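{ config, lib, pkgs, ... }:

# NixOS module for the caveman "hunter" daemon: a dedicated Redis instance plus
# a hardened systemd unit that runs `caveman-hunter` against a generated config.

let
  cfg = config.services.caveman;

  # Settings the hunter gets unless overridden through `hunter.settings`.
  # Redis is addressed over loopback only; see the explicit `bind` below.
  hunterDefaultSettings = {
    redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
    hosts = [ "mastodon.social" "fosstodon.org" "chaos.social" "dresden.network" ];
    interval_after_error = 7200;
    max_workers = 16;
  };

  # The merged settings are rendered as JSON (valid YAML) into the Nix store.
  # SECURITY: everything placed in `hunter.settings` becomes world-readable
  # under /nix/store. Do not put credentials (a Redis password, API tokens)
  # here; use a runtime credential mechanism such as LoadCredential= instead.
  hunterConfigFile = builtins.toFile "hunter.yaml" (
    builtins.toJSON (lib.recursiveUpdate hunterDefaultSettings cfg.hunter.settings)
  );
in
{
  options.services.caveman = with lib; {
    redis.port = mkOption {
      # `types.port` rejects out-of-range values that would otherwise yield a
      # broken `redis://` URL and a Redis instance that fails to bind.
      type = types.port;
      default = 6379;
      description = "TCP port of the dedicated Redis instance used by the hunter (loopback only).";
    };

    redis.maxmemory = mkOption {
      type = types.int;
      default = 1024 * 1024 * 1024;
      description = "Redis `maxmemory` in bytes; keys are evicted with `allkeys-lru` once reached.";
    };

    redis.maxmemory-samples = mkOption {
      type = types.int;
      default = 8;
      description = "Redis `maxmemory-samples`: number of keys sampled per LRU eviction.";
    };

    hunter.enable = mkEnableOption "caveman hunter";

    hunter.settings = mkOption {
      type = types.anything;
      default = hunterDefaultSettings;
      description = ''
        Settings merged (recursively) over the built-in defaults and written to
        the hunter's config file. The file lives in the world-readable Nix
        store, so never place secrets in it.
      '';
    };
  };

  config = {
    services.redis.servers.caveman = lib.mkIf cfg.hunter.enable {
      enable = true;
      # Explicit loopback bind: the hunter dials 127.0.0.1 and no password is
      # configured here, so this instance must never be reachable from other
      # hosts, whatever the upstream module's default happens to be.
      bind = "127.0.0.1";
      port = cfg.redis.port;
      settings = {
        inherit (cfg.redis) maxmemory maxmemory-samples;
        maxmemory-policy = "allkeys-lru";
      };
    };

    systemd.services.caveman-hunter = lib.mkIf cfg.hunter.enable {
      wantedBy = [ "multi-user.target" ];
      requires = [ "redis-caveman.service" ];
      # `after` alone does not activate network-online.target; it has to be
      # wanted as well, otherwise the ordering is a no-op on boots where
      # nothing else pulls the target in.
      wants = [ "network-online.target" ];
      after = [ "redis-caveman.service" "network-online.target" ];

      serviceConfig = {
        ExecStart = "${pkgs.caveman-hunter}/bin/caveman-hunter ${hunterConfigFile}";

        # Type=notify: the binary is expected to send READY=1 and to ping the
        # watchdog at least every 60 s, or systemd restarts it (10 s backoff).
        Type = "notify";
        WatchdogSec = 60;
        Restart = "always";
        RestartSec = 10;

        # Transient unprivileged user. DynamicUser also implies
        # NoNewPrivileges, PrivateTmp, RemoveIPC and RestrictSUIDSGID.
        DynamicUser = true;
        User = "caveman-hunter";

        # Filesystem and kernel isolation.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateDevices = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;

        # Least privilege: no capabilities, native syscall ABI only, and the
        # generic service allowlist. AF_UNIX must stay permitted because
        # sd_notify/watchdog and the glibc resolver (nscd) use unix sockets.
        # If the binary turns out to need more, the failure shows up in the
        # journal at start-up and the filter can be widened deliberately.
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
      };
    };
  };
}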