| author | seth <[email protected]> | 2024-05-27 04:55:45 -0400 |
|---|---|---|
| committer | seth <[email protected]> | 2024-05-27 04:56:48 -0400 |
| commit | c69eea2f4823da476628742fbbec600ee95ac049 (patch) | |
| tree | 7cf3d87f5f202e6049ba44a06ac6fe9d3558826b /nix | |
initial commit
Diffstat (limited to 'nix')
| -rw-r--r-- | nix/module.nix | 82 | ||||
| -rw-r--r-- | nix/package.nix | 50 | ||||
| -rw-r--r-- | nix/static.nix | 34 |
3 files changed, 166 insertions, 0 deletions
diff --git a/nix/module.nix b/nix/module.nix new file mode 100644
index 0000000..ec9da78
--- /dev/null
+++ b/nix/module.nix
@@ -0,0 +1,82 @@
+self: {
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ cfg = config.services.nixpkgs-tracker-bot;
+
+ inherit
+ (lib)
+ getExe
+ literalExpression
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ types
+ ;
+
+ inherit (pkgs.stdenv.hostPlatform) system;
+in {
+ options.services.nixpkgs-tracker-bot = {
+ enable = mkEnableOption "nixpkgs-tracker-bot";
+ package = mkPackageOption (
+ self.packages.${system} or (throw "${system} is not supported!")
+ ) "nixpkgs-tracker-bot" {};
+
+ environmentFile = mkOption {
+ description = ''
+ Environment file as defined in {manpage}`systemd.exec(5)`
+ '';
+ type = types.nullOr types.path;
+ default = null;
+ example = literalExpression ''
+ "/run/agenix.d/1/nixpkgs-tracker-bot"
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.nixpkgs-tracker-bot = {
+ enable = true;
+ wantedBy = ["multi-user.target"];
+ after = ["network.target"];
+
+ script = ''
+ ${getExe cfg.package}
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+
+ EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+
+ # hardening
+ DynamicUser = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
+ Umask = "0007";
+ };
+ };
+ };
+}
diff --git a/nix/package.nix b/nix/package.nix new file mode 100644
index 0000000..2802233
--- /dev/null
+++ b/nix/package.nix
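Review bot: `RestrictNamespaces = "uts ipc pid user cgroup";` in serviceConfig is an allow-list, so the unit may still create user namespaces (and the other listed types) although nothing visible here suggests a Discord bot needs any of them; unprivileged user namespaces are a recurring kernel attack surface, and `RestrictNamespaces = true;` denies every type. The hardening block also sets no socket-family or capability bound: DynamicUser already starts the process without capabilities, but `CapabilityBoundingSet = "";` and `RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];` (AF_UNIX for the nscd resolver socket on NixOS) make that explicit, and `LockPersonality`, `MemoryDenyWriteExecute` and `RestrictRealtime` are cheap additions for a Rust binary. Whether the environment file is meant to carry the bot's token is not visible in this hunk, but the `environmentFile` option description could say so and note that the file may be root-only readable because systemd loads it before switching to the dynamic user — confirm that ordering against systemd.exec(5) before documenting it.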
@@ -0,0 +1,50 @@
+{
+ lib,
+ rustPlatform,
+ version,
+ lto ? true,
+ optimizeSize ? false,
+}:
+rustPlatform.buildRustPackage {
+ pname = "nixpkgs-tracker-bot";
+ inherit version;
+
+ src = lib.fileset.toSource {
+ root = ../.;
+ fileset = lib.fileset.unions [
+ ../src
+ ../Cargo.toml
+ ../Cargo.lock
+ ];
+ };
+
+ cargoLock = {
+ lockFile = ../Cargo.lock;
+ allowBuiltinFetchGit = true;
+ };
+
+ env = let
+ toRustFlags = lib.mapAttrs' (
+ name:
+ lib.nameValuePair
+ "CARGO_BUILD_RELEASE_${lib.toUpper (builtins.replaceStrings ["-"] ["_"] name)}"
+ );
+ in
+ lib.optionalAttrs lto (toRustFlags {
+ lto = "thin";
+ })
+ // lib.optionalAttrs optimizeSize (toRustFlags {
+ codegen-units = 1;
+ opt-level = "s";
+ panic = "abort";
+ strip = "symbols";
+ });
+
+ meta = {
+ description = "A Discord app for tracking nixpkgs pull requests";
+ homepage = "https://github.com/getchoo/nixpkgs-tracker-bot";
+ mainProgram = "nixpkgs-tracker-bot";
+ license = lib.licenses.mit;
+ maintainers = [lib.maintainers.getchoo];
+ };
+}
diff --git a/nix/static.nix b/nix/static.nix new file mode 100644
index 0000000..f79de47
--- /dev/null
+++ b/nix/static.nix
@@ -0,0 +1,34 @@
+{
+ lib,
+ arch,
+ nixpkgs-tracker-bot,
+ fenix,
+ pkgsCross,
+}: let
+ crossTargetFor = with pkgsCross; {
+ x86_64 = musl64.pkgsStatic;
+ aarch64 = aarch64-multiplatform;
+ };
+
+ rustcTargetFor = lib.mapAttrs (lib.const (pkgs: pkgs.stdenv.hostPlatform.rust.rustcTarget)) crossTargetFor;
+ rustStdFor = lib.mapAttrs (lib.const (rustcTarget: fenix.targets.${rustcTarget}.stable.rust-std)) rustcTargetFor;
+
+ toolchain = with fenix;
+ combine (
+ [stable.cargo stable.rustc]
+ ++ lib.attrValues rustStdFor
+ );
+
+ crossPlatformFor =
+ lib.mapAttrs (
+ lib.const (pkgs:
+ pkgs.makeRustPlatform (
+ lib.genAttrs ["cargo" "rustc"] (lib.const toolchain)
+ ))
+ )
+ crossTargetFor;
+in
+ nixpkgs-tracker-bot.override {
+ rustPlatform = crossPlatformFor.${arch};
+ optimizeSize = true;
+ } |
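Review bot: The `CARGO_BUILD_RELEASE_` prefix that toRustFlags builds in the env block does not correspond to any Cargo configuration variable — release-profile keys are read from `CARGO_PROFILE_RELEASE_<KEY>`, while the `CARGO_BUILD_*` family maps to the `[build]` table, which has no profile sub-keys — so, as far as I can tell from Cargo's config reference, lto, codegen-units, opt-level, panic and strip are silently ignored and both `lto ? true` and `optimizeSize` are no-ops. Changing the template to `"CARGO_PROFILE_RELEASE_${lib.toUpper (builtins.replaceStrings ["-"] ["_"] name)}"` should make them take effect; worth confirming against the `cargo build -v` output of a build. Separately, `allowBuiltinFetchGit = true` fetches any git dependencies in Cargo.lock at evaluation time through builtins.fetchGit, pinned only by the lockfile's commit id rather than by a content hash; the lockfile is not in this diff, so if it has git sources consider listing them in `cargoLock.outputHashes` instead, which pins each source by SRI hash and keeps the fetch inside a sandboxed fixed-output derivation.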
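Review bot: `aarch64 = aarch64-multiplatform;` in crossTargetFor pairs a glibc, dynamically linked cross package set with the x86_64 entry's `musl64.pkgsStatic`, so the aarch64 output of this "static" build is not static and will still carry a runtime dependency on the target's glibc. `aarch64 = aarch64-multiplatform.pkgsStatic;` would make the two entries consistent (pkgsStatic is exposed on any nixpkgs cross package set), though the resulting rustcTarget should be checked against the targets fenix provides before relying on it. `crossPlatformFor.${arch}` also fails with a bare missing-attribute error for any other `arch`; `crossPlatformFor.${arch} or (throw "${arch} is not supported!")` would match the style module.nix uses for the same situation.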
