nixos-module: add sieve
This commit is contained in:
parent
f4dbad281c
commit
60478dbf27
11
flake.nix
11
flake.nix
@ -11,7 +11,8 @@
overlay = final: prev: {
overlay = final: prev: {
inherit (self.packages.${prev.system})
inherit (self.packages.${prev.system})
caveman-hunter caveman-butcher
caveman-hunter caveman-butcher
caveman-gatherer caveman-smokestack;
caveman-gatherer caveman-sieve
caveman-smokestack;
};
};
nixosModule = self.nixosModules.caveman;
nixosModule = self.nixosModules.caveman;
@ -100,6 +101,14 @@
cp -rv gatherer/{templates,assets} $out/share/caveman/gatherer/
cp -rv gatherer/{templates,assets} $out/share/caveman/gatherer/
'';
'';
};
};
packages.caveman-sieve = naersk-lib.buildPackage rec {
pname = "caveman-sieve";
version = self.lastModifiedDate;
inherit src;
targets = [ pname ];
nativeBuildInputs = with pkgs; [ pkg-config ];
buildInputs = with pkgs; [ openssl systemd ];
};
packages.caveman-smokestack = naersk-lib.buildPackage rec {
packages.caveman-smokestack = naersk-lib.buildPackage rec {
pname = "caveman-smokestack";
pname = "caveman-smokestack";
version = self.lastModifiedDate;
version = self.lastModifiedDate;
@ -50,6 +50,19 @@ let
builtins.toJSON gathererSettings
builtins.toJSON gathererSettings
);
);
sieveDefaultSettings = {
redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
redis_password_file = cfg.redis.passwordFile;
in_topic = "relay-in";
prometheus_port = 9102;
};
sieveSettings = lib.recursiveUpdate sieveDefaultSettings cfg.sieve.settings;
sieveConfigFile = builtins.toFile "sieve.yaml" (
builtins.toJSON sieveSettings
);
smokestackDefaultSettings = {
smokestackDefaultSettings = {
redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
redis_password_file = cfg.redis.passwordFile;
redis_password_file = cfg.redis.passwordFile;
@ -119,6 +132,18 @@ in
default = "DEBUG";
default = "DEBUG";
};
};
sieve.enable = mkEnableOption "caveman sieve";
sieve.settings = mkOption {
type = types.anything;
default = sieveDefaultSettings;
};
sieve.logLevel = mkOption {
type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
default = "DEBUG";
};
smokestack.enable = mkEnableOption "caveman smokestack";
smokestack.enable = mkEnableOption "caveman smokestack";
smokestack.settings = mkOption {
smokestack.settings = mkOption {
@ -139,6 +164,7 @@ in
networking.firewall.allowedTCPPorts = [
networking.firewall.allowedTCPPorts = [
hunterSettings.prometheus_port
hunterSettings.prometheus_port
sieveSettings.prometheus_port
];
];
systemd.tmpfiles.rules = [
systemd.tmpfiles.rules = [
@ -305,6 +331,34 @@ in
'';
'';
};
};
systemd.services.caveman-sieve = lib.mkIf cfg.sieve.enable {
wantedBy = [ "multi-user.target" ];
requires = [ "redis-caveman.service" ];
after = [ "redis-caveman.service" "network-online.target" ];
environment.RUST_LOG = "caveman=${cfg.sieve.logLevel}";
serviceConfig = {
ExecStart = "${pkgs.caveman-sieve}/bin/caveman-sieve ${sieveConfigFile}";
Type = "notify";
WatchdogSec = 300;
Restart = "always";
RestartSec = 1;
DynamicUser = true;
User = "caveman-sieve";
ProtectSystem = "strict";
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
LimitNOFile = limitNOFILE;
LimitRSS = "128M:256M";
};
};
systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {
systemd.services.caveman-smokestack = lib.mkIf cfg.smokestack.enable {
wantedBy = [ "multi-user.target" ];
wantedBy = [ "multi-user.target" ];
requires = [ "redis-caveman.service" "caveman-hunter.service" ];
requires = [ "redis-caveman.service" "caveman-hunter.service" ];
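Review bot: `after = [ "redis-caveman.service" "network-online.target" ];` in `systemd.services.caveman-sieve` orders the unit after network-online.target, but nothing in the unit pulls that target in, so the ordering is a no-op on a host where the target is not activated by something else; add `wants = [ "network-online.target" ];` next to `requires`. The sibling caveman-smokestack unit is cut by the hunk, so it may carry the same gap. Separately, `sieve.settings` is typed `types.anything` and is serialized into the world-readable Nix store through `builtins.toFile "sieve.yaml"`, so the option deserves a `description` stating that credentials must be referenced by path (as `redis_password_file` does) and never inlined. Also note that `sieveSettings.prometheus_port` is appended to `networking.firewall.allowedTCPPorts` regardless of `sieve.enable`; unless the enclosing config block is already gated, `(lib.optional cfg.sieve.enable sieveSettings.prometheus_port)` would keep the port closed when the service is off.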
@ -173,10 +173,12 @@ async fn main() {
Ok(true) => {
Ok(true) => {
tracing::info!("Post was new: {id}");
tracing::info!("Post was new: {id}");
metrics::counter!("sieve_activity", 1, "type" => "post_new");
metrics::counter!("sieve_activity", 1, "type" => "post_new");
cave::systemd::watchdog();
}
}
Ok(false) => {
Ok(false) => {
tracing::info!("Post was already known: {id}");
tracing::info!("Post was already known: {id}");
metrics::counter!("sieve_activity", 1, "type" => "post_known");
metrics::counter!("sieve_activity", 1, "type" => "post_known");
cave::systemd::watchdog();
}
}
Err(e) => {
Err(e) => {
tracing::error!("Error forwarding post {id}: {e:?}");
tracing::error!("Error forwarding post {id}: {e:?}");
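Review bot: `cave::systemd::watchdog();` is called only from the `Ok(true)` and `Ok(false)` arms, so the `Err(e)` arm and, if nothing outside this hunk feeds it, any idle stretch with no incoming posts both leave the watchdog starved; together with `WatchdogSec = 300` in the new module unit, a healthy but quiet sieve would be killed and restarted every five minutes. If a persistent forwarding error is meant to force a restart, keep the arms as they are but add a time-based ping on the idle path; otherwise hoist the single `cave::systemd::watchdog();` to just after the `match` so every processed message feeds it. `main` starts and ends outside this hunk, so the loop around this `match` is not visible here.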