caveman/nixos-module.nix

{ config, lib, pkgs, ... }:

let
  cfg = config.services.caveman;

  blocklistPath = "/etc/caveman.blocklist";
  profanityPath = "/etc/caveman.profanity";

  hunterDefaultSettings = {
    redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
    database = "host=/var/run/postgresql user=caveman-hunter dbname=caveman";
    hosts = [ "mastodon.social" ];
    max_workers = 16;
    prometheus_port = 9101;
    blocklist = blocklistPath;
  };

  hunterSettings = lib.recursiveUpdate hunterDefaultSettings cfg.hunter.settings;

  hunterConfigFile = builtins.toFile "hunter.yaml" (
    builtins.toJSON hunterSettings
  );

  butcherDefaultSettings = {
    redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
    profanity = profanityPath;
  };

  butcherSettings = lib.recursiveUpdate butcherDefaultSettings cfg.butcher.settings;

  butcherConfigFile = builtins.toFile "butcher.yaml" (
    builtins.toJSON butcherSettings
  );

  gathererDefaultSettings = {
    redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
    database = "host=/var/run/postgresql user=caveman-gatherer dbname=caveman";
    listen_port = 8000;
  };

  gathererSettings = lib.recursiveUpdate gathererDefaultSettings cfg.gatherer.settings;

  gathererConfigFile = builtins.toFile "gatherer.yaml" (
    builtins.toJSON gathererSettings
  );

  smokestackDefaultSettings = {
    redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
    listen_port = 23;
  };

  smokestackSettings = lib.recursiveUpdate smokestackDefaultSettings cfg.smokestack.settings;

  smokestackConfigFile = builtins.toFile "smokestack.yaml" (
    builtins.toJSON smokestackSettings
  );

  limitNOFILE = 1000000;

in
{
  options.services.caveman = with lib; {
    redis.port = mkOption {
      type = types.int;
      default = 6379;
    };
    redis.maxmemory = mkOption {
      type = types.int;
      default = 1024 * 1024 * 1024;
    };
    redis.maxmemory-samples = mkOption {
      type = types.int;
      default = 8;
    };

    hunter.enable = mkEnableOption "caveman hunter";

    hunter.settings = mkOption {
      type = types.anything;
      default = hunterDefaultSettings;
    };

    hunter.logLevel = mkOption {
      type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
      default = "DEBUG";
    };

    butcher.enable = mkEnableOption "caveman butcher";

    butcher.settings = mkOption {
      type = types.anything;
      default = butcherDefaultSettings;
    };

    butcher.logLevel = mkOption {
      type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
      default = "DEBUG";
    };

    gatherer.enable = mkEnableOption "caveman gatherer";

    gatherer.settings = mkOption {
      type = types.anything;
      default = gathererDefaultSettings;
    };

    gatherer.logLevel = mkOption {
      type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
      default = "DEBUG";
    };

    smokestack.enable = mkEnableOption "caveman smokestack";

    smokestack.settings = mkOption {
      type = types.anything;
      default = smokestackDefaultSettings;
    };

    smokestack.logLevel = mkOption {
      type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
      default = "DEBUG";
    };
  };

  config = {
    systemd.extraConfig = ''
      DefaultLimitNOFILE=${toString limitNOFILE}
    '';

    networking.firewall.allowedTCPPorts = [
      hunterSettings.prometheus_port
    ];

    systemd.tmpfiles.rules = [
      "L ${profanityPath} - - - - ${./profanity.txt}"
    ];

    # redis restore can be slow
    systemd.services.redis-caveman.serviceConfig.TimeoutStartSec = "infinity";

    services.redis.servers.caveman = {
      enable = true;
      port = cfg.redis.port;
      settings = {
        inherit (cfg.redis) maxmemory maxmemory-samples;
        maxmemory-policy = "allkeys-lru";
      };
    };
    services.postgresql = {
      enable = true;
      ensureDatabases = [ "caveman" ];
      ensureUsers = [ {
        name = "caveman-gatherer";
        ensurePermissions = {
          "DATABASE caveman" = "ALL PRIVILEGES";
        };
      } {
        name = "caveman-hunter";
        ensurePermissions = {
          "DATABASE caveman" = "ALL PRIVILEGES";
        };
      } ];
    };

    systemd.services.caveman-hunter = lib.mkIf cfg.hunter.enable {
      wantedBy = [ "multi-user.target" ];
      requires = [ "redis-caveman.service" ];
      after = [ "redis-caveman.service" "network-online.target" ];
      environment.RUST_LOG = "caveman=${cfg.hunter.logLevel}";
      serviceConfig = {
        ExecStart = "${pkgs.caveman-hunter}/bin/caveman-hunter ${hunterConfigFile}";
        Type = "notify";
        WatchdogSec = 600;
        Restart = "always";
        RestartSec = 30;
        DynamicUser = true;
        User = "caveman-hunter";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        LimitNOFile = limitNOFILE;
        LimitRSS = "4G:6G";
      };
    };

    systemd.services.caveman-butcher = lib.mkIf cfg.butcher.enable {
      wantedBy = [ "multi-user.target" ];
      requires = [ "redis-caveman.service" ];
      after = [ "redis-caveman.service" "network-online.target" ];
      environment.RUST_LOG = "caveman=${cfg.butcher.logLevel}";
      serviceConfig = {
        ExecStart = "${pkgs.caveman-butcher}/bin/caveman-butcher ${butcherConfigFile}";
        Type = "notify";
        WatchdogSec = 600;
        Restart = "always";
        RestartSec = 30;
        DynamicUser = true;
        User = "caveman-butcher";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        LimitNOFile = limitNOFILE;
        LimitRSS = "4G:6G";
      };
    };

    systemd.services.caveman-gatherer = lib.mkIf cfg.gatherer.enable {
      wantedBy = [ "multi-user.target" ];
      requires = [ "redis-caveman.service" ];
      after = [ "redis-caveman.service" "network-online.target" ];
      environment.RUST_LOG = "caveman=${cfg.gatherer.logLevel}";
      serviceConfig = {
        ExecStart = "${pkgs.caveman-gatherer}/bin/caveman-gatherer ${gathererConfigFile}";
        Type = "notify";
        WatchdogSec = 90;
        Restart = "always";
        RestartSec = 1;
        DynamicUser = true;
        User = "caveman-gatherer";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        LimitNOFile = limitNOFILE;
        WorkingDirectory = "${pkgs.caveman-gatherer}/share/caveman/gatherer";
        LimitRSS = "512M:1G";
      };
    };

    systemd.timers.caveman-gatherer-probe = lib.mkIf cfg.gatherer.enable {
      wantedBy = [ "timers.target" ];
      timerConfig.OnCalendar = "minutely";
    };
    systemd.services.caveman-gatherer-probe = lib.mkIf cfg.gatherer.enable {
      requires = [ "caveman-gatherer.service" ];
      serviceConfig = {
        Type = "oneshot";
        User = "caveman-gatherer-probe";
        DynamicUser = true;
        ProtectSystem = "full";
      };
      path = with pkgs; [ wget ];
      script = ''
        wget -O /dev/null --user-agent=caveman-gatherer-probe 127.0.0.1:${toString gathererSettings.listen_port}/
      '';
    };

    systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {
      wantedBy = [ "multi-user.target" ];
      requires = [ "redis-caveman.service" ];
      after = [ "redis-caveman.service" "network-online.target" ];
      environment.RUST_LOG = "caveman=${cfg.smokestack.logLevel}";
      serviceConfig = {
        ExecStart = "${pkgs.caveman-smokestack}/bin/caveman-smokestack ${smokestackConfigFile}";
        Type = "notify";
        WatchdogSec = 10;
        Restart = "always";
        RestartSec = 10;
        DynamicUser = true;
        User = "caveman-smokestack";
        ProtectSystem = "strict";
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        LimitNOFile = limitNOFILE;
        LimitRSS = "64M:256M";
        # Allow listening on ports <1024
        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      };
    };

    systemd.services.blocklist-update = lib.mkIf cfg.hunter.enable {
      after = [ "network.target" ];
      path = with pkgs; [ coreutils wget ];
      script = ''
        T=$(mktemp blocklistXXXX)
        wget -O $T https://raw.githubusercontent.com/gardenfence/blocklist/main/gardenfence.txt
        chmod a+r $T
        mv $T ${lib.escapeShellArg blocklistPath}
      '';
      serviceConfig = {
        Type = "oneshot";
        Restart = "on-failure";
        RestartSec = 600;
      };
    };
    systemd.timers.blocklist-update = lib.mkIf cfg.hunter.enable {
      wantedBy = [ "timers.target" ];
      timerConfig.OnCalendar = "hourly";
    };
  };
}
add nixos-module 2022-11-03 19:49:00 +01:00			`{ config, lib, pkgs, ... }:`

			`let`
			`cfg = config.services.caveman;`

nixos-module: add blocklist-update 2023-01-26 00:49:00 +01:00			`blocklistPath = "/etc/caveman.blocklist";`
butcher: implement reloadable profanity list 2023-02-24 19:39:30 +01:00			`profanityPath = "/etc/caveman.profanity";`
nixos-module: add blocklist-update 2023-01-26 00:49:00 +01:00
add nixos-module 2022-11-03 19:49:00 +01:00			`hunterDefaultSettings = {`
			`redis = "redis://127.0.0.1:${toString cfg.redis.port}/";`
begin collecting tokens 2023-08-08 18:42:34 +02:00			`database = "host=/var/run/postgresql user=caveman-hunter dbname=caveman";`
			`hosts = [ "mastodon.social" ];`
add nixos-module 2022-11-03 19:49:00 +01:00			`max_workers = 16;`
hunter: add metrics for prometheus 2022-12-26 03:44:42 +01:00			`prometheus_port = 9101;`
nixos-module: add blocklist-update 2023-01-26 00:49:00 +01:00			`blocklist = blocklistPath;`
add nixos-module 2022-11-03 19:49:00 +01:00			`};`

limit connections 2022-11-03 20:48:36 +01:00			`hunterSettings = lib.recursiveUpdate hunterDefaultSettings cfg.hunter.settings;`

add nixos-module 2022-11-03 19:49:00 +01:00			`hunterConfigFile = builtins.toFile "hunter.yaml" (`
limit connections 2022-11-03 20:48:36 +01:00			`builtins.toJSON hunterSettings`
add nixos-module 2022-11-03 19:49:00 +01:00			`);`

hunter: split into butcher 2023-01-22 00:05:10 +01:00			`butcherDefaultSettings = {`
			`redis = "redis://127.0.0.1:${toString cfg.redis.port}/";`
butcher: implement reloadable profanity list 2023-02-24 19:39:30 +01:00			`profanity = profanityPath;`
hunter: split into butcher 2023-01-22 00:05:10 +01:00			`};`

			`butcherSettings = lib.recursiveUpdate butcherDefaultSettings cfg.butcher.settings;`

			`butcherConfigFile = builtins.toFile "butcher.yaml" (`
			`builtins.toJSON butcherSettings`
			`);`

nixos-module: add gatherer 2022-11-10 02:47:46 +01:00			`gathererDefaultSettings = {`
			`redis = "redis://127.0.0.1:${toString cfg.redis.port}/";`
begin collecting tokens 2023-08-08 18:42:34 +02:00			`database = "host=/var/run/postgresql user=caveman-gatherer dbname=caveman";`
nixos-module: add gatherer 2022-11-10 02:47:46 +01:00			`listen_port = 8000;`
			`};`

			`gathererSettings = lib.recursiveUpdate gathererDefaultSettings cfg.gatherer.settings;`

			`gathererConfigFile = builtins.toFile "gatherer.yaml" (`
			`builtins.toJSON gathererSettings`
			`);`

smokestack: nixify 2022-11-17 00:09:46 +01:00			`smokestackDefaultSettings = {`
			`redis = "redis://127.0.0.1:${toString cfg.redis.port}/";`
			`listen_port = 23;`
			`};`

			`smokestackSettings = lib.recursiveUpdate smokestackDefaultSettings cfg.smokestack.settings;`

			`smokestackConfigFile = builtins.toFile "smokestack.yaml" (`
			`builtins.toJSON smokestackSettings`
			`);`

nixos-module: allow LimitNOFILE=100000 2022-11-11 23:19:37 +01:00			`limitNOFILE = 1000000;`

add nixos-module 2022-11-03 19:49:00 +01:00			`in`
			`{`
			`options.services.caveman = with lib; {`
			`redis.port = mkOption {`
			`type = types.int;`
			`default = 6379;`
			`};`
			`redis.maxmemory = mkOption {`
			`type = types.int;`
			`default = 1024 * 1024 * 1024;`
			`};`
			`redis.maxmemory-samples = mkOption {`
			`type = types.int;`
			`default = 8;`
			`};`

			`hunter.enable = mkEnableOption "caveman hunter";`

			`hunter.settings = mkOption {`
			`type = types.anything;`
			`default = hunterDefaultSettings;`
			`};`
nixos-module: add option services.caveman.hunter.logLevel 2022-11-03 19:57:30 +01:00
			`hunter.logLevel = mkOption {`
			`type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];`
			`default = "DEBUG";`
			`};`
nixos-module: add gatherer 2022-11-10 02:47:46 +01:00
hunter: split into butcher 2023-01-22 00:05:10 +01:00			`butcher.enable = mkEnableOption "caveman butcher";`

			`butcher.settings = mkOption {`
			`type = types.anything;`
			`default = butcherDefaultSettings;`
			`};`

			`butcher.logLevel = mkOption {`
			`type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];`
			`default = "DEBUG";`
			`};`

nixos-module: add gatherer 2022-11-10 02:47:46 +01:00			`gatherer.enable = mkEnableOption "caveman gatherer";`

			`gatherer.settings = mkOption {`
			`type = types.anything;`
			`default = gathererDefaultSettings;`
			`};`

			`gatherer.logLevel = mkOption {`
			`type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];`
			`default = "DEBUG";`
			`};`
smokestack: nixify 2022-11-17 00:09:46 +01:00
			`smokestack.enable = mkEnableOption "caveman smokestack";`

			`smokestack.settings = mkOption {`
			`type = types.anything;`
			`default = smokestackDefaultSettings;`
			`};`

			`smokestack.logLevel = mkOption {`
			`type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];`
			`default = "DEBUG";`
			`};`
add nixos-module 2022-11-03 19:49:00 +01:00			`};`

			`config = {`
nixos-module: allow LimitNOFILE=100000 2022-11-11 23:19:37 +01:00			`systemd.extraConfig = ''`
			`DefaultLimitNOFILE=${toString limitNOFILE}`
			`'';`

hunter: add metrics for prometheus 2022-12-26 03:44:42 +01:00			`networking.firewall.allowedTCPPorts = [`
			`hunterSettings.prometheus_port`
			`];`

butcher: implement reloadable profanity list 2023-02-24 19:39:30 +01:00			`systemd.tmpfiles.rules = [`
			`"L ${profanityPath} - - - - ${./profanity.txt}"`
			`];`

nixos-module: lift redis TimeoutStartSec 2023-02-24 20:06:35 +01:00			`# redis restore can be slow`
			`systemd.services.redis-caveman.serviceConfig.TimeoutStartSec = "infinity";`

example vm setup 2023-08-08 22:06:06 +02:00			`services.redis.servers.caveman = {`
add nixos-module 2022-11-03 19:49:00 +01:00			`enable = true;`
			`port = cfg.redis.port;`
			`settings = {`
			`inherit (cfg.redis) maxmemory maxmemory-samples;`
			`maxmemory-policy = "allkeys-lru";`
			`};`
			`};`
begin collecting tokens 2023-08-08 18:42:34 +02:00			`services.postgresql = {`
			`enable = true;`
			`ensureDatabases = [ "caveman" ];`
			`ensureUsers = [ {`
example vm setup 2023-08-08 22:06:06 +02:00			`name = "caveman-gatherer";`
			`ensurePermissions = {`
			`"DATABASE caveman" = "ALL PRIVILEGES";`
			`};`
			`} {`
			`name = "caveman-hunter";`
begin collecting tokens 2023-08-08 18:42:34 +02:00			`ensurePermissions = {`
			`"DATABASE caveman" = "ALL PRIVILEGES";`
			`};`
			`} ];`
			`};`
add nixos-module 2022-11-03 19:49:00 +01:00
			`systemd.services.caveman-hunter = lib.mkIf cfg.hunter.enable {`
			`wantedBy = [ "multi-user.target" ];`
Revert "nixos-module: let caveman-hunter depend on blocklist-update" This reverts commit 8cc44a4c0ddd5639b0af7eb89184225ad8a9c3cc. 2023-01-26 01:26:02 +01:00			`requires = [ "redis-caveman.service" ];`
add nixos-module 2022-11-03 19:49:00 +01:00			`after = [ "redis-caveman.service" "network-online.target" ];`
nixos-module: add option services.caveman.hunter.logLevel 2022-11-03 19:57:30 +01:00			`environment.RUST_LOG = "caveman=${cfg.hunter.logLevel}";`
add nixos-module 2022-11-03 19:49:00 +01:00			`serviceConfig = {`
			`ExecStart = "${pkgs.caveman-hunter}/bin/caveman-hunter ${hunterConfigFile}";`
			`Type = "notify";`
nixos-module: bump WatchdogSec from 60 to 600 2022-11-12 01:02:58 +01:00			`WatchdogSec = 600;`
add nixos-module 2022-11-03 19:49:00 +01:00			`Restart = "always";`
nixos-module.nix: set RestartSec sensibly for both hunter and gatherer 2022-11-16 03:24:24 +01:00			`RestartSec = 30;`
add nixos-module 2022-11-03 19:49:00 +01:00			`DynamicUser = true;`
			`User = "caveman-hunter";`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
hunter: split into butcher 2023-01-22 00:05:10 +01:00			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`LimitNOFile = limitNOFILE;`
			`LimitRSS = "4G:6G";`
			`};`
			`};`

			`systemd.services.caveman-butcher = lib.mkIf cfg.butcher.enable {`
			`wantedBy = [ "multi-user.target" ];`
			`requires = [ "redis-caveman.service" ];`
			`after = [ "redis-caveman.service" "network-online.target" ];`
			`environment.RUST_LOG = "caveman=${cfg.butcher.logLevel}";`
			`serviceConfig = {`
			`ExecStart = "${pkgs.caveman-butcher}/bin/caveman-butcher ${butcherConfigFile}";`
			`Type = "notify";`
			`WatchdogSec = 600;`
			`Restart = "always";`
			`RestartSec = 30;`
			`DynamicUser = true;`
			`User = "caveman-butcher";`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
add nixos-module 2022-11-03 19:49:00 +01:00			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
nixos-module: allow LimitNOFILE=100000 2022-11-11 23:19:37 +01:00			`LimitNOFile = limitNOFILE;`
nixos-module: lift LimitRSS for caveman-hunter a bit 2022-12-26 03:50:18 +01:00			`LimitRSS = "4G:6G";`
nixos-module: add gatherer 2022-11-10 02:47:46 +01:00			`};`
			`};`

			`systemd.services.caveman-gatherer = lib.mkIf cfg.gatherer.enable {`
			`wantedBy = [ "multi-user.target" ];`
			`requires = [ "redis-caveman.service" ];`
			`after = [ "redis-caveman.service" "network-online.target" ];`
			`environment.RUST_LOG = "caveman=${cfg.gatherer.logLevel}";`
			`serviceConfig = {`
			`ExecStart = "${pkgs.caveman-gatherer}/bin/caveman-gatherer ${gathererConfigFile}";`
			`Type = "notify";`
gatherer: add watchdog triggered by wget 2022-11-14 21:52:48 +01:00			`WatchdogSec = 90;`
nixos-module: add gatherer 2022-11-10 02:47:46 +01:00			`Restart = "always";`
nixos-module.nix: set RestartSec sensibly for both hunter and gatherer 2022-11-16 03:24:24 +01:00			`RestartSec = 1;`
nixos-module: add gatherer 2022-11-10 02:47:46 +01:00			`DynamicUser = true;`
			`User = "caveman-gatherer";`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
nixos-module: allow LimitNOFILE=100000 2022-11-11 23:19:37 +01:00			`LimitNOFile = limitNOFILE;`
nixos-module: add gatherer 2022-11-10 02:47:46 +01:00			`WorkingDirectory = "${pkgs.caveman-gatherer}/share/caveman/gatherer";`
nixos-modules: set LimitRSS for hunter and gatherer 2022-11-17 00:10:06 +01:00			`LimitRSS = "512M:1G";`
add nixos-module 2022-11-03 19:49:00 +01:00			`};`
			`};`
gatherer: add watchdog triggered by wget 2022-11-14 21:52:48 +01:00
			`systemd.timers.caveman-gatherer-probe = lib.mkIf cfg.gatherer.enable {`
			`wantedBy = [ "timers.target" ];`
			`timerConfig.OnCalendar = "minutely";`
			`};`
			`systemd.services.caveman-gatherer-probe = lib.mkIf cfg.gatherer.enable {`
			`requires = [ "caveman-gatherer.service" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`User = "caveman-gatherer-probe";`
			`DynamicUser = true;`
			`ProtectSystem = "full";`
			`};`
			`path = with pkgs; [ wget ];`
			`script = ''`
			`wget -O /dev/null --user-agent=caveman-gatherer-probe 127.0.0.1:${toString gathererSettings.listen_port}/`
			`'';`
			`};`
smokestack: nixify 2022-11-17 00:09:46 +01:00
			`systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {`
			`wantedBy = [ "multi-user.target" ];`
			`requires = [ "redis-caveman.service" ];`
			`after = [ "redis-caveman.service" "network-online.target" ];`
			`environment.RUST_LOG = "caveman=${cfg.smokestack.logLevel}";`
			`serviceConfig = {`
			`ExecStart = "${pkgs.caveman-smokestack}/bin/caveman-smokestack ${smokestackConfigFile}";`
			`Type = "notify";`
			`WatchdogSec = 10;`
			`Restart = "always";`
			`RestartSec = 10;`
			`DynamicUser = true;`
			`User = "caveman-smokestack";`
			`ProtectSystem = "strict";`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`LimitNOFile = limitNOFILE;`
			`LimitRSS = "64M:256M";`
			`# Allow listening on ports <1024`
			`AmbientCapabilities = "CAP_NET_BIND_SERVICE";`
			`};`
			`};`
nixos-module: add blocklist-update 2023-01-26 00:49:00 +01:00
			`systemd.services.blocklist-update = lib.mkIf cfg.hunter.enable {`
nixos-module: fix blocklist-update.service network requirement 2023-02-21 03:42:22 +01:00			`after = [ "network.target" ];`
nixos-module: add blocklist-update 2023-01-26 00:49:00 +01:00			`path = with pkgs; [ coreutils wget ];`
			`script = ''`
			`T=$(mktemp blocklistXXXX)`
nixos-module: use gardenfence blocklist 2023-07-25 01:20:28 +02:00			`wget -O $T https://raw.githubusercontent.com/gardenfence/blocklist/main/gardenfence.txt`
nixos-module: fix blocklist permissions 2023-01-26 01:16:24 +01:00			`chmod a+r $T`
nixos-module: add blocklist-update 2023-01-26 00:49:00 +01:00			`mv $T ${lib.escapeShellArg blocklistPath}`
			`'';`
			`serviceConfig = {`
			`Type = "oneshot";`
			`Restart = "on-failure";`
			`RestartSec = 600;`
			`};`
			`};`
			`systemd.timers.blocklist-update = lib.mkIf cfg.hunter.enable {`
			`wantedBy = [ "timers.target" ];`
			`timerConfig.OnCalendar = "hourly";`
			`};`
add nixos-module 2022-11-03 19:49:00 +01:00			`};`
			`}`