85 lines
2.4 KiB
Nix
85 lines
2.4 KiB
Nix
{ pkgs, config, lib, ... }:
|
|
let
|
|
package = pkgs.callPackage ./package.nix { };
|
|
cfg = config.services.gerrit-linkbot;
|
|
|
|
inherit (lib) types;
|
|
in
|
|
{
|
|
options = {
|
|
services.gerrit-linkbot = {
|
|
enable = lib.mkEnableOption "gerrit link bot";
|
|
# n.b. is not a mkPackageOption because we don't shove it into nixpkgs
|
|
# via overlay.
|
|
package = lib.mkOption {
|
|
type = types.package;
|
|
description = "Package for gerrit-linkbot";
|
|
default = package;
|
|
};
|
|
extraFlags = lib.mkOption {
|
|
type = types.listOf types.str;
|
|
};
|
|
environmentFile = lib.mkOption {
|
|
type = types.nullOr types.path;
|
|
description = ''
|
|
Environment file for gerrit-linkbot. Requires FORGEJO_API_KEY set.
|
|
Use agenix or similar for this.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
environment.systemPackages = [ cfg.package ];
|
|
|
|
systemd.services.gerrit-linkbot =
|
|
let
|
|
serviceDeps = lib.optionals config.services.gerrit.enable [ "gerrit.service" ]
|
|
++ lib.optionals config.services.forgejo.enable [ "forgejo.service" ] ++
|
|
[ "network-online.target" ];
|
|
in
|
|
{
|
|
after = serviceDeps;
|
|
wants = serviceDeps;
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
Restart = "on-failure";
|
|
RestartSec = "5s";
|
|
RestartSteps = 10;
|
|
RestartMaxDelaySec = "600s";
|
|
|
|
DynamicUser = true;
|
|
CapabilityBoundingSet = "";
|
|
NoNewPrivileges = true;
|
|
PrivateTmp = true;
|
|
PrivateUsers = true;
|
|
PrivateDevices = true;
|
|
ProtectHome = true;
|
|
ProtectClock = true;
|
|
ProtectProc = "noaccess";
|
|
ProcSubset = "pid";
|
|
UMask = "0077";
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHostname = true;
|
|
RestrictSUIDSGID = true;
|
|
RestrictRealtime = true;
|
|
RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
RemoveIPC = true;
|
|
SystemCallFilter = [ "@system-service" "~@privileged" ];
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
|
MemoryDenyWriteExecute = true;
|
|
SystemCallArchitectures = "native";
|
|
|
|
EnvironmentFile = cfg.environmentFile;
|
|
|
|
ExecStart = "${lib.getExe cfg.package}";
|
|
};
|
|
};
|
|
};
|
|
}
|