{self, ...}: let
# Path of the bot executable inside a given package output.
# The argument is a derivation (or anything with an outPath); the result is
# a store-path string with the usual string context attached.
bin = pkg: pkg + "/bin/teawiebot";
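# Render the systemd unit that runs the bot as `cmd` under a dynamic user.
#   pkgs: a nixpkgs instance; only `writeTextFile` is used from it.
#   cmd:  absolute store path of the executable to launch.
# Returns the store derivation named "teawiebot.service" holding the unit.
#
# The rendered unit lives in the world-readable /nix/store, so no secret
# belongs in it: `Environment="TOKEN="` presumably only declares the
# variable, with the real value arriving via a drop-in Environment=/
# EnvironmentFile= or a credential at deployment time — confirm against
# the deployment docs before relying on it.
service = pkgs: cmd:
  pkgs.writeTextFile {
    name = "teawiebot.service";
    # The unit is a network client (the images ship CA certificates), so it
    # is ordered after network-online and restarted on failure instead of
    # staying dead if it starts before the network is usable.  The sandbox
    # directives are the standard systemd hardening set: no devices, no
    # namespaces/realtime/suid, no capabilities, native-arch syscalls only.
    text = ''
      [Unit]
      Description=teawiebot service
      After=network-online.target
      Wants=network-online.target

      [Service]
      Environment="TOKEN="
      ExecStart="${cmd}"
      Restart=on-failure
      RestartSec=5s

      DynamicUser=yes
      NoNewPrivileges=yes
      CapabilityBoundingSet=
      ProtectSystem=strict
      ProtectHome=yes
      PrivateTmp=yes
      PrivateDevices=yes
      ProtectKernelTunables=yes
      ProtectKernelModules=yes
      ProtectKernelLogs=yes
      ProtectControlGroups=yes
      ProtectClock=yes
      ProtectHostname=yes
      RestrictNamespaces=yes
      RestrictRealtime=yes
      RestrictSUIDSGID=yes
      LockPersonality=yes
      SystemCallFilter=@system-service
      SystemCallErrorNumber=EPERM
      SystemCallArchitectures=native

      [Install]
      WantedBy=multi-user.target
    '';
  };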
in {
# Per-system outputs: an OCI image and a systemd portable service, both
# launching the small (`teawiebot-smol`) build of the bot.
perSystem = {
  pkgs,
  system,
  ...
}: let
  inherit (pkgs) cacert dockerTools portableService;
  ours = self.packages.${system};
  cmd = bin ours.teawiebot-smol;
in {
  packages = {
    # Layered image: the only explicit content is the CA bundle (presumably
    # so outbound TLS can be verified); Cmd points at the bot's store path.
    container = dockerTools.buildLayeredImage {
      name = "teawiebot";
      tag = "latest";
      contents = [dockerTools.caCertificates];
      config.Cmd = ["${cmd}"];
    };
    # Portable service image carrying the rendered unit; /etc/ssl is linked
    # to cacert's copy so the same CA bundle is visible inside the image.
    service = portableService {
      inherit (ours.teawiebot) pname;
      inherit (ours.teawiebot-smol) version;
      description = "portable service for teawiebot!";
      units = [(service pkgs cmd)];
      symlinks = [
        {
          object = "${cacert}/etc/ssl";
          symlink = "/etc/ssl";
        }
      ];
    };
  };
};
# System-independent outputs: a NixOS module that installs the unit when
# `services.teawiebot.enable` is set.
flake = {
  nixosModules = {
    default = {
      config,
      lib,
      pkgs,
      ...
    }: let
      inherit (lib) mkEnableOption mkIf;
      cfg = config.services.teawiebot;
    in {
      options.services.teawiebot.enable = mkEnableOption "teawiebot";
      # NOTE(review): this sets `.text` under systemd.services.<name>; in
      # NixOS that option belongs to systemd.units.<name>, and `service`
      # yields a store derivation rather than a string — confirm the module
      # evaluates on a real host.
      # NOTE(review): `pkgs.teawiebot-smol` presumes an overlay provides the
      # package, whereas perSystem reads it from self.packages — confirm.
      config.systemd.services.teawiebot = mkIf cfg.enable {
        text = service pkgs (bin pkgs.teawiebot-smol);
      };
    };
  };
};
}