feat(ops/gerrit-webhook-to-irccat): init

This is a listener for gerrit events, sent by their "webhooks" plugin,
as well as a NixOS module to deploy it.

Issue: https://git.snix.dev/snix/snix/issues/74
Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484
Reviewed-on: https://cl.snix.dev/c/snix/+/30526
Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz>
Tested-by: besadii
Autosubmit: Florian Klink <flokli@flokli.de>

ops/modules/gerrit-webhook-to-irccat.nix

@@ -0,0 +1,50 @@
+{ config, depot, lib, ... }:
+
+let
+  cfg = config.services.depot.gerrit-webhook-to-irccat;
+  description = "receive gerrit webhooks and forward to irccat";
+in
+
+{
+  options.services.depot.gerrit-webhook-to-irccat = {
+    enable = lib.mkEnableOption description;
+
+    irccatUrl = lib.mkOption {
+      type = lib.types.str;
+    };
+
+    listenAddress = lib.mkOption {
+      type = lib.types.str;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.gerrit-webhook-to-irccat = {
+      serviceConfig = {
+        ExecStart = "${depot.ops.gerrit-webhook-to-irccat}/bin/gerrit-webhook-to-irccat" +
+          " -irccat-url ${cfg.irccatUrl}";
+        Restart = "always";
+        RestartSec = 5;
+        User = "gerrit-webhook-to-irccat";
+        DynamicUser = true;
+        ProtectHome = true;
+        ProtectSystem = true;
+        MemoryDenyWriteExecute = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+      };
+    };
+    systemd.sockets.gerrit-webhook-to-irccat = {
+      wantedBy = [ "sockets.target" ];
+      socketConfig.ListenStream = cfg.listenAddress;
+    };
+  };
+}