refraction/nix/module.nix
Many fixes and tweaks
* Fix tags (again?)

* Make tag names more consistent

* Remove prefix commands (not implemented well and not worth fixing)

* Allow '-'s in tags

* Fix /joke

* Fix /members

* Fix intel_hd issue match

* Fix log analysis reply

* Clearer log analysis messages

It's weird to say the process failed when no issues were found.

* Clippy

* Final doc cleanup

* Fix link expanding

* Fix duplicate event filtering

The other code simply does not work. ChannelId does have a method to grab members but I'm not sure whether it would work either.

* Remove message resolution

It's surprisingly hard to create a bug-free implementation.

* Fix pluralkit detection

* simplify tag codegen

* commands: improve error handling in members

unwrap() bad!!!11!!

* events: use debug logs for pk checks

* Revert "Remove message resolution"

This reverts commit 0d9f224a81917212adafdeb2213f3cc11b44cf88.

* Bring back prefix commands with "."

(it's easier to type)

* Add help

* Fix message resolution

* utils: factor out message resolution

* Improve tag message

* Disable VC support for message resolution for now

* Improve prefix command usage

Update on edit, display additional tip with wrong usage.

* Check invoke_on_edit to display tip

* Add defer in commands which make http requests

* Apply tag sorting to slash commands too

* handlers::error: `+=` -> `writeln!`

* handlers::event: ignore own new messages

* help: remove unneeded format!

* optimize for size in release builds

* nix: cleanup deployment expressions

* nix: use treefmt

* nix: update flake.lock

Flake lock file updates:

• Updated input 'fenix':
    'github:nix-community/fenix/eb683549b7d76b12d1a009f888b91b70ed34485f' (2024-01-27)
  → 'github:nix-community/fenix/c53bb4a32f2fce7acf4e8e160a54779c4460ffdb' (2024-03-17)
• Updated input 'fenix/rust-analyzer-src':
    'github:rust-lang/rust-analyzer/596e5c77cf5b2b660b3ac2ce732fa0596c246d9b' (2024-01-26)
  → 'github:rust-lang/rust-analyzer/5ecace48f693afaa6adf8cb23086b651db3aec96' (2024-03-16)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/4fddc9be4eaf195d631333908f2a454b03628ee5' (2024-01-25)
  → 'github:nixos/nixpkgs/34ad8c9f29a18b4dd97a9ad40ceb16954f24afe7' (2024-03-17)
• Updated input 'pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/f56597d53fd174f796b5a7d3ee0b494f9e2285cc' (2024-01-20)
  → 'github:cachix/pre-commit-hooks.nix/5df5a70ad7575f6601d91f0efec95dd9bc619431' (2024-02-15)
• Updated input 'procfile-nix':
    'github:getchoo/procfile-nix/31a33e4264e5c6214844993c5b508fb3500ef5cd' (2024-01-27)
  → 'github:getchoo/procfile-nix/7a0ab379a4ab71c9deccaca9fb463e9aaea363d8' (2024-03-14)

---------

Co-authored-by: seth <getchoo@tuta.io>

{withSystem, ...}: {
config,
lib,
pkgs,
...
}: let
cfg = config.services.refraction;
defaultUser = "refraction";
inherit
(lib)
getExe
literalExpression
mdDoc
mkEnableOption
mkIf
mkOption
mkPackageOption
optionals
types
;
in {
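options.services.refraction = {
  enable = mkEnableOption "refraction";

  # The package is looked up in the nixpkgs instance for the host's system
  # through the flake's `withSystem`, so the module can be consumed from a
  # flake-parts setup without the caller wiring the package in by hand.
  package = mkPackageOption (
    withSystem pkgs.stdenv.hostPlatform.system ({pkgs, ...}: pkgs)
  ) "refraction" {};

  user = mkOption {
    description = mdDoc ''
      User under which the service should run. If this is the default value,
      the user will be created, with the specified group as the primary
      group. Any other value must name a user that already exists; the
      module does not create it.
    '';
    type = types.str;
    default = defaultUser;
    example = literalExpression ''
      "bob"
    '';
  };

  group = mkOption {
    description = mdDoc ''
      Group under which the service should run. If this is the default value,
      the group will be created. Any other value must name a group that
      already exists.
    '';
    type = types.str;
    default = defaultUser;
    example = literalExpression ''
      "discordbots"
    '';
  };

  redisUrl = mkOption {
    description = mdDoc ''
      Connection to a redis server. The value is written into the systemd
      unit and therefore into the world-readable Nix store, so it must not
      contain credentials: if the connection needs them, set `environmentFile`
      and override the `REDIS_URL` entry there, which takes precedence.
      Pass the string `local` to set up a local Redis server; it is reachable
      only over a unix socket (no TCP listener).
    '';
    type = types.str;
    default = "local";
    example = literalExpression ''
      "redis://localhost/"
    '';
  };

  environmentFile = mkOption {
    description = mdDoc ''
      Environment file as defined in {manpage}`systemd.exec(5)`. Use it for
      every secret the bot needs (API tokens, redis credentials): values set
      through Nix options end up in the world-readable Nix store, whereas
      this file is read by systemd at start-up and can live outside the
      store with restrictive permissions. Variables defined here override
      the module's own `environment` entries such as `REDIS_URL`.
    '';
    type = types.nullOr types.path;
    default = null;
    example = literalExpression ''
      "/run/agenix.d/1/refraction"
    '';
  };
};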
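config = mkIf cfg.enable {
  # A local Redis is only provisioned when the operator asked for one with
  # `redisUrl = "local"`; it listens on a unix socket only, so nothing is
  # exposed on the network.
  services.redis.servers.refraction = mkIf (cfg.redisUrl == "local") {
    enable = true;
    # NOTE(review): the redis server is run under the bot's own user, which
    # makes socket access trivial but also gives the bot process the same
    # uid as the database (and its on-disk data). Granting access through a
    # shared group and the socket's permission bits would be tighter --
    # confirm against the redis module's user/group/unixSocketPerm options
    # before changing this.
    inherit (cfg) user;
    port = 0; # disable tcp listener
  };

  systemd.services."refraction" = {
    enable = true;
    wantedBy = ["multi-user.target"];
    # The bot only makes outbound connections (Discord API, redis), so wait
    # for network-online rather than bare network.target; the local redis,
    # when used, has to be up before the bot opens its socket.
    wants = ["network-online.target"];
    after =
      ["network-online.target"]
      ++ optionals (cfg.redisUrl == "local") ["redis-refraction.service"];
    script = ''
      ${getExe cfg.package}
    '';
    environment = {
      # This lands in the unit file in the world-readable Nix store; anything
      # sensitive belongs in `environmentFile`, whose entries override it.
      REDIS_URL =
        if cfg.redisUrl == "local"
        then "unix:${config.services.redis.servers.refraction.unixSocket}"
        else cfg.redisUrl;
    };
    serviceConfig = {
      Type = "simple";
      Restart = "on-failure";
      EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
      User = cfg.user;
      Group = cfg.group;

      # hardening -- the process needs nothing beyond outbound IP sockets and
      # the redis unix socket, so everything else is taken away.
      CapabilityBoundingSet = "";
      LockPersonality = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      # AF_UNIX for the local redis socket, AF_INET/AF_INET6 for HTTPS.
      RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@resources"
        "~@privileged"
      ];
      # The service is not expected to create files; keep anything it does
      # create private to its own user.
      UMask = "0077";
    };
  };

  # The dedicated user/group are only created when the operator kept the
  # defaults; a custom user or group is assumed to be managed elsewhere.
  users = {
    users = mkIf (cfg.user == defaultUser) {
      ${defaultUser} = {
        isSystemUser = true;
        inherit (cfg) group;
      };
    };
    groups = mkIf (cfg.group == defaultUser) {
      ${defaultUser} = {};
    };
  };
};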
}