diff --git a/flake.nix b/flake.nix
index d6f8ecb..b0b8f36 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,8 @@ overlay = final: prev: {
 inherit (self.packages.${prev.system}) caveman-hunter caveman-butcher
- caveman-gatherer caveman-smokestack;
+ caveman-gatherer caveman-sieve
+ caveman-smokestack;
 };
 nixosModule = self.nixosModules.caveman;
@@ -100,6 +101,14 @@ cp -rv gatherer/{templates,assets} $out/share/caveman/gatherer/ '';
 };
+ packages.caveman-sieve = naersk-lib.buildPackage rec {
+ pname = "caveman-sieve";
+ version = self.lastModifiedDate;
+ inherit src;
+ targets = [ pname ];
+ nativeBuildInputs = with pkgs; [ pkg-config ];
+ buildInputs = with pkgs; [ openssl systemd ];
+ };
 packages.caveman-smokestack = naersk-lib.buildPackage rec {
 pname = "caveman-smokestack";
 version = self.lastModifiedDate;
diff --git a/nixos-module.nix b/nixos-module.nix
index 9c07604..b6fa9d9 100644
--- a/nixos-module.nix
+++ b/nixos-module.nix
@@ -50,6 +50,19 @@ let builtins.toJSON gathererSettings );
+ sieveDefaultSettings = {
+ redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
+ redis_password_file = cfg.redis.passwordFile;
+ in_topic = "relay-in";
+ prometheus_port = 9102;
+ };
+ sieveSettings = lib.recursiveUpdate sieveDefaultSettings cfg.sieve.settings;
+ sieveConfigFile = builtins.toFile "sieve.yaml" (
+ builtins.toJSON sieveSettings
+ );
+
 smokestackDefaultSettings = {
 redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
 redis_password_file = cfg.redis.passwordFile;
@@ -119,6 +132,18 @@ in default = "DEBUG";
 };
+ sieve.enable = mkEnableOption "caveman sieve";
+
+ sieve.settings = mkOption {
+ type = types.anything;
+ default = sieveDefaultSettings;
+ };
+
+ sieve.logLevel = mkOption {
+ type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
+ default = "DEBUG";
+ };
+
 smokestack.enable = mkEnableOption "caveman smokestack";
 smokestack.settings = mkOption { 
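Review bot: The new `sieve.settings` option is declared as `types.anything` with no `description`, so nothing tells the module user that whatever they put there is merged by `lib.recursiveUpdate` into `sieveSettings` and then written by `builtins.toFile "sieve.yaml"` into the Nix store, where it is readable by every local user; a password dropped into `settings` instead of `redis.passwordFile` would leak that way. The existing gatherer and smokestack options follow the same pattern, so this is consistent, but the new option is the place to say it. I would add `description = "Sieve settings, merged over the defaults and rendered to sieve.yaml in the world-readable Nix store; keep secrets out of it and use redis_password_file to reference a file instead.";` to `sieve.settings`, and a one-line `description` to `sieve.logLevel` as well. The enclosing `options` attribute set starts and ends outside the hunk.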
@@ -139,6 +164,7 @@ in networking.firewall.allowedTCPPorts = [
 hunterSettings.prometheus_port
+ sieveSettings.prometheus_port
 ];
 systemd.tmpfiles.rules = [
@@ -305,6 +331,34 @@ in '';
 };
+ systemd.services.caveman-sieve = lib.mkIf cfg.sieve.enable {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "redis-caveman.service" ];
+ after = [ "redis-caveman.service" "network-online.target" ];
+ environment.RUST_LOG = "caveman=${cfg.sieve.logLevel}";
+ serviceConfig = {
+ ExecStart = "${pkgs.caveman-sieve}/bin/caveman-sieve ${sieveConfigFile}";
+ Type = "notify";
+ WatchdogSec = 300;
+ Restart = "always";
+ RestartSec = 1;
+ DynamicUser = true;
+ User = "caveman-sieve";
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ LimitNOFile = limitNOFILE;
+ LimitRSS = "128M:256M";
+ };
+ };
+
 systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {
 wantedBy = [ "multi-user.target" ];
 requires = [ "redis-caveman.service" "caveman-hunter.service" ];
diff --git a/sieve/src/main.rs b/sieve/src/main.rs
index 8a4829e..496837d 100644
--- a/sieve/src/main.rs
+++ b/sieve/src/main.rs
@@ -173,10 +173,12 @@ async fn main() {
 Ok(true) => {
 tracing::info!("Post was new: {id}");
 metrics::counter!("sieve_activity", 1, "type" => "post_new");
+ cave::systemd::watchdog();
 }
 Ok(false) => {
 tracing::info!("Post was already known: {id}");
 metrics::counter!("sieve_activity", 1, "type" => "post_known");
+ cave::systemd::watchdog();
 }
 Err(e) => {
 tracing::error!("Error forwarding post {id}: {e:?}");
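Review bot: The added `sieveSettings.prometheus_port` entry in `networking.firewall.allowedTCPPorts` is unconditional, while the `caveman-sieve` unit it serves is gated on `cfg.sieve.enable`, so a host with the sieve disabled still opens TCP 9102 (the default from `sieveDefaultSettings`) with nothing intended to listen there. The existing `hunterSettings.prometheus_port` line has the same shape, so the new line follows the file's pattern, but a firewall hole should track the service it exists for. Gating it keeps the list correct in both states: `networking.firewall.allowedTCPPorts = [ hunterSettings.prometheus_port ] ++ lib.optional cfg.sieve.enable sieveSettings.prometheus_port;`. The enclosing `config` block starts and ends outside the hunk.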
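Review bot: `LimitNOFile = limitNOFILE;` in the new `caveman-sieve` `serviceConfig` is not the systemd directive name; the resource-limit directive is `LimitNOFILE=` and unit keys are matched case-sensitively, so systemd will log the line as an unknown key and the file-descriptor limit will silently not apply. The line should read `LimitNOFILE = limitNOFILE;`, and if the sibling units outside the hunk carry the same spelling they are affected in the same way. On the hardening side, the unit appears to need only the Redis connection and the Prometheus listener, so `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` and `SystemCallFilter = [ "@system-service" ];` would be natural additions, ideally applied to the sibling units at the same time so the services stay uniform.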
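Review bot: The two added `cave::systemd::watchdog();` calls feed the watchdog only from the success arms of the forwarding `match`, so with the unit's `WatchdogSec = 300` a sieve that is healthy but idle (nothing on `in_topic` for five minutes) or one whose forwards all land in the `Err(e)` arm is killed and, under `Restart = "always"`, restarted in a loop; `main` continues outside the hunk, so this assumes no other `watchdog()` call sits on the receive loop. If the watchdog is meant to catch a hung consumer rather than an empty topic, the ping belongs where the loop proves it is still polling (once per received message before the `match`, or on a periodic tick), and the `Err` arm needs a deliberate, documented choice, e.g. `// Watchdog deliberately not fed here: persistent forward failures should trip a restart.`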