nixos-module: add sieve

flake.nix

@@ -11,7 +11,8 @@
     overlay = final: prev: {
       inherit (self.packages.${prev.system})
         caveman-hunter caveman-butcher
-        caveman-gatherer caveman-smokestack;
+        caveman-gatherer caveman-sieve
+        caveman-smokestack;
     };
 
     nixosModule = self.nixosModules.caveman;
@@ -100,6 +101,14 @@
         cp -rv gatherer/{templates,assets} $out/share/caveman/gatherer/
       '';
     };
+    packages.caveman-sieve = naersk-lib.buildPackage rec {
+      pname = "caveman-sieve";
+      version = self.lastModifiedDate;
+      inherit src;
+      targets = [ pname ];
+      nativeBuildInputs = with pkgs; [ pkg-config ];
+      buildInputs = with pkgs; [ openssl systemd ];
+    };
     packages.caveman-smokestack = naersk-lib.buildPackage rec {
       pname = "caveman-smokestack";
       version = self.lastModifiedDate;

nixos-module.nix

@@ -50,6 +50,19 @@ let
     builtins.toJSON gathererSettings
   );
 
+  sieveDefaultSettings = {
+    redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
+    redis_password_file = cfg.redis.passwordFile;
+    in_topic = "relay-in";
+    prometheus_port = 9102;
+  };
+
+  sieveSettings = lib.recursiveUpdate sieveDefaultSettings cfg.sieve.settings;
+
+  sieveConfigFile = builtins.toFile "sieve.yaml" (
+    builtins.toJSON sieveSettings
+  );
+
   smokestackDefaultSettings = {
     redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
     redis_password_file = cfg.redis.passwordFile;
@@ -119,6 +132,18 @@ in
       default = "DEBUG";
     };
 
+    sieve.enable = mkEnableOption "caveman sieve";
+
+    sieve.settings = mkOption {
+      type = types.anything;
+      default = sieveDefaultSettings;
+    };
+
+    sieve.logLevel = mkOption {
+      type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
+      default = "DEBUG";
+    };
+
     smokestack.enable = mkEnableOption "caveman smokestack";
 
     smokestack.settings = mkOption {
@@ -139,6 +164,7 @@ in
 
     networking.firewall.allowedTCPPorts = [
       hunterSettings.prometheus_port
+      sieveSettings.prometheus_port
     ];
 
     systemd.tmpfiles.rules = [
@@ -305,6 +331,34 @@ in
       '';
     };
 
+    systemd.services.caveman-sieve = lib.mkIf cfg.sieve.enable {
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "redis-caveman.service" ];
+      after = [ "redis-caveman.service" "network-online.target" ];
+      environment.RUST_LOG = "caveman=${cfg.sieve.logLevel}";
+      serviceConfig = {
+        ExecStart = "${pkgs.caveman-sieve}/bin/caveman-sieve ${sieveConfigFile}";
+        Type = "notify";
+        WatchdogSec = 300;
+        Restart = "always";
+        RestartSec = 1;
+        DynamicUser = true;
+        User = "caveman-sieve";
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        LimitNOFile = limitNOFILE;
+        LimitRSS = "128M:256M";
+      };
+    };
+
     systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {
       wantedBy = [ "multi-user.target" ];
       requires = [ "redis-caveman.service" "caveman-hunter.service" ];

sieve/src/main.rs

@@ -173,10 +173,12 @@ async fn main() {
                 Ok(true) => {
                     tracing::info!("Post was new: {id}");
                     metrics::counter!("sieve_activity", 1, "type" => "post_new");
+                    cave::systemd::watchdog();
                 }
                 Ok(false) => {
                     tracing::info!("Post was already known: {id}");
                     metrics::counter!("sieve_activity", 1, "type" => "post_known");
+                    cave::systemd::watchdog();
                 }
                 Err(e) => {
                     tracing::error!("Error forwarding post {id}: {e:?}");