anonymous-overflow: init

2023-02-15 20:35:46 +01:00 · 2023-02-15 20:35:46 +01:00 · 7f0fc887b8
commit 7f0fc887b8
parent 4108ae298a
7 changed files with 82 additions and 2 deletions
--- a/agenix/hosts/sail/anonymous-overflow/auth.age
+++ b/agenix/hosts/sail/anonymous-overflow/auth.age
--- a/agenix/hosts/sail/anonymous-overflow/config.age
+++ b/agenix/hosts/sail/anonymous-overflow/config.age
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@ -82,5 +82,16 @@
      owner = "nginx";
      group = "nginx";
    };
+
+    anonymous-overflow-config = {
+      file = ./anonymous-overflow/config.age;
+      mode = "444";
+    };
+
+    anonymous-overflow-auth = {
+      file = ./anonymous-overflow/auth.age;
+      owner = "nginx";
+      group = "nginx";
+    };
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -26,4 +26,7 @@ in
  "agenix/hosts/sail/nitter/auth.age".publicKeys = sail;

  "agenix/hosts/sail/libreddit/auth.age".publicKeys = sail;
+
+  "agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail;
+  "agenix/hosts/sail/anonymous-overflow/auth.age".publicKeys = sail;
 }
--- a/system/hosts/sail.nix
+++ b/system/hosts/sail.nix
@ -16,6 +16,8 @@ in

    ../nixos/cloudflared.nix

+    ../nixos/anonymous-overflow.nix
+
    (import ../nixos/freshrss.nix (args // { inherit secret; }))

    ../nixos/libreddit.nix
--- a/system/nixos/anonymous-overflow.nix
+++ b/system/nixos/anonymous-overflow.nix
@ -0,0 +1,66 @@
+{ pkgs, config, ... }:
+
+let
+  anonymous-overflow-pkg = pkgs.anonymous-overflow;
+in
+{
+  systemd.services.anonymous-overflow = {
+    description = "View StackOverflow in privacy and without the clutter";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      DynamicUser = true;
+      StateDirectory = "anonymous-overflow";
+      EnvironmentFile = [ config.age.secrets.anonymous-overflow-config.path ];
+      # Some parts of Nitter expect `public` folder in working directory,
+      # see https://github.com/zedeus/nitter/issues/414
+      ExecStart = "${anonymous-overflow-pkg}/bin/anonymousoverflow";
+      Restart = "on-failure";
+      RestartSec = "5s";
+      # Hardening
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      PrivateDevices = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+      UMask = "0077";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."anonymous-overflow.only.internal" = {
+      listen = [
+        {
+          addr = "127.0.0.1";
+          port = 80;
+        }
+      ];
+
+      forceSSL = false;
+      enableACME = false;
+
+      locations."/" = {
+        basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;
+        recommendedProxySettings = true;
+        proxyPass = "http://127.0.0.1:8003";
+      };
+    };
+  };
+}
--- a/system/nixos/nitter.nix
+++ b/system/nixos/nitter.nix
@ -31,8 +31,6 @@ in
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      PrivateDevices = true;
-      # A private user cannot have process capabilities on the host's user
-      # namespace and thus CAP_NET_BIND_SERVICE has no effect.
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;