From a74e5753fafcfe0a9f20ac2e2c625e458c4dc329 Mon Sep 17 00:00:00 2001
From: Jet Pham
Date: Tue, 10 Mar 2026 17:29:15 -0700
Subject: [PATCH] feat: write these as modules
---
 remote/cache-service/flake.nix | 2 +
 remote/cache-service/module.nix | 146 ++++++++++++++++++
 remote/configuration.nix | 57 -------
 remote/discord-bot/flake.nix | 2 +
 remote/discord-bot/module.nix | 81 ++++++++++
 remote/flake.nix | 243 ++----------------------------
 remote/hardware-configuration.nix | 13 --
 remote/rss-service/flake.nix | 2 +
 remote/rss-service/module.nix | 78 ++++++++++
 remote/secrets/secrets.nix | 10 --
 10 files changed, 323 insertions(+), 311 deletions(-)
 create mode 100644 remote/cache-service/module.nix
 delete mode 100644 remote/configuration.nix
 create mode 100644 remote/discord-bot/module.nix
 delete mode 100644 remote/hardware-configuration.nix
 create mode 100644 remote/rss-service/module.nix
 delete mode 100644 remote/secrets/secrets.nix
diff --git a/remote/cache-service/flake.nix b/remote/cache-service/flake.nix
index b8ee502..1906a9e 100644
--- a/remote/cache-service/flake.nix
+++ b/remote/cache-service/flake.nix
@@ -38,6 +38,8 @@
 {
 packages.${system}.default = noisebell-cache;
+ nixosModules.default = import ./module.nix self;
+
 devShells.${system}.default = craneLib.devShell {
 packages = [ pkgs.rust-analyzer ];
 };
diff --git a/remote/cache-service/module.nix b/remote/cache-service/module.nix
new file mode 100644
index 0000000..ba4a1c5
--- /dev/null
+++ b/remote/cache-service/module.nix
@@ -0,0 +1,146 @@
+self:
+{ config, lib, ... }:
+
+let
+ cfg = config.services.noisebell-cache;
+ bin = "${self.packages.x86_64-linux.default}/bin/noisebell-cache";
+in
+{
+ options.services.noisebell-cache = {
+ enable = lib.mkEnableOption "noisebell cache service";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "Domain for the Caddy virtual host.";
+ };
+
+ piAddress = lib.mkOption {
+ type = lib.types.str;
+ description = "Address of the Pi (e.g. http://noisebell:80).";
+ };
+
+ piApiKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to file containing API key for authenticating to Pi GET endpoints.";
+ };
+
+ inboundApiKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to file containing API key for the cache's inbound webhook.";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 3000;
+ };
+
+ statusPollIntervalSecs = lib.mkOption {
+ type = lib.types.ints.positive;
+ default = 60;
+ };
+
+ infoPollIntervalSecs = lib.mkOption {
+ type = lib.types.ints.positive;
+ default = 300;
+ };
+
+ offlineThreshold = lib.mkOption {
+ type = lib.types.ints.positive;
+ default = 3;
+ };
+
+ retryAttempts = lib.mkOption {
+ type = lib.types.ints.unsigned;
+ default = 3;
+ };
+
+ retryBaseDelaySecs = lib.mkOption {
+ type = lib.types.ints.positive;
+ default = 1;
+ };
+
+ httpTimeoutSecs = lib.mkOption {
+ type = lib.types.ints.positive;
+ default = 10;
+ };
+
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/noisebell-cache";
+ };
+
+ outboundWebhooks = lib.mkOption {
+ type = lib.types.listOf (lib.types.submodule {
+ options = {
+ url = lib.mkOption { type = lib.types.str; };
+ secretFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ };
+ };
+ });
+ default = [];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.noisebell-cache = {
+ isSystemUser = true;
+ group = "noisebell-cache";
+ };
+ users.groups.noisebell-cache = {};
+
+ services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
+ reverse_proxy localhost:${toString cfg.port}
+ '';
+
+ systemd.services.noisebell-cache = let
+ webhookExports = lib.concatImapStringsSep "\n" (i: wh:
+ let idx = toString (i - 1); in
+ ''export NOISEBELL_CACHE_WEBHOOK_${idx}_URL="${wh.url}"'' +
+ lib.optionalString (wh.secretFile != null)
+ ''\nexport NOISEBELL_CACHE_WEBHOOK_${idx}_SECRET="$(cat ${wh.secretFile})"''
+ ) cfg.outboundWebhooks;
+ in {
+ description = "Noisebell cache service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ environment = {
+ NOISEBELL_CACHE_PORT = toString cfg.port;
+ NOISEBELL_CACHE_PI_ADDRESS = cfg.piAddress;
+ NOISEBELL_CACHE_DATA_DIR = cfg.dataDir;
+ NOISEBELL_CACHE_STATUS_POLL_INTERVAL_SECS = toString cfg.statusPollIntervalSecs;
+ NOISEBELL_CACHE_INFO_POLL_INTERVAL_SECS = toString cfg.infoPollIntervalSecs;
+ NOISEBELL_CACHE_OFFLINE_THRESHOLD = toString cfg.offlineThreshold;
+ NOISEBELL_CACHE_RETRY_ATTEMPTS = toString cfg.retryAttempts;
+ NOISEBELL_CACHE_RETRY_BASE_DELAY_SECS = toString cfg.retryBaseDelaySecs;
+ NOISEBELL_CACHE_HTTP_TIMEOUT_SECS = toString cfg.httpTimeoutSecs;
+ RUST_LOG = "info";
+ };
+ script = ''
+ export NOISEBELL_CACHE_INBOUND_API_KEY="$(cat ${cfg.inboundApiKeyFile})"
+ export NOISEBELL_CACHE_PI_API_KEY="$(cat ${cfg.piApiKeyFile})"
+ ${webhookExports}
+ exec ${bin}
+ '';
+ serviceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = 5;
+ User = "noisebell-cache";
+ Group = "noisebell-cache";
+ StateDirectory = "noisebell-cache";
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ ReadWritePaths = [ cfg.dataDir ];
+ };
+ };
+ };
+}
diff --git a/remote/configuration.nix b/remote/configuration.nix
deleted file mode 100644
index f96464c..0000000
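Review bot: In the `script` block, `export NOISEBELL_CACHE_INBOUND_API_KEY="$(cat ${cfg.inboundApiKeyFile})"` discards the exit status of `cat`, because `export` returns 0 regardless of what the command substitution did, so a missing or unreadable secret file starts the service with an empty API key instead of failing; the same shape is used on the `PI_API_KEY` line, in the per-webhook `_SECRET` exports built by `webhookExports`, and in the discord and rss modules of this patch. Splitting assignment from export lets the `-e` shell NixOS wraps service scripts in (as I recall) abort on the failed read: `NOISEBELL_CACHE_INBOUND_API_KEY="$(cat ${cfg.inboundApiKeyFile})"` followed by `export NOISEBELL_CACHE_INBOUND_API_KEY`. Since the script runs as `noisebell-cache`, each file also has to be readable by that user, which the descriptions of `piApiKeyFile`, `inboundApiKeyFile` and `secretFile` do not say; alternatively the files could be handed over with systemd `LoadCredential` and read from `$CREDENTIALS_DIRECTORY`, which avoids relaxing permissions on the secret files themselves.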
--- a/remote/configuration.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- system.stateVersion = "24.11";
-
- networking.hostName = "noisebell-remote";
-
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
- services.openssh.enable = true;
- services.caddy.enable = true;
-
- users.users.root.openssh.authorizedKeys.keys = [
- # Add your SSH public key here
- ];
-
- # ── Secrets ───────────────────────────────────────────────────────────
-
- age.secrets.pi-api-key.file = ./secrets/pi-api-key.age;
- age.secrets.pi-inbound-api-key.file = ./secrets/pi-inbound-api-key.age;
- age.secrets.discord-token.file = ./secrets/discord-token.age;
- age.secrets.discord-webhook-secret.file = ./secrets/discord-webhook-secret.age;
- age.secrets.rss-webhook-secret.file = ./secrets/rss-webhook-secret.age;
-
- # ── Cache ─────────────────────────────────────────────────────────────
-
- services.noisebell-cache = {
- enable = true;
- domain = "noisebell.extremist.software";
- piAddress = "http://noisebell:80";
- inboundApiKeyFile = config.age.secrets.pi-api-key.path;
- piApiKeyFile = config.age.secrets.pi-inbound-api-key.path;
- outboundWebhooks = [
- { url = "https://discord.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.discord-webhook-secret.path; }
- { url = "https://rss.noisebell.extremist.software/webhook"; secretFile = config.age.secrets.rss-webhook-secret.path; }
- ];
- };
-
- # ── Discord ───────────────────────────────────────────────────────────
-
- services.noisebell-discord = {
- enable = true;
- domain = "discord.noisebell.extremist.software";
- discordTokenFile = config.age.secrets.discord-token.path;
- channelId = "000000000000000000"; # Replace with actual channel ID
- webhookSecretFile = config.age.secrets.discord-webhook-secret.path;
- };
-
- # ── RSS ───────────────────────────────────────────────────────────────
-
- services.noisebell-rss = {
- enable = true;
- domain = "rss.noisebell.extremist.software";
- webhookSecretFile = config.age.secrets.rss-webhook-secret.path;
- };
-
-}
diff --git a/remote/discord-bot/flake.nix b/remote/discord-bot/flake.nix
index 190a823..f0fc982 100644
--- a/remote/discord-bot/flake.nix
+++ b/remote/discord-bot/flake.nix
@@ -38,6 +38,8 @@
 {
 packages.${system}.default = noisebell-discord;
+ nixosModules.default = import ./module.nix self;
+
 devShells.${system}.default = craneLib.devShell {
 packages = [ pkgs.rust-analyzer ];
 };
diff --git a/remote/discord-bot/module.nix b/remote/discord-bot/module.nix
new file mode 100644
index 0000000..d33ebd1
--- /dev/null
+++ b/remote/discord-bot/module.nix
@@ -0,0 +1,81 @@
+self:
+{ config, lib, ... }:
+
+let
+ cfg = config.services.noisebell-discord;
+ bin = "${self.packages.x86_64-linux.default}/bin/noisebell-discord";
+in
+{
+ options.services.noisebell-discord = {
+ enable = lib.mkEnableOption "noisebell Discord bot";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "Domain for the Caddy virtual host.";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 3001;
+ };
+
+ discordTokenFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to file containing the Discord bot token.";
+ };
+
+ channelId = lib.mkOption {
+ type = lib.types.str;
+ description = "Discord channel ID to post messages to.";
+ };
+
+ webhookSecretFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to file containing the webhook secret.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.noisebell-discord = {
+ isSystemUser = true;
+ group = "noisebell-discord";
+ };
+ users.groups.noisebell-discord = {};
+
+ services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
+ reverse_proxy localhost:${toString cfg.port}
+ '';
+
+ systemd.services.noisebell-discord = {
+ description = "Noisebell Discord bot";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ environment = {
+ NOISEBELL_DISCORD_PORT = toString cfg.port;
+ NOISEBELL_DISCORD_CHANNEL_ID = cfg.channelId;
+ RUST_LOG = "info";
+ };
+ script = ''
+ export NOISEBELL_DISCORD_TOKEN="$(cat ${cfg.discordTokenFile})"
+ export NOISEBELL_DISCORD_WEBHOOK_SECRET="$(cat ${cfg.webhookSecretFile})"
+ exec ${bin}
+ '';
+ serviceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = 5;
+ User = "noisebell-discord";
+ Group = "noisebell-discord";
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ };
+}
diff --git a/remote/flake.nix b/remote/flake.nix
index 1fdc11d..f10d606 100644
--- a/remote/flake.nix
+++ b/remote/flake.nix
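Review bot: `bin` is built from `self.packages.x86_64-linux.default`, which pins the module to one system even though the flake exposes `packages.${system}` and this file is now the reusable `nixosModules.default`; on any other host platform the attribute lookup fails at evaluation time. Taking `pkgs` from the module arguments, `{ config, lib, pkgs, ... }:`, and writing `bin = "${self.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/noisebell-discord";` removes the hard-coding; the cache and rss modules carry the same line. Separately, `port` here (and most options of the other two modules) has no `description`, which leaves the generated option docs blank — a one-liner such as `description = "Local port the bot listens on; the Caddy virtual host proxies to it.";` would do.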
@@ -1,242 +1,23 @@
 {
- description = "NixOS configuration for noisebell remote services";
+ description = "Noisebell remote services";
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- agenix = {
- url = "github:ryantm/agenix";
- inputs.nixpkgs.follows = "nixpkgs";
- };
 noisebell-cache.url = "path:./cache-service";
 noisebell-discord.url = "path:./discord-bot";
 noisebell-rss.url = "path:./rss-service";
 };
- outputs = { self, nixpkgs, agenix, noisebell-cache, noisebell-discord, noisebell-rss }:
- let
-
- # ── Cache module ──────────────────────────────────────────────────
- cacheModule = { config, lib, pkgs, ... }:
- let cfg = config.services.noisebell-cache; in
- {
- options.services.noisebell-cache = {
- enable = lib.mkEnableOption "noisebell cache service";
- domain = lib.mkOption { type = lib.types.str; };
- piAddress = lib.mkOption { type = lib.types.str; };
- piApiKeyFile = lib.mkOption { type = lib.types.path; description = "Path to agenix secret for authenticating to Pi GET endpoints."; };
- inboundApiKeyFile = lib.mkOption { type = lib.types.path; };
- port = lib.mkOption { type = lib.types.port; default = 3000; };
- statusPollIntervalSecs = lib.mkOption { type = lib.types.ints.positive; default = 60; };
- infoPollIntervalSecs = lib.mkOption { type = lib.types.ints.positive; default = 300; };
- offlineThreshold = lib.mkOption { type = lib.types.ints.positive; default = 3; };
- retryAttempts = lib.mkOption { type = lib.types.ints.unsigned; default = 3; };
- retryBaseDelaySecs = lib.mkOption { type = lib.types.ints.positive; default = 1; };
- httpTimeoutSecs = lib.mkOption { type = lib.types.ints.positive; default = 10; };
- dataDir = lib.mkOption { type = lib.types.str; default = "/var/lib/noisebell-cache"; };
- outboundWebhooks = lib.mkOption {
- type = lib.types.listOf (lib.types.submodule {
- options = {
- url = lib.mkOption { type = lib.types.str; };
- secretFile = lib.mkOption { type = lib.types.nullOr lib.types.path; default = null; };
- };
- });
- default = [];
- };
- };
-
- config = lib.mkIf cfg.enable {
- users.users.noisebell-cache = { isSystemUser = true; group = "noisebell-cache"; };
- users.groups.noisebell-cache = {};
-
- services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
- reverse_proxy localhost:${toString cfg.port}
- '';
-
- systemd.services.noisebell-cache = let
- bin = "${noisebell-cache.packages.x86_64-linux.default}/bin/noisebell-cache";
- webhookExports = lib.concatImapStringsSep "\n" (i: wh:
- let idx = toString (i - 1); in
- ''export NOISEBELL_CACHE_WEBHOOK_${idx}_URL="${wh.url}"'' +
- lib.optionalString (wh.secretFile != null)
- ''\nexport NOISEBELL_CACHE_WEBHOOK_${idx}_SECRET="$(cat ${wh.secretFile})"''
- ) cfg.outboundWebhooks;
- in {
- description = "Noisebell cache service";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- environment = {
- NOISEBELL_CACHE_PORT = toString cfg.port;
- NOISEBELL_CACHE_PI_ADDRESS = cfg.piAddress;
- NOISEBELL_CACHE_DATA_DIR = cfg.dataDir;
- NOISEBELL_CACHE_STATUS_POLL_INTERVAL_SECS = toString cfg.statusPollIntervalSecs;
- NOISEBELL_CACHE_INFO_POLL_INTERVAL_SECS = toString cfg.infoPollIntervalSecs;
- NOISEBELL_CACHE_OFFLINE_THRESHOLD = toString cfg.offlineThreshold;
- NOISEBELL_CACHE_RETRY_ATTEMPTS = toString cfg.retryAttempts;
- NOISEBELL_CACHE_RETRY_BASE_DELAY_SECS = toString cfg.retryBaseDelaySecs;
- NOISEBELL_CACHE_HTTP_TIMEOUT_SECS = toString cfg.httpTimeoutSecs;
- RUST_LOG = "info";
- };
- script = ''
- export NOISEBELL_CACHE_INBOUND_API_KEY="$(cat ${cfg.inboundApiKeyFile})"
- export NOISEBELL_CACHE_PI_API_KEY="$(cat ${cfg.piApiKeyFile})"
- ${webhookExports}
- exec ${bin}
- '';
- serviceConfig = {
- Type = "simple";
- Restart = "on-failure";
- RestartSec = 5;
- User = "noisebell-cache";
- Group = "noisebell-cache";
- StateDirectory = "noisebell-cache";
- NoNewPrivileges = true;
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectControlGroups = true;
- RestrictSUIDSGID = true;
- ReadWritePaths = [ cfg.dataDir ];
- };
- };
- };
- };
-
- # ── Discord module ────────────────────────────────────────────────
- discordModule = { config, lib, pkgs, ... }:
- let cfg = config.services.noisebell-discord; in
- {
- options.services.noisebell-discord = {
- enable = lib.mkEnableOption "noisebell Discord bot";
- domain = lib.mkOption { type = lib.types.str; };
- port = lib.mkOption { type = lib.types.port; default = 3001; };
- discordTokenFile = lib.mkOption { type = lib.types.path; };
- channelId = lib.mkOption { type = lib.types.str; };
- webhookSecretFile = lib.mkOption { type = lib.types.path; };
- };
-
- config = lib.mkIf cfg.enable {
- users.users.noisebell-discord = { isSystemUser = true; group = "noisebell-discord"; };
- users.groups.noisebell-discord = {};
-
- services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
- reverse_proxy localhost:${toString cfg.port}
- '';
-
- systemd.services.noisebell-discord = let
- bin = "${noisebell-discord.packages.x86_64-linux.default}/bin/noisebell-discord";
- in {
- description = "Noisebell Discord bot";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- environment = {
- NOISEBELL_DISCORD_PORT = toString cfg.port;
- NOISEBELL_DISCORD_CHANNEL_ID = cfg.channelId;
- RUST_LOG = "info";
- };
- script = ''
- export NOISEBELL_DISCORD_TOKEN="$(cat ${cfg.discordTokenFile})"
- export NOISEBELL_DISCORD_WEBHOOK_SECRET="$(cat ${cfg.webhookSecretFile})"
- exec ${bin}
- '';
- serviceConfig = {
- Type = "simple";
- Restart = "on-failure";
- RestartSec = 5;
- User = "noisebell-discord";
- Group = "noisebell-discord";
- NoNewPrivileges = true;
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectControlGroups = true;
- RestrictSUIDSGID = true;
- };
- };
- };
- };
-
- # ── RSS module ────────────────────────────────────────────────────
- rssModule = { config, lib, pkgs, ... }:
- let cfg = config.services.noisebell-rss; in
- {
- options.services.noisebell-rss = {
- enable = lib.mkEnableOption "noisebell RSS/Atom feed";
- domain = lib.mkOption { type = lib.types.str; };
- port = lib.mkOption { type = lib.types.port; default = 3002; };
- webhookSecretFile = lib.mkOption { type = lib.types.path; };
- dataDir = lib.mkOption { type = lib.types.str; default = "/var/lib/noisebell-rss"; };
- };
-
- config = lib.mkIf cfg.enable {
- users.users.noisebell-rss = { isSystemUser = true; group = "noisebell-rss"; };
- users.groups.noisebell-rss = {};
-
- services.caddy.virtualHosts."${cfg.domain}".extraConfig = ''
- reverse_proxy localhost:${toString cfg.port}
- '';
-
- systemd.services.noisebell-rss = let
- bin = "${noisebell-rss.packages.x86_64-linux.default}/bin/noisebell-rss";
- in {
- description = "Noisebell RSS/Atom feed";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- environment = {
- NOISEBELL_RSS_PORT = toString cfg.port;
- NOISEBELL_RSS_DATA_DIR = cfg.dataDir;
- NOISEBELL_RSS_SITE_URL = "https://${cfg.domain}";
- RUST_LOG = "info";
- };
- script = ''
- export NOISEBELL_RSS_WEBHOOK_SECRET="$(cat ${cfg.webhookSecretFile})"
- exec ${bin}
- '';
- serviceConfig = {
- Type = "simple";
- Restart = "on-failure";
- RestartSec = 5;
- User = "noisebell-rss";
- Group = "noisebell-rss";
- StateDirectory = "noisebell-rss";
- NoNewPrivileges = true;
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectControlGroups = true;
- RestrictSUIDSGID = true;
- ReadWritePaths = [ cfg.dataDir ];
- };
- };
- };
- };
-
- in
- {
- nixosModules = {
- cache = cacheModule;
- discord = discordModule;
- rss = rssModule;
- };
-
- nixosConfigurations.remote = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- modules = [
- agenix.nixosModules.default
- cacheModule
- discordModule
- rssModule
- ./configuration.nix
- ./hardware-configuration.nix
- ];
- };
+ outputs = { self, nixpkgs, noisebell-cache, noisebell-discord, noisebell-rss }: {
+ nixosModules = {
+ cache = noisebell-cache.nixosModules.default;
+ discord = noisebell-discord.nixosModules.default;
+ rss = noisebell-rss.nixosModules.default;
+ default = { imports = [
+ noisebell-cache.nixosModules.default
+ noisebell-discord.nixosModules.default
+ noisebell-rss.nixosModules.default
+ ]; };
 };
+ };
 }
diff --git a/remote/hardware-configuration.nix b/remote/hardware-configuration.nix
deleted file mode 100644
index bb51012..0000000
--- a/remote/hardware-configuration.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports = [ ];
-
- boot.loader.grub.enable = true;
- boot.loader.grub.devices = [ "/dev/sda" ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "ext4";
- };
-}
diff --git a/remote/rss-service/flake.nix b/remote/rss-service/flake.nix
index b5685c8..2e0984d 100644
--- a/remote/rss-service/flake.nix
+++ b/remote/rss-service/flake.nix
@@ -38,6 +38,8 @@
 {
 packages.${system}.default = noisebell-rss;
+ nixosModules.default = import ./module.nix self;
+
 devShells.${system}.default = craneLib.devShell {
 packages = [ pkgs.rust-analyzer ];
 };
diff --git a/remote/rss-service/module.nix b/remote/rss-service/module.nix
new file mode 100644
index 0000000..7ad58c2
--- /dev/null
+++ b/remote/rss-service/module.nix
@@ -0,0 +1,78 @@
+self:
+{ config, lib, ... }:
+
+let
+ cfg = config.services.noisebell-rss;
+ bin = "${self.packages.x86_64-linux.default}/bin/noisebell-rss";
+in
+{
+ options.services.noisebell-rss = {
+ enable = lib.mkEnableOption "noisebell RSS/Atom feed";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "Domain for the Caddy virtual host.";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 3002;
+ };
+
+ webhookSecretFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to file containing the webhook secret.";
+ };
+
+ dataDir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/noisebell-rss";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users.users.noisebell-rss = {
+ isSystemUser = true;
+ group = "noisebell-rss";
+ };
+ users.groups.noisebell-rss = {};
+
+ services.caddy.virtualHosts.${cfg.domain}.extraConfig = ''
+ reverse_proxy localhost:${toString cfg.port}
+ '';
+
+ systemd.services.noisebell-rss = {
+ description = "Noisebell RSS/Atom feed";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ environment = {
+ NOISEBELL_RSS_PORT = toString cfg.port;
+ NOISEBELL_RSS_DATA_DIR = cfg.dataDir;
+ NOISEBELL_RSS_SITE_URL = "https://${cfg.domain}";
+ RUST_LOG = "info";
+ };
+ script = ''
+ export NOISEBELL_RSS_WEBHOOK_SECRET="$(cat ${cfg.webhookSecretFile})"
+ exec ${bin}
+ '';
+ serviceConfig = {
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = 5;
+ User = "noisebell-rss";
+ Group = "noisebell-rss";
+ StateDirectory = "noisebell-rss";
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ ReadWritePaths = [ cfg.dataDir ];
+ };
+ };
+ };
+}
diff --git a/remote/secrets/secrets.nix b/remote/secrets/secrets.nix
deleted file mode 100644
index cd72784..0000000
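Review bot: `dataDir` is a free-form `types.str` that feeds both `NOISEBELL_RSS_DATA_DIR` and `ReadWritePaths`, but the directory that actually gets created and chowned to `noisebell-rss` comes from `StateDirectory = "noisebell-rss"`, i.e. `/var/lib/noisebell-rss`; if a user overrides `dataDir`, nothing provisions the new path, and under `ProtectSystem = "strict"` the service will most likely fail at runtime rather than at evaluation. Either tie the option to the fixed location with `readOnly = true;` and a `description`, or state in the description that a non-default path must already exist and be writable by the `noisebell-rss` user; the cache module's `dataDir` has the same shape. For the default value `ReadWritePaths = [ cfg.dataDir ]` is redundant with `StateDirectory`, which already grants write access there, so a short comment saying why it is kept would help the next reader.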
--- a/remote/secrets/secrets.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-let
- remote = "ssh-ed25519 AAAA..."; # Remote server's SSH host public key
-in
-{
- "pi-api-key.age".publicKeys = [ remote ];
- "pi-inbound-api-key.age".publicKeys = [ remote ];
- "discord-token.age".publicKeys = [ remote ];
- "discord-webhook-secret.age".publicKeys = [ remote ];
- "rss-webhook-secret.age".publicKeys = [ remote ];
-}