diff --git a/flake.nix b/flake.nix
index 9594ad1..177c04e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,7 +9,7 @@
 outputs = { self, nixpkgs, utils, fenix, naersk }: {
 overlay = final: prev: {
- inherit (self.packages.${prev.system}) caveman-hunter;
+ inherit (self.packages.${prev.system}) caveman-hunter caveman-gatherer;
 };
 nixosModule = self.nixosModules.caveman;
diff --git a/nixos-module.nix b/nixos-module.nix
index 2ff89dc..1f5e18f 100644
--- a/nixos-module.nix
+++ b/nixos-module.nix
@@ -15,6 +15,17 @@ let
 builtins.toJSON hunterSettings
 );
+ gathererDefaultSettings = {
+ redis = "redis://127.0.0.1:${toString cfg.redis.port}/";
+ listen_port = 8000;
+ };
+
+ gathererSettings = lib.recursiveUpdate gathererDefaultSettings cfg.gatherer.settings;
+
+ gathererConfigFile = builtins.toFile "gatherer.yaml" (
+ builtins.toJSON gathererSettings
+ );
+
 in {
 options.services.caveman = with lib; {
@@ -42,6 +53,18 @@ in
 type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
 default = "DEBUG";
 };
+
+ gatherer.enable = mkEnableOption "caveman gatherer";
+
+ gatherer.settings = mkOption {
+ type = types.anything;
+ default = gathererDefaultSettings;
+ };
+
+ gatherer.logLevel = mkOption {
+ type = types.enum [ "ERROR" "WARN" "INFO" "DEBUG" "TRACE" ];
+ default = "DEBUG";
+ };
 };
 config = {
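Review bot: `gathererConfigFile` is rendered with `builtins.toFile`, so the resulting `gatherer.yaml` — including anything an operator merges into `cfg.gatherer.settings` — lands in the world-readable Nix store, and a Redis URL carrying a password would be readable by every local user. The shipped default has no credentials, so today this is a documentation point: a comment such as `# NOTE: rendered into /nix/store (world-readable); keep credentials out of settings` above `gathererConfigFile` would make the constraint explicit, and the same caveat presumably applies to the pre-existing `hunterSettings` rendering just above it. If the gatherer ever needs a secret, passing it via a file outside the store (for example a `LoadCredential=` entry on the unit) is the safer route. The enclosing `let` block starts outside the hunk.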
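Review bot: `gatherer.settings` is typed `types.anything`, so a mistyped key such as `listen-port` is accepted silently and merged into the YAML instead of being rejected at evaluation time; `type = types.attrsOf types.anything;` would at least enforce an attribute set, and a `description` stating that keys are passed through verbatim to the gatherer's config file would help module users. The default `listen_port = 8000` is also surfaced here without any indication of which address the gatherer binds to; if it listens on all interfaces, the option description should say so, since that decides whether opening the port in `networking.firewall` exposes the service beyond the host. The `options.services.caveman` set begins outside the hunk.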
@@ -77,7 +100,34 @@ in
 RestrictRealtime = true;
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
- LimitNOFile = 2 * hunterSettings.max_workers;
+ LimitNOFile = 100000;
+ };
+ };
+
+ systemd.services.caveman-gatherer = lib.mkIf cfg.gatherer.enable {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "redis-caveman.service" ];
+ after = [ "redis-caveman.service" "network-online.target" ];
+ environment.RUST_LOG = "caveman=${cfg.gatherer.logLevel}";
+ serviceConfig = {
+ ExecStart = "${pkgs.caveman-gatherer}/bin/caveman-gatherer ${gathererConfigFile}";
+ Type = "notify";
+ Restart = "always";
+ RestartSec = 10;
+ DynamicUser = true;
+ User = "caveman-gatherer";
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ LimitNOFile = 100000;
+ WorkingDirectory = "${pkgs.caveman-gatherer}/share/caveman/gatherer";
 };
 };
 };
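Review bot: `after = [ "redis-caveman.service" "network-online.target" ]` orders the gatherer after the target, but nothing in the unit pulls the target in, so unless some other unit wants it the ordering is a no-op and the service can start before the network is up; add `wants = [ "network-online.target" ];` next to the `requires` line. The hunter's `LimitNOFile` also changes from `2 * hunterSettings.max_workers` to a flat `100000`, which drops the coupling to `max_workers`; if that is intentional, a one-line `# why` comment would save the next reader from wondering. Since the unit already relies on systemd sandboxing, `CapabilityBoundingSet = [ ];` and `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` (AF_UNIX is required for the `Type = "notify"` socket) would narrow it further, assuming the gatherer only talks to Redis and its own listening port. The enclosing `config = {` set begins outside the hunk.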