infra/nix/hosts/pure-joy/modules/ta.nix

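{
  config,
  pkgs,
  ...
}: {
  # Tube Archivist ("ta") is run through `docker compose`, wrapped in a
  # hardened systemd service plus a slice that caps CPU and memory.
  #
  # NOTE(review): every sandboxing directive in serviceConfig below
  # (ProtectSystem, PrivateUsers, CapabilityBoundingSet, SystemCallFilter, ...)
  # confines the `docker compose` *client* process only. The containers are
  # created by the docker daemon (docker.service) and inherit none of these
  # restrictions; their confinement has to come from compose.yml itself.
  systemd = {
    services.ta = let
      srv = "ta";
      datadir = "/media/y${srv}";
      workdir = "/var/lib/tubearchivist";
      compose = "/etc/${srv}/compose.yml";
      # One compose invocation shared by ExecStartPre/ExecStart/ExecStop so all
      # three address the same project name and compose file.
      cmd = "${pkgs.docker}/bin/docker compose -p ${srv} -f ${compose}";
    in {
      wants = ["multi-user.target"];
      requires = ["docker.service"];
      # Requires= gives no ordering on its own: without After= this unit may be
      # started concurrently with docker.service, and the ExecStartPre
      # `compose down` can race the daemon coming up.
      after = ["docker.service"];
      upholds = ["docker.service" "caddy.service"];
      wantedBy = ["multi-user.target"];
      unitConfig = {
        Description = "Tube Archivist";
        # Refuse to start unless these are real mount points — presumably so
        # the service never writes into an empty mount point on the root fs.
        ConditionPathIsMountPoint = [
          datadir # ta data dir.
          "${workdir}/es" # es dir.
        ];
        # State directories that must already exist; nothing here creates them.
        ConditionPathExists = [
          "${datadir}/data"
          "${workdir}/es"
          "${workdir}/redis"
          "${workdir}/cache"
        ];
      };
      serviceConfig = {
        #Restart=on-failure;
        Restart = "always";
        # Only the compose client lands in ta.slice; the containers are
        # accounted there only if compose.yml places them under it
        # (e.g. cgroup_parent) — TODO confirm against compose.yml.
        Slice = "ta.slice";
        # `down` before `up`: a previous run is torn down completely (ExecStop
        # only stops containers, it does not remove them).
        ExecStartPre = "${cmd} down";
        ExecStart = "${cmd} up --remove-orphans";
        ExecStop = "${cmd} stop";
        RestartSec = 10;
        Nice = -2;
        IOSchedulingClass = 1;
        IOSchedulingPriority = 0;
        #Delegate=yes;
        Delegate = "no";
        # Filesystem view of the compose client under ProtectSystem=strict:
        # only the compose config is readable, only the state dirs writable.
        ReadOnlyPaths = [
          "/etc/${srv}"
        ];
        ReadWritePaths = [
          workdir
          datadir
        ];
        # Both the capability set and the syscall filter are denylists (`~`).
        # An allowlist (e.g. CapabilityBoundingSet= / SystemCallFilter=@system-service)
        # would be tighter, but is a behaviour change not made here.
        # CapabilityBoundingSet=;
        CapabilityBoundingSet = "~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*";
        #SystemCallFilter=~memfd_create @reboot @swap @resources @cpu-emulation @debug @module @clock @raw-io @obsolete;
        SystemCallFilter = "~memfd_create @reboot @swap @cpu-emulation @debug @module @clock @raw-io @obsolete";
        ProtectProc = "invisible";
        ProcSubset = "pid";
        ProtectHome = true;
        #; RestrictNamespaces="uts ipc pid user cgroup";
        RestrictNamespaces = true;
        NoNewPrivileges = true;
        #SecureBits=noroot-locked;
        ProtectSystem = "strict";
        PrivateTmp = true;
        DevicePolicy = "closed";
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        # Unix socket for the docker daemon, IPv4/IPv6 for registry pulls.
        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
      };
    };
    # Resource ceiling for whatever is accounted in ta.slice (see the Slice=
    # note above for what that actually covers).
    slices.ta = {
      before = ["slices.target"];
      # wants = ["docker.service"];
      unitConfig.Description = "Slice that limits resources of Tube Archivist";
      sliceConfig = {
        CPUAccounting = true;
        CPUQuota = "300%";
        MemoryAccounting = true;
        # Throttle at 6.5G, hard OOM limit at 8G.
        MemoryHigh = "6.5G";
        MemoryMax = "8G";
        #MemorySwapMax="200M";
      };
    };
  };
}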