add nixos module

bot.nix

@@ -9,9 +9,4 @@ pkgs.buildNpmPackage {
   npmDepsHash = "sha256-hkdmHBAXSTrEMzBas1Tz/ucElc1e6Z81wWQG7J0pSBM=";
 
   dontBuild = true;
-
-  # The prepack script runs the build script, which we'd rather do in the build phase.
-  # npmPackFlags = [ "--ignore-scripts" ];
-
-  # NODE_OPTIONS = "--openssl-legacy-provider";
 }

flake.nix

@@ -5,7 +5,12 @@
   };
 
   outputs = { self, nixpkgs, flake-utils, ... }:
-    flake-utils.lib.eachDefaultSystem (system:
+    {
+      nixosModules = rec {
+        yandexgpt_telegram_bot = import ./nixos;
+        default = yandexgpt_telegram_bot;
+      };
+    } // flake-utils.lib.eachDefaultSystem (system:
       let
         pkgs = import nixpkgs { inherit system; };
       in

nixos/default.nix

@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.yandexgpt_telegram_bot;
+  package = import ../bot.nix { inherit pkgs; };
+in
+{
+  options.services.yandexgpt_telegram_bot = {
+    enabled = lib.mkEnableOption (lib.doc ''
+      The Telegram bot to describe article with link by YandexGPT.
+    '');
+    environment = lib.mkOption {
+      default = { };
+      type = lib.types.attrsOf lib.types.str;
+      example = lib.literalExpression ''
+        TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+        YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+      '';
+      description = lib.doc "Config enviraonemnt variables for the YandexGPT telegram bot";
+    };
+    environmentFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      example = "/root/yandexgpt_telegram_bot.env";
+      description = lib.mdDoc ''
+        File to load environment variables
+        from. This is helpful for specifying secrets.
+        Example content of environmentFile:
+        ```
+        TELEGRAM_BOT_TOKEN='xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+        YANDEX_GPT_API_TOKEN='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
+        ```
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enabled {
+    systemd.services = {
+      yandexgpt_telegram_bot = {
+        description = "YandexGPT Telegram bot Service";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        serviceConfig = {
+          EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+          ExecStart = "${package}/bin/yandexgpt_tg_bot";
+          Restart = "on-failure";
+          RestartSec = 10;
+
+          # Hardening
+          CapabilityBoundingSet = [ "" ];
+          DeviceAllow = [ "" ];
+          LockPersonality = true;
+          PrivateDevices = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          SystemCallArchitectures = "native";
+          # See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#System%20Call%20Filtering
+          SystemCallFilter = [
+            "@basic-io"
+            "@file-system"
+            "@io-event"
+            "@ipc"
+            "@network-io"
+            "@process"
+            "@resources"
+            "@signal"
+            "@timer"
+            "@known"
+          ];
+          UMask = "0077";
+        };
+        inherit (cfg) environment;
+      };
+    };
+
+  };
+}