From a9d91df8cefe74162936278171b48bc1e4d00459 Mon Sep 17 00:00:00 2001
From: tux
Date: Sat, 9 May 2026 04:54:32 +0530
Subject: [PATCH] feat: add cyber-tux module
---
 flake.lock | 21 ++++++
 flake.nix | 5 ++
 modules/flake/overlays.nix | 1 +
 modules/hosts/arcturus/config.nix | 10 ++-
 modules/nixos/services/cyber-tux.nix | 105 +++++++++++++++++++++++++++
 5 files changed, 141 insertions(+), 1 deletion(-)
 create mode 100644 modules/nixos/services/cyber-tux.nix
diff --git a/flake.lock b/flake.lock
index 75b372e..06d1697 100644
--- a/flake.lock
+++ b/flake.lock
@@ -112,6 +112,26 @@
 "type": "github"
 }
 },
+ "cyber-tux": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1739652548,
+ "narHash": "sha256-J4mL4DyRFTsEKlratZsbC9tm2i6Mzr6dEhetKk4jABM=",
+ "ref": "refs/heads/main",
+ "rev": "4ada9e2f0d3b6639627601d3f06128c953c2b446",
+ "revCount": 11,
+ "type": "git",
+ "url": "ssh://git@github.com/tuxdotrs/cyber-tux.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://git@github.com/tuxdotrs/cyber-tux.git"
+ }
+ },
 "deploy-rs": {
 "inputs": {
 "flake-compat": "flake-compat_2",
@@ -1236,6 +1256,7 @@
 "root": {
 "inputs": {
 "awww": "awww",
+ "cyber-tux": "cyber-tux",
 "deploy-rs": "deploy-rs",
 "disko": "disko",
 "flake-parts": "flake-parts",
diff --git a/flake.nix b/flake.nix
index 3bd1765..8f3ed77 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
+ cyber-tux = {
+ url = "git+ssh://git@github.com/tuxdotrs/cyber-tux.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 wezterm-flake = {
 url = "github:wez/wezterm/main?dir=nix";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/modules/flake/overlays.nix b/modules/flake/overlays.nix
index ed48899..23798f5 100644
--- a/modules/flake/overlays.nix
+++ b/modules/flake/overlays.nix
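Review bot: The new `cyber-tux` input in flake.nix tracks the repository's default branch with no `ref` or `rev`, so every `nix flake update` silently moves a service that is handed a Discord token to whatever `main` holds at that moment; flake.lock pins a commit today, but that pin advances without review on each update. Consider pinning the commit in the input itself (`url = "git+ssh://git@github.com/tuxdotrs/cyber-tux.git?rev=<commit>";`, placeholder to be filled from the lock) or at least a comment next to the input saying that updates of it should be diffed before deploy. The `git+ssh://` scheme also means evaluation on any machine needs an SSH key with access to that repository; a one-line comment there would save the next person a confusing fetch failure.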
@@ -7,6 +7,7 @@
 modifications = final: prev: {
 tnvim = inputs.tnvim.packages.${prev.stdenv.hostPlatform.system}.default;
 tpanel = inputs.tpanel.packages.${prev.stdenv.hostPlatform.system}.default;
+ cyber-tux = inputs.cyber-tux.packages.${prev.stdenv.hostPlatform.system}.default;
 ags = inputs.tpanel.packages.${prev.stdenv.hostPlatform.system}.ags.default;
 wezterm-git = inputs.wezterm-flake.packages.${prev.stdenv.hostPlatform.system}.default;
 hyprland-git = inputs.hyprland.packages.${prev.stdenv.hostPlatform.system};
diff --git a/modules/hosts/arcturus/config.nix b/modules/hosts/arcturus/config.nix
index d3accce..12af57d 100644
--- a/modules/hosts/arcturus/config.nix
+++ b/modules/hosts/arcturus/config.nix
@@ -6,13 +6,14 @@
 hostName,
 userName,
 ...
- }:
+ }@innerArgs:
 {
 imports = with config.flake.modules.nixos; [
 boot
 hardware
 networking
 virtualisation
+ services
 ];
 
 tnix = {
@@ -20,6 +21,13 @@
 boot.impermanence.enable = true;
 networking.openssh.enable = true;
 
+ services = {
+ cyber-tux = {
+ enable = true;
+ environmentFile = innerArgs.config.sops.secrets.discord-token.path;
+ };
+ };
+
 virtualisation = {
 docker.enable = true;
 };
diff --git a/modules/nixos/services/cyber-tux.nix b/modules/nixos/services/cyber-tux.nix
new file mode 100644
index 0000000..34eebf1
--- /dev/null
+++ b/modules/nixos/services/cyber-tux.nix
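Review bot: `environmentFile = innerArgs.config.sops.secrets.discord-token.path;` in the second config.nix hunk depends on a `sops.secrets.discord-token` declaration that is not part of this commit, and on that secret being a dotenv-style file (`SOME_VAR=<token>`, whatever variable the bot actually reads) rather than the bare token, because the module hands it to systemd's `EnvironmentFile=`; a file holding only the raw token yields no environment variable and the bot starts without credentials. Worth confirming the secret exists for this host and is in `KEY=VALUE` form, and adding a comment on that line such as `# dotenv-format file consumed via EnvironmentFile=; see services/cyber-tux.nix`. The `}@innerArgs:` rename appears to exist only to reach the host-level `config` past the flake-parts `config` that the module's own arguments shadow; a short comment on that line would make the non-obvious intent clear. The enclosing host module starts before and ends after these hunks.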
@@ -0,0 +1,105 @@
+{
+ flake.modules.nixos.services =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ with lib;
+ let
+ cfg = config.tnix.services.cyber-tux;
+ in
+ {
+ options.tnix.services.cyber-tux = {
+ enable = mkEnableOption "CyberTux Discord bot";
+
+ user = mkOption {
+ type = types.str;
+ default = "cyber-tux";
+ description = "User under which the CyberTux service runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "cyber-tux";
+ description = "Group under which the CyberTux service runs.";
+ };
+
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/cyber-tux";
+ description = "Directory where CyberTux stores its data.";
+ };
+
+ environmentFile = mkOption {
+ type = types.path;
+ description = "Environment file containing the Discord bot token.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.cyber-tux = {
+ description = "CyberTux Discord bot";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ User = cfg.user;
+ Group = cfg.group;
+ EnvironmentFile = cfg.environmentFile;
+ ExecStart = getExe pkgs.cyber-tux;
+ Restart = "always";
+ RestartSec = 5;
+ WorkingDirectory = cfg.dataDir;
+ StateDirectory = baseNameOf cfg.dataDir;
+ StateDirectoryMode = "0700";
+
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = [
+ "uts"
+ "ipc"
+ "pid"
+ "user"
+ "cgroup"
+ ];
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" ];
+ UMask = "0077";
+ };
+ };
+
+ users.users = mkIf (cfg.user == "cyber-tux") {
+ ${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ description = "CyberTux service user";
+ home = cfg.dataDir;
+ createHome = true;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "cyber-tux") {
+ ${cfg.group} = { };
+ };
+ };
+ };
+}
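Review bot: `StateDirectory = baseNameOf cfg.dataDir;` only ever creates `/var/lib/<basename>`, while `WorkingDirectory = cfg.dataDir;` and the user's `home` use the full path, so any non-default `dataDir` outside `/var/lib` (which `types.path` accepts) gives a working directory that StateDirectory never creates and that `ProtectSystem = "strict"` keeps read-only; the `createHome = true` on the service user then also duplicates what StateDirectory already does for the default. The sandbox is a solid baseline but still leaves the bot the full capability bounding set and every socket family; a Discord client needs neither, so `CapabilityBoundingSet = "";` and `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` are cheap additions, and `~@privileged ~@resources` is the usual companion to `@system-service`. One thing to verify against the package rather than change blindly: if `pkgs.cyber-tux` runs on a JIT runtime (Node/V8, JVM, .NET), `MemoryDenyWriteExecute = true` will make it fail at startup and `Restart = "always"` turns that into a restart loop. The `environmentFile` option's description should also warn that the value must be a runtime path (a sops/agenix output), since a path literal inside the flake would be copied into the world-readable Nix store together with the token. The dataDir guard and the extra `serviceConfig` keys are below; the rest of the module is unchanged.
```nix
      config = mkIf cfg.enable {
        # StateDirectory= can only create /var/lib/<name>; reject anything else up front
        # instead of starting with a read-only, non-existent WorkingDirectory.
        assertions = [
          {
            assertion = hasPrefix "/var/lib/" (toString cfg.dataDir);
            message = "tnix.services.cyber-tux.dataDir must be a directory under /var/lib.";
          }
        ];

        systemd.services.cyber-tux = {
          # … unchanged: description, after, wantedBy …
          serviceConfig = {
            # … unchanged: Type … WorkingDirectory …
            StateDirectory = removePrefix "/var/lib/" (toString cfg.dataDir);

            # Only what an outbound network client needs: no capabilities, IP sockets,
            # plus AF_UNIX for local sockets such as the journal.
            CapabilityBoundingSet = "";
            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
            # … unchanged: LockPersonality … SystemCallArchitectures …
            SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
            # … unchanged: UMask …
          };
        };
        # … unchanged: users.users / users.groups …
```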