WIP: pr-tracker hosting

config/services/maddy.nix

@@ -17,11 +17,6 @@ in {
       mode = "0770";
     };
   };
-  age.secrets.pr-tracker = {
-    generator.script = "alnum";
-    inherit (config.services.maddy) group;
-    mode = "640";
-  };
 
   age.secrets.resticpasswd = {
     generator.script = "alnum";
@@ -95,7 +90,6 @@ in {
     };
     ensureCredentials = {
       "patrick@${domain}".passwordFile = config.age.secrets.patrickPasswd.path;
-      "pr-tracker@${domain}".passwordFile = config.age.secrets.pr-tracker.path;
     };
     ensureAccounts = [
       "patrick@${domain}"

config/services/pr-tracker.nix

@@ -0,0 +1,129 @@
+{
+  config,
+  nodes,
+  lib,
+  pkgs,
+  ...
+}: let
+  prestart = pkgs.writeShellScript "pr-tracker-pre" ''
+    if [ ! -d "$DIRECTORY" ]; then
+      ${lib.getExe pkgs.git} clone https://github.com/NixOS/nixpkgs.git
+    fi
+  '';
+in {
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/pr-tracker";
+      user = "pr-tracker";
+      group = "pr-tracker";
+      mode = "0700";
+    }
+  ];
+  age.secrets.maddyPasswd = {
+    generator.script = "alnum";
+    owner = "pr-tracker";
+  };
+  age.secrets.prTrackerEnv = {
+    rekeyFile = config.node.secretsDir + "/pr-tracker-env.age";
+    owner = "pr-tracker";
+  };
+  age.secrets.prTrackerWhiteList = {
+    rekeyFile = config.node.secretsDir + "/pr-tracker-white-list.age";
+    owner = "pr-tracker";
+  };
+  nodes.maddy = {
+    age.secrets.pr-trackerPasswd = {
+      inherit (config.age.secrets.maddyPasswd) rekeyFile;
+      inherit (nodes.maddy.config.services.maddy) group;
+      mode = "640";
+    };
+    services.maddy.ensureCredentials = {
+      "pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.vaultwardenPasswd.path;
+    };
+  };
+  systemd.sockets.pr-tracker = {
+    listenStreams = "0.0.0.0:300";
+  };
+  systemd.services.pr-tracker = {
+    after = ["network.target"];
+    script = ''
+      ${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.gloab.domain}\
+        --user-agent "Patricks pr-tracker"\
+        --path nixpks --remote origin\
+        --white-list ${config.age.secrets.prTrackerEnv.path};
+    '';
+    serviceConfig = {
+      User = "pr-tracker";
+      Group = "pr-tracker";
+      StateDirectory = "pr-tracker";
+      WorkingDirectory = "/var/lib/pr-tracker";
+      LimitNOFILE = "1048576";
+      PrivateTmp = true;
+      PrivateDevices = true;
+      StateDirectoryMode = "0700";
+      Restart = "always";
+      ExecStartPre = prestart;
+      EnvironmentFile = config.age.secrets.prTrackerEnv.path;
+
+      # Hardening
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      ProtectSystem = "strict";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "@pkey"
+      ];
+      UMask = "0077";
+    };
+    wantedBy = ["multi-user.target"];
+  };
+  systemd.timers.pr-tracker-update = {
+    wantedBy = ["timers.target"];
+    timerConfig = {
+      OnBootSec = "30m";
+      OnUnitActiveSec = "30m";
+    };
+  };
+
+  systemd.services.pr-tracker-update = {
+    script = ''
+      set -eu
+      ${lib.getExe pkgs.git} -C nixpkgs fetch
+      ${lib.getExe pkgs.curl} http://localhost:3000/update
+    '';
+    serviceConfig = {
+      Requires = "pr-tracker";
+      Type = "oneshot";
+      User = "pr-tracker";
+      Group = "pr-tracker";
+      StateDirectory = "pr-tracker";
+      WorkingDirectory = "/var/lib/pr-tracker";
+      LimitNOFILE = "1048576";
+      PrivateTmp = true;
+      PrivateDevices = true;
+      StateDirectoryMode = "0700";
+      Restart = "always";
+      ExecStartPre = prestart;
+      EnvironmentFile = config.age.secrets.prTrackerEnv.path;
+    };
+  };
+}

hosts/elisabeth/guests.nix

@@ -26,6 +26,7 @@
       firefly = "money";
       homebox = "homebox";
       octoprint = "print";
+      pr-tracker = "tracker";
     };
   in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
   # TODO hard coded elisabeth nicht so schön
@@ -167,6 +168,14 @@ in {
       (proxyProtect "ttrss" {port = 80;} true)
       (blockOf "yourspotify" {port = 80;})
       #(blockOf "homebox" {})
+      (blockOf "pr-tracker" {})
+      {
+        virtualHosts.${domainOf "pr-tracker"} = {
+          locations."/update" = {
+            deny = "all";
+          };
+        };
+      }
       (proxyProtect "ollama" {} true)
       (proxyProtect "octoprint" {} true)
       (proxyProtect "firefly" {port = 80;} true)
@@ -277,6 +286,7 @@ in {
     // mkContainer "ollama" {}
     // mkContainer "murmur" {}
     #// mkContainer "homebox" {}
+    // mkContainer "pr-tracker" {}
     // mkContainer "ttrss" {}
     // mkContainer "firefly" {}
     // mkContainer "yourspotify" {}

pkgs/default.nix

@@ -5,6 +5,7 @@
     zsh-histdb = super.callPackage ./zsh-histdb.nix {};
     your_spotify = super.callPackage ./your_spotify.nix {};
     actual = super.callPackage ./actual.nix {};
+    pr-tracker = super.callPackage ./pr-tracker.nix {};
     homebox = super.callPackage ./homebox.nix {};
     deploy = super.callPackage ./deploy.nix {};
     mongodb-bin = super.callPackage ./mongodb-bin.nix {};

pkgs/pr-tracker.nix

@@ -0,0 +1,35 @@
+{
+  rustPlatform,
+  lib,
+  openssl,
+  pkg-config,
+  systemd,
+  fetchFromGitHub,
+}:
+rustPlatform.buildRustPackage {
+  name = "pr-tracker";
+
+  src = fetchFromGitHub {
+    owner = "patrickdag";
+    repo = "pr-tracker";
+    rev = "54d47f277df81bfe82339ec3d2ceabd9c371aa91";
+    hash = "sha256-C3dGaxxEH2acM1Ozvk5BcU+Gq6vPjSEzBVWZcRKMSzk=";
+  };
+
+  cargoHash = "sha256-pcIbL/mWhvQpQcVgyeNccW5cnHGKPKBpY9f2eeSrcjk=";
+
+  nativeBuildInputs = [pkg-config];
+  buildInputs = [openssl systemd];
+
+  meta = with lib; {
+    description = "Nixpkgs pull request channel tracker";
+    longDescription = ''
+      A web server that displays the path a Nixpkgs pull request will take
+      through the various release channels.
+    '';
+    platforms = platforms.linux;
+    license = licenses.agpl3Plus;
+    maintainers = with maintainers; [patrickdag];
+    mainProgram = "pr-tracker";
+  };
+}