Inital bot files

nix/clippy.nix

@@ -0,0 +1,39 @@
+{
+  cargo,
+  clippy,
+  clippy-sarif,
+  refraction,
+  rustPlatform,
+  sarif-fmt,
+  stdenv,
+}:
+
+stdenv.mkDerivation {
+  pname = "${refraction.pname}-sarif-report";
+  inherit (refraction)
+    version
+    src
+    cargoDeps
+    buildInputs
+    ;
+
+  nativeBuildInputs = [
+    cargo
+    clippy
+    clippy-sarif
+    rustPlatform.cargoSetupHook
+    sarif-fmt
+  ];
+
+  buildPhase = ''
+    cargo clippy \
+      --all-features \
+      --all-targets \
+      --tests \
+      --message-format=json \
+    | clippy-sarif | tee $out | sarif-fmt
+  '';
+
+  dontInstall = true;
+  dontFixup = true;
+}

nix/containerize.nix

@@ -0,0 +1,9 @@
+{ lib, dockerTools }:
+refraction:
+
+dockerTools.buildLayeredImage {
+  name = "refraction";
+  tag = "latest-${refraction.passthru.dockerArchitecture}";
+  config.Cmd = [ (lib.getExe refraction) ];
+  architecture = refraction.passthru.dockerArchitecture;
+}

nix/module.nix

@@ -0,0 +1,147 @@
+self:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.refraction;
+  defaultUser = "refraction";
+
+  inherit (lib)
+    getExe
+    literalExpression
+    mkEnableOption
+    mkIf
+    mkOption
+    mkPackageOption
+    optionals
+    types
+    ;
+in
+{
+  options.services.refraction = {
+    enable = mkEnableOption "refraction";
+    package = mkPackageOption self.packages.${pkgs.stdenv.hostPlatform.system} "refraction" { };
+
+    user = mkOption {
+      description = ''
+        User under which the service should run. If this is the default value,
+        the user will be created, with the specified group as the primary
+        group.
+      '';
+      type = types.str;
+      default = defaultUser;
+      example = literalExpression ''
+        "bob"
+      '';
+    };
+
+    group = mkOption {
+      description = ''
+        Group under which the service should run. If this is the default value,
+        the group will be created.
+      '';
+      type = types.str;
+      default = defaultUser;
+      example = literalExpression ''
+        "discordbots"
+      '';
+    };
+
+    redisUrl = mkOption {
+      description = ''
+        Connection to a redis server. If this needs to include credentials
+        that shouldn't be world-readable in the Nix store, set environmentFile
+        and override the `REDIS_URL` entry.
+        Pass the string `local` to setup a local Redis database.
+      '';
+      type = types.str;
+      default = "local";
+      example = literalExpression ''
+        "redis://localhost/"
+      '';
+    };
+
+    environmentFile = mkOption {
+      description = ''
+        Environment file as defined in {manpage}`systemd.exec(5)`
+      '';
+      type = types.nullOr types.path;
+      default = null;
+      example = literalExpression ''
+        "/run/agenix.d/1/refraction"
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.redis.servers.refraction = mkIf (cfg.redisUrl == "local") {
+      enable = true;
+      inherit (cfg) user;
+      port = 0; # disable tcp listener
+    };
+
+    systemd.services."refraction" = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ] ++ optionals (cfg.redisUrl == "local") [ "redis-refraction.service" ];
+
+      script = ''
+        ${getExe cfg.package}
+      '';
+
+      environment = {
+        BOT_REDIS_URL =
+          if cfg.redisUrl == "local" then
+            "unix:${config.services.redis.servers.refraction.unixSocket}"
+          else
+            cfg.redisUrl;
+      };
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "on-failure";
+
+        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
+
+        User = cfg.user;
+        Group = cfg.group;
+
+        # hardening
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RestrictNamespaces = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@resources"
+          "~@privileged"
+        ];
+      };
+    };
+
+    users = {
+      users = mkIf (cfg.user == defaultUser) {
+        ${defaultUser} = {
+          isSystemUser = true;
+          inherit (cfg) group;
+        };
+      };
+
+      groups = mkIf (cfg.group == defaultUser) { ${defaultUser} = { }; };
+    };
+  };
+}

nix/package.nix

@@ -0,0 +1,68 @@
+{
+  lib,
+  stdenv,
+  go,
+  rustPlatform,
+  lto ? !optimizeSize,
+  optimizeSize ? false,
+}:
+
+let
+  fs = lib.fileset;
+  toRustFlags = flags: toString (lib.mapAttrsToList (name: value: "-C ${name}=${value}") flags);
+in
+assert lib.assertMsg (lto -> !optimizeSize) "`lto` and `optimizeSize` are mutually exclusive";
+rustPlatform.buildRustPackage rec {
+  pname = "refraction";
+  inherit (passthru.cargoToml.package) version;
+
+  src = fs.toSource {
+    root = ../.;
+    fileset = fs.intersection (fs.gitTracked ../.) (
+      fs.unions [
+        ../src
+        ../build.rs
+        ../Cargo.lock
+        ../Cargo.toml
+        ../tags
+      ]
+    );
+  };
+
+  cargoLock.lockFile = ../Cargo.lock;
+
+  # `panic=abort` breaks tests womp womp
+  doCheck = stdenv.buildPlatform.canExecute stdenv.hostPlatform && !optimizeSize;
+
+  env = {
+    RUSTFLAGS = toRustFlags (
+      lib.optionalAttrs lto {
+        lto = "thin";
+        embed-bitcode = "yes";
+      }
+      // lib.optionalAttrs optimizeSize {
+        codegen-units = "1";
+        opt-level = "s";
+        panic = "abort";
+        strip = "symbols";
+      }
+    );
+  };
+
+  passthru = {
+    cargoToml = lib.importTOML ../Cargo.toml;
+    # For container images
+    dockerArchitecture = go.GOARCH;
+  };
+
+  meta = {
+    description = "Discord bot for Prism Launcher";
+    homepage = "https://github.com/PrismLauncher/refraction";
+    license = lib.licenses.gpl3Plus;
+    maintainers = with lib.maintainers; [
+      getchoo
+      Scrumplex
+    ];
+    mainProgram = "refraction";
+  };
+}

nix/static.nix

@@ -0,0 +1,9 @@
+{ pkgsCross }:
+let
+  crossPlatformFor = with pkgsCross; {
+    x86_64 = musl64.pkgsStatic;
+    aarch64 = aarch64-multiplatform.pkgsStatic;
+  };
+in
+{ arch }:
+crossPlatformFor.${arch}.callPackage ./package.nix { optimizeSize = true; }