From ac2dd37be87570ef8cd011297cb04a3343d2b597 Mon Sep 17 00:00:00 2001
From: Wittano Bonarotti
Date: Thu, 22 Aug 2024 23:52:07 +0200
Subject: [PATCH] refactor(nixos): added pass bot configuration via secret files
---
 .envrc | 1 -
 .gitignore | 1 +
 bot/config/types.go | 41 ++++++++++++++++++++++++++++++++---------
 flake.lock | 6 +++---
 nixos.nix | 41 +++++++++++++++--------------------------
 shell.nix | 12 +-----------
 6 files changed, 52 insertions(+), 50 deletions(-)
 delete mode 100644 .envrc
diff --git a/.envrc b/.envrc
deleted file mode 100644
index 44610e5..0000000
--- a/.envrc
+++ /dev/null
@@ -1 +0,0 @@
-use flake;
diff --git a/.gitignore b/.gitignore
index 6ee430b..c9add86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,4 @@ api
 # Sqlit
 *.sqlite
 sql
+.envrc
diff --git a/bot/config/types.go b/bot/config/types.go
index e108a46..3b6ab05 100644
--- a/bot/config/types.go
+++ b/bot/config/types.go
@@ -1,6 +1,7 @@
 package config
 import (
+ "errors"
 "fmt"
 "os"
 )
@@ -12,21 +13,43 @@ type BotProperties struct {
 }
 func NewBotProperties() (prop BotProperties, err error) {
- var ok bool
-
- prop.Token, ok = os.LookupEnv("DISCORD_BOT_TOKEN")
- if !ok || prop.Token == "" {
- err = fmt.Errorf("missing DISCORD_BOT_TOKEN variable")
+ prop.Token, err = loadEnv("DISCORD_BOT_TOKEN")
+ if err != nil {
 return
 }
- prop.AppID, ok = os.LookupEnv("APPLICATION_ID")
- if !ok || prop.AppID == "" {
- err = fmt.Errorf("missing APPLICATION_ID variable")
+ prop.AppID, err = loadEnv("APPLICATION_ID")
+ if err != nil {
 return
 }
- prop.ServerGUID = os.Getenv("SERVER_GUID")
+ prop.ServerGUID, _ = loadEnv("SERVER_GUID")
+
+ return
+}
+
+func loadEnv(name string) (env string, err error) {
+ if value, ok := os.LookupEnv(name + "_PATH"); ok {
+ return loadFromFile(value)
+ } else {
+ return loadFromEnvVar(name)
+ }
+}
+
+func loadFromEnvVar(name string) (env string, err error) {
+ env, ok := os.LookupEnv(name)
+ if !ok || env == "" {
+ return "", fmt.Errorf("missing %s variable", name)
+ }
 return
 }
+
+func loadFromFile(path string) (env string, err error) {
+ if _, err = os.Stat(path); errors.Is(err, os.ErrNotExist) {
+ return
+ }
+
+ b, err := os.ReadFile(path)
+ return string(b), err
+}
diff --git a/flake.lock b/flake.lock
index 025cdf0..b828ecb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1722141560,
- "narHash": "sha256-Ul3rIdesWaiW56PS/Ak3UlJdkwBrD4UcagCmXZR9Z7Y=",
+ "lastModified": 1724300212,
+ "narHash": "sha256-x3jl6OWTs+L9C7EtscuWZmGZWI0iSBDafvg3X7JMa1A=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "038fb464fcfa79b4f08131b07f2d8c9a6bcc4160",
+ "rev": "4de4818c1ffa76d57787af936e8a23648bda6be4",
 "type": "github"
 },
 "original": {
diff --git a/nixos.nix b/nixos.nix
index e793596..2059cd5 100644
--- a/nixos.nix
+++ b/nixos.nix
@@ -2,7 +2,6 @@
 with lib;
 let
 cfg = config.komputer;
- komputer = pkgs.callPackage ./default.nix { };
 in
 {
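Review bot: In `bot/config/types.go`, `loadFromFile` returns the file contents verbatim, so a secret file that ends with a newline produces a token with trailing whitespace, and an empty file is returned as a valid value even though `loadFromEnvVar` rejects an empty string. The `os.Stat` pre-check adds nothing, since `os.ReadFile` reports a missing file itself, and it leaves a window between the check and the read. I would read once, wrap the error with the path, trim, and reject an empty result as below; this needs `strings` in the import block and makes the new `errors` import unnecessary. Also, `prop.ServerGUID, _ = loadEnv("SERVER_GUID")` discards the error even when `SERVER_GUID_PATH` is set but the file cannot be read; ignoring only the missing-variable case would keep a misconfigured secret from passing silently.

```go
func loadFromFile(path string) (env string, err error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("reading secret file %q: %w", path, err)
	}

	// Secret files usually end with a newline; it is not part of the value.
	env = strings.TrimSpace(string(b))
	if env == "" {
		return "", fmt.Errorf("secret file %q is empty", path)
	}

	return env, nil
}
```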
@@ -12,27 +11,17 @@ in
 package = mkOption {
 type = types.package;
 default = komputer;
- description = "komputer package";
- };
- guildID = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Discord server id, that you deploy bot";
 };
- applicationID = mkOption {
- type = types.str;
+ applicationIDSecretPath = mkOption {
+ type = types.path;
 description = "Application ID for you local version of komputer bot";
 };
- token = mkOption {
- type = types.str;
- description = ''
- Discord token for bot.
-
- Your token never shouldn't be publish on any public git repository e.g. Github or Gitlab
- '';
+ tokenSecretPath = mkOption {
+ type = types.path;
+ description = "Path to file, that contain discord token for bot";
 };
- mongodbURI = mkOption {
- type = types.str;
+ mongodbURISecretPath = mkOption {
+ type = types.path;
 description = "Connection URI to your instance of mongodb";
 };
 };
@@ -41,15 +30,15 @@ in
 config = mkIf (cfg.enable) {
 assertions = [
 {
- assertion = cfg.token != "";
+ assertion = cfg.tokenSecretPath != "";
 message = "Option komputer.token is empty";
 }
 {
- assertion = cfg.applicationID != "";
+ assertion = cfg.applicationIDSecretPath != "";
 message = "Option komputer.applicationID is empty";
 }
 {
- assertion = cfg.mongodbURI != "";
+ assertion = cfg.mongodbURISecretPath != "";
 message = "Option komputer.mongodbURI is empty";
 }
 ];
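Review bot: In the options hunk of `nixos.nix`, `default = komputer;` stays as context on the `package` option, but the first hunk of this file removes the `komputer = pkgs.callPackage ./default.nix { };` binding, so unless the name is bound somewhere outside the diff the default will fail to evaluate whenever `komputer.package` is not set explicitly. Restore the binding or write `default = pkgs.callPackage ./default.nix { };`. Separately, the three `*SecretPath` options use `types.path`, which also accepts Nix path literals; a literal such as `./token` is copied into the world-readable Nix store once it is interpolated into the unit's environment, which undoes the point of moving the secrets into files. I would use `type = types.str;` and say in each description that the value must be an absolute path to a file kept outside the store. The `applicationIDSecretPath` and `mongodbURISecretPath` descriptions still describe the value itself rather than a path to a file.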
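Review bot: In the assertions hunk of `nixos.nix`, the three messages still name the removed options (`komputer.token`, `komputer.applicationID`, `komputer.mongodbURI`), so a failing assertion would point the operator at options that no longer exist; they should read for example `message = "Option komputer.tokenSecretPath is empty";`. With the options declared as `types.path`, the `!= ""` comparison looks unable to fail, because an empty string should already be rejected by the type check. Either drop the assertions or replace them with a check that says something useful, such as rejecting values that point into the Nix store.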
@@ -57,12 +46,12 @@ in
 systemd.services.komputer = {
 description = "Komputer - Discord bot behave as like 'komputer'. One of character in Star Track parody series created by Dem3000";
 wantedBy = [ "multi-user.target" ];
- path = cfg.package.propagatedBuildInputs or [];
+ path = cfg.package.propagatedBuildInputs or [ ];
 environment = {
- DISCORD_BOT_TOKEN = cfg.token;
- APPLICATION_ID = cfg.applicationID;
- MONGODB_URI = cfg.mongodbURI;
- } // (attrsets.optionalAttrs (cfg ? guildID && cfg.guildID != null) { SERVER_GUID = cfg.guildID; });
+ DISCORD_BOT_TOKEN_PATH = cfg.tokenSecretPath;
+ APPLICATION_ID_PATH = cfg.applicationIDSecretPath;
+ MONGODB_URI_PATH = cfg.mongodbURISecretPath;
+ };
 script = "${cfg.package}/bin/komputer";
 };
 };
diff --git a/shell.nix b/shell.nix
index 94886a3..87dc554 100644
--- a/shell.nix
+++ b/shell.nix
@@ -3,30 +3,20 @@
 , gopls
 , ffmpeg
 , nixfmt-classic
-, protoc-gen-go
-, protobuf
-, protoc-gen-go-grpc
 , act
-, go-migrate
-, sqlc
 , ...
 }:
 mkShell {
 hardeningDisable = [ "all" ];
 nativeBuildInputs = [
 go
- protobuf
- go-migrate
- sqlc
 act
 ];
+
 buildInputs = [
 gopls
- protoc-gen-go-grpc
- protoc-gen-go
 ffmpeg
 nixfmt-classic
 ];
 GOROOT = "${go}/share/go";
-
 }
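Review bot: In the `systemd.services.komputer` hunk of `nixos.nix`, `MONGODB_URI_PATH` is exported, but the Go change in this commit routes only `DISCORD_BOT_TOKEN`, `APPLICATION_ID` and `SERVER_GUID` through `loadEnv`. If the MongoDB client still reads `MONGODB_URI` directly (that code is not part of this diff), the service will start without a database URI. The `guildID` option and its `SERVER_GUID` entry are removed while `NewBotProperties` still reads that variable, so the module can no longer set it. The unit also depends on the service account being able to read the three files where they lie, and the visible definition sets no `serviceConfig`; handing them over with systemd's `LoadCredential=` would let the files stay root-only while the bot reads private copies from its credentials directory.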