patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

feat: host pr-tracker

Browse source
This commit is contained in:
Patrick 2024-07-19 22:53:10 +02:00
parent 37ae370144
commit 382d9e9e9b
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
13 changed files with 80 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
config/basic/users.nix
View file

@ -44,5 +44,6 @@
ggr = uidGid 2002;
family = uidGid 2003;
printer = uidGid 2005;
pr-tracker = uidGid 2006;
};
}

38
config/services/pr-tracker.nix
View file

@ -6,11 +6,16 @@
...
}: let
prestart = pkgs.writeShellScript "pr-tracker-pre" ''
if [ ! -d "$DIRECTORY" ]; then
if [ ! -d ./nixpkgs ]; then
${lib.getExe pkgs.git} clone https://github.com/NixOS/nixpkgs.git
fi
'';
in {
wireguard.elisabeth = {
client.via = "elisabeth";
firewallRuleForNode.elisabeth.allowedTCPPorts = [3000];
};
networking.firewall.allowedTCPPorts = [3000];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/pr-tracker";
@ -24,11 +29,11 @@ in {
owner = "pr-tracker";
};
age.secrets.prTrackerEnv = {
rekeyFile = config.node.secretsDir + "/pr-tracker-env.age";
rekeyFile = config.node.secretsDir + "/env.age";
owner = "pr-tracker";
};
age.secrets.prTrackerWhiteList = {
rekeyFile = config.node.secretsDir + "/pr-tracker-white-list.age";
rekeyFile = config.node.secretsDir + "/white-list.age";
owner = "pr-tracker";
};
nodes.maddy = {
@ -38,20 +43,15 @@ in {
mode = "640";
};
services.maddy.ensureCredentials = {
"pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.vaultwardenPasswd.path;
"pr-tracker@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.pr-trackerPasswd.path;
};
};
systemd.sockets.pr-tracker = {
listenStreams = "0.0.0.0:300";
listenStreams = ["0.0.0.0:3000"];
wantedBy = ["sockets.target"];
};
systemd.services.pr-tracker = {
after = ["network.target"];
script = ''
${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.gloab.domain}\
--user-agent "Patricks pr-tracker"\
--path nixpks --remote origin\
--white-list ${config.age.secrets.prTrackerEnv.path};
'';
path = [pkgs.git];
serviceConfig = {
User = "pr-tracker";
Group = "pr-tracker";
@ -63,6 +63,12 @@ in {
StateDirectoryMode = "0700";
Restart = "always";
ExecStartPre = prestart;
ExecStart = ''
${lib.getExe pkgs.pr-tracker} --url pr-tracker.${config.secrets.secrets.global.domains.web}\
--user-agent "Patricks pr-tracker"\
--path nixpkgs --remote origin\
--email-white-list ${config.age.secrets.prTrackerWhiteList.path}
'';
EnvironmentFile = config.age.secrets.prTrackerEnv.path;
# Hardening
@ -94,7 +100,6 @@ in {
];
UMask = "0077";
};
wantedBy = ["multi-user.target"];
};
systemd.timers.pr-tracker-update = {
wantedBy = ["timers.target"];
@ -103,6 +108,12 @@ in {
OnUnitActiveSec = "30m";
};
};
users.groups.pr-tracker = {};
users.users.pr-tracker = {
isSystemUser = true;
group = "pr-tracker";
home = "/var/lib/pr-tracker";
};
systemd.services.pr-tracker-update = {
script = ''
@ -121,7 +132,6 @@ in {
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
ExecStartPre = prestart;
EnvironmentFile = config.age.secrets.prTrackerEnv.path;
};

2
hosts/elisabeth/guests.nix
View file

@ -172,7 +172,7 @@ in {
{
virtualHosts.${domainOf "pr-tracker"} = {
locations."/update" = {
deny = "all";
extraConfig = "deny all;";
};
};
}

BIN
hosts/elisabeth/secrets/pr-tracker/env.age Normal file
View file

Binary file not shown.

17
hosts/elisabeth/secrets/pr-tracker/generated/maddyPasswd.age Normal file
View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> X25519 U5pEv18rB3zNF10c5Evt74YBjl6ebM+jqYuWqr9mAU0
/TvTIWHrqbCZ5ujaG+diSsJe5XE6lRcQS77bY6a4b/Q
-> piv-p256 ZFgiIw A+NQEsOQRfWXXh6JRa6BEcP7UtkhKJ59z9wpX6jyxZnX
GPD1/WwG52lY7AmRDttsv4o9XP1uPW3Yx7i0oPE980Q
-> piv-p256 XTQkUA AkfTy8tl43wHRIk/ngK36EAwX9mdOpXpfp/JEGhzEMPv
AN68T7tV2kiDfgcHB/h+IiBqz3lffwr4OkHLG7LP/VA
-> piv-p256 ZFgiIw A8lV/rIMV5NsOA5zTKZv09mTi3Sgddps0JkyET7EB1m0
em3orzIidOeLv/YG6ANDWUki8jCd8ELicDPWLh+OWP8
-> piv-p256 5vmPtQ AtsNn3+AoZQ5o76NOVlsmFx4LeMgu0enqnHrITz3gWws
AaIrGLPzMFZlP4yLG/dOD/TMDIZG9qbDQsuJm+RcD2I
-> Ck-grease W(W~n :k
K9daT5dj0mqkpMGKVLmMGI6Qx2x3k27aLADTYb/a1cJPfNbDZKAsN31/haAXr/62
hh8
--- fJtlUiysfb6UAKgPUJsb8ARuwDuztAXGoh0MOgswVb0
%1ܬßðÍÆ«ß|Þ@ÏPVï
\žBw穤ìœrí¶Ôß«vÑ.ÿ3¹m#d#9üvL\\ˆS€ö7ŠÝV?s{XtÉUv"°hÞå

1
hosts/elisabeth/secrets/pr-tracker/host.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMHvbb5M9On2JdROGrpjgYfQ/R0gG8yuWuQFra4AHmG

17
hosts/elisabeth/secrets/pr-tracker/white-list.age Normal file
View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> X25519 wOf49STmWvYTvHtLqT/8mNOmY8BLzOvM5NwsW6JUtGQ
p43LTBOa+rqWM7HhdzK+/+tuXECZYMhRycd4KYeeHDY
-> piv-p256 ZFgiIw AqUAM0bkhzEor6JFYcbctW6s3v17g+Gyz3+qvjL8ODig
lg7C1TCY2VtOO5FVxn7Qb3uHhoDwVZnaZnhAozl1y2Q
-> piv-p256 XTQkUA A2ntX3eQk5U/Yi+UQ1frmpDgOxrUKumh1Wy5BeTyauUl
krvmwwO0uFdrrw2pSBVdISHjGf0av06zFRlYygwfYSo
-> piv-p256 ZFgiIw AsR3cbG6BR+bAYv4u8fp86faaseTQrWNu3tMXVPZjYmQ
EU4rLBSy5vkrjIbUL3kO3GrFKttK6EjcBJWgOrawKdA
-> piv-p256 5vmPtQ Ay6lxP005c2h7JU6gcId+2YTGx5E8NkDyhnqyoFZpVyI
tv/FMRq3SdVDspcInA7nv0i6S2sHmsDtZD4WGfxKLDQ
-> NRp-grease j65O ' Pg6Cw ]~Jilw
dWRZsjvCv9cV7xBLC4U8oNXw9aTa8OZTqFsALKqBxcgri56n+gSn1MEOrfHa+pYc
moslDzDwxwa7UX8EcIzjLCsZJl7+rPYqSu41yhNGLI6OnyiS2EYaOJg9ZR+/seGd
--- FZIPmNz/IAyDFW3/LMdX8neUiZfNkZ008pl6jb+SONE
Cd{Ź“©ŕbfT”_‡@ň3ĺ‡aź€Ň|1 ő§˝Mžaż Š´Rf»Óăřđ©0ŰfDt9sb˝<CB9D>ţŃŠ

BIN
hosts/maddy/secrets/generated/pr-tracker.age
View file

Binary file not shown.

4
pkgs/pr-tracker.nix
View file

@ -12,8 +12,8 @@ rustPlatform.buildRustPackage {
src = fetchFromGitHub {
owner = "patrickdag";
repo = "pr-tracker";
rev = "54d47f277df81bfe82339ec3d2ceabd9c371aa91";
hash = "sha256-C3dGaxxEH2acM1Ozvk5BcU+Gq6vPjSEzBVWZcRKMSzk=";
rev = "4cd2e8216f8c98441c74a883833ee73123fb1042";
hash = "sha256-OOohIvqPsCBtMXbg3D3GUdZYsTR13YPyWERGPCGZwa4=";
};
cargoHash = "sha256-pcIbL/mWhvQpQcVgyeNccW5cnHGKPKBpY9f2eeSrcjk=";

BIN
secrets/secrets.nix.age
View file

Binary file not shown.

16
secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.age Normal file
View file

@ -0,0 +1,16 @@
age-encryption.org/v1
-> X25519 sJWb1AB1ani7iSARBKiza76F4BZ/1RT+nYo+h3SCvDM
G9r4LID6JVa+CbM+goWlorWNAutTfCWCRXkMKe68GnQ
-> piv-p256 ZFgiIw AimY8gt/sR16sX1pmQ7KsWjklSprUl5xQT51DJ2CBrmo
35Gchuo7PlxnVg7nCmPX2l+Hwpqkn11Deh/gINotDK4
-> piv-p256 XTQkUA A4Y83D0/vdl4f2gr8g09YO5xTM2en6/zdXTA4tlXTzse
pt0/k460n/rw0pGQVmbBvWkmscra5wL7Q4pUfC1aqJs
-> piv-p256 ZFgiIw A7kGeBnc71Bei30JFsrUPlhOYRfP/WwrtNYxyZ94blmd
tQcInK3OPdN5uYugFZc6JNMgMMrBHrNrfPLgK1GQuOU
-> piv-p256 5vmPtQ A2cBNFJA8IFoZcUGhwpTCrrh9v+ffe6UhbJkhYvfv310
zf161XjBEKWYDLwaWw+wGuCGJJFD6NatL3BgSQACB38
-> --grease \tv Z&IiJD *{Xl~2`' FOEGQ+s
hnw8ilMQCmjeH1dsP0p0Y6fY0X7l5goCmTR07RFMnXRH2Y7FQzSe5Ipg16+V9Rmj
1+RZABaebmFQFAJwtfFmeLXzsFVn0sMtflMR/wmunn+RuZ0XfzHzM0QOU2g
--- rdxJZDoceAdq9YF8GoDLcHz5UInJlcXCrOgr3/XxI/Q
è×Ч"ðV÷\ÆÒ¯<C392>œ/¤ßSÙñó×Üw¿qH(„¡€­HÐØö<C398>(=÷Åæ­ùŒœîaPiäÇ”ûØÜ_:K°·ˆSŸ1tØ¥Æ

1
secrets/wireguard/elisabeth/keys/elisabeth-pr-tracker.pub Normal file
View file

@ -0,0 +1 @@
HKftlC7tQXYToYo0VLHqvdnZxQfNtJ8u0QDN3mLgqiA=

BIN
secrets/wireguard/elisabeth/psks/elisabeth+elisabeth-pr-tracker.age Normal file
View file

Binary file not shown.