anonymous-overflow: init
This commit is contained in:
parent
4108ae298a
commit
7f0fc887b8
7 changed files with 82 additions and 2 deletions
BIN
agenix/hosts/sail/anonymous-overflow/auth.age
Normal file
BIN
agenix/hosts/sail/anonymous-overflow/auth.age
Normal file
Binary file not shown.
BIN
agenix/hosts/sail/anonymous-overflow/config.age
Normal file
BIN
agenix/hosts/sail/anonymous-overflow/config.age
Normal file
Binary file not shown.
|
@ -82,5 +82,16 @@
|
|||
owner = "nginx";
|
||||
group = "nginx";
|
||||
};
|
||||
|
||||
anonymous-overflow-config = {
|
||||
file = ./anonymous-overflow/config.age;
|
||||
mode = "444";
|
||||
};
|
||||
|
||||
anonymous-overflow-auth = {
|
||||
file = ./anonymous-overflow/auth.age;
|
||||
owner = "nginx";
|
||||
group = "nginx";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -26,4 +26,7 @@ in
|
|||
"agenix/hosts/sail/nitter/auth.age".publicKeys = sail;
|
||||
|
||||
"agenix/hosts/sail/libreddit/auth.age".publicKeys = sail;
|
||||
|
||||
"agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail;
|
||||
"agenix/hosts/sail/anonymous-overflow/auth.age".publicKeys = sail;
|
||||
}
|
||||
|
|
|
@ -16,6 +16,8 @@ in
|
|||
|
||||
../nixos/cloudflared.nix
|
||||
|
||||
../nixos/anonymous-overflow.nix
|
||||
|
||||
(import ../nixos/freshrss.nix (args // { inherit secret; }))
|
||||
|
||||
../nixos/libreddit.nix
|
||||
|
|
66
system/nixos/anonymous-overflow.nix
Normal file
66
system/nixos/anonymous-overflow.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{ pkgs, config, ... }:
|
||||
|
||||
let
|
||||
anonymous-overflow-pkg = pkgs.anonymous-overflow;
|
||||
in
|
||||
{
|
||||
systemd.services.anonymous-overflow = {
|
||||
description = "View StackOverflow in privacy and without the clutter";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
DynamicUser = true;
|
||||
StateDirectory = "anonymous-overflow";
|
||||
EnvironmentFile = [ config.age.secrets.anonymous-overflow-config.path ];
|
||||
# Some parts of Nitter expect `public` folder in working directory,
|
||||
# see https://github.com/zedeus/nitter/issues/414
|
||||
ExecStart = "${anonymous-overflow-pkg}/bin/anonymousoverflow";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
# Hardening
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DeviceAllow = [ "" ];
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
|
||||
UMask = "0077";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."anonymous-overflow.only.internal" = {
|
||||
listen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 80;
|
||||
}
|
||||
];
|
||||
|
||||
forceSSL = false;
|
||||
enableACME = false;
|
||||
|
||||
locations."/" = {
|
||||
basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;
|
||||
recommendedProxySettings = true;
|
||||
proxyPass = "http://127.0.0.1:8003";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -31,8 +31,6 @@ in
|
|||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateDevices = true;
|
||||
# A private user cannot have process capabilities on the host's user
|
||||
# namespace and thus CAP_NET_BIND_SERVICE has no effect.
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
|
|
Loading…
Reference in a new issue