diff --git a/config/basic/users.nix b/config/basic/users.nix
index 8495664..e4dd4b4 100644
--- a/config/basic/users.nix
+++ b/config/basic/users.nix
@@ -44,5 +44,6 @@
 ggr = uidGid 2002;
 family = uidGid 2003;
 printer = uidGid 2005;
+ pr-tracker = uidGid 2006;
 };
 }
diff --git a/config/services/pr-tracker.nix b/config/services/pr-tracker.nix
index 0fcbbf3..5199c43 100644
--- a/config/services/pr-tracker.nix
+++ b/config/services/pr-tracker.nix
@@ -6,11 +6,16 @@
 ...
 }: let
 prestart = pkgs.writeShellScript "pr-tracker-pre" ''
- if [ ! -d "$DIRECTORY" ]; then
+ if [ ! -d ./nixpkgs ]; then
 ${lib.getExe pkgs.git} clone https://github.com/NixOS/nixpkgs.git
 fi
 '';
 in {
+ wireguard.elisabeth = {
+ client.via = "elisabeth";
+ firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
+ };
+ networking.firewall.allowedTCPPorts = [3000];
 environment.persistence."/persist".directories = [
 {
 directory = "/var/lib/pr-tracker";
@@ -24,11 +29,11 @@ in {
 owner = "pr-tracker";
 };
 age.secrets.prTrackerEnv = {
- rekeyFile = config.node.secretsDir + "/pr-tracker-env.age";
+ rekeyFile = config.node.secretsDir + "/env.age";
 owner = "pr-tracker";
 };
 age.secrets.prTrackerWhiteList = {
- rekeyFile = config.node.secretsDir + "/pr-tracker-white-list.age";
+ rekeyFile = config.node.secretsDir + "/white-list.age";
 owner = "pr-tracker";
 };
 nodes.maddy = {
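Review bot: `networking.firewall.allowedTCPPorts = [3000];` in the `@@ -6,11 +6,16 @@` hunk opens the listener on every interface, not only toward the wireguard peer that `firewallRuleForNode.elisabeth.allowedTCPPorts` already covers, and the socket in the `@@ -38,20 +43,15 @@` hunk binds `0.0.0.0:3000`, so the `deny all;` that `hosts/elisabeth/guests.nix` places on `/update` protects only requests that pass through nginx; anything that can reach port 3000 directly talks to pr-tracker, `/update` included. If this guest has no interface other than the wireguard link and a host-side NAT the exposure may be small, but that is not visible in the diff. I would drop the global `networking.firewall.allowedTCPPorts` line and bind the socket to the wireguard address only, e.g. `listenStreams = ["<WG_ADDRESS_PLACEHOLDER>:3000"];`, or leave a comment next to the firewall line stating why reachability from all interfaces is intended.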
@@ -38,20 +43,15 @@ in {
 mode = "640";
 };
 services.maddy.ensureCredentials = {
- "pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.vaultwardenPasswd.path;
+ "pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.pr-trackerPasswd.path;
 };
 };
 systemd.sockets.pr-tracker = {
- listenStreams = "0.0.0.0:300";
+ listenStreams = ["0.0.0.0:3000"];
+ wantedBy = ["sockets.target"];
 };
 systemd.services.pr-tracker = {
- after = ["network.target"];
- script = ''
- ${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.gloab.domain}\
- --user-agent "Patricks pr-tracker"\
- --path nixpks --remote origin\
- --white-list ${config.age.secrets.prTrackerEnv.path};
- '';
+ path = [pkgs.git];
 serviceConfig = {
 User = "pr-tracker";
 Group = "pr-tracker";
@@ -63,6 +63,12 @@ in {
 StateDirectoryMode = "0700";
 Restart = "always";
 ExecStartPre = prestart;
+ ExecStart = ''
+ ${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.global.domains.web}\
+ --user-agent "Patricks pr-tracker"\
+ --path nixpkgs --remote origin\
+ --email-white-list ${config.age.secrets.prTrackerWhiteList.path}
+ '';
 EnvironmentFile = config.age.secrets.prTrackerEnv.path;
 # Hardening
@@ -94,7 +100,6 @@ in {
 ];
 UMask = "0077";
 };
- wantedBy = ["multi-user.target"];
 };
 systemd.timers.pr-tracker-update = {
 wantedBy = ["timers.target"];
@@ -103,6 +108,12 @@ in {
 OnUnitActiveSec = "30m";
 };
 };
+ users.groups.pr-tracker = {};
+ users.users.pr-tracker = {
+ isSystemUser = true;
+ group = "pr-tracker";
+ home = "/var/lib/pr-tracker";
+ };
 systemd.services.pr-tracker-update = {
 script = ''
@@ -121,7 +132,6 @@ in {
 PrivateTmp = true;
 PrivateDevices = true;
 StateDirectoryMode = "0700";
- Restart = "always";
 ExecStartPre = prestart;
 EnvironmentFile = config.age.secrets.prTrackerEnv.path;
 };
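Review bot: `--path nixpkgs` in the new `ExecStart` of the `@@ -63,6 +63,12 @@` hunk, like `./nixpkgs` in `prestart`, is a relative path and nothing in the hunk sets the unit's working directory; systemd runs system services from `/` unless `WorkingDirectory=` is given, in which case the `git clone` in `ExecStartPre` would try to write `/nixpkgs` as the unprivileged `pr-tracker` user and the checkout would not live under the persisted `/var/lib/pr-tracker`. `serviceConfig` continues outside the hunk, so it may already be set there; if not, add `WorkingDirectory = "/var/lib/pr-tracker";` beside `ExecStart` (or pass `--path /var/lib/pr-tracker/nixpkgs`), and the same applies to `pr-tracker-update`, which reuses `prestart`. A trailing `\` inside a Nix `''` string is kept literally, so these continuations are presumably resolved by systemd's unit-file parser rather than a shell as they were in the removed `script`; a comment such as `# line continuations are handled by systemd's unit parser, not a shell` would save the next reader a check.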
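Review bot: `users.users.pr-tracker` in the `@@ -103,6 +108,12 @@` hunk sets `isSystemUser`, `group` and `home` but no `uid`, while `config/basic/users.nix` reserves `pr-tracker = uidGid 2006;`. If `uidGid` fills `ids.uids`/`ids.gids` the reservation is picked up through the module's default; if it only records the number elsewhere, the user gets a dynamically allocated uid and the persisted `/var/lib/pr-tracker` (`StateDirectoryMode = "0700"`) can end up owned by a stale id after a rebuild. I would make the intent explicit next to the user, e.g. `uid = config.ids.uids.pr-tracker;` together with `users.groups.pr-tracker.gid = config.ids.gids.pr-tracker;`, or at least a comment `# uid/gid 2006 reserved in config/basic/users.nix`. `home` is not created by this block (`createHome` is not set, and defaults to false for system users); presumably the service's `StateDirectory` creates it, which is worth stating in a comment on the `home` line.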
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index c771863..2c9e08e 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -172,7 +172,7 @@ in { { virtualHosts.${domainOf "pr-tracker"} = { locations."/update" = { - deny = "all"; + extraConfig = "deny all;"; }; }; } diff --git a/hosts/elisabeth/secrets/pr-tracker/env.age b/hosts/elisabeth/secrets/pr-tracker/env.age new file mode 100644 index 0000000..bceaff9 Binary files /dev/null and b/hosts/elisabeth/secrets/pr-tracker/env.age differ diff --git a/hosts/elisabeth/secrets/pr-tracker/generated/maddyPasswd.age b/hosts/elisabeth/secrets/pr-tracker/generated/maddyPasswd.age new file mode 100644 index 0000000..4496015 --- /dev/null +++ b/hosts/elisabeth/secrets/pr-tracker/generated/maddyPasswd.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> X25519 U5pEv18rB3zNF10c5Evt74YBjl6ebM+jqYuWqr9mAU0 +/TvTIWHrqbCZ5ujaG+diSsJe5XE6lRcQS77bY6a4b/Q +-> piv-p256 ZFgiIw A+NQEsOQRfWXXh6JRa6BEcP7UtkhKJ59z9wpX6jyxZnX +GPD1/WwG52lY7AmRDttsv4o9XP1uPW3Yx7i0oPE980Q +-> piv-p256 XTQkUA AkfTy8tl43wHRIk/ngK36EAwX9mdOpXpfp/JEGhzEMPv +AN68T7tV2kiDfgcHB/h+IiBqz3lffwr4OkHLG7LP/VA +-> piv-p256 ZFgiIw A8lV/rIMV5NsOA5zTKZv09mTi3Sgddps0JkyET7EB1m0 +em3orzIidOeLv/YG6ANDWUki8jCd8ELicDPWLh+OWP8 +-> piv-p256 5vmPtQ AtsNn3+AoZQ5o76NOVlsmFx4LeMgu0enqnHrITz3gWws +AaIrGLPzMFZlP4yLG/dOD/TMDIZG9qbDQsuJm+RcD2I +-> Ck-grease W(W~n :k +K9daT5dj0mqkpMGKVLmMGI6Qx2x3k27aLADTYb/a1cJPfNbDZKAsN31/haAXr/62 +hh8 +--- fJtlUiysfb6UAKgPUJsb8ARuwDuztAXGoh0MOgswVb0 + (%1ܬ|@PV +\Bw穤r߫v.3m#d#9vL\\S7V?s{XtUv"h \ No newline at end of file diff --git a/hosts/elisabeth/secrets/pr-tracker/host.pub b/hosts/elisabeth/secrets/pr-tracker/host.pub new file mode 100644 index 0000000..dfed316 --- /dev/null +++ b/hosts/elisabeth/secrets/pr-tracker/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMHvbb5M9On2JdROGrpjgYfQ/R0gG8yuWuQFra4AHmG 
diff --git a/hosts/elisabeth/secrets/pr-tracker/white-list.age b/hosts/elisabeth/secrets/pr-tracker/white-list.age new file mode 100644 index 0000000..81f5264 --- /dev/null +++ b/hosts/elisabeth/secrets/pr-tracker/white-list.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> X25519 wOf49STmWvYTvHtLqT/8mNOmY8BLzOvM5NwsW6JUtGQ +p43LTBOa+rqWM7HhdzK+/+tuXECZYMhRycd4KYeeHDY +-> piv-p256 ZFgiIw AqUAM0bkhzEor6JFYcbctW6s3v17g+Gyz3+qvjL8ODig +lg7C1TCY2VtOO5FVxn7Qb3uHhoDwVZnaZnhAozl1y2Q +-> piv-p256 XTQkUA A2ntX3eQk5U/Yi+UQ1frmpDgOxrUKumh1Wy5BeTyauUl +krvmwwO0uFdrrw2pSBVdISHjGf0av06zFRlYygwfYSo +-> piv-p256 ZFgiIw AsR3cbG6BR+bAYv4u8fp86faaseTQrWNu3tMXVPZjYmQ +EU4rLBSy5vkrjIbUL3kO3GrFKttK6EjcBJWgOrawKdA +-> piv-p256 5vmPtQ Ay6lxP005c2h7JU6gcId+2YTGx5E8NkDyhnqyoFZpVyI +tv/FMRq3SdVDspcInA7nv0i6S2sHmsDtZD4WGfxKLDQ +-> NRp-grease j65O ' Pg6Cw ]~Jilw +dWRZsjvCv9cV7xBLC4U8oNXw9aTa8OZTqFsALKqBxcgri56n+gSn1MEOrfHa+pYc +moslDzDwxwa7UX8EcIzjLCsZJl7+rPYqSu41yhNGLI6OnyiS2EYaOJg9ZR+/seGd + +--- FZIPmNz/IAyDFW3/LMdX8neUiZfNkZ008pl6jb+SONE +Cd{bfT_y@3勇a|1 Ma Rf0ifDt9sbъ \ No newline at end of file diff --git a/hosts/maddy/secrets/generated/pr-tracker.age b/hosts/maddy/secrets/generated/pr-tracker.age deleted file mode 100644 index 7bc0096..0000000 Binary files a/hosts/maddy/secrets/generated/pr-tracker.age and /dev/null differ diff --git a/pkgs/pr-tracker.nix b/pkgs/pr-tracker.nix index cbf6420..e62eb15 100644 --- a/pkgs/pr-tracker.nix +++ b/pkgs/pr-tracker.nix @@ -12,8 +12,8 @@ rustPlatform.buildRustPackage { src = fetchFromGitHub { owner = "patrickdag"; repo = "pr-tracker"; - rev = "54d47f277df81bfe82339ec3d2ceabd9c371aa91"; - hash = "sha256-C3dGaxxEH2acM1Ozvk5BcU+Gq6vPjSEzBVWZcRKMSzk="; + rev = "4cd2e8216f8c98441c74a883833ee73123fb1042"; + hash = "sha256-OOohIvqPsCBtMXbg3D3GUdZYsTR13YPyWERGPCGZwa4="; }; cargoHash = "sha256-pcIbL/mWhvQpQcVgyeNccW5cnHGKPKBpY9f2eeSrcjk="; 
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index 5ba8bb9..a3f6e9d 100644 Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.age b/secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.age new file mode 100644 index 0000000..d30e0c0 --- /dev/null +++ b/secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> X25519 sJWb1AB1ani7iSARBKiza76F4BZ/1RT+nYo+h3SCvDM +G9r4LID6JVa+CbM+goWlorWNAutTfCWCRXkMKe68GnQ +-> piv-p256 ZFgiIw AimY8gt/sR16sX1pmQ7KsWjklSprUl5xQT51DJ2CBrmo +35Gchuo7PlxnVg7nCmPX2l+Hwpqkn11Deh/gINotDK4 +-> piv-p256 XTQkUA A4Y83D0/vdl4f2gr8g09YO5xTM2en6/zdXTA4tlXTzse +pt0/k460n/rw0pGQVmbBvWkmscra5wL7Q4pUfC1aqJs +-> piv-p256 ZFgiIw A7kGeBnc71Bei30JFsrUPlhOYRfP/WwrtNYxyZ94blmd +tQcInK3OPdN5uYugFZc6JNMgMMrBHrNrfPLgK1GQuOU +-> piv-p256 5vmPtQ A2cBNFJA8IFoZcUGhwpTCrrh9v+ffe6UhbJkhYvfv310 +zf161XjBEKWYDLwaWw+wGuCGJJFD6NatL3BgSQACB38 +-> --grease \tv Z&IiJD *{Xl~2`' FOEGQ+s +hnw8ilMQCmjeH1dsP0p0Y6fY0X7l5goCmTR07RFMnXRH2Y7FQzSe5Ipg16+V9Rmj +1+RZABaebmFQFAJwtfFmeLXzsFVn0sMtflMR/wmunn+RuZ0XfzHzM0QOU2g +--- rdxJZDoceAdq9YF8GoDLcHz5UInJlcXCrOgr3/XxI/Q +Ч"V\ү/SwqH(H(=aPiǔ_:KS1tإ \ No newline at end of file diff --git a/secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.pub b/secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.pub new file mode 100644 index 0000000..a8a442b --- /dev/null +++ b/secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.pub @@ -0,0 +1 @@ +HKftlC7tQXYToYo0VLHqvdnZxQfNtJ8u0QDN3mLgqiA= diff --git a/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-pr-tracker.age b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-pr-tracker.age new file mode 100644 index 0000000..7be413a Binary files /dev/null and b/secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-pr-tracker.age differ