From ea0338519d0e9599738fb896e2dd71b8496dcfd4 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Sun, 5 Mar 2023 19:22:15 +0100
Subject: [PATCH] Add rimgo

---
 agenix/hosts/sail/config.nix | 6 +++
 agenix/hosts/sail/rimgo/auth.age | 14 +++++++
 secrets.nix | 2 +
 system/hosts/sail.nix | 2 +
 system/nixos/rimgo.nix | 67 ++++++++++++++++++++++++++++++++
 5 files changed, 91 insertions(+)
 create mode 100644 agenix/hosts/sail/rimgo/auth.age
 create mode 100644 system/nixos/rimgo.nix

diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index 3f0ce65..0f9c2c7 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -89,6 +89,12 @@
 group = "nginx";
 };
 
+ rimgo-auth = {
+ file = ./rimgo/auth.age;
+ owner = "nginx";
+ group = "nginx";
+ };
+
 anonymous-overflow-config = {
 file = ./anonymous-overflow/config.age;
 mode = "444";
diff --git a/agenix/hosts/sail/rimgo/auth.age b/agenix/hosts/sail/rimgo/auth.age
new file mode 100644
index 0000000..207c66f
--- /dev/null
+++ b/agenix/hosts/sail/rimgo/auth.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyAySTBM
+aFBCMXFLc0JJeHlSMjBEM0pqeElpZ3FOYmd6WFI4bndMcGluMWxVCmJ6aHBYNFlW
+RFlyTjhGYkluMWJ3bmRjaU55QWthYUZaWVpnZ081NUxYdDQKLT4gc3NoLWVkMjU1
+MTkgTmJWNGh3IFN2SWJ6ZFloZkk4YVI3NXFFUkJsQnMwemV0czQ0L3Q3d0ZxQkZP
+aXRFQUEKWWRSV2hQOC8zMFZ4aUFack9DcjM0SEg5VmVDdnZoUUdKb1FoTzMvclhI
+YwotPiBtc017cmNSNy1ncmVhc2UgO191L2tOfSAuX2sKYjlmMEpJSTJKbFpNb1h0
+U2s2K1U0NnAyejBjbHhyTDJaUG85dCtORDdMME1iTmFNTWlTZGdpRi90emVVT0ZL
+RgpLemUyVXJHR1ZyNEJCbExuN3cxQWw4Q1ZvKzAzZ1l5bTJ6ekh1N2VtbWhsUAot
+LS0gZDZuVXliZXRqeHpEa24vbTdLRjY2RkdReUgrVk4yRXJVam82ZklCUER5dwoi
+onrE2i7Culh6zYX79xMkJOuhSXlTpX2q4LQin5RA8O0b6lVui5lGR+K+wTkfYvKw
+D92KqHxvQbCpYECM5QrEued9+3ujmRjd5Zh9YBCdmoM1P7BlyTYaMIduUenN7VjP
+LjqdajKkDcu8Jf7p27Qob0A=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets.nix b/secrets.nix
index 46943e2..9f2615d 100644
--- a/secrets.nix
+++ b/secrets.nix
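Review bot: The new `rimgo-auth` entry sets `owner`/`group` but no `mode`, while the neighbouring `anonymous-overflow-config` entry pins `mode = "444"`, so a reader cannot tell whether the omission is deliberate. Relying on the agenix default (owner-readable only) is the tighter choice for an htpasswd file that only nginx needs to read, and that intent is worth recording: `# htpasswd for the rimgo vhost; nginx reads it via basicAuthFile, default (owner-only) mode is intentional`. The enclosing attribute set starts and ends outside the hunk.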
@@ -29,6 +29,8 @@ in "agenix/hosts/sail/libreddit/auth.age".publicKeys = sail; + "agenix/hosts/sail/rimgo/auth.age".publicKeys = sail; + "agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail; "agenix/hosts/sail/anonymous-overflow/auth.age".publicKeys = sail; diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix index bd4e20f..7075458 100644 --- a/system/hosts/sail.nix +++ b/system/hosts/sail.nix @@ -30,6 +30,8 @@ in (import ../nixos/ntfy-sh.nix (args // { inherit secret; })) + ../nixos/rimgo.nix + ../nixos/synapse.nix ../nixos/websites.nix diff --git a/system/nixos/rimgo.nix b/system/nixos/rimgo.nix new file mode 100644 index 0000000..4fdde08 --- /dev/null +++ b/system/nixos/rimgo.nix 
@@ -0,0 +1,67 @@
+{ pkgs, config, ... }:
+
+let
+ rimgo-pkg = pkgs.rimgo;
+in
+{
+ systemd.services.rimgo = {
+ description = "An alternative frontend for Imgur";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ StateDirectory = "rimgo";
+ Environment = [
+ "ADDRESS=127.0.0.1"
+ "PORT=8006"
+ ];
+ ExecStart = "${rimgo-pkg}/bin/rimgo";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
+
+ virtualHosts."rimgo.only.internal" = {
+ listen = [
+ {
+ addr = "127.0.0.1";
+ port = 80;
+ }
+ ];
+
+ forceSSL = false;
+ enableACME = false;
+ basicAuthFile = config.age.secrets.rimgo-auth.path;
+
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://127.0.0.1:8006";
+ };
+ };
+ };
+}
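Review bot: The backend port 8006 is spelled out twice in this hunk, once in `Environment` as `"PORT=8006"` and again in `proxyPass`; lifting it into the `let` block (`port = 8006;`, then `"PORT=${toString port}"` and `proxyPass = "http://127.0.0.1:${toString port}";`) keeps the two from drifting apart. The hardening block stops short of a syscall filter; `SystemCallArchitectures = "native";` and `SystemCallFilter = [ "@system-service" "~@privileged" ];` are the usual companions of `MemoryDenyWriteExecute`, and `ProcSubset = "pid"` is normally paired with `ProtectProc = "invisible";`. HTTP basic auth is enforced only in the nginx vhost, so the rimgo listener on 127.0.0.1:8006 is reachable by any local process without credentials; a comment such as `# auth is enforced by nginx; keep ADDRESS bound to loopback` would stop a later change from opening `ADDRESS`. With `forceSSL = false` the basic-auth credentials travel in clear text, which is acceptable only because the vhost binds 127.0.0.1:80; presumably a TLS-terminating layer fronts it, but nothing in the hunk shows one.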