aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--flake.nix165
-rw-r--r--nix/module.nix166
2 files changed, 167 insertions, 164 deletions
diff --git a/flake.nix b/flake.nix
index 0cd8261..10b7b4f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -184,170 +184,7 @@
];
};
- nixosModules.default = { pkgs, lib, config, ... }: let
- cfg = config.services.thulani;
- in {
- options.services.thulani = with lib; with lib.types; {
- enable = mkEnableOption "thulani";
-
- package = mkOption {
- description = "thulani derivation to use";
- type = package;
- default = pkgs.thulani;
- };
-
- environment = mkOption {
- description = "literal environment to include";
- type = attrs;
- };
-
- envFiles = mkOption {
- description = "environment files to include";
- type = listOf path;
- default = [];
- };
-
- user = mkOption {
- description = "user to run service as";
- type = str;
- default = "thulani";
- };
-
- group = mkOption {
- description = "group to run service as";
- type = str;
- default = "thulani";
- };
-
- userIdMappingFile = mkOption {
- description = "user id mapping file";
- type = nullOr path;
- default = null;
- };
-
- restrictFile = mkOption {
- description = "restrict file";
- type = nullOr path;
- default = null;
- };
-
- postgres = mkOption {
- description = "local postgres server with automatic setup";
-
- type = submodule {
- options = {
- enable = mkEnableOption "postgres";
-
- db = mkOption {
- description = "db name";
- type = str;
- default = "memes";
- };
- };
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [
- cfg.package
- ];
-
- services.thulani.environment = {
- RUST_BACKTRACE = lib.mkDefault "1";
- MAX_HIST = lib.mkDefault "30";
- DEFAULT_HIST = lib.mkDefault "5";
- MAX_SHEET_COLUMN = lib.mkDefault "ZZZ";
- YTDL = lib.mkDefault "${pkgs.yt-dlp}/bin/yt-dlp";
- FFMPEG = lib.mkDefault "${pkgs.ffmpeg_4}/bin/ffmpeg";
-
- RESTRICT = lib.mkIf (cfg.restrictFile != null) "${cfg.restrictFile}";
- USER_ID_MAPPING = lib.mkIf (cfg.userIdMappingFile != null) "${cfg.userIdMappingFile}";
-
- DATABASE_URL = lib.mkIf cfg.postgres.enable "postgres:///${cfg.postgres.db}?user=${cfg.user}&host=/var/run/postgresql";
- };
-
- systemd.services.thulani = {
- description = "thulani bot";
-
- wantedBy = [
- "multi-user.target"
- ];
-
- bindsTo = [
- "network-online.target"
- ] ++ lib.optional cfg.postgres.enable "postgresql.service";
-
- after = [
- "network-online.target"
- ] ++ lib.optional cfg.postgres.enable "postgresql.service";
-
- inherit (cfg) environment;
-
- unitConfig = {
- StartLimitBurst = 3;
- StartLimitIntervalSec = "1m";
- };
-
- serviceConfig = {
- Type = "exec";
- ExecStart = "${cfg.package}/bin/thulani";
- ExecStartPre = let
- inherit (self.packages.${pkgs.system}) dbInit;
-
- in lib.mkIf cfg.postgres.enable "+${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} -- ${dbInit} ${config.services.postgresql.package}/bin/psql ${cfg.postgres.db} ${cfg.user}";
-
- EnvironmentFile = cfg.envFiles;
-
- DynamicUser = true;
- User = cfg.user;
- Group = cfg.group;
-
- Restart = "always";
- RestartSec = "10s";
-
- TimeoutStopSec = "10s";
-
- MemoryHigh = "200M";
- MemoryMax = "300M";
-
- ProtectSystem = "strict";
- ProtectProc = "noaccess";
- ProtectHome = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
-
- PrivateDevices = true;
- PrivateUsers = true;
- PrivateMounts = true;
-
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
-
- MemoryDenyWriteExecute = true;
- LockPersonality = true;
- NoNewPrivileges = true;
- KeyringMode = "private";
-
- SystemCallFilter = "@system-service";
- SystemCallErrorNumber = "EPERM";
- };
- };
-
- services.postgresql = lib.mkIf cfg.postgres.enable {
- enable = true;
-
- authentication = ''
- local ${cfg.postgres.db} ${cfg.user} ident
- '';
- };
- };
- };
+ nixosModules.default = import ./nix/module.nix self;
}
);
}
diff --git a/nix/module.nix b/nix/module.nix
new file mode 100644
index 0000000..5b59937
--- /dev/null
+++ b/nix/module.nix
@@ -0,0 +1,166 @@
+self:
+
+{ pkgs, lib, config, ... }: let
+ cfg = config.services.thulani;
+in {
+ options.services.thulani = with lib; with lib.types; {
+ enable = mkEnableOption "thulani";
+
+ package = mkOption {
+ description = "thulani derivation to use";
+ type = package;
+ default = pkgs.thulani;
+ };
+
+ environment = mkOption {
+ description = "literal environment to include";
+ type = attrs;
+ };
+
+ envFiles = mkOption {
+ description = "environment files to include";
+ type = listOf path;
+ default = [];
+ };
+
+ user = mkOption {
+ description = "user to run service as";
+ type = str;
+ default = "thulani";
+ };
+
+ group = mkOption {
+ description = "group to run service as";
+ type = str;
+ default = "thulani";
+ };
+
+ userIdMappingFile = mkOption {
+ description = "user id mapping file";
+ type = nullOr path;
+ default = null;
+ };
+
+ restrictFile = mkOption {
+ description = "restrict file";
+ type = nullOr path;
+ default = null;
+ };
+
+ postgres = mkOption {
+ description = "local postgres server with automatic setup";
+
+ type = submodule {
+ options = {
+ enable = mkEnableOption "postgres";
+
+ db = mkOption {
+ description = "db name";
+ type = str;
+ default = "memes";
+ };
+ };
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [
+ cfg.package
+ ];
+
+ services.thulani.environment = {
+ RUST_BACKTRACE = lib.mkDefault "1";
+ MAX_HIST = lib.mkDefault "30";
+ DEFAULT_HIST = lib.mkDefault "5";
+ MAX_SHEET_COLUMN = lib.mkDefault "ZZZ";
+ YTDL = lib.mkDefault "${pkgs.yt-dlp}/bin/yt-dlp";
+ FFMPEG = lib.mkDefault "${pkgs.ffmpeg_4}/bin/ffmpeg";
+
+ RESTRICT = lib.mkIf (cfg.restrictFile != null) "${cfg.restrictFile}";
+ USER_ID_MAPPING = lib.mkIf (cfg.userIdMappingFile != null) "${cfg.userIdMappingFile}";
+
+ DATABASE_URL = lib.mkIf cfg.postgres.enable "postgres:///${cfg.postgres.db}?user=${cfg.user}&host=/var/run/postgresql";
+ };
+
+ systemd.services.thulani = {
+ description = "thulani bot";
+
+ wantedBy = [
+ "multi-user.target"
+ ];
+
+ bindsTo = [
+ "network-online.target"
+ ] ++ lib.optional cfg.postgres.enable "postgresql.service";
+
+ after = [
+ "network-online.target"
+ ] ++ lib.optional cfg.postgres.enable "postgresql.service";
+
+ inherit (cfg) environment;
+
+ unitConfig = {
+ StartLimitBurst = 3;
+ StartLimitIntervalSec = "1m";
+ };
+
+ serviceConfig = {
+ Type = "exec";
+ ExecStart = "${cfg.package}/bin/thulani";
+ ExecStartPre = let
+ inherit (self.packages.${pkgs.system}) dbInit;
+
+ in lib.mkIf cfg.postgres.enable "+${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} -- ${dbInit} ${config.services.postgresql.package}/bin/psql ${cfg.postgres.db} ${cfg.user}";
+
+ EnvironmentFile = cfg.envFiles;
+
+ DynamicUser = true;
+ User = cfg.user;
+ Group = cfg.group;
+
+ Restart = "always";
+ RestartSec = "10s";
+
+ TimeoutStopSec = "10s";
+
+ MemoryHigh = "200M";
+ MemoryMax = "300M";
+
+ ProtectSystem = "strict";
+ ProtectProc = "noaccess";
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+
+ PrivateDevices = true;
+ PrivateUsers = true;
+ PrivateMounts = true;
+
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ MemoryDenyWriteExecute = true;
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ KeyringMode = "private";
+
+ SystemCallFilter = "@system-service";
+ SystemCallErrorNumber = "EPERM";
+ };
+ };
+
+ services.postgresql = lib.mkIf cfg.postgres.enable {
+ enable = true;
+
+ authentication = ''
+ local ${cfg.postgres.db} ${cfg.user} ident
+ '';
+ };
+ };
+}
generated by cgit v1.3.1 (git 2.54.0) at 2026-06-10 18:04:34 -0400