nixos-module: add sieve
This commit is contained in:
parent
f4dbad281c
commit
60478dbf27
11
flake.nix
11
flake.nix
|
@ -11,7 +11,8 @@
|
|||
overlay = final: prev: {
|
||||
inherit (self.packages.${prev.system})
|
||||
caveman-hunter caveman-butcher
|
||||
caveman-gatherer caveman-smokestack;
|
||||
caveman-gatherer caveman-sieve
|
||||
caveman-smokestack;
|
||||
};
|
||||
|
||||
nixosModule = self.nixosModules.caveman;
|
||||
|
@ -100,6 +101,14 @@
|
|||
cp -rv gatherer/{templates,assets} $out/share/caveman/gatherer/
|
||||
'';
|
||||
};
|
||||
packages.caveman-sieve = naersk-lib.buildPackage rec {
|
||||
pname = "caveman-sieve";
|
||||
version = self.lastModifiedDate;
|
||||
inherit src;
|
||||
targets = [ pname ];
|
||||
nativeBuildInputs = with pkgs; [ pkg-config ];
|
||||
buildInputs = with pkgs; [ openssl systemd ];
|
||||
};
|
||||
packages.caveman-smokestack = naersk-lib.buildPackage rec {
|
||||
pname = "caveman-smokestack";
|
||||
version = self.lastModifiedDate;
|
||||
|
|
|
@ -50,6 +50,19 @@ let
|
|||
builtins.toJSON gathererSettings
|
||||
);
|
||||
|
||||
sieveDefaultSettings = {
|
||||
redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
|
||||
redis_password_file = cfg.redis.passwordFile;
|
||||
in_topic = "relay-in";
|
||||
prometheus_port = 9102;
|
||||
};
|
||||
|
||||
sieveSettings = lib.recursiveUpdate sieveDefaultSettings cfg.sieve.settings;
|
||||
|
||||
sieveConfigFile = builtins.toFile "sieve.yaml" (
|
||||
builtins.toJSON sieveSettings
|
||||
);
|
||||
|
||||
smokestackDefaultSettings = {
|
||||
redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
|
||||
redis_password_file = cfg.redis.passwordFile;
|
||||
|
@ -119,6 +132,18 @@ in
|
|||
default = "DEBUG";
|
||||
};
|
||||
|
||||
sieve.enable = mkEnableOption "caveman sieve";
|
||||
|
||||
sieve.settings = mkOption {
|
||||
type = types.anything;
|
||||
default = sieveDefaultSettings;
|
||||
};
|
||||
|
||||
sieve.logLevel = mkOption {
|
||||
type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
|
||||
default = "DEBUG";
|
||||
};
|
||||
|
||||
smokestack.enable = mkEnableOption "caveman smokestack";
|
||||
|
||||
smokestack.settings = mkOption {
|
||||
|
@ -139,6 +164,7 @@ in
|
|||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
hunterSettings.prometheus_port
|
||||
sieveSettings.prometheus_port
|
||||
];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
|
@ -305,6 +331,34 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
systemd.services.caveman-sieve = lib.mkIf cfg.sieve.enable {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "redis-caveman.service" ];
|
||||
after = [ "redis-caveman.service" "network-online.target" ];
|
||||
environment.RUST_LOG = "caveman=${cfg.sieve.logLevel}";
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.caveman-sieve}/bin/caveman-sieve ${sieveConfigFile}";
|
||||
Type = "notify";
|
||||
WatchdogSec = 300;
|
||||
Restart = "always";
|
||||
RestartSec = 1;
|
||||
DynamicUser = true;
|
||||
User = "caveman-sieve";
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
LimitNOFile = limitNOFILE;
|
||||
LimitRSS = "128M:256M";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "redis-caveman.service" "caveman-hunter.service" ];
|
||||
|
|
|
@ -173,10 +173,12 @@ async fn main() {
|
|||
Ok(true) => {
|
||||
tracing::info!("Post was new: {id}");
|
||||
metrics::counter!("sieve_activity", 1, "type" => "post_new");
|
||||
cave::systemd::watchdog();
|
||||
}
|
||||
Ok(false) => {
|
||||
tracing::info!("Post was already known: {id}");
|
||||
metrics::counter!("sieve_activity", 1, "type" => "post_known");
|
||||
cave::systemd::watchdog();
|
||||
}
|
||||
Err(e) => {
|
||||
tracing::error!("Error forwarding post {id}: {e:?}");
|
||||
|
|
Loading…
Reference in New Issue