mirror of
https://github.com/Noratrieb/vps.git
synced 2026-01-14 16:55:00 +01:00
58 lines
1.7 KiB
Nix
58 lines
1.7 KiB
Nix
{ config, pkgs, lib, my-projects-versions, ... }:
|
|
let
|
|
widetom = pkgs.rustPlatform.buildRustPackage {
|
|
src = pkgs.fetchFromGitHub my-projects-versions.widetom.fetchFromGitHub;
|
|
pname = "widetom";
|
|
version = "0.1.0";
|
|
cargoHash = "sha256-AWbdPcDc+QOW7U/FYbqlIsg+3MwfggKCTCw1z/ZbSEE=";
|
|
meta = {
|
|
mainProgram = "widertom";
|
|
};
|
|
RUSTFLAGS = "-Cforce-frame-pointers=true";
|
|
};
|
|
in
|
|
{
|
|
age.secrets.widetom_bot_token = {
|
|
file = ../../secrets/widetom_bot_token.age;
|
|
owner = config.users.users.widetom.name;
|
|
};
|
|
age.secrets.widetom_config_toml = {
|
|
file = ../../secrets/widetom_config_toml.age;
|
|
owner = config.users.users.widetom.name;
|
|
};
|
|
|
|
systemd.services.widetom = {
|
|
description = "widetom, the extremely funny discord bot";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
environment = {
|
|
BOT_TOKEN_PATH = config.age.secrets.widetom_bot_token.path;
|
|
CONFIG_PATH = config.age.secrets.widetom_config_toml.path;
|
|
};
|
|
serviceConfig = {
|
|
DynamicUser = true;
|
|
ExecStart = lib.getExe widetom;
|
|
PrivateDevices = true;
|
|
ProtectHome = true;
|
|
ProtectClock = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelTunables = true;
|
|
CapabilityBoundingSet = "";
|
|
ProtectProc = "noaccess";
|
|
RestrictNamespaces = true;
|
|
MemoryDenyWriteExecute = true;
|
|
ProtectControlGroups = true;
|
|
ProtectKernelModules = true;
|
|
SystemCallArchitectures = "";
|
|
SystemCallFilter = "@system-service";
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
|
};
|
|
};
|
|
|
|
users.users.widetom = {
|
|
group = "widetom";
|
|
isSystemUser = true;
|
|
};
|
|
users.groups.widetom = { };
|
|
}
|