authorNathan Perry <np@npry.dev>2025-12-18 07:04:29 -0500
committerNathan Perry <np@npry.dev>2025-12-18 07:09:14 -0500
commitdf320f78fb5fa740041f87cc1d2e8faa086ff95c (patch)
treee58376f4463e3a6e51960e0e4697b8b89c1771fe
parentd0a4253e7c9d5334d2b9b71dd0dc10c2fa603507 (diff)
nix: move module to own file
-rw-r--r--flake.nix165
-rw-r--r--nix/module.nix166
2 files changed, 167 insertions, 164 deletions
diff --git a/flake.nix b/flake.nix
index 0cd8261..10b7b4f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -184,170 +184,7 @@
];
};
- nixosModules.default = { pkgs, lib, config, ... }: let
- cfg = config.services.thulani;
- in {
- options.services.thulani = with lib; with lib.types; {
- enable = mkEnableOption "thulani";
-
- package = mkOption {
- description = "thulani derivation to use";
- type = package;
- default = pkgs.thulani;
- };
-
- environment = mkOption {
- description = "literal environment to include";
- type = attrs;
- };
-
- envFiles = mkOption {
- description = "environment files to include";
- type = listOf path;
- default = [];
- };
-
- user = mkOption {
- description = "user to run service as";
- type = str;
- default = "thulani";
- };
-
- group = mkOption {
- description = "group to run service as";
- type = str;
- default = "thulani";
- };
-
- userIdMappingFile = mkOption {
- description = "user id mapping file";
- type = nullOr path;
- default = null;
- };
-
- restrictFile = mkOption {
- description = "restrict file";
- type = nullOr path;
- default = null;
- };
-
- postgres = mkOption {
- description = "local postgres server with automatic setup";
-
- type = submodule {
- options = {
- enable = mkEnableOption "postgres";
-
- db = mkOption {
- description = "db name";
- type = str;
- default = "memes";
- };
- };
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [
- cfg.package
- ];
-
- services.thulani.environment = {
- RUST_BACKTRACE = lib.mkDefault "1";
- MAX_HIST = lib.mkDefault "30";
- DEFAULT_HIST = lib.mkDefault "5";
- MAX_SHEET_COLUMN = lib.mkDefault "ZZZ";
- YTDL = lib.mkDefault "${pkgs.yt-dlp}/bin/yt-dlp";
- FFMPEG = lib.mkDefault "${pkgs.ffmpeg_4}/bin/ffmpeg";
-
- RESTRICT = lib.mkIf (cfg.restrictFile != null) "${cfg.restrictFile}";
- USER_ID_MAPPING = lib.mkIf (cfg.userIdMappingFile != null) "${cfg.userIdMappingFile}";
-
- DATABASE_URL = lib.mkIf cfg.postgres.enable "postgres:///${cfg.postgres.db}?user=${cfg.user}&host=/var/run/postgresql";
- };
-
- systemd.services.thulani = {
- description = "thulani bot";
-
- wantedBy = [
- "multi-user.target"
- ];
-
- bindsTo = [
- "network-online.target"
- ] ++ lib.optional cfg.postgres.enable "postgresql.service";
-
- after = [
- "network-online.target"
- ] ++ lib.optional cfg.postgres.enable "postgresql.service";
-
- inherit (cfg) environment;
-
- unitConfig = {
- StartLimitBurst = 3;
- StartLimitIntervalSec = "1m";
- };
-
- serviceConfig = {
- Type = "exec";
- ExecStart = "${cfg.package}/bin/thulani";
- ExecStartPre = let
- inherit (self.packages.${pkgs.system}) dbInit;
-
- in lib.mkIf cfg.postgres.enable "+${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} -- ${dbInit} ${config.services.postgresql.package}/bin/psql ${cfg.postgres.db} ${cfg.user}";
-
- EnvironmentFile = cfg.envFiles;
-
- DynamicUser = true;
- User = cfg.user;
- Group = cfg.group;
-
- Restart = "always";
- RestartSec = "10s";
-
- TimeoutStopSec = "10s";
-
- MemoryHigh = "200M";
- MemoryMax = "300M";
-
- ProtectSystem = "strict";
- ProtectProc = "noaccess";
- ProtectHome = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
-
- PrivateDevices = true;
- PrivateUsers = true;
- PrivateMounts = true;
-
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
-
- MemoryDenyWriteExecute = true;
- LockPersonality = true;
- NoNewPrivileges = true;
- KeyringMode = "private";
-
- SystemCallFilter = "@system-service";
- SystemCallErrorNumber = "EPERM";
- };
- };
-
- services.postgresql = lib.mkIf cfg.postgres.enable {
- enable = true;
-
- authentication = ''
- local ${cfg.postgres.db} ${cfg.user} ident
- '';
- };
- };
- };
+ nixosModules.default = import ./nix/module.nix self;
}
);
}
diff --git a/nix/module.nix b/nix/module.nix
new file mode 100644
index 0000000..5b59937
--- /dev/null
+++ b/nix/module.nix
@@ -0,0 +1,166 @@
+self:
+
+{ pkgs, lib, config, ... }: let
+ cfg = config.services.thulani;
+in {
+ options.services.thulani = with lib; with lib.types; {
+ enable = mkEnableOption "thulani";
+
+ package = mkOption {
+ description = "thulani derivation to use";
+ type = package;
+ default = pkgs.thulani;
+ };
+
+ environment = mkOption {
+ description = "literal environment to include";
+ type = attrs;
+ };
+
+ envFiles = mkOption {
+ description = "environment files to include";
+ type = listOf path;
+ default = [];
+ };
+
+ user = mkOption {
+ description = "user to run service as";
+ type = str;
+ default = "thulani";
+ };
+
+ group = mkOption {
+ description = "group to run service as";
+ type = str;
+ default = "thulani";
+ };
+
+ userIdMappingFile = mkOption {
+ description = "user id mapping file";
+ type = nullOr path;
+ default = null;
+ };
+
+ restrictFile = mkOption {
+ description = "restrict file";
+ type = nullOr path;
+ default = null;
+ };
+
+ postgres = mkOption {
+ description = "local postgres server with automatic setup";
+
+ type = submodule {
+ options = {
+ enable = mkEnableOption "postgres";
+
+ db = mkOption {
+ description = "db name";
+ type = str;
+ default = "memes";
+ };
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [
+ cfg.package
+ ];
+
+ services.thulani.environment = {
+ RUST_BACKTRACE = lib.mkDefault "1";
+ MAX_HIST = lib.mkDefault "30";
+ DEFAULT_HIST = lib.mkDefault "5";
+ MAX_SHEET_COLUMN = lib.mkDefault "ZZZ";
+ YTDL = lib.mkDefault "${pkgs.yt-dlp}/bin/yt-dlp";
+ FFMPEG = lib.mkDefault "${pkgs.ffmpeg_4}/bin/ffmpeg";
+
+ RESTRICT = lib.mkIf (cfg.restrictFile != null) "${cfg.restrictFile}";
+ USER_ID_MAPPING = lib.mkIf (cfg.userIdMappingFile != null) "${cfg.userIdMappingFile}";
+
+ DATABASE_URL = lib.mkIf cfg.postgres.enable "postgres:///${cfg.postgres.db}?user=${cfg.user}&host=/var/run/postgresql";
+ };
+
+ systemd.services.thulani = {
+ description = "thulani bot";
+
+ wantedBy = [
+ "multi-user.target"
+ ];
+
+ bindsTo = [
+ "network-online.target"
+ ] ++ lib.optional cfg.postgres.enable "postgresql.service";
+
+ after = [
+ "network-online.target"
+ ] ++ lib.optional cfg.postgres.enable "postgresql.service";
+
+ inherit (cfg) environment;
+
+ unitConfig = {
+ StartLimitBurst = 3;
+ StartLimitIntervalSec = "1m";
+ };
+
+ serviceConfig = {
+ Type = "exec";
+ ExecStart = "${cfg.package}/bin/thulani";
+ ExecStartPre = let
+ inherit (self.packages.${pkgs.system}) dbInit;
+
+ in lib.mkIf cfg.postgres.enable "+${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} -- ${dbInit} ${config.services.postgresql.package}/bin/psql ${cfg.postgres.db} ${cfg.user}";
+
+ EnvironmentFile = cfg.envFiles;
+
+ DynamicUser = true;
+ User = cfg.user;
+ Group = cfg.group;
+
+ Restart = "always";
+ RestartSec = "10s";
+
+ TimeoutStopSec = "10s";
+
+ MemoryHigh = "200M";
+ MemoryMax = "300M";
+
+ ProtectSystem = "strict";
+ ProtectProc = "noaccess";
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+
+ PrivateDevices = true;
+ PrivateUsers = true;
+ PrivateMounts = true;
+
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ MemoryDenyWriteExecute = true;
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ KeyringMode = "private";
+
+ SystemCallFilter = "@system-service";
+ SystemCallErrorNumber = "EPERM";
+ };
+ };
+
+ services.postgresql = lib.mkIf cfg.postgres.enable {
+ enable = true;
+
+ authentication = ''
+ local ${cfg.postgres.db} ${cfg.user} ident
+ '';
+ };
+ };
+}
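Review bot: Everything set in `services.thulani.environment` is carried by `inherit (cfg) environment;` into the systemd unit, so it lands in the generated unit file — which on NixOS lives in the world-readable store — while `EnvironmentFile = cfg.envFiles;` is the path that keeps values out of it, yet neither option description says so. I would extend the `environment` option to `description = "literal environment to include; values end up in the world-readable unit file, so put secrets in envFiles";` and add a matching sentence to `envFiles`. Separately, `cfg.postgres.db` and `cfg.user` are interpolated unquoted into the `ExecStartPre` command line, the `DATABASE_URL` and the pg_hba `local` line; wrapping them with `lib.escapeShellArg` in the ExecStartPre string would at least stop a name containing spaces or quotes from being split into extra arguments for sudo/psql. The `ident` method on a `local` (Unix-socket) line is treated as `peer` by PostgreSQL, so writing `peer` would state the intended check directly.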