smokestack: nixify

flake.nix

@@ -9,7 +9,7 @@
 
   outputs = { self, nixpkgs, utils, fenix, naersk }: {
     overlay = final: prev: {
-      inherit (self.packages.${prev.system}) caveman-hunter caveman-gatherer;
+      inherit (self.packages.${prev.system}) caveman-hunter caveman-gatherer caveman-smokestack;
     };
 
     nixosModule = self.nixosModules.caveman;
@@ -69,6 +69,14 @@
         cp -rv gatherer/{templates,assets} $out/share/caveman/gatherer/
       '';
     };
+    packages.caveman-smokestack = naersk-lib.buildPackage rec {
+      pname = "caveman-smokestack";
+      version = self.lastModifiedDate;
+      src = ./.;
+      targets = [ pname ];
+      nativeBuildInputs = with pkgs; [ pkg-config ];
+      buildInputs = with pkgs; [ openssl systemd ];
+    };
 
     # `nix develop`
     devShells.default = pkgs.mkShell {

nixos-module.nix

@@ -26,6 +26,17 @@ let
     builtins.toJSON gathererSettings
   );
 
+  smokestackDefaultSettings = {
+    redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
+    listen_port = 23;
+  };
+
+  smokestackSettings = lib.recursiveUpdate smokestackDefaultSettings cfg.smokestack.settings;
+
+  smokestackConfigFile = builtins.toFile "smokestack.yaml" (
+    builtins.toJSON smokestackSettings
+  );
+
   limitNOFILE = 1000000;
 
 in
@@ -67,6 +78,18 @@ in
       type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
       default = "DEBUG";
     };
+
+    smokestack.enable = mkEnableOption "caveman smokestack";
+
+    smokestack.settings = mkOption {
+      type = types.anything;
+      default = smokestackDefaultSettings;
+    };
+
+    smokestack.logLevel = mkOption {
+      type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
+      default = "DEBUG";
+    };
   };
 
   config = {
@@ -155,5 +178,35 @@ in
         wget -O /dev/null --user-agent=caveman-gatherer-probe 127.0.0.1:${toString gathererSettings.listen_port}/
       '';
     };
+
+    systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "redis-caveman.service" ];
+      after = [ "redis-caveman.service" "network-online.target" ];
+      environment.RUST_LOG = "caveman=${cfg.smokestack.logLevel}";
+      serviceConfig = {
+        ExecStart = "${pkgs.caveman-smokestack}/bin/caveman-smokestack ${smokestackConfigFile}";
+        Type = "notify";
+        WatchdogSec = 10;
+        Restart = "always";
+        RestartSec = 10;
+        DynamicUser = true;
+        User = "caveman-smokestack";
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        LimitNOFile = limitNOFILE;
+        LimitRSS = "64M:256M";
+        # Allow listening on ports <1024
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+      };
+    };
   };
 }

smokestack/src/main.rs

@@ -143,6 +143,8 @@ async fn publisher(state: State, firehose: impl Stream<Item = Vec<u8>>) {
             if let Some(msg) = msg {
                 state.broadcast(Arc::new(msg.into_bytes())).await;
             }
+
+            cave::systemd::watchdog();
         }
     }).await;
 }