This commit is contained in:
Ellie 2026-04-19 22:14:48 -07:00
parent 46f7149f95
commit 879cad57e1
4 changed files with 108 additions and 1 deletions

21
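--- a/flake.lock
+++ b/flake.lock
@@ -55,6 +55,26 @@
 "type": "github"
 }
 },
+"dicebot": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1776661561,
+"narHash": "sha256-D8oHASAaW9xTYiysrBz3gsG+Gz+OC25ILOM9sq0pt1M=",
+"ref": "refs/heads/main",
+"rev": "86e4751dcc86aa3fa1fa1cdd648bac9be790e6b5",
+"revCount": 1,
+"type": "git",
+"url": "https://forgejo.ellie.town/wizzy/dicebot.git"
+},
+"original": {
+"type": "git",
+"url": "https://forgejo.ellie.town/wizzy/dicebot.git"
+}
+},
 "disko": {
 "inputs": {
 "nixpkgs": [
@@ -182,6 +202,7 @@
 "root": {
 "inputs": {
 "continuwuity": "continuwuity",
+"dicebot": "dicebot",
 "disko": "disko",
 "nixpkgs": "nixpkgs_2",
 "sops-nix": "sops-nix"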

@ -15,6 +15,11 @@
continuwuity = { continuwuity = {
url = "git+https://forgejo.ellis.link/continuwuation/continuwuity"; url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
}; };
dicebot = {
url = "git+https://forgejo.ellie.town/wizzy/dicebot.git";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = outputs =
@ -23,6 +28,7 @@
disko, disko,
sops-nix, sops-nix,
continuwuity, continuwuity,
dicebot,
... ...
}: }:
let let
@ -35,7 +41,7 @@
{ {
nixosConfigurations.home-server = nixpkgs.lib.nixosSystem { nixosConfigurations.home-server = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { inherit continuwuity; }; specialArgs = { inherit continuwuity dicebot; };
modules = [ modules = [
disko.nixosModules.disko disko.nixosModules.disko
@ -56,6 +62,7 @@
./services/website.nix ./services/website.nix
./services/wireguard-inner.nix ./services/wireguard-inner.nix
./services/matrix.nix ./services/matrix.nix
./services/dicebot.nix
./services/ergo.nix ./services/ergo.nix
./services/forgejo.nix ./services/forgejo.nix
./services/forgejo-runner.nix ./services/forgejo-runner.nix
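Review bot: The new `dicebot` input at `url = "git+https://forgejo.ellie.town/wizzy/dicebot.git";` carries no `ref` or `rev`, so a routine `nix flake update` will move the lock to whatever that repository's default branch points at next time; the `narHash`/`rev` recorded in flake.lock is the only pin on code that this commit wires up to run as a system service. Consider `url = "git+https://forgejo.ellie.town/wizzy/dicebot.git?ref=main";` to make the tracked branch explicit, or a `?rev=` pin if you want updates to be deliberate, and treat lock bumps of this input as a dependency review rather than a refresh. Passing the whole flake through `specialArgs = { inherit continuwuity dicebot; };` is consistent with how `continuwuity` is handled, though the `system` binding in scope here could be used to select the package once rather than hard-coding an architecture in the module. The `outputs` function starts and ends outside the hunks shown.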

62
services/dicebot.nix Normal file

@ -0,0 +1,62 @@
{ config, dicebot, ... }:
let
dicebotPkg = dicebot.packages.x86_64-linux.default;
in
{
sops.secrets."dicebot/password" = {
sopsFile = ./secrets/dicebot.yaml;
};
# Assemble the env file from the sops-decrypted password. systemd reads
# EnvironmentFile at start time, so the secret never touches /nix/store.
sops.templates."dicebot.env" = {
content = ''
DICEBOT_PASSWORD=${config.sops.placeholder."dicebot/password"}
'';
owner = "dicebot";
};
users.users.dicebot = {
isSystemUser = true;
group = "dicebot";
home = "/var/lib/dicebot";
};
users.groups.dicebot = { };
systemd.services.dicebot = {
description = "Matrix dice-rolling bot";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
DICEBOT_HOMESERVER = "http://10.10.0.2:8008";
DICEBOT_USERNAME = "@dicebot:ellie.town";
DICEBOT_ALLOW_LIST = "@.*:ellie\\.town";
DICEBOT_STATE_DIR = "/var/lib/dicebot";
RUST_LOG = "info,headjack=info";
};
serviceConfig = {
ExecStart = "${dicebotPkg}/bin/dicebot";
EnvironmentFile = config.sops.templates."dicebot.env".path;
User = "dicebot";
Group = "dicebot";
StateDirectory = "dicebot";
StateDirectoryMode = "0700";
Restart = "on-failure";
RestartSec = "10s";
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
NoNewPrivileges = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictSUIDSGID = true;
LockPersonality = true;
};
};
}
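Review bot: The allow list on the `DICEBOT_ALLOW_LIST = "@.*:ellie\\.town";` line is unanchored, so if the bot applies it as a regex search (the default for Rust's `regex` crate, which the `RUST_LOG` line suggests this bot uses) rather than a full match, any user id whose server name merely contains `ellie.town` would pass; `DICEBOT_ALLOW_LIST = "^@.*:ellie\\.town$";` is correct under either semantics and costs nothing, and a one-line comment noting that the pattern is intentionally anchored would keep it that way. `DICEBOT_HOMESERVER = "http://10.10.0.2:8008";` means the bot's login password and access token cross the wire in clear text unless that address is only reachable over the WireGuard tunnel this host also configures (`./services/wireguard-inner.nix`) — I cannot confirm that from this file, so a comment stating the assumption next to the setting would help the next reader. The `serviceConfig` block already has a reasonable hardening baseline, but a network-only bot with a single state directory can take several more cheap restrictions; the additions below bound what a compromised bot process could reach (add `"AF_UNIX"` to the address-family list if name resolution goes through `nss-resolve`'s local socket). `x86_64-linux` is hard-coded on the `dicebotPkg` line even though the flake has a `system` binding; `pkgs.stdenv.hostPlatform.system` (with `pkgs` added to the module arguments) would avoid the duplication.
```nix
    serviceConfig = {
      # … unchanged: ExecStart, EnvironmentFile, User/Group, StateDirectory, Restart, existing Protect*/Private* …
      LockPersonality = true;
      # The bot only needs outbound sockets and its state directory; drop the rest.
      CapabilityBoundingSet = "";
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      PrivateDevices = true;
      ProtectProc = "invisible";
      ProtectClock = true;
      ProtectHostname = true;
      MemoryDenyWriteExecute = true;
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      UMask = "0077";
    };
```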


@ -0,0 +1,17 @@
dicebot:
password: ENC[AES256_GCM,data:hZvsxbxTUaHk6UFQlhvJuvvfkVcvCmx9Iw==,iv:lXSag76kLJ3l7uvv0zPBhXG090FsBzMGdJCBeTh4TX8=,tag:1kpYwiy1UHgaP0a0yq4MJA==,type:str]
sops:
age:
- recipient: age126v48dgev6pu3uhe7dtpdhax2yes2ff9u42ke2k2h97e90z8d4psedau7u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOHpZOGhhSzFDVzdMS09h
UnJXR3didFVsUHBqd1lzMExJYmdTVEJCdlRjCitBQVRBMmtkVFFZRFN2dlVlUG9h
ZXg5RGkyRnQ4aTg2djVab0RHdnBwV3cKLS0tIEJLUkZva3Q5aGtNTURJOHhwbnZ5
UHFPejQ0QWZkV0N6RUVna0FjU3pLdEUKJAsgu2KwPICpDz75yHALUkOykMs+DGQf
+BG37m/berZhD+iXldSG7c2uIzQfK9SLYDmaxn+tuqdkXa5OfFuPEQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-20T05:14:16Z"
mac: ENC[AES256_GCM,data:1I8HbOnlO6DeQsuhKff+LGV5CCdisFMynsludXB3zHCG4MMpjZf7uhMsVbPLANtBCzz5pgU6lthcoA7oBAlNrGEyoRN0P6W7lrQerMrUDs9acFX1BHZt5+i9Y3FtXxKwCxAgbPhRFRUBYWLRYS8WDMWxQ+5Te27ETWrkF9XP+4k=,iv:XunfIVyxIyiLgvuc2faQnriuqVVIjdjjdmYd9AalwAU=,tag:cgJMMP35XMdTlC+fVW7L2A==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1