authorseth <[email protected]>2024-06-16 07:15:13 -0400
committerGitHub <[email protected]>2024-06-16 07:15:13 -0400
commitd25129d829e0ebd70b4e60e399fe91c0d80aa1ad (patch)
tree2a62992f2980f9fed2204ef5ef708a0228998cf1 /nix
parenta0bfcc1587e3cef1b8f6fa0508a280fc48c82231 (diff)
use libgit2 to track PRs (#10)v0.2.0
* nix: don't depend on registry for nixpkgs input * use libgit2 to track PRs * nix: don't use ci devShell as default * crates: bump serenity from `9ad74d4` to `0.12.2` * nix: fix cross compiled builds * crates: split more from client * bot-jobs: update remote refs more efficiently * git-tracker: account for HEAD commits * bot-config: use nixpkgs branches from environment * bot-commands: don't display branches prs haven't landed in * git-tracker: return false when commits aren't found this is annoying as a hard error since it turns out github will report garbage merge commit SHAs for PRs that *haven't* been merged yet. yay * bot: improve docs in some places * bot-client: display invite link on start * bot-http: add TeawieClientExt * bot-commands: add /about * docs: update readme todos * nix: enable StateDirectory in module * crates: bump to 0.2.0
Diffstat (limited to 'nix')
-rw-r--r--nix/module.nix18
-rw-r--r--nix/package.nix12
-rw-r--r--nix/static.nix19
3 files changed, 31 insertions, 18 deletions
diff --git a/nix/module.nix b/nix/module.nix
index ec9da78..3d23ead 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -47,16 +47,26 @@ in {
${getExe cfg.package}
'';
+ environment = {
+ # using `/var/lib/private` as we have `DynamicUser` enabled
+ BOT_NIXPKGS_PATH = "/var/lib/private/${config.systemd.services.nixpkgs-tracker-bot.serviceConfig.StateDirectory}/nixpkgs";
+ };
+
serviceConfig = {
Type = "simple";
Restart = "on-failure";
EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
- # hardening
+ StateDirectory = "nixpkgs-tracker-bot";
+
+ # hardening settings
DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
+ PrivateIPC = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
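Review bot: The `BOT_NIXPKGS_PATH` value hard-codes systemd's `/var/lib/private/` layout and repeats the `StateDirectory` name through a long option-path lookup, so the two can drift and the path depends on an implementation detail rather than the documented state-directory handle. systemd exports `$STATE_DIRECTORY` to the service and, for `DynamicUser=` units, keeps `/var/lib/<name>` as a symlink into `private/`, so `BOT_NIXPKGS_PATH = "%S/nixpkgs-tracker-bot/nixpkgs";` (the `%S` specifier is expanded in `Environment=`) would express the same location without the private prefix — presumably the bot cannot read `$STATE_DIRECTORY` itself, otherwise that would be simpler still; confirm either form resolves inside the `ProtectSystem = "strict"` mount namespace before switching. The surrounding `systemd.services` attribute set starts before this hunk.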
@@ -66,16 +76,16 @@ in {
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
+ ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
- "~@resources"
- "~@privileged"
];
- Umask = "0007";
+ UMask = "0077";
};
};
};
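Review bot: Dropping `"~@resources"` and `"~@privileged"` from `SystemCallFilter` widens the seccomp allow-list rather than tightening it, because `@system-service` already contains `@resources`, `@setuid`, `@chown` and similar sub-groups that the two deny entries previously carved back out; nothing in the commit message says which call libgit2 or the nixpkgs checkout needed. If a specific syscall was being denied, prefer to keep both entries and add a targeted allow after them with a comment naming the call (`"~@privileged" "~@resources" "<syscall> # needed by libgit2 — TODO confirm"`), or at least document the relaxation next to the list. The `Umask` → `UMask` correction is worth keeping as is: the old key was not a valid systemd option, so no umask was applied before this change, and `0077` is the right value for a `DynamicUser` service. The enclosing `serviceConfig` block begins in the previous hunk.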
diff --git a/nix/package.nix b/nix/package.nix
index 2802233..778fa27 100644
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -1,6 +1,8 @@
{
lib,
rustPlatform,
+ openssl,
+ pkg-config,
version,
lto ? true,
optimizeSize ? false,
@@ -12,16 +14,16 @@ rustPlatform.buildRustPackage {
src = lib.fileset.toSource {
root = ../.;
fileset = lib.fileset.unions [
- ../src
+ (lib.fileset.gitTracked ../crates)
../Cargo.toml
../Cargo.lock
];
};
- cargoLock = {
- lockFile = ../Cargo.lock;
- allowBuiltinFetchGit = true;
- };
+ cargoLock.lockFile = ../Cargo.lock;
+
+ nativeBuildInputs = [pkg-config];
+ buildInputs = [openssl];
env = let
toRustFlags = lib.mapAttrs' (
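Review bot: `(lib.fileset.gitTracked ../crates)` needs a readable `.git` directory at evaluation time, because it is implemented on top of `builtins.fetchGit`; if this package is built from a flake (the message's "don't depend on registry for nixpkgs input" suggests it is), the source in the store has no `.git` and evaluation fails — worth confirming with a `nix build` from a clean checkout. A plain `../crates` path in the `unions` list, optionally narrowed with `lib.fileset.fileFilter`, would not have that dependency. Removing `allowBuiltinFetchGit = true` is consistent with serenity moving off a git revision, but any future git-sourced crate will now need an `outputHashes` entry; a one-line comment next to `cargoLock.lockFile` saying so would save the next person a confusing build error. The enclosing `rustPlatform.buildRustPackage {` call starts before this hunk.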
diff --git a/nix/static.nix b/nix/static.nix
index f79de47..c5e3c57 100644
--- a/nix/static.nix
+++ b/nix/static.nix
@@ -1,16 +1,15 @@
{
lib,
- arch,
- nixpkgs-tracker-bot,
fenix,
pkgsCross,
+ nixpkgs-tracker-bot,
}: let
- crossTargetFor = with pkgsCross; {
+ crossPkgsFor = with pkgsCross; {
x86_64 = musl64.pkgsStatic;
aarch64 = aarch64-multiplatform;
};
- rustcTargetFor = lib.mapAttrs (lib.const (pkgs: pkgs.stdenv.hostPlatform.rust.rustcTarget)) crossTargetFor;
+ rustcTargetFor = lib.mapAttrs (lib.const (pkgs: pkgs.stdenv.hostPlatform.rust.rustcTarget)) crossPkgsFor;
rustStdFor = lib.mapAttrs (lib.const (rustcTarget: fenix.targets.${rustcTarget}.stable.rust-std)) rustcTargetFor;
toolchain = with fenix;
@@ -26,9 +25,11 @@
lib.genAttrs ["cargo" "rustc"] (lib.const toolchain)
))
)
- crossTargetFor;
+ crossPkgsFor;
in
- nixpkgs-tracker-bot.override {
- rustPlatform = crossPlatformFor.${arch};
- optimizeSize = true;
- }
+ {arch}:
+ nixpkgs-tracker-bot.override {
+ rustPlatform = crossPlatformFor.${arch};
+ inherit (crossPkgsFor.${arch}) openssl;
+ optimizeSize = true;
+ }