Create a Nix Flake module (#17)

* Add flake module * Add optional openssl dep on linux * Set default sql path * No more deploy!
2025-05-24 01:00:49 +00:00 · 2021-11-03 15:00:18 -04:00 · 2021-11-03 15:00:18 -04:00 · 2449b09cb2
commit 2449b09cb2
parent 6f84441823
3 changed files with 89 additions and 62 deletions
--- a/module.nix
+++ b/module.nix
@ -0,0 +1,81 @@
+youmubot: { config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.services.youmubot;
+in
+{
+  options.services.youmubot = {
+    enable = mkEnableOption "Enable youmubot, the discord bot made with Rust.";
+
+    envFile = mkOption {
+      type = types.path;
+      description = "Path to the environment variable file, for secrets like TOKEN and OSU_API_KEY.";
+    };
+
+    prefixes = mkOption {
+      type = types.listOf types.str;
+      default = [ "y!" "y2!" ];
+      description = "The prefixes that the bot will listen on";
+    };
+
+    databasePath = mkOption {
+      type = types.str;
+      default = "/var/lib/youmubot";
+      description = "The path to the database directory";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # systemd unit
+    systemd.services.youmubot = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      description = "the discord bot made with Rust";
+      documentation = [ "https://github.com/natsukagami/youmubot" ];
+
+      script = "${youmubot}/bin/youmubot";
+
+      environment = {
+        DBPATH = cfg.databasePath;
+        SQLPATH = cfg.databasePath + "/youmubot.db";
+        PREFIX = lib.strings.concatStringsSep "," cfg.prefixes;
+      };
+
+      serviceConfig = {
+        DynamicUser = true;
+
+        WorkingDirectory = "/var/lib/youmubot";
+
+        StateDirectory = "youmubot";
+
+        EnvironmentFile = cfg.envFile;
+
+        # Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectSystem = "strict";
+        ProtectKernelTunables = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+
+        # Additional sandboxing. You need to disable all of these options
+        # for privileged helper binaries (for system auth) to work correctly.
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        DeviceAllow = "/dev/syslog";
+        RestrictSUIDSGID = true;
+        ProtectKernelModules = true;
+        MemoryDenyWriteExecute = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+
+        Restart = "always";
+      };
+    };
+  };
+}