authorseth <[email protected]>2024-06-16 07:15:13 -0400
committerGitHub <[email protected]>2024-06-16 07:15:13 -0400
commitd25129d829e0ebd70b4e60e399fe91c0d80aa1ad (patch)
tree2a62992f2980f9fed2204ef5ef708a0228998cf1 /nix/module.nix
parenta0bfcc1587e3cef1b8f6fa0508a280fc48c82231 (diff)
use libgit2 to track PRs (#10)v0.2.0
* nix: don't depend on registry for nixpkgs input
* use libgit2 to track PRs
* nix: don't use ci devShell as default
* crates: bump serenity from `9ad74d4` to `0.12.2`
* nix: fix cross compiled builds
* crates: split more from client
* bot-jobs: update remote refs more efficiently
* git-tracker: account for HEAD commits
* bot-config: use nixpkgs branches from environment
* bot-commands: don't display branches prs haven't landed in
* git-tracker: return false when commits aren't found
  this is annoying as a hard error since it turns out github will report garbage merge commit SHAs for PRs that *haven't* been merged yet. yay
* bot: improve docs in some places
* bot-client: display invite link on start
* bot-http: add TeawieClientExt
* bot-commands: add /about
* docs: update readme todos
* nix: enable StateDirectory in module
* crates: bump to 0.2.0
Diffstat (limited to 'nix/module.nix')
-rw-r--r--nix/module.nix18
1 files changed, 14 insertions, 4 deletions
diff --git a/nix/module.nix b/nix/module.nix
index ec9da78..3d23ead 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -47,16 +47,26 @@ in {
${getExe cfg.package}
'';
+ environment = {
+ # using `/var/lib/private` as we have `DynamicUser` enabled
+ BOT_NIXPKGS_PATH = "/var/lib/private/${config.systemd.services.nixpkgs-tracker-bot.serviceConfig.StateDirectory}/nixpkgs";
+ };
+
serviceConfig = {
Type = "simple";
Restart = "on-failure";
EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
- # hardening
+ StateDirectory = "nixpkgs-tracker-bot";
+
+ # hardening settings
DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
+ PrivateIPC = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
@@ -66,16 +76,16 @@ in {
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
+ ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
- "~@resources"
- "~@privileged"
];
- Umask = "0007";
+ UMask = "0077";
};
};
};
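Review bot: Dropping `~@resources` and `~@privileged` from `SystemCallFilter` widens the seccomp allow-list without any rationale in the commit message or a comment. As far as I recall systemd's `@system-service` group already contains the `@chown`, `@setuid` and `@resources` families, so those deny entries were actually removing calls, and with only `@system-service` left they become reachable again (the `DynamicUser`/`NoNewPrivileges`/`RestrictSUIDSGID` settings limit the impact but do not replace the filter). If the libgit2 integration needed a specific call, the narrower change is to keep the two deny groups and allow-list that single syscall after them, with a comment naming it; otherwise record the reason above the list, e.g. `# ~@resources/~@privileged dropped because libgit2 needs <syscall> — TODO confirm`. The `Umask` → `UMask` rename is correct: the old key is not a systemd directive and was ignored, so `0077` only takes effect from this commit on, which is worth a line in the message.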