diff --git a/config/basic/users.nix b/config/basic/users.nix
index ab5a2f3..dd67e2f 100644
--- a/config/basic/users.nix
+++ b/config/basic/users.nix
@@ -36,6 +36,8 @@
 oauth2-proxy = uidGid 224;
 influxdb2 = uidGid 225;
 firefly-iii = uidGid 226;
+ homebox = uidGid 227;
+ signal = uidGid 228;
 paperless = uidGid 315;
 systemd-oom = uidGid 300;
 systemd-coredump = uidGid 301;
@@ -48,6 +50,5 @@
 printer = uidGid 2005;
 pr-tracker = uidGid 2006;
 blog = uidGid 2007;
- signald = uidGid 2008;
 };
 }
diff --git a/config/services/blog.nix b/config/services/blog.nix
index 8514e0b..6bdc7aa 100644
--- a/config/services/blog.nix
+++ b/config/services/blog.nix
@@ -18,6 +18,10 @@ in
 client.via = "elisabeth";
 firewallRuleForNode.elisabeth.allowedTCPPorts = [ 80 ];
 };
+ environment.systemPackages = [
+ pkgs.signal-cli
+ pkgs.cargo
+ ];
 services.nginx = {
 enable = true;
 user = "blog";
@@ -36,9 +40,9 @@ in
 mode = "0700";
 }
 {
- directory = "/var/lib/signald";
- user = "signald";
- group = "signald";
+ directory = "/var/lib/signal";
+ user = "signal";
+ group = "signal";
 mode = "0700";
 }
 ];
@@ -49,6 +53,12 @@ in
 OnUnitActiveSec = "1m";
 };
 };
+ users.groups.signal = { };
+ users.users.signal = {
+ isSystemUser = true;
+ group = "signal";
+ home = "/var/lib/signal";
+ };
 users.groups.blog = { };
 users.users.blog = {
 isSystemUser = true;
@@ -77,8 +87,4 @@ in
 };
 };
 
- services.signald = {
- enable = true;
- group = "blog";
- };
 }
diff --git a/config/services/homebox.nix b/config/services/homebox.nix
index bf1eb2d..488b7b3 100644
--- a/config/services/homebox.nix
+++ b/config/services/homebox.nix
@@ -1,5 +1,4 @@
 {
- imports = [ ../../modules/homebox.nix ];
 wireguard.elisabeth = {
 client.via = "elisabeth";
 firewallRuleForNode.elisabeth.allowedTCPPorts = [ 3000 ];
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 8a8160c..e90756f 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
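Review bot: The new `signal` account is pinned to uid/gid 228 while the removed `signald` account held 2008, so any state carried over from `/var/lib/signald` into the new `/var/lib/signal` directory (blog.nix, the `directory = "/var/lib/signal"` hunk) would still be owned by uid 2008 and be unreachable under the `0700` mode set there. If that data is migrated rather than recreated, a one-off `chown -R signal:signal /var/lib/signal` (or a tmpfiles/activation rule) is needed. Whether `uidGid` also wires these numbers into `users.users.signal` is outside the hunk — the user declaration in blog.nix does not set `uid`, so confirm the helper does that.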
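Review bot: `pkgs.cargo` and `pkgs.signal-cli` are added to the system profile of the blog host via `environment.systemPackages`, which installs a full Rust toolchain on a machine whose visible role here is serving nginx. If they are consumed by a unit that drives signal-cli (not visible in this hunk), scope them to that unit instead, e.g. `systemd.services.<unit>.path = [ pkgs.signal-cli pkgs.cargo ];`, and check whether cargo is needed at runtime at all rather than only at build time. A short comment stating what consumes them, e.g. `# signal-cli and cargo are used by <unit> to …`, would make the intent clear to the next reader.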
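Review bot: `users.users.signal` is created with `home = "/var/lib/signal"` and, in the preceding hunk, that directory is set to `0700 signal:signal`, but nothing in the diff runs anything as this user: the removed `services.signald` block (last hunk of this file) was a daemon reachable by the `blog` group, and its replacement — presumably a unit invoking `signal-cli` — is not visible here. If the blog side now calls signal-cli directly, that unit must run as `signal` (or be granted access via `SupplementaryGroups`), otherwise the 0700 state directory is unreachable to it; if it is not wired up yet, a `# TODO: unit that runs signal-cli as this user` comment on the user declaration would record that. The `directory` entry above looks like a persistence declaration and appears to be what creates the home directory, since `createHome` is not set — worth confirming it does so on first boot.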
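Review bot: Dropping the local module import leaves `services.homebox` to be provided by another module, presumably the nixpkgs one; the deleted `modules/homebox.nix` defaulted `HBOX_OPTIONS_ALLOW_REGISTRATION` to `"false"` and applied a hardening set (`ProtectSystem = "strict"`, `SystemCallFilter`, `PrivateUsers`, …), so confirm the replacement keeps self-registration disabled and comparable sandboxing, or pin it explicitly in this file with `services.homebox.settings.HBOX_OPTIONS_ALLOW_REGISTRATION = "false";`. The rest of homebox.nix is outside the hunk, so whether this is already set there cannot be seen here.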
@@ -185,7 +185,7 @@ in
 (proxyProtect "invidious" { } true)
 (blockOf "yourspotify" { port = 80; })
 (blockOf "blog" { port = 80; })
- #(blockOf "homebox" {})
+ (blockOf "homebox" { })
 (blockOf "pr-tracker" { })
 {
 virtualHosts.${domainOf "pr-tracker"} = {
@@ -312,7 +312,7 @@ in
 // mkContainer "ddclient" { }
 // mkContainer "ollama" { }
 // mkContainer "murmur" { }
- #// mkContainer "homebox" {}
+ // mkContainer "homebox" { }
 // mkContainer "pr-tracker" { }
 // mkContainer "invidious" { }
 // mkContainer "ttrss" { }
diff --git a/modules/homebox.nix b/modules/homebox.nix
deleted file mode 100644
index ec2804e..0000000
--- a/modules/homebox.nix
+++ /dev/null
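Review bot: `homebox` is published through `blockOf` like `blog` and `pr-tracker`, not through `proxyProtect` as `invidious` is on the line above, so it relies on homebox's own login rather than an upstream auth layer; make sure that is intentional and that an admin account exists before the block goes live, given the deleted module defaulted registration to off. What `blockOf` and `proxyProtect` do beyond declaring the upstream is defined outside the hunk, so this is inferred from their use here. The second hunk of this file, enabling the `mkContainer "homebox"` line, is the matching container side of the same change.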
@@ -1,94 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -let - cfg = config.services.homebox; - inherit (lib) - mkEnableOption - mkPackageOption - mkDefault - types - mkIf - ; -in -{ - options.services.homebox = { - enable = mkEnableOption "homebox"; - package = mkPackageOption pkgs "homebox" { }; - settings = lib.mkOption { - type = types.attrsOf types.str; - defaultText = '' - HBOX_STORAGE_DATA = "/var/lib/homebox/data"; - HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1"; - HBOX_OPTIONS_ALLOW_REGISTRATION = "false"; - HBOX_MODE = "production"; - ''; - description = '' - The homebox configuration as Environment variables. For definitions and available options see the upstream documentation at: - [docs](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration). - ''; - }; - }; - config = mkIf cfg.enable { - services.homebox.settings = { - HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data"; - HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1"; - HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false"; - HBOX_MODE = mkDefault "production"; - }; - systemd.services.homebox = { - after = [ "network.target" ]; - environment = cfg.settings; - serviceConfig = { - User = "homebox"; - Group = "homebox"; - ExecStart = lib.getExe cfg.package; - DynamicUser = true; - StateDirectory = "homebox"; - WorkingDirectory = "/var/lib/homebox"; - LimitNOFILE = "1048576"; - PrivateTmp = true; - PrivateDevices = true; - StateDirectoryMode = "0700"; - Restart = "always"; - - # Hardening - CapabilityBoundingSet = ""; - LockPersonality = true; - MemoryDenyWriteExecute = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProcSubset = 
"pid"; - ProtectSystem = "strict"; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "@pkey" - ]; - RestrictSUIDSGID = true; - PrivateMounts = true; - # System Call Filtering - UMask = "0077"; - }; - wantedBy = [ "multi-user.target" ]; - }; - }; - meta.maintainers = with lib.maintainers; [ patrickdag ]; -} diff --git a/pkgs/default.nix b/pkgs/default.nix index 3fe047f..b3fd76d 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -5,7 +5,6 @@ _inputs: [ zsh-histdb = prev.callPackage ./zsh-histdb.nix { }; actual = prev.callPackage ./actual.nix { }; pr-tracker = prev.callPackage ./pr-tracker.nix { }; - homebox = prev.callPackage ./homebox.nix { }; deploy = prev.callPackage ./deploy.nix { }; minion = prev.callPackage ./minion.nix { }; mongodb-bin = prev.callPackage ./mongodb-bin.nix { }; diff --git a/pkgs/homebox.nix b/pkgs/homebox.nix deleted file mode 100644 index 5c7e06b..0000000 --- a/pkgs/homebox.nix +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - stdenvNoCC, - jq, - moreutils, - nodePackages, - cacert, - lib, - buildGoModule, - fetchFromGitHub, -}: -let - pname = "homebox"; - version = "0.10.3"; - src = "${fetchFromGitHub { - owner = "hay-kot"; - repo = "homebox"; - rev = "v${version}"; - hash = "sha256-Hej/dM0BgtRWiMOpp/SDVr3H1IbYb935T1pfX8apjpE="; - # Inspired by: https://github.com/NixOS/nixpkgs/blob/f2d7a289c5a5ece8521dd082b81ac7e4a57c2c5c/pkgs/applications/graphics/pdfcpu/default.nix#L20-L32 - # The intention here is to write the information into files in the `src`'s - # `$out`, and use them later in other phases (in this case `preBuild`). - # In order to keep determinism, we also delete the `.git` directory - # afterwards, imitating the default behavior of `leaveDotGit = false`. - # More info about git log format can be found at `git-log(1)` manpage. - leaveDotGit = true; - postFetch = '' - cd "$out" - git log -1 --pretty=%H > "backend/COMMIT" - git log -1 --pretty=%cd --date=format:'%Y-%m-%dT%H:%M:%SZ' > "backend/SOURCE_DATE" - rm -rf ".git" - ''; - }}"; - - frontend = stdenvNoCC.mkDerivation { - pname = "${pname}-frontend"; - inherit version; - - src = "${src}/frontend"; - - preBuild = '' - export HOME=$(mktemp -d) - export STORE_PATH=$(mktemp -d) - - pnpm config set store-dir "${pnpm-deps}" - pnpm install --offline --frozen-lockfile --shamefully-hoist - patchShebangs node_modules/{*,.*} - ''; - - buildPhase = '' - runHook preBuild - - pnpm build - - runHook postBuild - ''; - env.NUXT_TELEMETRY_DISABLED = 1; - - nativeBuildInputs = [ - nodePackages.pnpm - #breakpointHook - ]; - installPhase = '' - runHook preInstall - - mkdir -p $out - cp -r .output/public/* $out/ - - runHook postInstall - ''; - }; - pnpm-deps = stdenvNoCC.mkDerivation { - pname = "${pname}-pnpm-deps"; - inherit version; - src = "${src}/frontend"; - - nativeBuildInputs = [ - jq - moreutils - nodePackages.pnpm - cacert - ]; - - installPhase = '' - export HOME=$(mktemp -d) - pnpm config set store-dir $out - # 
This version of the package has different versions of esbuild as a dependency. - # You can use the command below to get esbuild binaries for a specific platform and calculate hashes for that platforms. (linux, darwin for os, and x86, arm64, ia32 for cpu) - # cat package.json | jq '.pnpm.supportedArchitectures += { "os": ["linux"], "cpu": ["arm64"] }' | sponge package.json - pnpm install --frozen-lockfile --ignore-script - - # Remove timestamp and sort the json files. - rm -rf $out/v3/tmp - for f in $(find $out -name "*.json"); do - sed -i -E -e 's/"checkedAt":[0-9]+,//g' $f - jq --sort-keys . $f | sponge $f - done - ''; - - dontBuild = true; - dontFixup = true; - outputHashMode = "recursive"; - outputHash = "sha256-BVZSdc8e6v+paMzMYazEdnKSNw+OnCpjSzGSEKxVl24="; - }; -in -buildGoModule { - inherit pname version; - src = "${src}/backend"; - - vendorHash = "sha256-TtFz+dDpoMs3PAQjiYQm1+Q6prn4Hiaf7xqWt41oY7w="; - - CGO_ENABLED = 0; - GOOS = "linux"; - doCheck = false; - - # options used by upstream: - # https://github.com/simulot/immich-go/blob/0.13.2/.goreleaser.yaml - ldflags = [ - "-s" - "-w" - "-extldflags=-static" - "-X main.version=${version}" - ]; - - preBuild = '' - ldflags+=" -X main.commit=$(cat COMMIT)" - ldflags+=" -X main.date=$(cat SOURCE_DATE)" - mkdir -p ./app/api/static/public - cp -r ${frontend}/* ./app/api/static/public - ''; - - meta = with lib; { - mainProgram = "api"; - homepage = "https://hay-kot.github.io/homebox/"; - maintainers = with maintainers; [ patrickdag ]; - license = licenses.agpl3Only; - description = "A inventory and organization system built for the Home User"; - platforms = platforms.all; - }; -} diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index 2837910..77e2003 100644 Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ