feat(rustypaste): create module instead of container and use newer version through flake

2024-10-14 01:34:41 +02:00 · 2024-10-14 01:34:41 +02:00 · 520157cb2b
commit 520157cb2b
parent b8c7300e8a
13 changed files with 292 additions and 163 deletions
--- a/flake.lock
+++ b/flake.lock
@ -296,6 +296,24 @@
        "type": "github"
      }
    },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_4"
+      },
+      "locked": {
+        "lastModified": 1721727458,
+        "narHash": "sha256-r/xppY958gmZ4oTfLiHN0ZGuQ+RSTijDblVgVLFi1mw=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "3fb418eaf352498f6b6c30592e3beb63df42ef11",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1728056216,
@ -360,6 +378,34 @@
        "type": "github"
      }
    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 0,
+        "narHash": "sha256-HP89HZOT0ReIbI7IJZJQoJgxvB2Tn28V6XS3MNKnfLs=",
+        "path": "/nix/store/lryfc8mhk1czqsa421di2y5nzz5c3b8m-source",
+        "type": "path"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_5": {
+      "locked": {
+        "lastModified": 1728492678,
+        "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nysh": {
      "inputs": {
        "nixpkgs": [
@ -435,7 +481,8 @@
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_2",
        "nysh": "nysh",
-        "rofi-obsidian": "rofi-obsidian"
+        "rofi-obsidian": "rofi-obsidian",
+        "rustypaste": "rustypaste"
      }
    },
    "rust-overlay": {
@ -456,6 +503,41 @@
        "type": "github"
      }
    },
+    "rustypaste": {
+      "inputs": {
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs_5",
+        "rustypasteRepo": "rustypasteRepo"
+      },
+      "locked": {
+        "dirtyRev": "561025fca47e63a4356cf8e41669ab823f033717-dirty",
+        "dirtyShortRev": "561025f-dirty",
+        "lastModified": 1728306155,
+        "narHash": "sha256-ewGx/X970ErBg6oKAaBKZd4pqnP2s0jeRHm9bIj8CzM=",
+        "type": "git",
+        "url": "file:///home/ny/Documents/opensource/rustypaste"
+      },
+      "original": {
+        "type": "git",
+        "url": "file:///home/ny/Documents/opensource/rustypaste"
+      }
+    },
+    "rustypasteRepo": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1728306155,
+        "narHash": "sha256-mgB/arakSQu7mC/n7Oal/rsHdVxCD4NEgX7TAsCrCMI=",
+        "owner": "orhun",
+        "repo": "rustypaste",
+        "rev": "561025fca47e63a4356cf8e41669ab823f033717",
+        "type": "github"
+      },
+      "original": {
+        "owner": "orhun",
+        "repo": "rustypaste",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -42,6 +42,10 @@
      url = "github:hyprwm/hyprlock";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    rustypaste = {
+      url = "/home/ny/Documents/opensource/rustypaste";
+    };
  };

  outputs =
--- a/home/scripts/default.nix
+++ b/home/scripts/default.nix
@ -59,8 +59,7 @@ in
  getext = pkgs.writeScriptBin "ls | grep -E \"\.[a-zA-Z0-9]+$\" --only-matching  | sort | uniq";

  rpaste = writeFishBin "rpaste" ''
-    export $(cat ${config.age.secrets.rustypaste.path} | xargs)
-    ${pkgs.rustypaste-cli}/bin/rpaste -a "$AUTH_TOKEN" -s "https://rusty.ccnlc.eu/" $argv
+    ${pkgs.rustypaste-cli}/bin/rpaste -a "$(cat ${config.age.secrets.rustypaste.path})" -s "https://rusty.ccnlc.eu/" $argv
  '';

  gentest = nixos-rebuild "gentest" "test";
--- a/hosts/raptus/configuration.nix
+++ b/hosts/raptus/configuration.nix
@ -3,7 +3,6 @@
  lib,
  pkgs,
  config,
-  pubkeys,
  ...
 }:
 let
@ -14,14 +13,17 @@ in
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
    ./container-root.nix
-    ./rustypaste
    ./forgejo
    ./headscale.nix
  ];

  age.secrets = {
    couchdb.file = ../../secrets/couchdb.age;
-    rustypaste.file = ../../secrets/rustypaste.age;
+    rustypaste = {
+      file = ../../secrets/rustypaste.age;
+      owner = "rustypaste";
+      group = "rustypaste";
+    };
  };

  boot.loader.grub = {
@ -29,10 +31,46 @@ in
    efiInstallAsRemovable = true;
  };

-  modules.services.tailscale = {
-    enable = true;
-    tags = [ "server" ];
-    extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now
+  modules = {
+    server.rustypaste = {
+      enable = true;
+      authTokenFile = config.age.secrets.rustypaste.path;
+      settings = {
+        server = {
+          url = "https://rusty.ccnlc.eu";
+          max_content_length = "50MB";
+          timeout = "30s";
+          expose_version = false;
+          expose_list = false;
+          handle_spaces = "replace";
+        };
+        paste = {
+          random_url = {
+            type = "petname";
+            words = 3;
+            separator = "-";
+          };
+          default_extension = "txt";
+          mime_blacklist = [
+            "application/x-dosexec"
+            "application/java-archive"
+            "application/java-vm"
+          ];
+          duplicate_files = false;
+          default_expiry = "1h";
+          delete_expired_files = {
+            enabled = true;
+            interval = "1h";
+          };
+        };
+      };
+    };
+
+    services.tailscale = {
+      enable = true;
+      tags = [ "server" ];
+      extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now
+    };
  };

  services.headscale.enable = true;
--- a/hosts/raptus/rustypaste/conf.nix
+++ b/hosts/raptus/rustypaste/conf.nix
@ -1,90 +0,0 @@
-{
-  config = {
-    refresh_rate = "1s";
-  };
-  server = {
-    address = "127.0.0.1:8000";
-    url = "https://rusty.ccnlc.eu";
-    workers = 4;
-    max_content_length = "50MB";
-    upload_path = "./upload";
-    timeout = "30s";
-    expose_version = false;
-    expose_list = false;
-    handle_spaces = "replace";
-  };
-  landing_page = {
-    text = ''
-      ┬─┐┬ ┬┌─┐┌┬┐┬ ┬┌─┐┌─┐┌─┐┌┬┐┌─┐
-      ├┬┘│ │└─┐ │ └┬┘├─┘├─┤└─┐ │ ├┤
-      ┴└─└─┘└─┘ ┴  ┴ ┴  ┴ ┴└─┘ ┴ └─┘
-
-      Submit files via HTTP POST here:
-          curl -F 'file=@example.txt' <server>
-      This will return the URL of the uploaded file.
-
-      The server administrator might remove any pastes that they do not personally
-      want to host.
-
-      If you are the server administrator and want to change this page, just go
-      into your config file and change it! If you change the expiry time, it is
-      recommended that you do.
-
-      By default, pastes expire every hour. The server admin may or may not have
-      changed this.
-
-      Check out the GitHub repository at https://github.com/orhun/rustypaste
-      Command line tool is available  at https://github.com/orhun/rustypaste-cli
-    '';
-    content_type = "text/plain; charset=utf-8";
-  };
-  paste = {
-    random_url = {
-      type = "petname";
-      words = 2;
-      separator = "-";
-    };
-    default_extension = "txt";
-    mime_override = [
-      {
-        mime = "image/jpeg";
-        regex = "^.*\.jpg$";
-      }
-      {
-        mime = "image/png";
-        regex = "^.*\.png$";
-      }
-      {
-        mime = "image/svg+xml";
-        regex = "^.*\.svg$";
-      }
-      {
-        mime = "video/webm";
-        regex = "^.*\.webm$";
-      }
-      {
-        mime = "video/x-matroska";
-        regex = "^.*\.mkv$";
-      }
-      {
-        mime = "application/octet-stream";
-        regex = "^.*\.bin$";
-      }
-      {
-        mime = "text/plain";
-        regex = "^.*\.(log|txt|diff|sh|rs|toml)$";
-      }
-    ];
-    mime_blacklist = [
-      "application/x-dosexec"
-      "application/java-archive"
-      "application/java-vm"
-    ];
-    duplicate_files = false;
-    default_expiry = "1h";
-    delete_expired_files = {
-      enabled = true;
-      interval = "1h";
-    };
-  };
-}
--- a/hosts/raptus/rustypaste/default.nix
+++ b/hosts/raptus/rustypaste/default.nix
@ -1,53 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
-}:
-{
-  virtualisation.oci-containers.containers."rustypaste" = {
-    image = "orhunp/rustypaste:latest";
-    environment = {
-      "RUST_LOG" = "debug";
-    };
-    environmentFiles = [ config.age.secrets.rustypaste.path ];
-    volumes = [
-      "${(pkgs.formats.toml { }).generate "conf" (import ./conf.nix)}:/app/config.toml:ro"
-      "test_rustypaste-data:/app/upload:rw"
-    ];
-    ports = [ "8000:8000/tcp" ];
-    log-driver = "journald";
-    extraOptions = [
-      "--network-alias=rustypaste"
-      "--network=test_default"
-    ];
-  };
-  systemd.services."podman-rustypaste" = {
-    serviceConfig = {
-      Restart = lib.mkOverride 500 "always";
-    };
-    after = [
-      "podman-network-test_default.service"
-      "podman-volume-test_rustypaste-data.service"
-    ];
-    requires = [
-      "podman-network-test_default.service"
-      "podman-volume-test_rustypaste-data.service"
-    ];
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-
-  systemd.services."podman-volume-test_rustypaste-data" = {
-    path = [ pkgs.podman ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data
-    '';
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-}
--- a/modules/nix/overlays.nix
+++ b/modules/nix/overlays.nix
@ -1,4 +1,5 @@
 {
+  inputs,
  inputs',
  config,
  lib,
@ -37,5 +38,6 @@

      hyprlock = inputs'.hyprlock.packages.hyprlock;
    })
+    inputs.rustypaste.overlays.default
  ];
 }
--- a/options/server/default.nix
+++ b/options/server/default.nix
@ -3,5 +3,6 @@
    ./paperless-ngx
    ./navidrome.nix
    ./rsync-daemon
+    ./rustypaste.nix
  ];
 }
--- a/options/server/rustypaste.nix
+++ b/options/server/rustypaste.nix
@ -0,0 +1,146 @@
+{
+  config,
+  lib,
+  pkgs,
+  options,
+  ...
+}:
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    types
+    ;
+  cfg = config.modules.server.rustypaste;
+  opts = options.modules.server.rustypaste;
+  toml = pkgs.formats.toml { };
+in
+{
+  options.modules.server.rustypaste = {
+    enable = mkEnableOption "rustypaste, a pastebin alternative";
+
+    authTokenFile = mkOption {
+      type = types.str;
+      default = "";
+    };
+
+    deleteTokenFile = mkOption {
+      type = types.str;
+      default = "";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 8000;
+      description = "The port rustypaste should listen on.";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to open the specified port.";
+    };
+
+    address = mkOption {
+      type = types.nonEmptyStr;
+      default = "127.0.0.1";
+      description = "The address rustypaste should listen on.";
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.rustypaste;
+    };
+
+    user = mkOption {
+      type = types.str;
+      default = "rustypaste";
+      description = "User account under which rustypaste runs.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "rustypaste";
+      description = "Group under which rustypaste runs.";
+    };
+
+    settings = lib.mkOption {
+      inherit (toml) type;
+      default = {
+        config.refresh_rate = "1y";
+        server = {
+          address = "${cfg.address}:${toString cfg.port}";
+          max_content_length = "10MB";
+          upload_path = cfg.dataDir;
+        };
+        paste = {
+          default_extension = "txt";
+        };
+      };
+      defaultText = "Refer to https://github.com/orhun/rustypaste/blob/master/config.toml";
+      apply = lib.recursiveUpdate opts.settings.default;
+    };
+
+    dataDir = lib.mkOption {
+      type = types.nonEmptyStr;
+      default = "/var/lib/rustypaste";
+      description = "Where rustypaste stores uploaded files.";
+    };
+
+    settingsFile = lib.mkOption {
+      type = types.path;
+      default = toml.generate "rustypaste.toml" cfg.settings;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.group}"
+    ];
+
+    systemd.services.rustypaste = {
+      enable = true;
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      environment = {
+        "CONFIG" = cfg.settingsFile;
+        "AUTH_TOKENS_FILE" = mkIf (cfg.authTokenFile != "") cfg.authTokenFile;
+        "DELETE_TOKENS_FILE" = mkIf (cfg.deleteTokenFile != "") cfg.deleteTokenFile;
+      };
+      serviceConfig = {
+        Type = "simple";
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.dataDir;
+        ExecStart = "${cfg.package}/bin/rustypaste";
+        Restart = "on-failure";
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectSystem = "full";
+        ReadWritePaths = cfg.dataDir;
+        ReadOnlyPaths = lib.concatStringsSep " " [
+          cfg.settingsFile
+          cfg.authTokenFile
+          cfg.deleteTokenFile
+        ];
+        IPAddressAllow = "any";
+      };
+    };
+
+    users.users = mkIf (cfg.user == "rustypaste") {
+      rustypaste = {
+        useDefaultShell = true;
+        group = cfg.group;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "rustypaste") {
+      rustypaste = { };
+    };
+  };
+}
--- a/secrets/adguard-dns-list.age
+++ b/secrets/adguard-dns-list.age
--- a/secrets/couchdb.age
+++ b/secrets/couchdb.age
@ -1,11 +1,11 @@
 age-encryption.org/v1
-> ssh-ed25519 biwZXw M19MPetxrj5viO9n3YQ80hEObhyJg5IZnNycR3Wzqk4
-YBOWqQzb+zU8tSwEcrsr/ocPj6kzSly2wbJq0WK+gDM
-> ssh-ed25519 b3HlPA Z01OXca+e/XNFR0V9hPlCMZaQUdmbDfIqhQvLSfF5is
-bjPwLeKSzatDDIjAaKh1q4ZdgEvHB82EyC4hSzS4qXE
-> ssh-ed25519 cdUqUg 97W5cmHE/PS0MAlel2MDdzYJVinRVxBkigbV+c/xLRk
-UyMUJYb+782FZEbuCcn4xj62bCLaYSBLD5714xpQN4c
-> ssh-ed25519 a1hgwg +kQW6lvFa/sTuU91My1NepIasAFnscjluc3z3zyHWws
-rx/jQxCiC6sjGeXYeZcW0+UxkQr8uHNJKCGPxvH9GqQ
--- VGD7NEIKcPMDhDKCGXKP+kXXf1YIPIK/y64k5e4YFTs
-bw¾XÁm
Ÿ‚ws	hF1É+‡ZÜ }LY	ZÝ<5A>¯fg³°¹q]ÌƒtüxÊÛ¯¹õ`„¶Üw)—Y%u––ÚãåÅ^_v8QZfìqu<C2AD>:¹¶g1 VÛþ!í–Â’»A[€€Çöe{TnÕ	-f×
+-> ssh-ed25519 biwZXw iMQ+wyhe0edDZpfFTcvg2zKzdGt6aHVE/tQBqbtCcUc
+hAizLz8grjdYwjOnLSeEtp4kxA4MjRPywRs1BHrDSdo
+-> ssh-ed25519 b3HlPA G1inkewMY0dv885snGeJqWRVVXsaCK35iSBXVA6OEAc
+/VgBYT9W4ic6piJM5QTvmaAJtWDbzsXyP7M3GOilW8I
+-> ssh-ed25519 cdUqUg UzHj6mpJ1qNWA02x37JFhNEq/VdOP6k3p4ZtBY68Hjo
+4trOjzntsQ05C07SVSfO/gGoUTR2owyj6VnZPwLi4eE
+-> ssh-ed25519 a1hgwg pMJOkvg4Lg5tbY+nb9eqGPMweLwzxPxtvkhaOY8s3xk
+7rpmGdN84Lq/yU+FQCnaaHJOmvUhJgboFDmXgO4B7lc
+--- kZ3ul3tAFvY769eSvcTei2KdrGyHKCDh+OdOAHk3NoU
+‡×”S*D›<44>WŸv¡î=!‰Ø÷ðm‡…›R’“ˆéÊ‡921QkÔ!hÊ0ÇƒÁ]òá_¢¾æÝž]äj6 1Î76õÃÆ4‚H”T¼Ø’JÂÅ±øÖl‚j€H‰—oO@¶ Õ]9SUÓ×q '¡n
--- a/secrets/navidrome.age
+++ b/secrets/navidrome.age
--- a/secrets/rustypaste.age
+++ b/secrets/rustypaste.age