diff options
Diffstat (limited to 'nixos/modules/services/web-apps')
| -rw-r--r-- | nixos/modules/services/web-apps/dex.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/microbin.nix | 93 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/outline.nix | 50 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/peering-manager.nix | 137 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/plausible.nix | 2 | ||||
| -rw-r--r-- | nixos/modules/services/web-apps/writefreely.nix | 2 |
6 files changed, 227 insertions, 64 deletions
diff --git a/nixos/modules/services/web-apps/dex.nix b/nixos/modules/services/web-apps/dex.nix index bd041db007a1..0c4a71c6dfe4 100644 --- a/nixos/modules/services/web-apps/dex.nix +++ b/nixos/modules/services/web-apps/dex.nix @@ -108,8 +108,7 @@ in ProtectClock = true; ProtectHome = true; ProtectHostname = true; - # Would re-mount paths ignored by temporary root - #ProtectSystem = "strict"; + ProtectSystem = "strict"; ProtectControlGroups = true; ProtectKernelLogs = true; ProtectKernelModules = true; @@ -121,9 +120,7 @@ in RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ]; - TemporaryFileSystem = "/:ro"; - # Does not work well with the temporary root - #UMask = "0066"; + UMask = "0066"; } // optionalAttrs (cfg.environmentFile != null) { EnvironmentFile = cfg.environmentFile; }; diff --git a/nixos/modules/services/web-apps/microbin.nix b/nixos/modules/services/web-apps/microbin.nix new file mode 100644 index 000000000000..233bfac6e699 --- /dev/null +++ b/nixos/modules/services/web-apps/microbin.nix @@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.microbin; +in +{ + options.services.microbin = { + enable = lib.mkEnableOption (lib.mdDoc "MicroBin is a super tiny, feature rich, configurable paste bin web application"); + + package = lib.mkPackageOption pkgs "microbin" { }; + + settings = lib.mkOption { + type = lib.types.submodule { freeformType = with lib.types; attrsOf (oneOf [ bool int str ]); }; + default = { }; + example = { + MICROBIN_PORT = 8080; + MICROBIN_HIDE_LOGO = false; + }; + description = lib.mdDoc '' + Additional configuration for MicroBin, see + <https://microbin.eu/docs/installation-and-configuration/configuration/> + for supported values. + + For secrets use passwordFile option instead. + ''; + }; + + dataDir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/microbin"; + description = lib.mdDoc "Default data folder for MicroBin."; + }; + + passwordFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/run/secrets/microbin.env"; + description = lib.mdDoc '' + Path to file containing environment variables. + Useful for passing down secrets. + Variables that can be considered secrets are: + - MICROBIN_BASIC_AUTH_USERNAME + - MICROBIN_BASIC_AUTH_PASSWORD + - MICROBIN_ADMIN_USERNAME + - MICROBIN_ADMIN_PASSWORD + - MICROBIN_UPLOADER_PASSWORD + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.microbin.settings = with lib; { + MICROBIN_BIND = mkDefault "0.0.0.0"; + MICROBIN_DISABLE_TELEMETRY = mkDefault true; + MICROBIN_LIST_SERVER = mkDefault false; + MICROBIN_PORT = mkDefault "8080"; + }; + + systemd.services.microbin = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings; + serviceConfig = { + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + DevicePolicy = "closed"; + DynamicUser = true; + EnvironmentFile = lib.optional (cfg.passwordFile != null) cfg.passwordFile; + ExecStart = "${cfg.package}/bin/microbin"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ReadWritePaths = cfg.dataDir; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + StateDirectory = "microbin"; + SystemCallArchitectures = [ "native" ]; + SystemCallFilter = [ "@system-service" ]; + WorkingDirectory = cfg.dataDir; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ surfaceflinger ]; +} diff --git a/nixos/modules/services/web-apps/outline.nix b/nixos/modules/services/web-apps/outline.nix index 1d8298963e6d..0e3bd07c1fc1 100644 --- a/nixos/modules/services/web-apps/outline.nix +++ b/nixos/modules/services/web-apps/outline.nix @@ -117,13 +117,14 @@ in storage = lib.mkOption { description = lib.mdDoc '' To support uploading of images for avatars and document attachments an - s3-compatible storage must be provided. AWS S3 is recommended for + s3-compatible storage can be provided. AWS S3 is recommended for redundancy however if you want to keep all file storage local an alternative such as [minio](https://github.com/minio/minio) can be used. + Local filesystem storage can also be used. - A more detailed guide on setting up S3 is available - [here](https://wiki.generaloutline.com/share/125de1cc-9ff6-424b-8415-0d58c809a40f). + A more detailed guide on setting up storage is available + [here](https://docs.getoutline.com/s/hosting/doc/file-storage-N4M0T6Ypu7). ''; example = lib.literalExpression '' { @@ -136,6 +137,19 @@ in ''; type = lib.types.submodule { options = { + storageType = lib.mkOption { + type = lib.types.enum [ "local" "s3" ]; + description = lib.mdDoc "File storage type, it can be local or s3."; + default = "s3"; + }; + localRootDir = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc '' + If `storageType` is `local`, this sets the parent directory + under which all attachments/images go. + ''; + default = "/var/lib/outline/data"; + }; accessKey = lib.mkOption { type = lib.types.str; description = lib.mdDoc "S3 access key."; @@ -557,7 +571,10 @@ in systemd.tmpfiles.rules = [ "f ${cfg.secretKeyFile} 0600 ${cfg.user} ${cfg.group} -" "f ${cfg.utilsSecretFile} 0600 ${cfg.user} ${cfg.group} -" - "f ${cfg.storage.secretKeyFile} 0600 ${cfg.user} ${cfg.group} -" + (if (cfg.storage.storageType == "s3") then + "f ${cfg.storage.secretKeyFile} 0600 ${cfg.user} ${cfg.group} -" + else + "d ${cfg.storage.localRootDir} 0700 ${cfg.user} ${cfg.group} - -") ]; services.postgresql = lib.mkIf (cfg.databaseUrl == "local") { @@ -599,14 +616,6 @@ in URL = cfg.publicUrl; PORT = builtins.toString cfg.port; - AWS_ACCESS_KEY_ID = cfg.storage.accessKey; - AWS_REGION = cfg.storage.region; - AWS_S3_UPLOAD_BUCKET_URL = cfg.storage.uploadBucketUrl; - AWS_S3_UPLOAD_BUCKET_NAME = cfg.storage.uploadBucketName; - AWS_S3_UPLOAD_MAX_SIZE = builtins.toString cfg.storage.uploadMaxSize; - AWS_S3_FORCE_PATH_STYLE = builtins.toString cfg.storage.forcePathStyle; - AWS_S3_ACL = cfg.storage.acl; - CDN_URL = cfg.cdnUrl; FORCE_HTTPS = builtins.toString cfg.forceHttps; ENABLE_UPDATES = builtins.toString cfg.enableUpdateCheck; @@ -622,8 +631,21 @@ in RATE_LIMITER_ENABLED = builtins.toString cfg.rateLimiter.enable; RATE_LIMITER_REQUESTS = builtins.toString cfg.rateLimiter.requests; RATE_LIMITER_DURATION_WINDOW = builtins.toString cfg.rateLimiter.durationWindow; + + FILE_STORAGE = cfg.storage.storageType; + FILE_STORAGE_UPLOAD_MAX_SIZE = builtins.toString cfg.storage.uploadMaxSize; + FILE_STORAGE_LOCAL_ROOT_DIR = cfg.storage.localRootDir; } + (lib.mkIf (cfg.storage.storageType == "s3") { + AWS_ACCESS_KEY_ID = cfg.storage.accessKey; + AWS_REGION = cfg.storage.region; + AWS_S3_UPLOAD_BUCKET_URL = cfg.storage.uploadBucketUrl; + AWS_S3_UPLOAD_BUCKET_NAME = cfg.storage.uploadBucketName; + AWS_S3_FORCE_PATH_STYLE = builtins.toString cfg.storage.forcePathStyle; + AWS_S3_ACL = cfg.storage.acl; + }) + (lib.mkIf (cfg.slackAuthentication != null) { SLACK_CLIENT_ID = cfg.slackAuthentication.clientId; }) @@ -676,7 +698,9 @@ in script = '' export SECRET_KEY="$(head -n1 ${lib.escapeShellArg cfg.secretKeyFile})" export UTILS_SECRET="$(head -n1 ${lib.escapeShellArg cfg.utilsSecretFile})" - export AWS_SECRET_ACCESS_KEY="$(head -n1 ${lib.escapeShellArg cfg.storage.secretKeyFile})" + ${lib.optionalString (cfg.storage.storageType == "s3") '' + export AWS_SECRET_ACCESS_KEY="$(head -n1 ${lib.escapeShellArg cfg.storage.secretKeyFile})" + ''} ${lib.optionalString (cfg.slackAuthentication != null) '' export SLACK_CLIENT_SECRET="$(head -n1 ${lib.escapeShellArg cfg.slackAuthentication.secretFile})" ''} diff --git a/nixos/modules/services/web-apps/peering-manager.nix b/nixos/modules/services/web-apps/peering-manager.nix index 55bf0da7b7b9..7012df6dffbf 100644 --- a/nixos/modules/services/web-apps/peering-manager.nix +++ b/nixos/modules/services/web-apps/peering-manager.nix @@ -35,7 +35,15 @@ in { Enable Peering Manager. This module requires a reverse proxy that serves `/static` separately. - See this [example](https://github.com/peering-manager-community/peering-manager/blob/develop/contrib/nginx.conf/) on how to configure this. + See this [example](https://github.com/peering-manager/contrib/blob/main/nginx.conf on how to configure this. + ''; + }; + + enableScheduledTasks = mkOption { + type = types.bool; + default = true; + description = '' + Set up [scheduled tasks](https://peering-manager.readthedocs.io/en/stable/setup/8-scheduled-tasks/) ''; }; @@ -194,32 +202,30 @@ in { }; systemd.services = let - defaultServiceConfig = { - WorkingDirectory = "/var/lib/peering-manager"; - User = "peering-manager"; - Group = "peering-manager"; - StateDirectory = "peering-manager"; - StateDirectoryMode = "0750"; - Restart = "on-failure"; + defaults = { + environment = { + PYTHONPATH = pkg.pythonPath; + }; + serviceConfig = { + WorkingDirectory = "/var/lib/peering-manager"; + User = "peering-manager"; + Group = "peering-manager"; + StateDirectory = "peering-manager"; + StateDirectoryMode = "0750"; + Restart = "on-failure"; + }; }; in { - peering-manager-migration = { + peering-manager-migration = lib.recursiveUpdate defaults { description = "Peering Manager migrations"; wantedBy = [ "peering-manager.target" ]; - - environment = { - PYTHONPATH = pkg.pythonPath; - }; - - serviceConfig = defaultServiceConfig // { + serviceConfig = { Type = "oneshot"; - ExecStart = '' - ${pkg}/bin/peering-manager migrate - ''; + ExecStart = "${pkg}/bin/peering-manager migrate"; }; }; - peering-manager = { + peering-manager = lib.recursiveUpdate defaults { description = "Peering Manager WSGI Service"; wantedBy = [ "peering-manager.target" ]; after = [ "peering-manager-migration.service" ]; @@ -228,11 +234,7 @@ in { ${pkg}/bin/peering-manager remove_stale_contenttypes --no-input ''; - environment = { - PYTHONPATH = pkg.pythonPath; - }; - - serviceConfig = defaultServiceConfig // { + serviceConfig = { ExecStart = '' ${pkg.python.pkgs.gunicorn}/bin/gunicorn peering_manager.wsgi \ --bind ${cfg.listenAddress}:${toString cfg.port} \ @@ -241,45 +243,92 @@ in { }; }; - peering-manager-rq = { + peering-manager-rq = lib.recursiveUpdate defaults { description = "Peering Manager Request Queue Worker"; wantedBy = [ "peering-manager.target" ]; after = [ "peering-manager.service" ]; + serviceConfig.ExecStart = "${pkg}/bin/peering-manager rqworker high default low"; + }; - environment = { - PYTHONPATH = pkg.pythonPath; + peering-manager-housekeeping = lib.recursiveUpdate defaults { + description = "Peering Manager housekeeping job"; + after = [ "peering-manager.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkg}/bin/peering-manager housekeeping"; }; + }; - serviceConfig = defaultServiceConfig // { - ExecStart = '' - ${pkg}/bin/peering-manager rqworker high default low - ''; + peering-manager-peeringdb-sync = lib.recursiveUpdate defaults { + description = "PeeringDB sync"; + after = [ "peering-manager.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkg}/bin/peering-manager peeringdb_sync"; }; }; - peering-manager-housekeeping = { - description = "Peering Manager housekeeping job"; + peering-manager-prefix-fetch = lib.recursiveUpdate defaults { + description = "Fetch IRR AS-SET prefixes"; after = [ "peering-manager.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkg}/bin/peering-manager grab_prefixes"; + }; + }; - environment = { - PYTHONPATH = pkg.pythonPath; + peering-manager-configuration-deployment = lib.recursiveUpdate defaults { + description = "Push configuration to routers"; + after = [ "peering-manager.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkg}/bin/peering-manager configure_routers"; }; + }; - serviceConfig = defaultServiceConfig // { + peering-manager-session-poll = lib.recursiveUpdate defaults { + description = "Poll peering sessions from routers"; + after = [ "peering-manager.service" ]; + serviceConfig = { Type = "oneshot"; - ExecStart = '' - ${pkg}/bin/peering-manager housekeeping - ''; + ExecStart = "${pkg}/bin/peering-manager poll_bgp_sessions --all"; }; }; }; - systemd.timers.peering-manager-housekeeping = { - description = "Run Peering Manager housekeeping job"; - wantedBy = [ "timers.target" ]; + systemd.timers = { + peering-manager-housekeeping = { + description = "Run Peering Manager housekeeping job"; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "daily"; + }; + + peering-manager-peeringdb-sync = { + enable = lib.mkDefault cfg.enableScheduledTasks; + description = "Sync PeeringDB at 2:30"; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "02:30:00"; + }; + + peering-manager-prefix-fetch = { + enable = lib.mkDefault cfg.enableScheduledTasks; + description = "Fetch IRR AS-SET prefixes at 4:30"; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "04:30:00"; + }; + + peering-manager-configuration-deployment = { + enable = lib.mkDefault cfg.enableScheduledTasks; + description = "Push router configuration every hour 5 minutes before full hour"; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "*:55:00"; + }; - timerConfig = { - OnCalendar = "daily"; + peering-manager-session-poll = { + enable = lib.mkDefault cfg.enableScheduledTasks; + description = "Poll peering sessions from routers every hour"; + wantedBy = [ "timers.target" ]; + timerConfig.OnCalendar = "*:00:00"; }; }; diff --git a/nixos/modules/services/web-apps/plausible.nix b/nixos/modules/services/web-apps/plausible.nix index e2d5cdc4f7c7..e5deb6cf511f 100644 --- a/nixos/modules/services/web-apps/plausible.nix +++ b/nixos/modules/services/web-apps/plausible.nix @@ -296,6 +296,6 @@ in { ]; }; - meta.maintainers = with maintainers; [ ma27 ]; + meta.maintainers = with maintainers; [ ]; meta.doc = ./plausible.md; } diff --git a/nixos/modules/services/web-apps/writefreely.nix b/nixos/modules/services/web-apps/writefreely.nix index a7671aa717f4..f92afa9276e3 100644 --- a/nixos/modules/services/web-apps/writefreely.nix +++ b/nixos/modules/services/web-apps/writefreely.nix @@ -120,7 +120,7 @@ let withConfigFile '' query () { local result=$(${sqlite}/bin/sqlite3 \ - '${cfg.stateDir}/${settings.database.filename}' + '${cfg.stateDir}/${settings.database.filename}' \ "$1" \ ) |