snix/ops/modules/gerrit-webhook-to-irccat.nix
Ilan Joselevich 91d02d8c84 style: Switch to nixfmt from nixpkgs-fmt
Most of the ecosystem has moved to this formatter,
and many people configured their editors to autoformat it with this formatter.

Closes: https://git.snix.dev/snix/snix/issues/62
Change-Id: Icf39e7836c91fc2ae49fbe22a40a639105bfb0bd
Reviewed-on: https://cl.snix.dev/c/snix/+/30671
Reviewed-by: Florian Klink <flokli@flokli.de>
Tested-by: besadii
Autosubmit: Ilan Joselevich <personal@ilanjoselevich.com>
2025-08-10 13:40:23 +00:00


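# NixOS module: runs gerrit-webhook-to-irccat as a socket-activated,
# sandboxed systemd service. systemd owns the listening socket
# (`listenAddress`); the daemon itself only receives the `-irccat-url` flag.
{
  config,
  depot,
  lib,
  ...
}:
let
  cfg = config.services.depot.gerrit-webhook-to-irccat;
  description = "receive gerrit webhooks and forward to irccat";
in
{
  options.services.depot.gerrit-webhook-to-irccat = {
    enable = lib.mkEnableOption description;

    irccatUrl = lib.mkOption {
      type = lib.types.str;
      description = ''
        URL handed to the daemon as its `-irccat-url` argument.

        The value is spliced into the unit's `ExecStart=` line verbatim, so it
        must not contain whitespace, quotes, `%` or `$`, all of which systemd
        interprets on that line. The rendered unit lives in the world-readable
        Nix store and the argument shows up in the process list, so do not
        embed credentials in this URL.
      '';
    };

    listenAddress = lib.mkOption {
      type = lib.types.str;
      description = ''
        Address the socket unit listens on, used verbatim as `ListenStream=`.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.gerrit-webhook-to-irccat = {
      inherit description;

      serviceConfig = {
        # Plain string concatenation: cfg.irccatUrl is not quoted or escaped
        # for systemd's command-line parser (see the option description).
        ExecStart =
          "${depot.ops.gerrit-webhook-to-irccat}/bin/gerrit-webhook-to-irccat"
          + " -irccat-url ${cfg.irccatUrl}";
        Restart = "always";
        RestartSec = 5;

        # Transient, unprivileged UID allocated at start. Per systemd.exec(5),
        # DynamicUser= also implies ProtectSystem=strict, PrivateTmp=,
        # RemoveIPC=, NoNewPrivileges= and RestrictSUIDSGID=, so the weaker
        # `ProtectSystem = true` below is effectively raised to strict.
        User = "gerrit-webhook-to-irccat";
        DynamicUser = true;
        ProtectHome = true;
        ProtectSystem = true;

        # No writable+executable mappings; kernel interfaces read-only or
        # unavailable.
        MemoryDenyWriteExecute = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;

        # Allow-list first, then subtract the privileged group from it; the
        # order of the two entries matters.
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
        ];

        # NOTE(review): not set here and worth checking against what the
        # daemon needs (`systemd-analyze security` lists them):
        # PrivateDevices, ProtectKernelLogs, CapabilityBoundingSet,
        # RestrictAddressFamilies.
      };
    };

    # Socket activation: systemd binds the listener and starts the
    # same-named service on the first connection.
    # NOTE(review): nothing in this module authenticates incoming webhooks.
    # Whether the daemon does is not visible from here, so confirm before
    # choosing a non-loopback listenAddress.
    systemd.sockets.gerrit-webhook-to-irccat = {
      wantedBy = [ "sockets.target" ];
      socketConfig.ListenStream = cfg.listenAddress;
    };
  };
}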