Install soft-serve on ninurta

2023-07-09 01:11:47 +02:00 · 2023-07-09 01:11:47 +02:00 · 9480ab3246
commit 9480ab3246
parent 4225de2ae9
7 changed files with 280 additions and 5 deletions
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -17,6 +17,7 @@ let
    modules = [{
      # Add flakes to registry and nix path.
      dadada.inputs = inputs // { dadada = self; };
+      nixpkgs.overlays = nixpkgs.lib.attrValues self.overlays;
    }] ++ (nixpkgs.lib.attrValues self.nixosModules) ++ [ agenix.nixosModules.age ] ++ extraModules;
  };
 in
@ -101,5 +102,9 @@ in
    ];
  };

-  ninurta = nixosSystem { extraModules = [ ./ninurta/configuration.nix ]; };
+  ninurta = nixosSystem {
+    extraModules = [
+      ./ninurta/configuration.nix
+    ];
+  };
 }
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -16,6 +16,7 @@
  packages = import ./packages.nix;
  secrets = import ./secrets.nix;
  share = import ./share.nix;
+  soft-serve = import ./soft-serve.nix;
  steam = import ./steam.nix;
  sway = import ./sway.nix;
  vpnServer = import ./vpnServer.nix;
--- a/nixos/modules/networking.nix
+++ b/nixos/modules/networking.nix
@ -132,7 +132,7 @@ in

    networking.wireguard.interfaces = mkIf (cfg.vpnExtension != null) {
      dadada = {
-        ips = [ "fd42:9c3b:f96d:201::${cfg.vpnExtension}/64" "192.168.120.${cfg.vpnExtension}/17" ];
+        ips = [ "fd42:9c3b:f96d:201::${cfg.vpnExtension}/64" "192.168.120.${cfg.vpnExtension}/24" ];
        listenPort = 51234;
        privateKeyFile = "/var/lib/wireguard/privkey";
        postSetup = ''
--- a/nixos/modules/soft-serve.nix
+++ b/nixos/modules/soft-serve.nix
@ -0,0 +1,212 @@
+{ config, lib, pkgs, ... }:
+with lib;
+
+let
+  cfg = config.services.soft-serve;
+  configFile = format.generate "config.yaml" cfg.settings;
+  exe = getExe cfg.package;
+  format = pkgs.formats.yaml { };
+  user = "soft-serve";
+in
+{
+  options = {
+    services.soft-serve = {
+      enable = mkEnableOption "Enable soft-serve service";
+
+      package = mkPackageOption pkgs "soft-serve" { };
+
+      stateDir = mkOption {
+        type = types.path;
+        default = "/var/lib/soft-serve";
+        description = lib.mdDoc ''
+          The absolute path to the data directory.
+
+          See <https://github.com/charmbracelet/soft-serve>.
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = user;
+        description = lib.mdDoc "User account under which soft-serve runs.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = user;
+        description = lib.mdDoc "Group account under which soft-serve runs.";
+      };
+
+      settings = mkOption {
+        type = format.type;
+        default = { };
+        description = lib.mdDoc ''
+          The contents of the configuration file.
+
+          See <https://github.com/charmbracelet/soft-serve>.
+        '';
+        example = literalExpression ''
+          {
+            # Soft Serve Server configurations
+
+            # The name of the server.
+            # This is the name that will be displayed in the UI.
+            name = "Soft Serve";
+
+            # Log format to use. Valid values are "json", "logfmt", and "text".
+            log_format = "text";
+
+            # The SSH server configuration.
+            ssh = {
+              # The address on which the SSH server will listen.
+              listen_addr = ":23231";
+
+              # The public URL of the SSH server.
+              # This is the address that will be used to clone repositories.
+              public_url = "ssh://localhost:23231";
+
+              # The path to the SSH server's private key.
+              key_path = "ssh/soft_serve_host";
+
+              # The path to the SSH server's client private key.
+              # This key will be used to authenticate the server to make git requests to
+              # ssh remotes.
+              client_key_path = "ssh/soft_serve_client";
+
+              # The maximum number of seconds a connection can take.
+              # A value of 0 means no timeout.
+              max_timeout = 0;
+
+              # The number of seconds a connection can be idle before it is closed.
+              idle_timeout = 120;
+            };
+            # The Git daemon configuration.
+            git = {
+              # The address on which the Git daemon will listen.
+              listen_addr = ":9418";
+
+              # The maximum number of seconds a connection can take.
+              # A value of 0 means no timeout.
+              max_timeout = 0;
+
+              # The number of seconds a connection can be idle before it is closed.
+              idle_timeout = 3;
+
+              # The maximum number of concurrent connections.
+              max_connections = 32;
+            };
+
+            # The HTTP server configuration.
+            http = {
+              # The address on which the HTTP server will listen.
+              listen_addr = ":23232";
+
+              # The path to the TLS private key.
+              tls_key_path = "";
+
+              # The path to the TLS certificate.
+              tls_cert_path = "";
+
+              # The public URL of the HTTP server.
+              # This is the address that will be used to clone repositories.
+              # Make sure to use https:// if you are using TLS.
+              public_url = "http://localhost:23232";
+
+            };
+
+            # The stats server configuration.
+            stats = {
+              # The address on which the stats server will listen.
+              listen_addr = ":23233";
+            };
+            # Additional admin keys.
+            initial_admin_keys = [
+              "ssh-rsa AAAAB3NzaC1yc2..."
+            ];
+          };
+        '';
+      };
+    };
+  };
+
+  config = let stateDir = cfg.stateDir; in mkIf cfg.enable {
+    users.users = mkIf (cfg.user == "soft-serve") {
+      soft-serve = {
+        description = "soft-serve service";
+        home = cfg.stateDir;
+        useDefaultShell = true;
+        group = cfg.group;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "soft-serve") {
+      soft-serve = { };
+    };
+
+    systemd.tmpfiles.rules = [
+      "d '${stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
+    ];
+
+    systemd.services.soft-serve = {
+      description = "Soft Serve git server 🍦";
+      documentation = [ "https://github.com/charmbracelet/soft-serve" ];
+      requires = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        SOFT_SERVE_DATA_PATH = stateDir;
+      };
+
+      preStart = ''
+        # Link the settings file into the data directory.
+        ln -fs ${configFile} ${stateDir}/config.yaml
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        Restart = "always";
+        RestartSec = "1";
+        ExecStart = "${exe} serve";
+        WorkingDirectory = stateDir;
+        RuntimeDirectory = "soft-serve";
+        RuntimeDirectoryMode = "0750";
+        ProcSubset = "pid";
+        ProtectProc = "invisible";
+        ReadWritePaths = [ stateDir ];
+        UMask = "0027";
+        CapabilityBoundingSet = "";
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        PrivateMounts = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap"
+        ];
+      };
+    };
+  };
+
+  meta.maintainers = [ maintainers.dadada ];
+}
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
@ -11,6 +11,7 @@ let
  wg0PresharedKey = "pruflas-wg0-preshared-key";
  hydraGitHubAuth = "hydra-github-authorization";
  initrdSshKey = "/etc/ssh/ssh_initrd_ed25519_key";
+  softServePort = 23231;
 in
 {
  imports = [
@ -18,6 +19,22 @@ in
    ./hardware-configuration.nix
  ];

+  services.soft-serve = {
+    enable = true;
+    settings = {
+      name = "dadada's repos";
+      log_format = "text";
+      ssh = {
+        listen_addr = ":${toString softServePort}";
+        public_url = "ssh://soft-serve.dadada.li:${toString softServePort}";
+        max_timeout = 30;
+        idle_timeout = 120;
+      };
+      stats.listen_addr = ":23233";
+      initial_admin_keys = config.dadada.admin.users.dadada.keys;
+    };
+  };
+
  dadada.backupClient.bs.enable = false;
  dadada.backupClient.backup1.enable = false;

@ -75,7 +92,7 @@ in
    };
  };

-  dadada.ddns.domains = [ "backup1.dadada.li" ];
+  dadada.ddns.domains = [ "backup1.dadada.li" "soft-serve.dadada.li" ];
  dadada.ddns.credentialsPath = config.age.secrets."ddns-credentials".path;
  dadada.ddns.interface = "backup";

@ -350,6 +367,7 @@ in
      80 # HTTP
      443 # HTTPS
      3000 # Hydra
+      softServePort
    ];
    allowedUDPPorts = [
      51234 # Wireguard
@ -384,8 +402,6 @@ in
    '';
  };

-
-
  powerManagement = {
    enable = true;
    cpuFreqGovernor = "powersave";