From d25129d829e0ebd70b4e60e399fe91c0d80aa1ad Mon Sep 17 00:00:00 2001
From: seth
Date: Sun, 16 Jun 2024 07:15:13 -0400
Subject: use libgit2 to track PRs (#10)
* nix: don't depend on registry for nixpkgs input
* use libgit2 to track PRs
* nix: don't use ci devShell as defaul
* crates: bump serenity from `9ad74d4` to `0.12.2
* nix: fix cross compiled builds
* crates: split more from client
* bot-jobs: update remote refs more efficiently
* git-tracker: account for HEAD commits
* bot-config: use nixpkgs branches from environment
* bot-commands: don't display branches prs haven't landed in
* git-tracker: return false when commits aren't found this is annoying as a hard error since it turns out github will report garbage merge commit SHAs for PRs that *haven't* been merged yet. yay
* bot: improve docs in some places
* bot-client: display invite link on start
* bot-http: add TeawieClientExt
* bot-commands: add /about
* docs: update readme todos
* nix: enable StateDirectory in module
* crates: bump to 0.2.0
---
 nix/module.nix | 18 ++++++++++++++----
 nix/package.nix | 12 +++++++-----
 nix/static.nix | 19 ++++++++++---------
 3 files changed, 31 insertions(+), 18 deletions(-)
(limited to 'nix')
diff --git a/nix/module.nix b/nix/module.nix
index ec9da78..3d23ead 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -47,16 +47,26 @@ in {
 ${getExe cfg.package}
 '';
+ environment = {
+ # using `/var/lib/private` as we have `DynamicUser` enabled
+ BOT_NIXPKGS_PATH = "/var/lib/private/${config.systemd.services.nixpkgs-tracker-bot.serviceConfig.StateDirectory}/nixpkgs";
+ };
+
 serviceConfig = {
 Type = "simple";
 Restart = "on-failure";
 EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
- # hardening
+ StateDirectory = "nixpkgs-tracker-bot";
+
+ # hardening settings
 DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
+ PrivateIPC = true;
 PrivateTmp = true;
 PrivateUsers = true;
 ProtectClock = true;
@@ -66,16 +76,16 @@ in {
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
+ ProtectProc = "invisible";
 ProtectSystem = "strict";
 RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
- "~@resources"
- "~@privileged"
 ];
- Umask = "0007";
+ UMask = "0077";
 };
 };
 };
diff --git a/nix/package.nix b/nix/package.nix
index 2802233..778fa27 100644
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -1,6 +1,8 @@
 {
 lib,
 rustPlatform,
+ openssl,
+ pkg-config,
 version,
 lto ? true,
 optimizeSize ? false,
@@ -12,16 +14,16 @@ rustPlatform.buildRustPackage {
 src = lib.fileset.toSource {
 root = ../.;
 fileset = lib.fileset.unions [
- ../src
+ (lib.fileset.gitTracked ../crates)
 ../Cargo.toml
 ../Cargo.lock
 ];
 };
- cargoLock = {
- lockFile = ../Cargo.lock;
- allowBuiltinFetchGit = true;
- };
+ cargoLock.lockFile = ../Cargo.lock;
+
+ nativeBuildInputs = [pkg-config];
+ buildInputs = [openssl];
 env = let
 toRustFlags = lib.mapAttrs' (
diff --git a/nix/static.nix b/nix/static.nix
index f79de47..c5e3c57 100644
--- a/nix/static.nix
+++ b/nix/static.nix
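Review bot: BOT_NIXPKGS_PATH hardcodes the `/var/lib/private/…` location that DynamicUser uses internally and rebuilds it from `config.systemd.services.nixpkgs-tracker-bot.serviceConfig.StateDirectory`, when systemd already publishes that directory to the unit. `Environment=` expands unit specifiers, so `BOT_NIXPKGS_PATH = "%S/nixpkgs-tracker-bot/nixpkgs";` (or having the bot read `$STATE_DIRECTORY`, which `StateDirectory=` exports) should reach the same tree through the `/var/lib/<name>` symlink systemd maintains for DynamicUser services, without depending on the private-mount layout — worth confirming on a test host before switching. The `# using /var/lib/private …` comment would then no longer be needed. ProtectSystem=strict already leaves the state directory writable, so no ReadWritePaths entry is required either way.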
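Review bot: Removing `"~@resources"` and `"~@privileged"` from SystemCallFilter widens the seccomp sandbox, and neither the hunk nor the commit message says which call libgit2 or OpenSSL actually needed; per systemd's group definitions `@system-service` already contains `@chown`, `@setuid` and `@resources`, so the old `~@privileged` entry was what kept the chown/setuid/setgid family out of the bot's allowed set. If only a resource-limit call was the trigger, keep the privileged exclusion and drop just the other one: `SystemCallFilter = [ "@system-service" "~@privileged" ];`. Whatever the final list, a comment naming the syscall that forced the change (e.g. `# libgit2 needs <syscall>; see seccomp denials in the journal`) would stop the next reviewer from silently re-tightening it. NoNewPrivileges, DynamicUser and RestrictSUIDSGID still bound the blast radius, so this is a defense-in-depth regression rather than an immediate hole.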
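Review bot: `(lib.fileset.gitTracked ../crates)` requires `../.` to be a real Git working tree with its `.git` directory present; if this derivation is evaluated from a flake (the `nix:` items in the commit message suggest it is), the flake source is copied into the store without `.git`, and as far as I can tell from nixpkgs' documentation `gitTracked` then fails to evaluate rather than falling back. Expressing the intent without Git metadata avoids that, e.g. `(lib.fileset.fileFilter (f: f.hasExt "rs" || f.name == "Cargo.toml") ../crates)` — please confirm with a `nix build` from a clean checkout. Dropping `allowBuiltinFetchGit` is consistent with serenity now coming from a registry release rather than a git rev, so the lockfile-only `cargoLock.lockFile` is fine.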
@@ -1,16 +1,15 @@
 {
 lib,
- arch,
- nixpkgs-tracker-bot,
 fenix,
 pkgsCross,
+ nixpkgs-tracker-bot,
 }: let
- crossTargetFor = with pkgsCross; {
+ crossPkgsFor = with pkgsCross; {
 x86_64 = musl64.pkgsStatic;
 aarch64 = aarch64-multiplatform;
 };
- rustcTargetFor = lib.mapAttrs (lib.const (pkgs: pkgs.stdenv.hostPlatform.rust.rustcTarget)) crossTargetFor;
+ rustcTargetFor = lib.mapAttrs (lib.const (pkgs: pkgs.stdenv.hostPlatform.rust.rustcTarget)) crossPkgsFor;
 rustStdFor = lib.mapAttrs (lib.const (rustcTarget: fenix.targets.${rustcTarget}.stable.rust-std)) rustcTargetFor;
 toolchain = with fenix;
@@ -26,9 +25,11 @@
 lib.genAttrs ["cargo" "rustc"] (lib.const toolchain)
 ))
 )
- crossTargetFor;
+ crossPkgsFor;
 in
- nixpkgs-tracker-bot.override {
- rustPlatform = crossPlatformFor.${arch};
- optimizeSize = true;
- }
+ {arch}:
+ nixpkgs-tracker-bot.override {
+ rustPlatform = crossPlatformFor.${arch};
+ inherit (crossPkgsFor.${arch}) openssl;
+ optimizeSize = true;
+ }
--
cgit v1.2.3
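Review bot: `inherit (crossPkgsFor.${arch}) openssl;` pulls a glibc, shared-library OpenSSL for aarch64, because only the x86_64 entry of crossPkgsFor uses `.pkgsStatic`; unless static linking is forced elsewhere, the aarch64 artifact produced by this "static" builder will still depend on libssl.so at runtime. The one-line fix sits in the first hunk: `aarch64 = aarch64-multiplatform.pkgsStatic;`. For the x86_64 build, OpenSSL is now baked into the binary and no longer follows system updates, so a comment above the override such as `# openssl is linked statically: rebuild to pick up TLS fixes` would help whoever operates the deployed artifact. The `pkg-config` that package.nix puts in nativeBuildInputs is left as the build-platform one, so it may be worth inheriting it from `crossPkgsFor.${arch}.buildPackages` as well so openssl-sys sees the host-targeted wrapper — verify against an actual cross build.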