feat: signald is broken use signal-cli

2024-09-01 19:51:52 +02:00 · 2024-09-01 19:51:52 +02:00 · 98e22fb96a
parent 21872334fa
commit 98e22fb96a
8 changed files with 17 additions and 245 deletions
--- a/config/basic/users.nix
+++ b/config/basic/users.nix
@ -36,6 +36,8 @@
      oauth2-proxy = uidGid 224;
      influxdb2 = uidGid 225;
      firefly-iii = uidGid 226;
+      homebox = uidGid 227;
+      signal = uidGid 228;
      paperless = uidGid 315;
      systemd-oom = uidGid 300;
      systemd-coredump = uidGid 301;
@ -48,6 +50,5 @@
      printer = uidGid 2005;
      pr-tracker = uidGid 2006;
      blog = uidGid 2007;
-      signald = uidGid 2008;
    };
 }
--- a/config/services/blog.nix
+++ b/config/services/blog.nix
@ -18,6 +18,10 @@ in
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [ 80 ];
  };
+  environment.systemPackages = [
+    pkgs.signal-cli
+    pkgs.cargo
+  ];
  services.nginx = {
    enable = true;
    user = "blog";
@ -36,9 +40,9 @@ in
      mode = "0700";
    }
    {
-      directory = "/var/lib/signald";
-      user = "signald";
-      group = "signald";
+      directory = "/var/lib/signal";
+      user = "signal";
+      group = "signal";
      mode = "0700";
    }
  ];
@ -49,6 +53,12 @@ in
      OnUnitActiveSec = "1m";
    };
  };
+  users.groups.signal = { };
+  users.users.signal = {
+    isSystemUser = true;
+    group = "signal";
+    home = "/var/lib/signal";
+  };
  users.groups.blog = { };
  users.users.blog = {
    isSystemUser = true;
@ -77,8 +87,4 @@ in
    };
  };

-  services.signald = {
-    enable = true;
-    group = "blog";
-  };
 }
--- a/config/services/homebox.nix
+++ b/config/services/homebox.nix
@ -1,5 +1,4 @@
 {
-  imports = [ ../../modules/homebox.nix ];
  wireguard.elisabeth = {
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [ 3000 ];
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -185,7 +185,7 @@ in
      (proxyProtect "invidious" { } true)
      (blockOf "yourspotify" { port = 80; })
      (blockOf "blog" { port = 80; })
-      #(blockOf "homebox" {})
+      (blockOf "homebox" { })
      (blockOf "pr-tracker" { })
      {
        virtualHosts.${domainOf "pr-tracker"} = {
@ -312,7 +312,7 @@ in
    // mkContainer "ddclient" { }
    // mkContainer "ollama" { }
    // mkContainer "murmur" { }
-    #// mkContainer "homebox" {}
+    // mkContainer "homebox" { }
    // mkContainer "pr-tracker" { }
    // mkContainer "invidious" { }
    // mkContainer "ttrss" { }
--- a/modules/homebox.nix
+++ b/modules/homebox.nix
@ -1,94 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.services.homebox;
-  inherit (lib)
-    mkEnableOption
-    mkPackageOption
-    mkDefault
-    types
-    mkIf
-    ;
-in
-{
-  options.services.homebox = {
-    enable = mkEnableOption "homebox";
-    package = mkPackageOption pkgs "homebox" { };
-    settings = lib.mkOption {
-      type = types.attrsOf types.str;
-      defaultText = ''
-        HBOX_STORAGE_DATA = "/var/lib/homebox/data";
-        HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
-        HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
-        HBOX_MODE = "production";
-      '';
-      description = ''
-        The homebox configuration as Environment variables. For definitions and available options see the upstream documentation at:
-        [docs](https://hay-kot.github.io/homebox/quick-start/#env-variables-configuration).
-      '';
-    };
-  };
-  config = mkIf cfg.enable {
-    services.homebox.settings = {
-      HBOX_STORAGE_DATA = mkDefault "/var/lib/homebox/data";
-      HBOX_STORAGE_SQLITE_URL = mkDefault "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
-      HBOX_OPTIONS_ALLOW_REGISTRATION = mkDefault "false";
-      HBOX_MODE = mkDefault "production";
-    };
-    systemd.services.homebox = {
-      after = [ "network.target" ];
-      environment = cfg.settings;
-      serviceConfig = {
-        User = "homebox";
-        Group = "homebox";
-        ExecStart = lib.getExe cfg.package;
-        DynamicUser = true;
-        StateDirectory = "homebox";
-        WorkingDirectory = "/var/lib/homebox";
-        LimitNOFILE = "1048576";
-        PrivateTmp = true;
-        PrivateDevices = true;
-        StateDirectoryMode = "0700";
-        Restart = "always";
-
-        # Hardening
-        CapabilityBoundingSet = "";
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        PrivateUsers = true;
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProcSubset = "pid";
-        ProtectSystem = "strict";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_NETLINK"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        SystemCallArchitectures = "native";
-        SystemCallFilter = [
-          "@system-service"
-          "@pkey"
-        ];
-        RestrictSUIDSGID = true;
-        PrivateMounts = true;
-        # System Call Filtering
-        UMask = "0077";
-      };
-      wantedBy = [ "multi-user.target" ];
-    };
-  };
-  meta.maintainers = with lib.maintainers; [ patrickdag ];
-}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -5,7 +5,6 @@ _inputs: [
    zsh-histdb = prev.callPackage ./zsh-histdb.nix { };
    actual = prev.callPackage ./actual.nix { };
    pr-tracker = prev.callPackage ./pr-tracker.nix { };
-    homebox = prev.callPackage ./homebox.nix { };
    deploy = prev.callPackage ./deploy.nix { };
    minion = prev.callPackage ./minion.nix { };
    mongodb-bin = prev.callPackage ./mongodb-bin.nix { };
--- a/pkgs/homebox.nix
+++ b/pkgs/homebox.nix
@ -1,139 +0,0 @@
-{
-  stdenvNoCC,
-  jq,
-  moreutils,
-  nodePackages,
-  cacert,
-  lib,
-  buildGoModule,
-  fetchFromGitHub,
-}:
-let
-  pname = "homebox";
-  version = "0.10.3";
-  src = "${fetchFromGitHub {
-    owner = "hay-kot";
-    repo = "homebox";
-    rev = "v${version}";
-    hash = "sha256-Hej/dM0BgtRWiMOpp/SDVr3H1IbYb935T1pfX8apjpE=";
-    # Inspired by: https://github.com/NixOS/nixpkgs/blob/f2d7a289c5a5ece8521dd082b81ac7e4a57c2c5c/pkgs/applications/graphics/pdfcpu/default.nix#L20-L32
-    # The intention here is to write the information into files in the `src`'s
-    # `$out`, and use them later in other phases (in this case `preBuild`).
-    # In order to keep determinism, we also delete the `.git` directory
-    # afterwards, imitating the default behavior of `leaveDotGit = false`.
-    # More info about git log format can be found at `git-log(1)` manpage.
-    leaveDotGit = true;
-    postFetch = ''
-      cd "$out"
-      git log -1 --pretty=%H > "backend/COMMIT"
-      git log -1 --pretty=%cd --date=format:'%Y-%m-%dT%H:%M:%SZ' > "backend/SOURCE_DATE"
-      rm -rf ".git"
-    '';
-  }}";
-
-  frontend = stdenvNoCC.mkDerivation {
-    pname = "${pname}-frontend";
-    inherit version;
-
-    src = "${src}/frontend";
-
-    preBuild = ''
-      export HOME=$(mktemp -d)
-      export STORE_PATH=$(mktemp -d)
-
-      pnpm config set store-dir "${pnpm-deps}"
-      pnpm install --offline --frozen-lockfile --shamefully-hoist
-      patchShebangs node_modules/{*,.*}
-    '';
-
-    buildPhase = ''
-      runHook preBuild
-
-      pnpm build
-
-      runHook postBuild
-    '';
-    env.NUXT_TELEMETRY_DISABLED = 1;
-
-    nativeBuildInputs = [
-      nodePackages.pnpm
-      #breakpointHook
-    ];
-    installPhase = ''
-      runHook preInstall
-
-      mkdir -p $out
-      cp -r .output/public/* $out/
-
-      runHook postInstall
-    '';
-  };
-  pnpm-deps = stdenvNoCC.mkDerivation {
-    pname = "${pname}-pnpm-deps";
-    inherit version;
-    src = "${src}/frontend";
-
-    nativeBuildInputs = [
-      jq
-      moreutils
-      nodePackages.pnpm
-      cacert
-    ];
-
-    installPhase = ''
-      export HOME=$(mktemp -d)
-      pnpm config set store-dir $out
-      # This version of the package has different versions of esbuild as a dependency.
-      # You can use the command below to get esbuild binaries for a specific platform and calculate hashes for that platforms. (linux, darwin for os, and x86, arm64, ia32 for cpu)
-      # cat package.json | jq '.pnpm.supportedArchitectures += { "os": ["linux"], "cpu": ["arm64"] }' | sponge package.json
-      pnpm install --frozen-lockfile --ignore-script
-
-      # Remove timestamp and sort the json files.
-      rm -rf $out/v3/tmp
-      for f in $(find $out -name "*.json"); do
-        sed -i -E -e 's/"checkedAt":[0-9]+,//g' $f
-        jq --sort-keys . $f | sponge $f
-      done
-    '';
-
-    dontBuild = true;
-    dontFixup = true;
-    outputHashMode = "recursive";
-    outputHash = "sha256-BVZSdc8e6v+paMzMYazEdnKSNw+OnCpjSzGSEKxVl24=";
-  };
-in
-buildGoModule {
-  inherit pname version;
-  src = "${src}/backend";
-
-  vendorHash = "sha256-TtFz+dDpoMs3PAQjiYQm1+Q6prn4Hiaf7xqWt41oY7w=";
-
-  CGO_ENABLED = 0;
-  GOOS = "linux";
-  doCheck = false;
-
-  # options used by upstream:
-  # https://github.com/simulot/immich-go/blob/0.13.2/.goreleaser.yaml
-  ldflags = [
-    "-s"
-    "-w"
-    "-extldflags=-static"
-    "-X main.version=${version}"
-  ];
-
-  preBuild = ''
-    ldflags+=" -X main.commit=$(cat COMMIT)"
-    ldflags+=" -X main.date=$(cat SOURCE_DATE)"
-    mkdir -p ./app/api/static/public
-    cp -r ${frontend}/* ./app/api/static/public
-  '';
-
-  meta = with lib; {
-    mainProgram = "api";
-    homepage = "https://hay-kot.github.io/homebox/";
-    maintainers = with maintainers; [ patrickdag ];
-    license = licenses.agpl3Only;
-    description = "A inventory and organization system built for the Home User";
-    platforms = platforms.all;
-  };
-}
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age