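# NixOS module for the dicebot Matrix bot: declares the sops-managed password,
# a dedicated system user/group, and a hardened systemd service.
#
# `config` is the NixOS module config; `dicebot` is the flake input that
# provides the bot package (only the x86_64-linux output is used here).
{ config, dicebot, ... }:

let
  dicebotPkg = dicebot.packages.x86_64-linux.default;
in
{
  # The password itself stays root-owned; the service only ever sees the
  # rendered env file below.
  sops.secrets."dicebot/password" = {
    sopsFile = ./secrets/dicebot.yaml;
  };

  # Assemble the env file from the sops-decrypted password. systemd reads
  # EnvironmentFile at start time, so the secret never touches /nix/store.
  sops.templates."dicebot.env" = {
    content = ''
      DICEBOT_PASSWORD=${config.sops.placeholder."dicebot/password"}
    '';
    # Rendered file is readable by the service user only.
    owner = "dicebot";
  };

  # Unprivileged identity the service runs under; its home doubles as the
  # StateDirectory created by systemd below.
  users.users.dicebot = {
    isSystemUser = true;
    group = "dicebot";
    home = "/var/lib/dicebot";
  };
  users.groups.dicebot = { };

  systemd.services.dicebot = {
    description = "Matrix dice-rolling bot";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      # NOTE(review): plain http:// means the bot's credentials are sent in
      # clear to 10.10.0.2 — acceptable only if that hop is a trusted link
      # (e.g. a host-local or VPN address); confirm before exposing further.
      DICEBOT_HOMESERVER = "http://10.10.0.2:8008";
      DICEBOT_USERNAME = "@dicebot:ellie.town";
      # NOTE(review): the allow-list pattern has no trailing anchor; whether
      # it is applied as a full match or a search depends on dicebot — verify,
      # otherwise a longer server name could satisfy it.
      DICEBOT_ALLOW_LIST = "@.*:ellie\\.town";
      DICEBOT_STATE_DIR = "/var/lib/dicebot";
      RUST_LOG = "info,headjack=info";
    };

    serviceConfig = {
      ExecStart = "${dicebotPkg}/bin/dicebot";
      # Path of the sops-rendered env file holding DICEBOT_PASSWORD.
      EnvironmentFile = config.sops.templates."dicebot.env".path;
      User = "dicebot";
      Group = "dicebot";
      # /var/lib/dicebot is created and owned by systemd; 0700 keeps the
      # bot's session store private to the service user.
      StateDirectory = "dicebot";
      StateDirectoryMode = "0700";
      # Anything the service creates is private by default.
      UMask = "0077";
      Restart = "on-failure";
      RestartSec = "10s";

      # Filesystem and privilege confinement.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      # The bot runs unprivileged and needs no capabilities at all.
      CapabilityBoundingSet = [ ];
      RestrictSUIDSGID = true;
      LockPersonality = true;

      # Kernel-surface reduction.
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      MemoryDenyWriteExecute = true;

      # Network: only IP sockets plus AF_UNIX, which NixOS name resolution
      # (nscd socket) and the journal stream rely on.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      # Standard allow-list for long-running daemons; privileged syscalls are
      # additionally denied.
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
    };
  };
}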