yandexgpt_tg_bot/nixos/default.nix

{ config, lib, pkgs, ... }:

let
  cfg = config.services.yandexgpt_telegram_bot;
  package = import ../bot.nix { inherit pkgs; };
in
{
  options.services.yandexgpt_telegram_bot = {
    enabled = lib.mkEnableOption (lib.doc ''
      The Telegram bot to describe article with link by YandexGPT.
    '');
    environment = lib.mkOption {
      default = { };
      type = lib.types.attrsOf lib.types.str;
      example = lib.literalExpression ''
        TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
      '';
      description = lib.doc "Config enviraonemnt variables for the YandexGPT telegram bot";
    };
    environmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      example = "/root/yandexgpt_telegram_bot.env";
      description = lib.mdDoc ''
        File to load environment variables
        from. This is helpful for specifying secrets.
        Example content of environmentFile:
        ```
        TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        ```
      '';
    };
  };

  config = lib.mkIf cfg.enabled {
    systemd.services = {
      yandexgpt_telegram_bot = {
        description = "YandexGPT Telegram bot Service";
        wantedBy = [ "multi-user.target" ];
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        serviceConfig = {
          EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
          ExecStart = "${package}/bin/yandexgpt_tg_bot";
          Restart = "on-failure";
          RestartSec = 10;

          # Hardening
          CapabilityBoundingSet = [ "" ];
          DeviceAllow = [ "" ];
          LockPersonality = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProcSubset = "pid";
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          SystemCallArchitectures = "native";
          # See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#System%20Call%20Filtering
          SystemCallFilter = [
            "@basic-io"
            "@file-system"
            "@io-event"
            "@ipc"
            "@network-io"
            "@process"
            "@resources"
            "@signal"
            "@timer"
            "@known"
          ];
          UMask = "0077";
        };
        inherit (cfg) environment;
      };
    };

  };
}
add nixos module 2023-06-28 15:46:52 +03:00			`{ config, lib, pkgs, ... }:`

			`let`
			`cfg = config.services.yandexgpt_telegram_bot;`
			`package = import ../bot.nix { inherit pkgs; };`
			`in`
			`{`
			`options.services.yandexgpt_telegram_bot = {`
			`enabled = lib.mkEnableOption (lib.doc ''`
			`The Telegram bot to describe article with link by YandexGPT.`
			`'');`
			`environment = lib.mkOption {`
			`default = { };`
			`type = lib.types.attrsOf lib.types.str;`
			`example = lib.literalExpression ''`
			`TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
			`YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
			`'';`
			`description = lib.doc "Config enviraonemnt variables for the YandexGPT telegram bot";`
			`};`
			`environmentFile = lib.mkOption {`
			`type = lib.types.nullOr lib.types.path;`
			`default = null;`
			`example = "/root/yandexgpt_telegram_bot.env";`
			`description = lib.mdDoc ''`
			`File to load environment variables`
			`from. This is helpful for specifying secrets.`
			`Example content of environmentFile:`
			```
			`TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
			`YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'`
			```
			`'';`
			`};`
			`};`

			`config = lib.mkIf cfg.enabled {`
			`systemd.services = {`
			`yandexgpt_telegram_bot = {`
			`description = "YandexGPT Telegram bot Service";`
			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network-online.target" ];`
			`wants = [ "network-online.target" ];`
			`serviceConfig = {`
			`EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;`
			`ExecStart = "${package}/bin/yandexgpt_tg_bot";`
			`Restart = "on-failure";`
			`RestartSec = 10;`

			`# Hardening`
			`CapabilityBoundingSet = [ "" ];`
			`DeviceAllow = [ "" ];`
			`LockPersonality = true;`
			`PrivateDevices = true;`
			`PrivateUsers = true;`
			`ProcSubset = "pid";`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectProc = "invisible";`
			`RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`SystemCallArchitectures = "native";`
			`# See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#System%20Call%20Filtering`
			`SystemCallFilter = [`
			`"@basic-io"`
			`"@file-system"`
			`"@io-event"`
			`"@ipc"`
			`"@network-io"`
			`"@process"`
			`"@resources"`
			`"@signal"`
			`"@timer"`
			`"@known"`
			`];`
			`UMask = "0077";`
			`};`
			`inherit (cfg) environment;`
			`};`
			`};`

			`};`
			`}`