From 0cd6576cdfd78103cf97aa7f6a281995846fcb53 Mon Sep 17 00:00:00 2001
From: tux
Date: Sat, 15 Feb 2025 18:44:41 +0530
Subject: [PATCH] feat: add systemd module for cyber tux

---
 .sops.yaml | 5 +++
 hosts/homelab/default.nix | 13 ++++++
 hosts/homelab/secrets.yaml | 30 +++++++++++++
 modules/nixos/cyber-tux.nix | 86 +++++++++++++++++++++++++++++++++++++
 4 files changed, 134 insertions(+)
 create mode 100644 hosts/homelab/secrets.yaml
 create mode 100644 modules/nixos/cyber-tux.nix

diff --git a/.sops.yaml b/.sops.yaml
index 00b7ddb..c967869 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -48,3 +48,8 @@ creation_rules:
 - age:
 - *tux
 - *capella
+ - path_regex: hosts/homelab/secrets.yaml$
+ key_groups:
+ - age:
+ - *tux
+ - *homelab
diff --git a/hosts/homelab/default.nix b/hosts/homelab/default.nix
index b7326fd..ea01a54 100755
--- a/hosts/homelab/default.nix
+++ b/hosts/homelab/default.nix
@@ -3,6 +3,7 @@
 username,
 pkgs,
 lib,
+ config,
 ...
 }: {
 imports = [
@@ -15,8 +16,20 @@
 ../../modules/nixos/desktop
 ../../modules/nixos/virtualisation/docker.nix
 ../../modules/nixos/open-webui.nix
+ ../../modules/nixos/cyber-tux.nix
 ];
 
+ sops.secrets = {
+ discord_token = {
+ sopsFile = ./secrets.yaml;
+ };
+ };
+
+ tux.services.cyber-tux = {
+ enable = true;
+ environmentFile = config.sops.secrets.discord_token.path;
+ };
+
 networking = {
 hostName = "homelab";
 networkmanager = {
diff --git a/hosts/homelab/secrets.yaml b/hosts/homelab/secrets.yaml
new file mode 100644
index 0000000..89be44f
--- /dev/null
+++ b/hosts/homelab/secrets.yaml
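Review bot: The `discord_token` secret is consumed through `environmentFile`, so its decrypted plaintext has to already be in `KEY=VALUE` form (`DISCORD_TOKEN=...`) rather than a bare token, and nothing in the host config records that contract; a comment next to `sopsFile = ./secrets.yaml;` such as `# plaintext must be an env file: DISCORD_TOKEN=<token>` would save the next editor a failed start. Secret ownership can stay at the sops-nix default (root-owned), since systemd reads `EnvironmentFile=` itself before switching to the service user. Consider also `restartUnits = ["cyber-tux.service"];` on the secret so a rotated token takes effect on activation instead of waiting for a manual restart.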
@@ -0,0 +1,30 @@
+discord_token: ENC[AES256_GCM,data:fZqz6LD3+Svtton5gNCXO5ddWAqW1IyxP3M2DAIXZEIYRHUfAq8h9LES2IHWepjl5qKimxB35zacE/TYK2fitngWtRGVoMDBzzU6VTKNulNV3yFWrPA=,iv:YOplYld+c9vHVC0Srfm89qrh4yUygDiW67X2TdwHKMc=,tag:Ioc2wNLX818fRQ/2PSO7Sw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age14vktfes95f33vuefwnmuvryas7az04u76dsgyhfvsx73czkvmp2q7njkl4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YktFRE9KS0h0T0hDTlpF
+ ZEk0VzNTcVE0ampsWVRtSzJ3UHBXL2NlUUh3Cjk5ZnFKVENmTTJHQjgrVWlyOUE1
+ THUrTUFzdWhKejNUNXpsNVpvZVdJWm8KLS0tIDZ5bmYzSVBUVlVORHAzSGtCQmVo
+ a2JuSWVtMi9FMkova3BCd2F0U2VCRzQKonG/AkEn2X2l3vyr0UlJprGW2ZSwrczq
+ xHafyGiU/I1AO/HoB3BXyP8t/Sgn/dy42lspqZ3MoLLlmx7dQeTd+g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1jg642q775gmnmxeu29gcf3lph8vem4xr8t84cxe809dpd0myrussh49h60
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWUowUlB2cWVOclpRMENn
+ TU5za0Y2UHZ5eFNZMEdQWm9xdTZFYkVwS2hNCnRBUU1ndFdiQ09sQjBDb1greC93
+ ejl2OVZTTEtIcWpxUk5RRngrbjRWREEKLS0tIDVrSHhxbmJFdWwyQS9xeWlFZitJ
+ Y1RHaFdXaE9DODJtSTFCSVZWb0xVeUEK4qeBKg3u+vhBIM1dQ7BaOWi/C7Q8hk60
+ vu9Zr075n0+kb5Ab+RH24ZmEoP5PJXjwEfbAnmRTjn0reYn1nfcNYA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-15T12:45:59Z"
+ mac: ENC[AES256_GCM,data:NLGe7L/oiG62x4PmQ6FobnuisFmMxYoGhxfqQ4qZdy9emYL/+FnrtFsKTKqZ9IHjrNnCmbk7y+Cds/azC1xGVcaj50jEox87vtqIZ3z0XsD1mJjCAdHkBVzzpQGwHas/5y0Inyj+oKsvQrqVacqYHVA/ES+zMvou8nD+EWIH2LE=,iv:fBVOnwih+QFkYZ8IfMBpQiT1XwSZtzo3VYaBOL3I5o4=,tag:p+ePQsrmcLcnLr2fgWQXQg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.4
diff --git a/modules/nixos/cyber-tux.nix b/modules/nixos/cyber-tux.nix
new file mode 100644
index 0000000..5f3ebc2
--- /dev/null
+++ b/modules/nixos/cyber-tux.nix
@@ -0,0 +1,86 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.tux.services.cyber-tux;
+in {
+ options.tux.services.cyber-tux = {
+ enable = mkEnableOption "Enable CyberTux Discord bot";
+
+ user = mkOption {
+ type = types.str;
+ default = "cyber-tux";
+ description = "User under which the CyberTux service runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "cyber-tux";
+ description = "Group under which the CyberTux service runs.";
+ };
+
+ environmentFile = mkOption {
+ type = types.path;
+ description = "Environment file containing DISCORD_TOKEN";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services = {
+ cyber-tux = {
+ description = "A discord bot for my server";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ User = "cyber-tux";
+ Group = "cyber-tux";
+ EnvironmentFile = cfg.environmentFile;
+ ExecStart = getExe pkgs.cyber-tux;
+ Restart = "always";
+
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service"];
+ UMask = "0077";
+ };
+ };
+ };
+ # Ensure the user and group exist
+ users.users = mkIf (cfg.user == "cyber-tux") {
+ ${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ description = "CyberTux service user";
+ home = "/var/lib/cyber-tux";
+ createHome = true;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "cyber-tux") {
+ ${cfg.group} = {};
+ };
+ };
+}
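Review bot: `User` and `Group` in `serviceConfig` are hard-coded to `"cyber-tux"` while the module exposes `cfg.user`/`cfg.group`, and the account is only created when `cfg.user == "cyber-tux"`, so any override leaves the unit pointing at a user that may not exist; use `User = cfg.user;` and `Group = cfg.group;`. `RestrictNamespaces = "uts ipc pid user cgroup"` is an allow-list, so it permits the service to create those namespace types; a bot has no need for any of them and `RestrictNamespaces = true;` is the tighter setting. With `ProtectSystem = "strict"` the `home = "/var/lib/cyber-tux"` directory is read-only to the service, so if the bot keeps any state it needs `StateDirectory = "cyber-tux";` (which also makes `createHome` redundant) — whether it writes anything cannot be told from this hunk. `RestrictAddressFamilies` is the one common hardening knob missing; `["AF_INET" "AF_INET6" "AF_UNIX"]` would suit a network client. Minor: `mkEnableOption` already prefixes "Whether to enable", so the argument should be `"CyberTux Discord bot"` to avoid the doubled "enable" in the rendered description.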