diff --git a/bot.nix b/bot.nix
index 3f1031e..8e4aef3 100644
--- a/bot.nix
+++ b/bot.nix
@@ -9,9 +9,4 @@ pkgs.buildNpmPackage {
 npmDepsHash = "sha256-hkdmHBAXSTrEMzBas1Tz/ucElc1e6Z81wWQG7J0pSBM=";
 dontBuild = true;
-
- # The prepack script runs the build script, which we'd rather do in the build phase.
- # npmPackFlags = [ "--ignore-scripts" ];
-
- # NODE_OPTIONS = "--openssl-legacy-provider";
 }
diff --git a/flake.nix b/flake.nix
index b97010d..1cb0750 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,12 @@
 };
 outputs = { self, nixpkgs, flake-utils, ... }:
- flake-utils.lib.eachDefaultSystem (system:
+ {
+ nixosModules = rec {
+ yandexgpt_telegram_bot = import ./nixos;
+ default = yandexgpt_telegram_bot;
+ };
+ } // flake-utils.lib.eachDefaultSystem (system:
 let
 pkgs = import nixpkgs { inherit system; };
 in
diff --git a/nixos/default.nix b/nixos/default.nix
new file mode 100644
index 0000000..3118235
--- /dev/null
+++ b/nixos/default.nix
@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.services.yandexgpt_telegram_bot;
+ package = import ../bot.nix { inherit pkgs; };
+in
+{
+ options.services.yandexgpt_telegram_bot = {
+ enabled = lib.mkEnableOption (lib.doc ''
+ The Telegram bot to describe article with link by YandexGPT.
+ '');
+ environment = lib.mkOption {
+ default = { };
+ type = lib.types.attrsOf lib.types.str;
+ example = lib.literalExpression ''
+ TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+ YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+ '';
+ description = lib.doc "Config enviraonemnt variables for the YandexGPT telegram bot";
+ };
+ environmentFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ example = "/root/yandexgpt_telegram_bot.env";
+ description = lib.mdDoc ''
+ File to load environment variables
+ from. This is helpful for specifying secrets.
+ Example content of environmentFile:
+ ```
+ TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+ YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+ ```
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enabled {
+ systemd.services = {
+ yandexgpt_telegram_bot = {
+ description = "YandexGPT Telegram bot Service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ serviceConfig = {
+ EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+ ExecStart = "${package}/bin/yandexgpt_tg_bot";
+ Restart = "on-failure";
+ RestartSec = 10;
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ # See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#System%20Call%20Filtering
+ SystemCallFilter = [
+ "@basic-io"
+ "@file-system"
+ "@io-event"
+ "@ipc"
+ "@network-io"
+ "@process"
+ "@resources"
+ "@signal"
+ "@timer"
+ "@known"
+ ];
+ UMask = "0077";
+ };
+ inherit (cfg) environment;
+ };
+ };
+
+ };
+}
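Review bot: The `environment` option is passed through via `inherit (cfg) environment;` into the systemd unit, so its values are written into the generated unit file in the world-readable Nix store, yet its `example` shows `TELEGRAM_BOT_TOKEN` and `YANDEX_GPT_API_TOKEN` as if secrets belonged there. Point the example at non-secret settings in attrset form (the type is `attrsOf str`, so env-file text is the wrong shape for it anyway) and say in the description that tokens belong in `environmentFile`, e.g. `description = lib.mdDoc "Non-secret environment variables for the bot; values here end up in the world-readable Nix store, so put tokens in environmentFile.";`. `lib.doc`, used for the `enabled` and `environment` descriptions, does not look like a nixpkgs lib function (the `environmentFile` option below uses `lib.mdDoc`), so evaluation will likely fail until the three agree; the `enviraonemnt` typo sits in that same user-visible string. The hardening block sets neither `User`/`DynamicUser` nor `ProtectSystem`, so despite the rest of the sandbox the bot still runs as root with a writable root filesystem; `DynamicUser = true;` and `ProtectSystem = "strict";` next to `UMask` would close that.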