+1

modules/nixos/all-modules.nix

··· 1 1 [ 2 2 ./blahaj.nix 3 3 + ./nixpkgs-prs-bot.nix 3 4 ]

+124

modules/nixos/nixpkgs-prs-bot.nix

··· 1 1 + { tgirlpkgs }: 2 2 + { 3 3 + lib, 4 4 + pkgs, 5 5 + config, 6 6 + ... 7 7 + }: 8 8 + let 9 9 + inherit (lib) 10 10 + getExe 11 11 + mkIf 12 12 + mkMerge 13 13 + mkOption 14 14 + mkEnableOption 15 15 + ; 16 16 + 17 17 + cfg = config.services.nixpkgs-prs-bot; 18 18 + in 19 19 + { 20 20 + _class = "nixos"; 21 21 + 22 22 + options.services.nixpkgs-prs-bot = { 23 23 + enable = mkEnableOption "nixpkgs prs bot"; 24 24 + 25 25 + package = lib.mkOption { 26 26 + type = lib.types.package; 27 27 + default = tgirlpkgs.packages.${pkgs.stdenv.hostPlatform.system}.nixpkgs-prs; 28 28 + description = "The package to use for blahaj"; 29 29 + }; 30 30 + 31 31 + fedi = { 32 32 + enable = mkEnableOption "fedi" // { 33 33 + default = cfg.enable; 34 34 + }; 35 35 + 36 36 + environmentFile = mkOption { 37 37 + type = lib.types.nullOr lib.types.path; 38 38 + default = null; 39 39 + }; 40 40 + }; 41 41 + 42 42 + bsky = { 43 43 + enable = mkEnableOption "bsky" // { 44 44 + default = cfg.enable; 45 45 + }; 46 46 + 47 47 + environmentFile = mkOption { 48 48 + type = lib.types.nullOr lib.types.path; 49 49 + default = null; 50 50 + }; 51 51 + }; 52 52 + }; 53 53 + 54 54 + config = mkIf cfg.enable { 55 55 + users = { 56 56 + users.nixpkgs-prs-bot = { 57 57 + isSystemUser = true; 58 58 + createHome = false; 59 59 + description = "nixpkgs prs bot"; 60 60 + group = "nixpkgs-prs-bot"; 61 61 + }; 62 62 + 63 63 + groups.nixpkgs-prs-bot = { }; 64 64 + }; 65 65 + 66 66 + systemd = mkMerge ( 67 67 + lib.map 68 68 + ( 69 69 + attr: 70 70 + mkIf cfg.${attr}.enable { 71 71 + timers."nixpkgs-prs-${attr}" = { 72 72 + description = "post to ${attr} every night"; 73 73 + wantedBy = [ "timers.target" ]; 74 74 + timerConfig = { 75 75 + OnCalendar = "*-*-* 00:05:00 UTC"; 76 76 + Persistent = true; 77 77 + }; 78 78 + }; 79 79 + 80 80 + services."nixpkgs-prs-${attr}" = { 81 81 + description = "nixpkgs prs ${attr} bot"; 82 82 + after = [ "network.target" ]; 83 83 + path = [ cfg.package ]; 84 84 + 85 85 + serviceConfig = { 86 86 + ExecStart = "${getExe cfg.package} ${attr}"; 87 87 + EnvironmentFile = mkIf (cfg.${attr}.environmentFile != null) cfg.${attr}.environmentFile; 88 88 + Type = "oneshot"; 89 89 + User = "nixpkgs-prs-bot"; 90 90 + Group = "nixpkgs-prs-bot"; 91 91 + ReadWritePaths = [ ]; 92 92 + LockPersonality = true; 93 93 + MemoryDenyWriteExecute = true; 94 94 + NoNewPrivileges = true; 95 95 + PrivateDevices = true; 96 96 + PrivateIPC = true; 97 97 + PrivateTmp = true; 98 98 + PrivateUsers = true; 99 99 + ProtectClock = true; 100 100 + ProtectControlGroups = true; 101 101 + ProtectHome = true; 102 102 + ProtectHostname = true; 103 103 + ProtectKernelLogs = true; 104 104 + ProtectKernelModules = true; 105 105 + ProtectKernelTunables = true; 106 106 + ProtectProc = "invisible"; 107 107 + ProtectSystem = "full"; 108 108 + RestrictNamespaces = "uts ipc pid user cgroup"; 109 109 + RestrictRealtime = true; 110 110 + RestrictSUIDSGID = true; 111 111 + SystemCallArchitectures = "native"; 112 112 + SystemCallFilter = [ "@system-service" ]; 113 113 + UMask = "0077"; 114 114 + }; 115 115 + }; 116 116 + } 117 117 + ) 118 118 + [ 119 119 + "fedi" 120 120 + "bsky" 121 121 + ] 122 122 + ); 123 123 + }; 124 124 + }

+47

nilla.nix

··· 1 1 + let 2 2 + nilla = import ( 3 3 + builtins.fetchTarball { 4 4 + url = "https://github.com/nilla-nix/nilla/archive/main.tar.gz"; 5 5 + sha256 = "sha256-8vHPd/vRbylp9C4+PMk+pf63SDzSPgfkuSdAf7VAums="; 6 6 + } 7 7 + ); 8 8 + 9 9 + flakelock = builtins.fromJSON (builtins.readFile ./flake.lock); 10 10 + 11 11 + result = nilla.create ( 12 12 + { config }: 13 13 + { 14 14 + config = { 15 15 + inputs = { 16 16 + nixpkgs = 17 17 + let 18 18 + lock = flakelock.nodes.nixpkgs.locked; 19 19 + in 20 20 + { 21 21 + src = builtins.fetchTarball { 22 22 + url = "https://github.com/NixOS/nixpkgs/archive/${lock.rev}.tar.gz"; 23 23 + sha256 = lock.narHash; 24 24 + }; 25 25 + 26 26 + loader = "flake"; 27 27 + }; 28 28 + }; 29 29 + 30 30 + packages = builtins.mapAttrs (name: _: { 31 31 + systems = [ "aarch64-darwin" ]; 32 32 + 33 33 + builder = "nixpkgs"; 34 34 + 35 35 + settings = { 36 36 + pkgs = config.inputs.nixpkgs.loaded; 37 37 + 38 38 + args = { }; 39 39 + }; 40 40 + 41 41 + package = import ./pkgs/${name}/package.nix; 42 42 + }) (builtins.readDir ./pkgs); 43 43 + }; 44 44 + } 45 45 + ); 46 46 + in 47 47 + result

+51

pkgs/nixpkgs-prs/package.nix

··· 1 1 + { 2 2 + lib, 3 3 + rustPlatform, 4 4 + fetchFromGitHub, 5 5 + openssl, 6 6 + pkg-config, 7 7 + versionCheckHook, 8 8 + nix-update-script, 9 9 + }: 10 10 + rustPlatform.buildRustPackage { 11 11 + pname = "nixpkgs-prs"; 12 12 + version = "0.3.0"; 13 13 + 14 14 + src = fetchFromGitHub { 15 15 + owner = "isabelroses"; 16 16 + repo = "nixpkgs-prs-bot"; 17 17 + rev = "771a46c84fc48c8bda085593ebfd427d8d7db989"; 18 18 + hash = "sha256-IwnBqjdBilqeRJvXF8zNzrO7zKkCsN2pHSpf9uHchnU="; 19 19 + }; 20 20 + 21 21 + useFetchCargoVendor = true; 22 22 + cargoHash = "sha256-h4rVyfrjajlsxcWB2WCPuhUdpMlPu1VxfKmEUY5g9ic="; 23 23 + 24 24 + nativeBuildInputs = [ 25 25 + pkg-config 26 26 + versionCheckHook 27 27 + ]; 28 28 + 29 29 + buildInputs = [ 30 30 + openssl 31 31 + ]; 32 32 + 33 33 + doInstallCheck = true; 34 34 + versionCheckProgram = "${placeholder "out"}/bin/nixpkgs-prs"; 35 35 + versionCheckProgramArg = [ "--version" ]; 36 36 + 37 37 + passthru.updateScript = nix-update-script { 38 38 + extraArgs = [ 39 39 + "--version" 40 40 + "branch=HEAD" 41 41 + ]; 42 42 + }; 43 43 + 44 44 + meta = { 45 45 + homepage = "https://github.com/isabelroses/nixpkgs-prs-bot"; 46 46 + description = "check the merged nixpkgs PRs for that day"; 47 47 + license = lib.licenses.eupl12; 48 48 + maintainers = with lib.maintainers; [ isabelroses ]; 49 49 + mainProgram = "nixpkgs-prs"; 50 50 + }; 51 51 + }