home-server/services/dicebot.nix

{ config, dicebot, ... }:

let
  dicebotPkg = dicebot.packages.x86_64-linux.default;
in
{
  sops.secrets."dicebot/password" = {
    sopsFile = ./secrets/dicebot.yaml;
  };

  # Assemble the env file from the sops-decrypted password. systemd reads
  # EnvironmentFile at start time, so the secret never touches /nix/store.
  sops.templates."dicebot.env" = {
    content = ''
      DICEBOT_PASSWORD=${config.sops.placeholder."dicebot/password"}
    '';
    owner = "dicebot";
  };

  users.users.dicebot = {
    isSystemUser = true;
    group = "dicebot";
    home = "/var/lib/dicebot";
  };
  users.groups.dicebot = { };

  systemd.services.dicebot = {
    description = "Matrix dice-rolling bot";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      DICEBOT_HOMESERVER = "http://10.10.0.2:8008";
      DICEBOT_USERNAME = "@dicebot:ellie.town";
      DICEBOT_ALLOW_LIST = "@.*:ellie\\.town";
      DICEBOT_STATE_DIR = "/var/lib/dicebot";
      RUST_LOG = "info,headjack=info";
    };

    serviceConfig = {
      ExecStart = "${dicebotPkg}/bin/dicebot";
      EnvironmentFile = config.sops.templates."dicebot.env".path;
      User = "dicebot";
      Group = "dicebot";
      StateDirectory = "dicebot";
      StateDirectoryMode = "0700";
      Restart = "on-failure";
      RestartSec = "10s";

      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
    };
  };
}
dicebot 2026-04-19 22:14:48 -07:00			`{ config, dicebot, ... }:`

			`let`
			`dicebotPkg = dicebot.packages.x86_64-linux.default;`
			`in`
			`{`
			`sops.secrets."dicebot/password" = {`
			`sopsFile = ./secrets/dicebot.yaml;`
			`};`

			`# Assemble the env file from the sops-decrypted password. systemd reads`
			`# EnvironmentFile at start time, so the secret never touches /nix/store.`
			`sops.templates."dicebot.env" = {`
			`content = ''`
			`DICEBOT_PASSWORD=${config.sops.placeholder."dicebot/password"}`
			`'';`
			`owner = "dicebot";`
			`};`

			`users.users.dicebot = {`
			`isSystemUser = true;`
			`group = "dicebot";`
			`home = "/var/lib/dicebot";`
			`};`
			`users.groups.dicebot = { };`

			`systemd.services.dicebot = {`
			`description = "Matrix dice-rolling bot";`
			`after = [ "network-online.target" ];`
			`wants = [ "network-online.target" ];`
			`wantedBy = [ "multi-user.target" ];`

			`environment = {`
			`DICEBOT_HOMESERVER = "http://10.10.0.2:8008";`
			`DICEBOT_USERNAME = "@dicebot:ellie.town";`
			`DICEBOT_ALLOW_LIST = "@.*:ellie\\.town";`
			`DICEBOT_STATE_DIR = "/var/lib/dicebot";`
			`RUST_LOG = "info,headjack=info";`
			`};`

			`serviceConfig = {`
			`ExecStart = "${dicebotPkg}/bin/dicebot";`
			`EnvironmentFile = config.sops.templates."dicebot.env".path;`
			`User = "dicebot";`
			`Group = "dicebot";`
			`StateDirectory = "dicebot";`
			`StateDirectoryMode = "0700";`
			`Restart = "on-failure";`
			`RestartSec = "10s";`

			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`PrivateTmp = true;`
			`NoNewPrivileges = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectControlGroups = true;`
			`RestrictSUIDSGID = true;`
			`LockPersonality = true;`
			`};`
			`};`
			`}`