDSGID = true;
+ Umask = "0007";
+ };
+ };
+
+ users = {
+ users = mkIf (cfg.user == defaultUser) {
+ ${defaultUser} = {
+ isSystemUser = true;
+ inherit (cfg) group;
+ };
+ };
+
+ groups = mkIf (cfg.group == defaultUser) {
+ ${defaultUser} = {};
+ };
+ };
+ };
+}
-- cgit v1.2.3
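Review bot: `RestrictNamespaces = "uts ipc pid user cgroup";` in the hardening section of serviceConfig is an allow list in systemd.exec(5) — the namespace types named there remain creatable and only the unlisted ones (mnt, net) are blocked — so the line reads as though deny-list semantics were intended; a bot process has no reason to create any namespace, and `RestrictNamespaces = true;` prohibits them all. The same block would be strengthened, without affecting a network client that only needs TCP to Discord and the Redis unix socket, by `CapabilityBoundingSet = "";`, `RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];`, `SystemCallArchitectures = "native";` and `SystemCallFilter = ["@system-service"];`. Separately, `inherit (cfg) user;` on the local Redis instance runs redis-server under the bot's own account, so a compromised bot process owns the database files outright; keeping the Redis module's own user and granting the bot that group via `SupplementaryGroups` would preserve access to the group-readable socket while keeping the two services apart — I have not verified the Redis module's `group` default here, so confirm before relying on it.

```nix
      serviceConfig = {
        # … unchanged: Type, Restart, EnvironmentFile, User, Group …

        # hardening
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        # … unchanged: PrivateDevices … ProtectSystem …
        RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = ["@system-service"];
        Umask = "0007";
      };
```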