feat: add cyber-tux module

flake.lock

@@ -112,6 +112,26 @@
         "type": "github"
       }
     },
+    "cyber-tux": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1739652548,
+        "narHash": "sha256-J4mL4DyRFTsEKlratZsbC9tm2i6Mzr6dEhetKk4jABM=",
+        "ref": "refs/heads/main",
+        "rev": "4ada9e2f0d3b6639627601d3f06128c953c2b446",
+        "revCount": 11,
+        "type": "git",
+        "url": "ssh://git@github.com/tuxdotrs/cyber-tux.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@github.com/tuxdotrs/cyber-tux.git"
+      }
+    },
     "deploy-rs": {
       "inputs": {
         "flake-compat": "flake-compat_2",
@@ -1236,6 +1256,7 @@
     "root": {
       "inputs": {
         "awww": "awww",
+        "cyber-tux": "cyber-tux",
         "deploy-rs": "deploy-rs",
         "disko": "disko",
         "flake-parts": "flake-parts",

flake.nix

@@ -29,6 +29,11 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    cyber-tux = {
+      url = "git+ssh://git@github.com/tuxdotrs/cyber-tux.git";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     wezterm-flake = {
       url = "github:wez/wezterm/main?dir=nix";
       inputs.nixpkgs.follows = "nixpkgs";

modules/flake/overlays.nix

@@ -7,6 +7,7 @@
     modifications = final: prev: {
       tnvim = inputs.tnvim.packages.${prev.stdenv.hostPlatform.system}.default;
       tpanel = inputs.tpanel.packages.${prev.stdenv.hostPlatform.system}.default;
+      cyber-tux = inputs.cyber-tux.packages.${prev.stdenv.hostPlatform.system}.default;
       ags = inputs.tpanel.packages.${prev.stdenv.hostPlatform.system}.ags.default;
       wezterm-git = inputs.wezterm-flake.packages.${prev.stdenv.hostPlatform.system}.default;
       hyprland-git = inputs.hyprland.packages.${prev.stdenv.hostPlatform.system};

modules/hosts/arcturus/config.nix

@@ -6,13 +6,14 @@
       hostName,
       userName,
       ...
-    }:
+    }@innerArgs:
     {
       imports = with config.flake.modules.nixos; [
         boot
         hardware
         networking
         virtualisation
+        services
       ];
 
       tnix = {
@@ -20,6 +21,13 @@
         boot.impermanence.enable = true;
         networking.openssh.enable = true;
 
+        services = {
+          cyber-tux = {
+            enable = true;
+            environmentFile = innerArgs.config.sops.secrets.discord-token.path;
+          };
+        };
+
         virtualisation = {
           docker.enable = true;
         };

modules/nixos/services/cyber-tux.nix

@@ -0,0 +1,105 @@
+{
+  flake.modules.nixos.services =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    with lib;
+    let
+      cfg = config.tnix.services.cyber-tux;
+    in
+    {
+      options.tnix.services.cyber-tux = {
+        enable = mkEnableOption "CyberTux Discord bot";
+
+        user = mkOption {
+          type = types.str;
+          default = "cyber-tux";
+          description = "User under which the CyberTux service runs.";
+        };
+
+        group = mkOption {
+          type = types.str;
+          default = "cyber-tux";
+          description = "Group under which the CyberTux service runs.";
+        };
+
+        dataDir = mkOption {
+          type = types.path;
+          default = "/var/lib/cyber-tux";
+          description = "Directory where CyberTux stores its data.";
+        };
+
+        environmentFile = mkOption {
+          type = types.path;
+          description = "Environment file containing the Discord bot token.";
+        };
+      };
+
+      config = mkIf cfg.enable {
+        systemd.services.cyber-tux = {
+          description = "CyberTux Discord bot";
+          after = [ "network.target" ];
+          wantedBy = [ "multi-user.target" ];
+
+          serviceConfig = {
+            Type = "simple";
+            User = cfg.user;
+            Group = cfg.group;
+            EnvironmentFile = cfg.environmentFile;
+            ExecStart = getExe pkgs.cyber-tux;
+            Restart = "always";
+            RestartSec = 5;
+            WorkingDirectory = cfg.dataDir;
+            StateDirectory = baseNameOf cfg.dataDir;
+            StateDirectoryMode = "0700";
+
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateIPC = true;
+            PrivateTmp = true;
+            PrivateUsers = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            ProtectHome = true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            ProtectSystem = "strict";
+            RestrictNamespaces = [
+              "uts"
+              "ipc"
+              "pid"
+              "user"
+              "cgroup"
+            ];
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [ "@system-service" ];
+            UMask = "0077";
+          };
+        };
+
+        users.users = mkIf (cfg.user == "cyber-tux") {
+          ${cfg.user} = {
+            isSystemUser = true;
+            group = cfg.group;
+            description = "CyberTux service user";
+            home = cfg.dataDir;
+            createHome = true;
+          };
+        };
+
+        users.groups = mkIf (cfg.group == "cyber-tux") {
+          ${cfg.group} = { };
+        };
+      };
+    };
+}