diff --git a/flake.lock b/flake.lock index 2e974f1..a220a4a 100644 --- a/flake.lock +++ b/flake.lock @@ -296,6 +296,24 @@ "type": "github" } }, + "naersk": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1721727458, + "narHash": "sha256-r/xppY958gmZ4oTfLiHN0ZGuQ+RSTijDblVgVLFi1mw=", + "owner": "nix-community", + "repo": "naersk", + "rev": "3fb418eaf352498f6b6c30592e3beb63df42ef11", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1728056216, @@ -360,6 +378,34 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 0, + "narHash": "sha256-HP89HZOT0ReIbI7IJZJQoJgxvB2Tn28V6XS3MNKnfLs=", + "path": "/nix/store/lryfc8mhk1czqsa421di2y5nzz5c3b8m-source", + "type": "path" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1728492678, + "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nysh": { "inputs": { "nixpkgs": [ @@ -435,7 +481,8 @@ "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", "nysh": "nysh", - "rofi-obsidian": "rofi-obsidian" + "rofi-obsidian": "rofi-obsidian", + "rustypaste": "rustypaste" } }, "rust-overlay": { 
@@ -456,6 +503,41 @@ "type": "github" } }, + "rustypaste": { + "inputs": { + "naersk": "naersk", + "nixpkgs": "nixpkgs_5", + "rustypasteRepo": "rustypasteRepo" + }, + "locked": { + "dirtyRev": "561025fca47e63a4356cf8e41669ab823f033717-dirty", + "dirtyShortRev": "561025f-dirty", + "lastModified": 1728306155, + "narHash": "sha256-ewGx/X970ErBg6oKAaBKZd4pqnP2s0jeRHm9bIj8CzM=", + "type": "git", + "url": "file:///home/ny/Documents/opensource/rustypaste" + }, + "original": { + "type": "git", + "url": "file:///home/ny/Documents/opensource/rustypaste" + } + }, + "rustypasteRepo": { + "flake": false, + "locked": { + "lastModified": 1728306155, + "narHash": "sha256-mgB/arakSQu7mC/n7Oal/rsHdVxCD4NEgX7TAsCrCMI=", + "owner": "orhun", + "repo": "rustypaste", + "rev": "561025fca47e63a4356cf8e41669ab823f033717", + "type": "github" + }, + "original": { + "owner": "orhun", + "repo": "rustypaste", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 47965a0..1386342 100644 --- a/flake.nix +++ b/flake.nix @@ -42,6 +42,10 @@ url = "github:hyprwm/hyprlock"; inputs.nixpkgs.follows = "nixpkgs"; }; + + rustypaste = { + url = "/home/ny/Documents/opensource/rustypaste"; + }; }; outputs = diff --git a/home/scripts/default.nix b/home/scripts/default.nix index a9a1158..c609ffb 100644 --- a/home/scripts/default.nix +++ b/home/scripts/default.nix @@ -59,8 +59,7 @@ in getext = pkgs.writeScriptBin "ls | grep -E \"\.[a-zA-Z0-9]+$\" --only-matching | sort | uniq"; rpaste = writeFishBin "rpaste" '' - export $(cat ${config.age.secrets.rustypaste.path} | xargs) - ${pkgs.rustypaste-cli}/bin/rpaste -a "$AUTH_TOKEN" -s "https://rusty.ccnlc.eu/" $argv + ${pkgs.rustypaste-cli}/bin/rpaste -a "$(cat ${config.age.secrets.rustypaste.path})" -s "https://rusty.ccnlc.eu/" $argv ''; gentest = nixos-rebuild "gentest" "test"; diff --git a/hosts/raptus/configuration.nix b/hosts/raptus/configuration.nix index cc1619e..546f13f 100644 
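Review bot: The new `rustypaste` input is an absolute local path, `/home/ny/Documents/opensource/rustypaste`, and the matching lock entry records it as `561025f-dirty` with a `file://` URL, so the flake only evaluates on this one machine and pins uncommitted working-tree state; since the overlay from that input becomes `pkgs.rustypaste`, that is the binary the server ends up running. Pin it to the upstream commit the lock already resolves for `rustypasteRepo`, e.g. `url = "github:orhun/rustypaste/561025fca47e63a4356cf8e41669ab823f033717";` (or a fork URL if the local changes are needed), and add `inputs.nixpkgs.follows = "nixpkgs";` as the neighbouring inputs do. Without the follows the lock grows a separate `nixpkgs_5` and a `nixpkgs_4` recorded as a bare `/nix/store` path, which will not resolve anywhere else; the naersk input may need the same `follows` treatment, though its wiring is not visible here.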
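Review bot: Passing the token as `-a "$(cat …)"` puts the secret on rpaste's command line, where any local user can read it via `ps` or `/proc/<pid>/cmdline` for the duration of the upload; the removed `export` line kept it in the environment, which is only readable by the same user or root. If rustypaste-cli honours an environment variable or a config file for the token (not visible from this hunk), prefer that, e.g. `set -x AUTH_TOKEN (cat ${config.age.secrets.rustypaste.path})` or pointing its config option at the secret file, and leave it off argv. Note also that `$(...)` command substitution is only accepted by fish 3.4 and newer; older releases need `(...)`.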
--- a/hosts/raptus/configuration.nix +++ b/hosts/raptus/configuration.nix @@ -3,7 +3,6 @@ lib, pkgs, config, - pubkeys, ... }: let @@ -14,14 +13,17 @@ in (modulesPath + "/profiles/qemu-guest.nix") ./disk-config.nix ./container-root.nix - ./rustypaste ./forgejo ./headscale.nix ]; age.secrets = { couchdb.file = ../../secrets/couchdb.age; - rustypaste.file = ../../secrets/rustypaste.age; + rustypaste = { + file = ../../secrets/rustypaste.age; + owner = "rustypaste"; + group = "rustypaste"; + }; }; boot.loader.grub = { @@ -29,10 +31,46 @@ in efiInstallAsRemovable = true; }; - modules.services.tailscale = { - enable = true; - tags = [ "server" ]; - extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now + modules = { + server.rustypaste = { + enable = true; + authTokenFile = config.age.secrets.rustypaste.path; + settings = { + server = { + url = "https://rusty.ccnlc.eu"; + max_content_length = "50MB"; + timeout = "30s"; + expose_version = false; + expose_list = false; + handle_spaces = "replace"; + }; + paste = { + random_url = { + type = "petname"; + words = 3; + separator = "-"; + }; + default_extension = "txt"; + mime_blacklist = [ + "application/x-dosexec" + "application/java-archive" + "application/java-vm" + ]; + duplicate_files = false; + default_expiry = "1h"; + delete_expired_files = { + enabled = true; + interval = "1h"; + }; + }; + }; + }; + + services.tailscale = { + enable = true; + tags = [ "server" ]; + extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now + }; }; services.headscale.enable = true; diff --git a/hosts/raptus/rustypaste/conf.nix b/hosts/raptus/rustypaste/conf.nix deleted file mode 100644 index 942e944..0000000 --- a/hosts/raptus/rustypaste/conf.nix +++ /dev/null 
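Review bot: The `mime_blacklist` keeps executables out but still admits `text/html` and `image/svg+xml`; if rustypaste serves uploads inline with their detected type (the deleted conf.nix had an explicit `image/svg+xml` override, so it appears to), an anonymous-or-tokened HTML/SVG paste executes as the `rusty.ccnlc.eu` origin, i.e. stored XSS on that host. Consider adding `"text/html"` and `"image/svg+xml"` to the list, or have the reverse proxy in front of it send `Content-Security-Policy: sandbox` / `X-Content-Type-Options: nosniff` for the paste paths. Separately, `authTokenFile` now feeds rustypaste's token file, whereas the deleted container config consumed the same agenix secret as an env-file (`AUTH_TOKEN=…`); `secrets/rustypaste.age` is re-encrypted in this commit, presumably to the new bare-token format, but a one-line comment such as `# secret holds bare token(s), one per line (AUTH_TOKENS_FILE format)` next to `authTokenFile` would save the next person from guessing.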
@@ -1,90 +0,0 @@ -{ - config = { - refresh_rate = "1s"; - }; - server = { - address = "127.0.0.1:8000"; - url = "https://rusty.ccnlc.eu"; - workers = 4; - max_content_length = "50MB"; - upload_path = "./upload"; - timeout = "30s"; - expose_version = false; - expose_list = false; - handle_spaces = "replace"; - }; - landing_page = { - text = '' - ┬─┐┬ ┬┌─┐┌┬┐┬ ┬┌─┐┌─┐┌─┐┌┬┐┌─┐ - ├┬┘│ │└─┐ │ └┬┘├─┘├─┤└─┐ │ ├┤ - ┴└─└─┘└─┘ ┴ ┴ ┴ ┴ ┴└─┘ ┴ └─┘ - - Submit files via HTTP POST here: - curl -F 'file=@example.txt' - This will return the URL of the uploaded file. - - The server administrator might remove any pastes that they do not personally - want to host. - - If you are the server administrator and want to change this page, just go - into your config file and change it! If you change the expiry time, it is - recommended that you do. - - By default, pastes expire every hour. The server admin may or may not have - changed this. - - Check out the GitHub repository at https://github.com/orhun/rustypaste - Command line tool is available at https://github.com/orhun/rustypaste-cli - ''; - content_type = "text/plain; charset=utf-8"; - }; - paste = { - random_url = { - type = "petname"; - words = 2; - separator = "-"; - }; - default_extension = "txt"; - mime_override = [ - { - mime = "image/jpeg"; - regex = "^.*\.jpg$"; - } - { - mime = "image/png"; - regex = "^.*\.png$"; - } - { - mime = "image/svg+xml"; - regex = "^.*\.svg$"; - } - { - mime = "video/webm"; - regex = "^.*\.webm$"; - } - { - mime = "video/x-matroska"; - regex = "^.*\.mkv$"; - } - { - mime = "application/octet-stream"; - regex = "^.*\.bin$"; - } - { - mime = "text/plain"; - regex = "^.*\.(log|txt|diff|sh|rs|toml)$"; - } - ]; - mime_blacklist = [ - "application/x-dosexec" - "application/java-archive" - "application/java-vm" - ]; - duplicate_files = false; - default_expiry = "1h"; - delete_expired_files = { - enabled = true; - interval = "1h"; - }; - }; -} 
diff --git a/hosts/raptus/rustypaste/default.nix b/hosts/raptus/rustypaste/default.nix deleted file mode 100644 index 054d156..0000000 --- a/hosts/raptus/rustypaste/default.nix +++ /dev/null @@ -1,53 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: -{ - virtualisation.oci-containers.containers."rustypaste" = { - image = "orhunp/rustypaste:latest"; - environment = { - "RUST_LOG" = "debug"; - }; - environmentFiles = [ config.age.secrets.rustypaste.path ]; - volumes = [ - "${(pkgs.formats.toml { }).generate "conf" (import ./conf.nix)}:/app/config.toml:ro" - "test_rustypaste-data:/app/upload:rw" - ]; - ports = [ "8000:8000/tcp" ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=rustypaste" - "--network=test_default" - ]; - }; - systemd.services."podman-rustypaste" = { - serviceConfig = { - Restart = lib.mkOverride 500 "always"; - }; - after = [ - "podman-network-test_default.service" - "podman-volume-test_rustypaste-data.service" - ]; - requires = [ - "podman-network-test_default.service" - "podman-volume-test_rustypaste-data.service" - ]; - partOf = [ "podman-compose-test-root.target" ]; - wantedBy = [ "podman-compose-test-root.target" ]; - }; - - systemd.services."podman-volume-test_rustypaste-data" = { - path = [ pkgs.podman ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data - ''; - partOf = [ "podman-compose-test-root.target" ]; - wantedBy = [ "podman-compose-test-root.target" ]; - }; -} diff --git a/modules/nix/overlays.nix b/modules/nix/overlays.nix index 09113a8..c0f4de9 100644 --- a/modules/nix/overlays.nix +++ b/modules/nix/overlays.nix @@ -1,4 +1,5 @@ { + inputs, inputs', config, lib, @@ -37,5 +38,6 @@ hyprlock = inputs'.hyprlock.packages.hyprlock; }) + inputs.rustypaste.overlays.default ]; } diff --git a/options/server/default.nix b/options/server/default.nix index c73374b..d5e34af 100644 
--- a/options/server/default.nix +++ b/options/server/default.nix @@ -3,5 +3,6 @@ ./paperless-ngx ./navidrome.nix ./rsync-daemon + ./rustypaste.nix ]; } diff --git a/options/server/rustypaste.nix b/options/server/rustypaste.nix new file mode 100644 index 0000000..dc71d98 --- /dev/null +++ b/options/server/rustypaste.nix 
@@ -0,0 +1,146 @@
+{
+ config,
+ lib,
+ pkgs,
+ options,
+ ...
+}:
+let
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ ;
+ cfg = config.modules.server.rustypaste;
+ opts = options.modules.server.rustypaste;
+ toml = pkgs.formats.toml { };
+in
+{
+ options.modules.server.rustypaste = {
+ enable = mkEnableOption "rustypaste, a pastebin alternative";
+
+ authTokenFile = mkOption {
+ type = types.str;
+ default = "";
+ };
+
+ deleteTokenFile = mkOption {
+ type = types.str;
+ default = "";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 8000;
+ description = "The port rustypaste should listen on.";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Whether to open the specified port.";
+ };
+
+ address = mkOption {
+ type = types.nonEmptyStr;
+ default = "127.0.0.1";
+ description = "The address rustypaste should listen on.";
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.rustypaste;
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "rustypaste";
+ description = "User account under which rustypaste runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "rustypaste";
+ description = "Group under which rustypaste runs.";
+ };
+
+ settings = lib.mkOption {
+ inherit (toml) type;
+ default = {
+ config.refresh_rate = "1y";
+ server = {
+ address = "${cfg.address}:${toString cfg.port}";
+ max_content_length = "10MB";
+ upload_path = cfg.dataDir;
+ };
+ paste = {
+ default_extension = "txt";
+ };
+ };
+ defaultText = "Refer to https://github.com/orhun/rustypaste/blob/master/config.toml";
+ apply = lib.recursiveUpdate opts.settings.default;
+ };
+
+ dataDir = lib.mkOption {
+ type = types.nonEmptyStr;
+ default = "/var/lib/rustypaste";
+ description = "Where rustypaste stores uploaded files.";
+ };
+
+ settingsFile = lib.mkOption {
+ type = types.path;
+ default = toml.generate "rustypaste.toml" cfg.settings;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+
+ systemd.tmpfiles.rules = [
+ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.group}"
+ ];
+
+ systemd.services.rustypaste = {
+ enable = true;
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ environment = {
+ "CONFIG" = cfg.settingsFile;
+ "AUTH_TOKENS_FILE" = mkIf (cfg.authTokenFile != "") cfg.authTokenFile;
+ "DELETE_TOKENS_FILE" = mkIf (cfg.deleteTokenFile != "") cfg.deleteTokenFile;
+ };
+ serviceConfig = {
+ Type = "simple";
+ User = cfg.user;
+ Group = cfg.group;
+ WorkingDirectory = cfg.dataDir;
+ ExecStart = "${cfg.package}/bin/rustypaste";
+ Restart = "on-failure";
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectSystem = "full";
+ ReadWritePaths = cfg.dataDir;
+ ReadOnlyPaths = lib.concatStringsSep " " [
+ cfg.settingsFile
+ cfg.authTokenFile
+ cfg.deleteTokenFile
+ ];
+ IPAddressAllow = "any";
+ };
+ };
+
+ users.users = mkIf (cfg.user == "rustypaste") {
+ rustypaste = {
+ useDefaultShell = true;
+ group = cfg.group;
+ isSystemUser = true;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "rustypaste") {
+ rustypaste = { };
+ };
+ };
+}
diff --git a/secrets/adguard-dns-list.age b/secrets/adguard-dns-list.age
index 6649fa4..59aacd7 100644 Binary files a/secrets/adguard-dns-list.age and b/secrets/adguard-dns-list.age differ
diff --git a/secrets/couchdb.age b/secrets/couchdb.age
index 4168bc2..5bad6c1 100644
--- a/secrets/couchdb.age
+++ b/secrets/couchdb.age
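Review bot: `IPAddressAllow = "any"` in `serviceConfig` is a no-op — systemd's IP ACL only takes effect once an `IPAddressDeny=` is set — so it reads as a restriction but restricts nothing, and the sandbox around a service that accepts uploads from the public `server.url` is otherwise thin: `ProtectSystem = "full"` leaves `/etc` and `/usr` read-only but not the rest of the tree, and there is no `NoNewPrivileges`, `ProtectHome`, `ProtectKernelTunables` or address-family restriction. Since `ReadWritePaths` already names `cfg.dataDir`, `ProtectSystem = "strict"` is a drop-in (the agenix path under `/run` and the store remain readable), and building `ReadOnlyPaths` as a list filtered of empty strings avoids the stray entries the `concatStringsSep` form produces when the token options are left at `""`. The two token options would also be clearer as `types.nullOr types.path` with a `description` (they have none, nor do `package` and `settingsFile`), and `useDefaultShell = true` gives a system account a login shell it never needs. `RestrictAddressFamilies` below assumes rustypaste only opens TCP sockets; confirm against the binary before keeping it.

```nix
serviceConfig = {
  # … unchanged: Type, User, Group, WorkingDirectory, ExecStart, Restart …
  PrivateDevices = true;
  PrivateTmp = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  NoNewPrivileges = true;
  ProtectKernelTunables = true;
  ProtectKernelModules = true;
  ProtectControlGroups = true;
  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
  CapabilityBoundingSet = "";
  ReadWritePaths = [ cfg.dataDir ];
  ReadOnlyPaths = lib.filter (p: p != "") [ cfg.authTokenFile cfg.deleteTokenFile ];
};
```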
@@ -1,11 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 biwZXw M19MPetxrj5viO9n3YQ80hEObhyJg5IZnNycR3Wzqk4 -YBOWqQzb+zU8tSwEcrsr/ocPj6kzSly2wbJq0WK+gDM --> ssh-ed25519 b3HlPA Z01OXca+e/XNFR0V9hPlCMZaQUdmbDfIqhQvLSfF5is -bjPwLeKSzatDDIjAaKh1q4ZdgEvHB82EyC4hSzS4qXE --> ssh-ed25519 cdUqUg 97W5cmHE/PS0MAlel2MDdzYJVinRVxBkigbV+c/xLRk -UyMUJYb+782FZEbuCcn4xj62bCLaYSBLD5714xpQN4c --> ssh-ed25519 a1hgwg +kQW6lvFa/sTuU91My1NepIasAFnscjluc3z3zyHWws -rx/jQxCiC6sjGeXYeZcW0+UxkQr8uHNJKCGPxvH9GqQ ---- VGD7NEIKcPMDhDKCGXKP+kXXf1YIPIK/y64k5e4YFTs -bwXm ws hF1ɭ+Zܠ}LY Zݍfgq]̃txۯ`w)Y%u^_v8QZfqu:g1 V!’A[e{Tn -f \ No newline at end of file +-> ssh-ed25519 biwZXw iMQ+wyhe0edDZpfFTcvg2zKzdGt6aHVE/tQBqbtCcUc +hAizLz8grjdYwjOnLSeEtp4kxA4MjRPywRs1BHrDSdo +-> ssh-ed25519 b3HlPA G1inkewMY0dv885snGeJqWRVVXsaCK35iSBXVA6OEAc +/VgBYT9W4ic6piJM5QTvmaAJtWDbzsXyP7M3GOilW8I +-> ssh-ed25519 cdUqUg UzHj6mpJ1qNWA02x37JFhNEq/VdOP6k3p4ZtBY68Hjo +4trOjzntsQ05C07SVSfO/gGoUTR2owyj6VnZPwLi4eE +-> ssh-ed25519 a1hgwg pMJOkvg4Lg5tbY+nb9eqGPMweLwzxPxtvkhaOY8s3xk +7rpmGdN84Lq/yU+FQCnaaHJOmvUhJgboFDmXgO4B7lc +--- kZ3ul3tAFvY769eSvcTei2KdrGyHKCDh+OdOAHk3NoU +הS*DWv=!mR 921Qk!h0ǃ]_ݞ]j6 1764HTؒJűljHoO@ ]9SUq'n \ No newline at end of file diff --git a/secrets/navidrome.age b/secrets/navidrome.age index 5e4c32b..f4e1687 100644 Binary files a/secrets/navidrome.age and b/secrets/navidrome.age differ diff --git a/secrets/rustypaste.age b/secrets/rustypaste.age index 8dba28c..1467743 100644 Binary files a/secrets/rustypaste.age and b/secrets/rustypaste.age differ