nki/youmubot
1
0
Fork 0
mirror of https://github.com/natsukagami/youmubot.git synced 2025-04-20 01:08:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add flake module

Browse source
This commit is contained in:
Natsu Kagami 2021-11-03 13:20:22 -04:00
parent 6f84441823
commit cb7202293a
Signed by: nki
GPG key ID: 7306B3D3C3AD6E51
2 changed files with 83 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
flake.nix
View file

@ -31,5 +31,8 @@
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
nativeBuildInputs = with pkgs; [ rustc cargo ]; nativeBuildInputs = with pkgs; [ rustc cargo ];
}; };
# module
nixosModule = import ./module.nix defaultPackage;
}); });
} }

80
module.nix Normal file
View file

@ -0,0 +1,80 @@
youmubot: { config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.youmubot;
in
{
options.services.youmubot = {
enable = mkEnableOption "Enable youmubot, the discord bot made with Rust.";
envFile = mkOption {
type = types.path;
description = "Path to the environment variable file, for secrets like TOKEN and OSU_API_KEY.";
};
prefixes = mkOption {
type = types.listOf types.str;
default = [ "y!" "y2!" ];
description = "The prefixes that the bot will listen on";
};
databasePath = mkOption {
type = types.str;
default = "/var/lib/youmubot";
description = "The path to the database directory";
};
};
config = mkIf cfg.enable {
# systemd unit
systemd.services.youmubot = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
description = "the discord bot made with Rust";
documentation = [ "https://github.com/natsukagami/youmubot" ];
script = "${youmubot}/bin/youmubot";
environment = {
DBPATH = cfg.databasePath;
PREFIX = lib.strings.concatStringsSep "," cfg.prefixes;
};
serviceConfig = {
DynamicUser = true;
WorkingDirectory = "/var/lib/youmubot";
StateDirectory = "youmubot";
EnvironmentFile = cfg.envFile;
# Strict sandboxing. You have no reason to trust code written by strangers from GitHub.
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
ProtectKernelTunables = true;
ProtectHostname = true;
ProtectClock = true;
ProtectControlGroups = true;
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
# Additional sandboxing. You need to disable all of these options
# for privileged helper binaries (for system auth) to work correctly.
NoNewPrivileges = true;
PrivateDevices = true;
DeviceAllow = "/dev/syslog";
RestrictSUIDSGID = true;
ProtectKernelModules = true;
MemoryDenyWriteExecute = true;
RestrictNamespaces = true;
RestrictRealtime = true;
LockPersonality = true;
Restart = "always";
};
};
};
}