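# NixOS module for the nexusbot server.
#
# `self` is the flake that provides the package; the remaining arguments are
# the standard NixOS module arguments (`utils` supplies escapeSystemdExecArgs).
self: { config, lib, pkgs, utils, ... }:
let
  cfg = config.services.nexusbot;

  # Secrets are handed to the process through systemd's LoadCredential=, which
  # copies them into this per-service directory at start; the original files
  # therefore only need to be readable by root, never by the service user.
  credDir = "/run/credentials/nexusbot.service";
in {
  meta.maintainers = with lib.maintainers; [ quadradical ];

  options.services.nexusbot = {
    enable = lib.mkEnableOption "the nexusbot server";

    # hostPlatform.system is the preferred spelling of pkgs.system.
    package = lib.mkPackageOption self.packages.${pkgs.stdenv.hostPlatform.system} "default" { };

    botPasswordFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        File containing the bot's password. It is read by systemd at service
        start (LoadCredential=), so it must be readable by root but need not
        be readable by the service user. Give a string path to a file outside
        the Nix store: a path literal such as `./secret` would be copied into
        the world-readable store.
      '';
    };

    smtpPasswordFile = lib.mkOption {
      type = lib.types.path;
      description = ''
        File containing the SMTP password, delivered to the service the same
        way as `botPasswordFile`. Keep it outside the Nix store.
      '';
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "nexusbot";
      description = ''
        Group the service runs as and that owns `/run/nexusbot` (mode 0770).
        The service uses DynamicUser, so if this group does not exist systemd
        allocates it for the lifetime of the unit; declare it under
        `users.groups` if other units need to join it to share the runtime
        directory.
      '';
    };

    args = lib.mkOption {
      type = with lib.types; listOf str;
      default = [ ];
      description = ''
        Extra command-line arguments appended after the credential options.
        Each element is passed as one argument (escaped for systemd).
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.nexusbot = {
      description = "nexusbot server";
      documentation = [ "https://git.federated.nexus/Henry-Hiles/nexusbot" ];
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        LoadCredential = [
          "bot-password:${cfg.botPasswordFile}"
          "smtp-password:${cfg.smtpPasswordFile}"
        ];

        ExecStart = utils.escapeSystemdExecArgs ([
          (lib.getExe cfg.package)
          "--botPasswordFile=${credDir}/bot-password"
          "--smtpPasswordFile=${credDir}/smtp-password"
        ] ++ cfg.args);

        # Unprivileged, transient user; implies NoNewPrivileges, PrivateTmp
        # and RemoveIPC as well.
        DynamicUser = true;
        Group = cfg.group;

        # Sandboxing. The process is not root, so the capability set is empty
        # anyway; stating it explicitly documents the intent.
        CapabilityBoundingSet = "";
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateDevices = true;
        PrivateMounts = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];

        Restart = "always";
        RestartSec = 5;

        # Octal modes are written as strings: a bare Nix literal like 0770 is a
        # decimal integer that only happens to survive systemd's octal parsing
        # because it contains no 8 or 9.
        UMask = "0007";
        RuntimeDirectory = "nexusbot";
        RuntimeDirectoryMode = "0770";
      };
    };
  };
}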