# SPDX-FileCopyrightText: 2023 Serokell <https://serokell.io>
#
# SPDX-License-Identifier: MPL-2.0
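{ self, serokell-nix, ... }@inputs: { config, pkgs, lib, ... }:
# NixOS module for the tzbot Slack bot: runs it as a hardened systemd service
# under a dedicated system user, with the non-secret configuration rendered to
# a file in the Nix store and the Slack tokens supplied via the environment.
let
  inherit (lib) mkEnableOption mkOption types mkIf mkDefault optionalString optionalAttrs;
  inherit (serokell-nix.lib.systemd) hardeningProfiles withHardeningProfile;
in
{
  options.services.tzbot = {
    enable = mkEnableOption "tzbot";

    package = mkOption {
      type = types.path;
      # Pinned to the x86_64-linux output of this flake; override on other
      # systems if the flake provides packages for them.
      default = self.packages.x86_64-linux.tzbot;
    };

    botConfig = mkOption {
      type = types.attrs;
      description = ''
        tzbot config without slack-related tokens
      '';
      # Serialised with builtins.toJSON into config.yml (the bot's YAML reader
      # presumably accepts the JSON encoding, as the original module relied on).
      default = {
        maxRetries = 3;
        cacheUsersInfo = "3m";
        cacheConversationMembers = "3m";
        feedbackFile = "/var/lib/tzbot/feedback.log";
        cacheReportDialog = "1h";
        inverseHelpUsageChance = 15;
        logLevel = "Info";
      };
    };

    slackAppToken = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Slack application token.

        When set, the value is interpolated into the service's start script
        and therefore becomes world-readable in the Nix store. Prefer
        `environmentFile` for deployments where that matters.
      '';
    };

    slackBotToken = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Bot authentication token.

        Same caveat as `slackAppToken`: the inline value ends up in the Nix
        store; use `environmentFile` to keep it out.
      '';
    };

    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        File handed to systemd as `EnvironmentFile=`, defining
        `SLACK_TZ_APP_TOKEN` and `SLACK_TZ_BOT_TOKEN`. Give it as a string
        path outside the Nix store (for example "/run/secrets/tzbot.env",
        an illustrative value) so the secrets are never copied into the
        store. When set, `slackAppToken` and `slackBotToken` are not
        exported by the start script.
      '';
    };
  };

  config =
    let
      cfg = config.services.tzbot;
      # Non-secret settings only; this path is world-readable.
      configFile = pkgs.writeText "config.yml" (builtins.toJSON cfg.botConfig);
      # Inline tokens are used only when no environment file is configured.
      useInlineTokens = cfg.environmentFile == null;
    in
    mkIf cfg.enable {
      assertions = [
        {
          assertion = !useInlineTokens
            || (cfg.slackAppToken != null && cfg.slackBotToken != null);
          message = "services.tzbot: set environmentFile, or both slackAppToken and slackBotToken";
        }
      ];

      systemd.services.tzbot = {
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        unitConfig.ConditionPathExists = [ cfg.package ];
        # The export block is omitted entirely when environmentFile is set,
        # so no token text reaches the store-resident script in that mode.
        script = ''
          ${optionalString useInlineTokens ''
            export SLACK_TZ_APP_TOKEN="${cfg.slackAppToken}"
            export SLACK_TZ_BOT_TOKEN="${cfg.slackBotToken}"
          ''}
          ${cfg.package}/bin/tzbot-exe --config ${configFile}
        '';
        startLimitBurst = mkDefault 5;
        startLimitIntervalSec = mkDefault 300;
        # Base settings are combined with serokell-nix's backend hardening
        # profile; the exact merge semantics live in that library.
        serviceConfig = withHardeningProfile hardeningProfiles.backend ({
          User = "tzbot";
          Group = "tzbot";
          StateDirectory = "tzbot";
          Restart = mkDefault "on-failure";
          RestartSec = mkDefault 10;
          SystemCallFilter = [
            "~@clock"
            "~@debug"
            "~@module"
            "~@mount"
            "~@raw-io"
            "~@reboot"
            "~@swap"
            "~@privileged"
            "~@resources"
            "~@cpu-emulation"
            "~@obsolete"
            # override hardening profile
            "set_mempolicy"
          ];
        } // optionalAttrs (!useInlineTokens) {
          # Read by systemd at start-up; the file itself stays outside the store.
          EnvironmentFile = cfg.environmentFile;
        });
      };

      users.users.tzbot = {
        group = "tzbot";
        isSystemUser = true;
      };
      users.groups.tzbot = {};
    };
}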