From 37ae370144fb75ad231b866f6c932fdd1e747f10 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Fri, 19 Jul 2024 07:01:37 +0200
Subject: [PATCH] WIP: pr-tracker hosting
---
 config/services/maddy.nix | 6 --
 config/services/pr-tracker.nix | 129 +++++++++++++++++++++++++++++++++
 hosts/elisabeth/guests.nix | 10 +++
 pkgs/default.nix | 1 +
 pkgs/pr-tracker.nix | 35 +++++++++
 5 files changed, 175 insertions(+), 6 deletions(-)
 create mode 100644 config/services/pr-tracker.nix
 create mode 100644 pkgs/pr-tracker.nix
diff --git a/config/services/maddy.nix b/config/services/maddy.nix
index 4bb4184..fe93bd1 100644
--- a/config/services/maddy.nix
+++ b/config/services/maddy.nix
@@ -17,11 +17,6 @@ in {
 mode = "0770";
 };
 };
- age.secrets.pr-tracker = {
- generator.script = "alnum";
- inherit (config.services.maddy) group;
- mode = "640";
- };
 age.secrets.resticpasswd = {
 generator.script = "alnum";
@@ -95,7 +90,6 @@ in {
 };
 ensureCredentials = {
 "patrick@${domain}".passwordFile = config.age.secrets.patrickPasswd.path;
- "pr-tracker@${domain}".passwordFile = config.age.secrets.pr-tracker.path;
 };
 ensureAccounts = [
 "patrick@${domain}"
diff --git a/config/services/pr-tracker.nix b/config/services/pr-tracker.nix
new file mode 100644
index 0000000..0fcbbf3
--- /dev/null
+++ b/config/services/pr-tracker.nix
@@ -0,0 +1,129 @@
+{
+ config,
+ nodes,
+ lib,
+ pkgs,
+ ...
+}: let
+ prestart = pkgs.writeShellScript "pr-tracker-pre" ''
+ if [ ! -d "$DIRECTORY" ]; then
+ ${lib.getExe pkgs.git} clone https://github.com/NixOS/nixpkgs.git
+ fi
+ '';
+in {
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/pr-tracker";
+ user = "pr-tracker";
+ group = "pr-tracker";
+ mode = "0700";
+ }
+ ];
+ age.secrets.maddyPasswd = {
+ generator.script = "alnum";
+ owner = "pr-tracker";
+ };
+ age.secrets.prTrackerEnv = {
+ rekeyFile = config.node.secretsDir + "/pr-tracker-env.age";
+ owner = "pr-tracker";
+ };
+ age.secrets.prTrackerWhiteList = {
+ rekeyFile = config.node.secretsDir + "/pr-tracker-white-list.age";
+ owner = "pr-tracker";
+ };
+ nodes.maddy = {
+ age.secrets.pr-trackerPasswd = {
+ inherit (config.age.secrets.maddyPasswd) rekeyFile;
+ inherit (nodes.maddy.config.services.maddy) group;
+ mode = "640";
+ };
+ services.maddy.ensureCredentials = {
+ "pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.vaultwardenPasswd.path;
+ };
+ };
+ systemd.sockets.pr-tracker = {
+ listenStreams = "0.0.0.0:300";
+ };
+ systemd.services.pr-tracker = {
+ after = ["network.target"];
+ script = ''
+ ${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.gloab.domain}\
+ --user-agent "Patricks pr-tracker"\
+ --path nixpks --remote origin\
+ --white-list ${config.age.secrets.prTrackerEnv.path};
+ '';
+ serviceConfig = {
+ User = "pr-tracker";
+ Group = "pr-tracker";
+ StateDirectory = "pr-tracker";
+ WorkingDirectory = "/var/lib/pr-tracker";
+ LimitNOFILE = "1048576";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ StateDirectoryMode = "0700";
+ Restart = "always";
+ ExecStartPre = prestart;
+ EnvironmentFile = config.age.secrets.prTrackerEnv.path;
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@pkey"
+ ];
+ UMask = "0077";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ systemd.timers.pr-tracker-update = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "30m";
+ OnUnitActiveSec = "30m";
+ };
+ };
+
+ systemd.services.pr-tracker-update = {
+ script = ''
+ set -eu
+ ${lib.getExe pkgs.git} -C nixpkgs fetch
+ ${lib.getExe pkgs.curl} http://localhost:3000/update
+ '';
+ serviceConfig = {
+ Requires = "pr-tracker";
+ Type = "oneshot";
+ User = "pr-tracker";
+ Group = "pr-tracker";
+ StateDirectory = "pr-tracker";
+ WorkingDirectory = "/var/lib/pr-tracker";
+ LimitNOFILE = "1048576";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ StateDirectoryMode = "0700";
+ Restart = "always";
+ ExecStartPre = prestart;
+ EnvironmentFile = config.age.secrets.prTrackerEnv.path;
+ };
+ };
+}
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index ad6509f..c771863 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -26,6 +26,7 @@
 firefly = "money";
 homebox = "homebox";
 octoprint = "print";
+ pr-tracker = "tracker";
 };
 in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}"; # TODO hard coded elisabeth nicht so schön
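Review bot: The maddy credential for the new mailbox points at the wrong secret: `"pr-tracker@…".passwordFile = nodes.maddy.config.age.secrets.vaultwardenPasswd.path` reuses vaultwarden's password for the pr-tracker account, while the `age.secrets.pr-trackerPasswd` declared a few lines above is never referenced; it should read `passwordFile = nodes.maddy.config.age.secrets.pr-trackerPasswd.path;`. The same mix-up recurs in the service script, where `--white-list ${config.age.secrets.prTrackerEnv.path}` hands the secret environment file to the program as its white list and leaves `prTrackerWhiteList` unused; use `config.age.secrets.prTrackerWhiteList.path` there. The script also carries typos that will keep the unit from evaluating or starting: `gloab.domain` (elsewhere the option is spelled `global.domains…`), `--path nixpks` against the `nixpkgs` directory the prestart clones and the update unit fetches, and a socket on port `300` while the update unit curls `localhost:3000`. Because `$DIRECTORY` is never set, the `[ ! -d "$DIRECTORY" ]` guard in prestart is always true and the clone is attempted on every (re)start, which fails once the checkout exists; test an explicit path such as `[ ! -d nixpkgs ]` instead. In the `pr-tracker-update` unit, `Requires = "pr-tracker"` inside `serviceConfig` is a [Unit] option and belongs in `requires = ["pr-tracker.service"]`, and `Restart = "always"` combined with `Type = "oneshot"` is likely to be rejected by systemd.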
@@ -167,6 +168,14 @@ in {
 (proxyProtect "ttrss" {port = 80;} true)
 (blockOf "yourspotify" {port = 80;})
 #(blockOf "homebox" {})
+ (blockOf "pr-tracker" {})
+ {
+ virtualHosts.${domainOf "pr-tracker"} = {
+ locations."/update" = {
+ deny = "all";
+ };
+ };
+ }
 (proxyProtect "ollama" {} true)
 (proxyProtect "octoprint" {} true)
 (proxyProtect "firefly" {port = 80;} true)
@@ -277,6 +286,7 @@ in {
 // mkContainer "ollama" {}
 // mkContainer "murmur" {}
 #// mkContainer "homebox" {}
+ // mkContainer "pr-tracker" {}
 // mkContainer "ttrss" {}
 // mkContainer "firefly" {}
 // mkContainer "yourspotify" {}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 34e1a64..3e8cf17 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -5,6 +5,7 @@
 zsh-histdb = super.callPackage ./zsh-histdb.nix {};
 your_spotify = super.callPackage ./your_spotify.nix {};
 actual = super.callPackage ./actual.nix {};
+ pr-tracker = super.callPackage ./pr-tracker.nix {};
 homebox = super.callPackage ./homebox.nix {};
 deploy = super.callPackage ./deploy.nix {};
 mongodb-bin = super.callPackage ./mongodb-bin.nix {};
diff --git a/pkgs/pr-tracker.nix b/pkgs/pr-tracker.nix
new file mode 100644
index 0000000..cbf6420
--- /dev/null
+++ b/pkgs/pr-tracker.nix
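Review bot: `(blockOf "pr-tracker" {})` leaves the upstream port to blockOf's default, which is not visible here, while the service unit binds its socket to `0.0.0.0:300` and the updater calls `localhost:3000/update`; confirm all three agree, or pass `{port = …;}` explicitly as the neighbouring entries do. The `locations."/update" = { deny = "all"; }` block is the right way to keep the state-changing trigger reachable only from the container-local timer unit, but note it is an nginx prefix location and so also covers `/update/…`, which is fine as long as the application serves nothing else under that prefix. The enclosing list starts outside the hunk.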
@@ -0,0 +1,35 @@
+{
+ rustPlatform,
+ lib,
+ openssl,
+ pkg-config,
+ systemd,
+ fetchFromGitHub,
+}:
+rustPlatform.buildRustPackage {
+ name = "pr-tracker";
+
+ src = fetchFromGitHub {
+ owner = "patrickdag";
+ repo = "pr-tracker";
+ rev = "54d47f277df81bfe82339ec3d2ceabd9c371aa91";
+ hash = "sha256-C3dGaxxEH2acM1Ozvk5BcU+Gq6vPjSEzBVWZcRKMSzk=";
+ };
+
+ cargoHash = "sha256-pcIbL/mWhvQpQcVgyeNccW5cnHGKPKBpY9f2eeSrcjk=";
+
+ nativeBuildInputs = [pkg-config];
+ buildInputs = [openssl systemd];
+
+ meta = with lib; {
+ description = "Nixpkgs pull request channel tracker";
+ longDescription = ''
+ A web server that displays the path a Nixpkgs pull request will take
+ through the various release channels.
+ '';
+ platforms = platforms.linux;
+ license = licenses.agpl3Plus;
+ maintainers = with maintainers; [patrickdag];
+ mainProgram = "pr-tracker";
+ };
+}
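Review bot: `name = "pr-tracker"` gives the derivation no version, so the store path and tooling output cannot tell which `rev` was built; prefer `pname = "pr-tracker";` plus a `version = "0-unstable-<YYYY-MM-DD>";` (placeholder date, taken from the pinned commit `54d47f27…`), which is the nixpkgs convention for unreleased sources. The pinned `rev`, `hash` and `cargoHash` are what make the build reproducible, so a short comment above `src` noting that all three must be bumped together would help the next maintainer.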