064765b19a
This is a listener for gerrit events, sent by their "webhooks" plugin, as well as a NixOS module to deploy it. Issue: https://git.snix.dev/snix/snix/issues/74 Change-Id: I65c5c5a991e6b1f4f330b3439c8a25aec3f1b484 Reviewed-on: https://cl.snix.dev/c/snix/+/30526 Reviewed-by: Ryan Lahfa <ryan@lahfa.xyz> Tested-by: besadii Autosubmit: Florian Klink <flokli@flokli.de>
50 lines
1.3 KiB
Nix
50 lines
1.3 KiB
Nix
{ config, depot, lib, ... }:
|
|
|
|
let
|
|
cfg = config.services.depot.gerrit-webhook-to-irccat;
|
|
description = "receive gerrit webhooks and forward to irccat";
|
|
in
|
|
|
|
{
|
|
options.services.depot.gerrit-webhook-to-irccat = {
|
|
enable = lib.mkEnableOption description;
|
|
|
|
irccatUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
};
|
|
|
|
listenAddress = lib.mkOption {
|
|
type = lib.types.str;
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
systemd.services.gerrit-webhook-to-irccat = {
|
|
serviceConfig = {
|
|
ExecStart = "${depot.ops.gerrit-webhook-to-irccat}/bin/gerrit-webhook-to-irccat" +
|
|
" -irccat-url ${cfg.irccatUrl}";
|
|
Restart = "always";
|
|
RestartSec = 5;
|
|
User = "gerrit-webhook-to-irccat";
|
|
DynamicUser = true;
|
|
ProtectHome = true;
|
|
ProtectSystem = true;
|
|
MemoryDenyWriteExecute = true;
|
|
ProtectControlGroups = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@privileged"
|
|
];
|
|
};
|
|
};
|
|
systemd.sockets.gerrit-webhook-to-irccat = {
|
|
wantedBy = [ "sockets.target" ];
|
|
socketConfig.ListenStream = cfg.listenAddress;
|
|
};
|
|
};
|
|
}
|