WIP: pr-tracker hosting

This commit is contained in:
Patrick 2024-07-19 07:01:37 +02:00
parent 0c9b25bc43
commit 37ae370144
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
5 changed files with 175 additions and 6 deletions


@ -17,11 +17,6 @@ in {
mode = "0770";
};
};
age.secrets.pr-tracker = {
generator.script = "alnum";
inherit (config.services.maddy) group;
mode = "640";
};
age.secrets.resticpasswd = {
generator.script = "alnum";
@ -95,7 +90,6 @@ in {
};
ensureCredentials = {
"patrick@${domain}".passwordFile = config.age.secrets.patrickPasswd.path;
"pr-tracker@${domain}".passwordFile = config.age.secrets.pr-tracker.path;
};
ensureAccounts = [
"patrick@${domain}"


@ -0,0 +1,129 @@
{
config,
nodes,
lib,
pkgs,
...
}: let
prestart = pkgs.writeShellScript "pr-tracker-pre" ''
if [ ! -d "$DIRECTORY" ]; then
${lib.getExe pkgs.git} clone https://github.com/NixOS/nixpkgs.git
fi
'';
in {
environment.persistence."/persist".directories = [
{
directory = "/var/lib/pr-tracker";
user = "pr-tracker";
group = "pr-tracker";
mode = "0700";
}
];
age.secrets.maddyPasswd = {
generator.script = "alnum";
owner = "pr-tracker";
};
age.secrets.prTrackerEnv = {
rekeyFile = config.node.secretsDir + "/pr-tracker-env.age";
owner = "pr-tracker";
};
age.secrets.prTrackerWhiteList = {
rekeyFile = config.node.secretsDir + "/pr-tracker-white-list.age";
owner = "pr-tracker";
};
nodes.maddy = {
age.secrets.pr-trackerPasswd = {
inherit (config.age.secrets.maddyPasswd) rekeyFile;
inherit (nodes.maddy.config.services.maddy) group;
mode = "640";
};
services.maddy.ensureCredentials = {
"pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.vaultwardenPasswd.path;
};
};
systemd.sockets.pr-tracker = {
listenStreams = "0.0.0.0:300";
};
systemd.services.pr-tracker = {
after = ["network.target"];
script = ''
${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.gloab.domain}\
--user-agent "Patricks pr-tracker"\
--path nixpks --remote origin\
--white-list ${config.age.secrets.prTrackerEnv.path};
'';
serviceConfig = {
User = "pr-tracker";
Group = "pr-tracker";
StateDirectory = "pr-tracker";
WorkingDirectory = "/var/lib/pr-tracker";
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
ExecStartPre = prestart;
EnvironmentFile = config.age.secrets.prTrackerEnv.path;
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
UMask = "0077";
};
wantedBy = ["multi-user.target"];
};
systemd.timers.pr-tracker-update = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "30m";
OnUnitActiveSec = "30m";
};
};
systemd.services.pr-tracker-update = {
script = ''
set -eu
${lib.getExe pkgs.git} -C nixpkgs fetch
${lib.getExe pkgs.curl} http://localhost:3000/update
'';
serviceConfig = {
Requires = "pr-tracker";
Type = "oneshot";
User = "pr-tracker";
Group = "pr-tracker";
StateDirectory = "pr-tracker";
WorkingDirectory = "/var/lib/pr-tracker";
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
ExecStartPre = prestart;
EnvironmentFile = config.age.secrets.prTrackerEnv.path;
};
};
}
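Review bot: Two secret references in the new module are crossed: under `nodes.maddy.services.maddy.ensureCredentials` the pr-tracker mail account gets `nodes.maddy.config.age.secrets.vaultwardenPasswd.path` instead of the `pr-trackerPasswd` secret declared just above it, and the service script passes `--white-list ${config.age.secrets.prTrackerEnv.path}`, so the environment secret is fed to the tracker as its white list while `prTrackerWhiteList` is never used. The same script reads `config.secrets.secrets.gloab.domain` (every other reference on this page uses `global.domains.*`, and the nginx hunk maps this host to `tracker.<web domain>`, so the `--url` host presumably needs to match that — confirm) and `--path nixpks`, while `prestart` clones and the update unit fetches `nixpkgs`; `prestart` also tests `$DIRECTORY`, which nothing here sets, so `[ ! -d "$DIRECTORY" ]` is always true and the clone is attempted on every start — `if [ ! -d nixpkgs ]; then` relative to the WorkingDirectory would do. `listenStreams = "0.0.0.0:300"` is a bare string where the option takes a list, and the update unit curls port 3000, so one of the two ports is wrong; `Requires = "pr-tracker"` likely needs the `.service` suffix, and I believe systemd rejects `Restart = "always"` on a `Type = "oneshot"` unit — confirm against the journal after deploy. The hardening set on `pr-tracker` is good; the update unit would benefit from the same block, and `${lib.getExe pkgs.curl} --fail http://localhost:3000/update` makes a non-2xx reply fail the oneshot under `set -e`.
```nix
      services.maddy.ensureCredentials = {
        "pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.pr-trackerPasswd.path;
      };
    # … unchanged: systemd.sockets, after, serviceConfig …
    script = ''
      ${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.global.domains.web}\
        --user-agent "Patricks pr-tracker"\
        --path nixpkgs --remote origin\
        --white-list ${config.age.secrets.prTrackerWhiteList.path};
    '';
```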


@ -26,6 +26,7 @@
firefly = "money";
homebox = "homebox";
octoprint = "print";
pr-tracker = "tracker";
};
in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
# TODO hard coded elisabeth nicht so schön
@ -167,6 +168,14 @@ in {
(proxyProtect "ttrss" {port = 80;} true)
(blockOf "yourspotify" {port = 80;})
#(blockOf "homebox" {})
(blockOf "pr-tracker" {})
{
virtualHosts.${domainOf "pr-tracker"} = {
locations."/update" = {
deny = "all";
};
};
}
(proxyProtect "ollama" {} true)
(proxyProtect "octoprint" {} true)
(proxyProtect "firefly" {port = 80;} true)
@ -277,6 +286,7 @@ in {
// mkContainer "ollama" {}
// mkContainer "murmur" {}
#// mkContainer "homebox" {}
// mkContainer "pr-tracker" {}
// mkContainer "ttrss" {}
// mkContainer "firefly" {}
// mkContainer "yourspotify" {}
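Review bot: The `locations."/update"` block added to the pr-tracker vhost has no comment saying why it is there; nothing in this file tells a reader that `/update` is the endpoint the pr-tracker-update timer calls over localhost and must stay unreachable through the proxy, so a line such as `# /update is only for the local pr-tracker-update timer; never expose it through the proxy` above the block would prevent it being removed as a leftover. `deny = "all"` on a prefix location also covers `/update/...` and `/updatefoo`, which is harmless for a block, but whether it actually takes precedence over what `blockOf "pr-tracker" {}` generates depends on that helper (a regex location would win over this prefix one), so verify with a request to the deployed vhost. The `domains` and `mkContainer` hunks only add the host mapping and container entry; nothing to raise there.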


@ -5,6 +5,7 @@
zsh-histdb = super.callPackage ./zsh-histdb.nix {};
your_spotify = super.callPackage ./your_spotify.nix {};
actual = super.callPackage ./actual.nix {};
pr-tracker = super.callPackage ./pr-tracker.nix {};
homebox = super.callPackage ./homebox.nix {};
deploy = super.callPackage ./deploy.nix {};
mongodb-bin = super.callPackage ./mongodb-bin.nix {};

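--- a/pkgs/pr-tracker.nix
+++ b/pkgs/pr-tracker.nix
@@ -0,0 +1,35 @@
+{
+rustPlatform,
+lib,
+openssl,
+pkg-config,
+systemd,
+fetchFromGitHub,
+}:
+rustPlatform.buildRustPackage {
+name = "pr-tracker";
+src = fetchFromGitHub {
+owner = "patrickdag";
+repo = "pr-tracker";
+rev = "54d47f277df81bfe82339ec3d2ceabd9c371aa91";
+hash = "sha256-C3dGaxxEH2acM1Ozvk5BcU+Gq6vPjSEzBVWZcRKMSzk=";
+};
+cargoHash = "sha256-pcIbL/mWhvQpQcVgyeNccW5cnHGKPKBpY9f2eeSrcjk=";
+nativeBuildInputs = [pkg-config];
+buildInputs = [openssl systemd];
+meta = with lib; {
+description = "Nixpkgs pull request channel tracker";
+longDescription = ''
+A web server that displays the path a Nixpkgs pull request will take
+through the various release channels.
+'';
+platforms = platforms.linux;
+license = licenses.agpl3Plus;
+maintainers = with maintainers; [patrickdag];
+mainProgram = "pr-tracker";
+};
+}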
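Review bot: `name = "pr-tracker"` gives the derivation no version; with `buildRustPackage` the conventional form is `pname = "pr-tracker"; version = "<version or unstable-date>";` so the store path and package listings identify which revision is built (pinning `rev` to a full commit hash together with `hash` and `cargoHash`, as done here, is the right way to fix the source and should stay). `maintainers = with maintainers; [patrickdag]` only evaluates if `lib.maintainers` has that attribute, which in an overlay outside nixpkgs it may not; dropping the line or using a plain string avoids an evaluation failure. A one-line comment naming the upstream this repository is derived from would also help, since `owner = "patrickdag"` appears to be a fork and the description is the upstream project's.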