feat(rustypaste): create module instead of container and use newer version through flake

Nydragon 2024-10-14 01:34:41 +02:00
parent b8c7300e8a
commit 520157cb2b
Signed by: nydragon
SSH key fingerprint: SHA256:iQnIC12spf4QjWSbarmkD2No1cLMlu6TWoV7K6cYF5g
13 changed files with 292 additions and 163 deletions

84
flake.lock generated

@ -296,6 +296,24 @@
"type": "github" "type": "github"
} }
}, },
"naersk": {
"inputs": {
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1721727458,
"narHash": "sha256-r/xppY958gmZ4oTfLiHN0ZGuQ+RSTijDblVgVLFi1mw=",
"owner": "nix-community",
"repo": "naersk",
"rev": "3fb418eaf352498f6b6c30592e3beb63df42ef11",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1728056216, "lastModified": 1728056216,
@ -360,6 +378,34 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": {
"locked": {
"lastModified": 0,
"narHash": "sha256-HP89HZOT0ReIbI7IJZJQoJgxvB2Tn28V6XS3MNKnfLs=",
"path": "/nix/store/lryfc8mhk1czqsa421di2y5nzz5c3b8m-source",
"type": "path"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nysh": { "nysh": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -435,7 +481,8 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nysh": "nysh", "nysh": "nysh",
"rofi-obsidian": "rofi-obsidian" "rofi-obsidian": "rofi-obsidian",
"rustypaste": "rustypaste"
} }
}, },
"rust-overlay": { "rust-overlay": {
@ -456,6 +503,41 @@
"type": "github" "type": "github"
} }
}, },
"rustypaste": {
"inputs": {
"naersk": "naersk",
"nixpkgs": "nixpkgs_5",
"rustypasteRepo": "rustypasteRepo"
},
"locked": {
"dirtyRev": "561025fca47e63a4356cf8e41669ab823f033717-dirty",
"dirtyShortRev": "561025f-dirty",
"lastModified": 1728306155,
"narHash": "sha256-ewGx/X970ErBg6oKAaBKZd4pqnP2s0jeRHm9bIj8CzM=",
"type": "git",
"url": "file:///home/ny/Documents/opensource/rustypaste"
},
"original": {
"type": "git",
"url": "file:///home/ny/Documents/opensource/rustypaste"
}
},
"rustypasteRepo": {
"flake": false,
"locked": {
"lastModified": 1728306155,
"narHash": "sha256-mgB/arakSQu7mC/n7Oal/rsHdVxCD4NEgX7TAsCrCMI=",
"owner": "orhun",
"repo": "rustypaste",
"rev": "561025fca47e63a4356cf8e41669ab823f033717",
"type": "github"
},
"original": {
"owner": "orhun",
"repo": "rustypaste",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,


@ -42,6 +42,10 @@
url = "github:hyprwm/hyprlock"; url = "github:hyprwm/hyprlock";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
rustypaste = {
url = "/home/ny/Documents/opensource/rustypaste";
};
}; };
outputs = outputs =
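Review bot: The new `rustypaste` input uses an absolute path inside one user's home directory (`url = "/home/ny/Documents/opensource/rustypaste";`), so the flake only evaluates on a machine that has that checkout. The lock file accordingly records it with `dirtyRev` / `file:///home/ny/...` rather than a committed revision. This input appears to supply the overlay that provides the server package, so what gets built is whatever sits in that working tree at the time, and a reviewer cannot trace it back to a commit. Pointing the input at a pushed repository (for example a `github:` URL) would let `flake.lock` pin a real `rev`. Adding `inputs.nixpkgs.follows = "nixpkgs";`, as the neighbouring inputs do, would also avoid locking the separate `nixpkgs_5` copy.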


@ -59,8 +59,7 @@ in
getext = pkgs.writeScriptBin "ls | grep -E \"\.[a-zA-Z0-9]+$\" --only-matching | sort | uniq"; getext = pkgs.writeScriptBin "ls | grep -E \"\.[a-zA-Z0-9]+$\" --only-matching | sort | uniq";
rpaste = writeFishBin "rpaste" '' rpaste = writeFishBin "rpaste" ''
export $(cat ${config.age.secrets.rustypaste.path} | xargs) ${pkgs.rustypaste-cli}/bin/rpaste -a "$(cat ${config.age.secrets.rustypaste.path})" -s "https://rusty.ccnlc.eu/" $argv
${pkgs.rustypaste-cli}/bin/rpaste -a "$AUTH_TOKEN" -s "https://rusty.ccnlc.eu/" $argv
''; '';
gentest = nixos-rebuild "gentest" "test"; gentest = nixos-rebuild "gentest" "test";
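Review bot: The rewritten `rpaste` wrapper still passes the token to the CLI as an argument (`-a "$(cat ${config.age.secrets.rustypaste.path})"`), so while the process runs the secret is visible in the process list to other local users. If the packaged `rustypaste-cli` can read the token from its own config file, that is preferable. Otherwise a comment above the wrapper such as `# token is passed via argv; visible in ps on multi-user hosts` would record the trade-off. The wrapper also now assumes the secret file holds exactly one bare token, which is worth stating in the same comment because the server side reads the same file as a token list. The enclosing attribute set starts and ends outside this hunk.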


@ -3,7 +3,6 @@
lib, lib,
pkgs, pkgs,
config, config,
pubkeys,
... ...
}: }:
let let
@ -14,14 +13,17 @@ in
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
./disk-config.nix ./disk-config.nix
./container-root.nix ./container-root.nix
./rustypaste
./forgejo ./forgejo
./headscale.nix ./headscale.nix
]; ];
age.secrets = { age.secrets = {
couchdb.file = ../../secrets/couchdb.age; couchdb.file = ../../secrets/couchdb.age;
rustypaste.file = ../../secrets/rustypaste.age; rustypaste = {
file = ../../secrets/rustypaste.age;
owner = "rustypaste";
group = "rustypaste";
};
}; };
boot.loader.grub = { boot.loader.grub = {
@ -29,10 +31,46 @@ in
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
}; };
modules.services.tailscale = { modules = {
enable = true; server.rustypaste = {
tags = [ "server" ]; enable = true;
extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now authTokenFile = config.age.secrets.rustypaste.path;
settings = {
server = {
url = "https://rusty.ccnlc.eu";
max_content_length = "50MB";
timeout = "30s";
expose_version = false;
expose_list = false;
handle_spaces = "replace";
};
paste = {
random_url = {
type = "petname";
words = 3;
separator = "-";
};
default_extension = "txt";
mime_blacklist = [
"application/x-dosexec"
"application/java-archive"
"application/java-vm"
];
duplicate_files = false;
default_expiry = "1h";
delete_expired_files = {
enabled = true;
interval = "1h";
};
};
};
};
services.tailscale = {
enable = true;
tags = [ "server" ];
extraFlags = [ "--accept-dns=false" ]; # Want to disable that since *server* can't access the private dns... for now
};
}; };
services.headscale.enable = true; services.headscale.enable = true;
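Review bot: The secret's `owner = "rustypaste";` and `group = "rustypaste";` are string literals that duplicate the new module's `user`/`group` defaults. If `modules.server.rustypaste.user` is overridden later, the service would no longer be able to read its token file. Deriving them keeps the two in step: `owner = config.modules.server.rustypaste.user;` and `group = config.modules.server.rustypaste.group;`. Separately, the `mime_override` list from the removed container config is not carried over into `settings`; if that is intentional, a one-line comment saying so would help the next reader.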


@ -1,90 +0,0 @@
{
config = {
refresh_rate = "1s";
};
server = {
address = "127.0.0.1:8000";
url = "https://rusty.ccnlc.eu";
workers = 4;
max_content_length = "50MB";
upload_path = "./upload";
timeout = "30s";
expose_version = false;
expose_list = false;
handle_spaces = "replace";
};
landing_page = {
text = ''
Submit files via HTTP POST here:
curl -F 'file=@example.txt' <server>
This will return the URL of the uploaded file.
The server administrator might remove any pastes that they do not personally
want to host.
If you are the server administrator and want to change this page, just go
into your config file and change it! If you change the expiry time, it is
recommended that you do.
By default, pastes expire every hour. The server admin may or may not have
changed this.
Check out the GitHub repository at https://github.com/orhun/rustypaste
Command line tool is available at https://github.com/orhun/rustypaste-cli
'';
content_type = "text/plain; charset=utf-8";
};
paste = {
random_url = {
type = "petname";
words = 2;
separator = "-";
};
default_extension = "txt";
mime_override = [
{
mime = "image/jpeg";
regex = "^.*\.jpg$";
}
{
mime = "image/png";
regex = "^.*\.png$";
}
{
mime = "image/svg+xml";
regex = "^.*\.svg$";
}
{
mime = "video/webm";
regex = "^.*\.webm$";
}
{
mime = "video/x-matroska";
regex = "^.*\.mkv$";
}
{
mime = "application/octet-stream";
regex = "^.*\.bin$";
}
{
mime = "text/plain";
regex = "^.*\.(log|txt|diff|sh|rs|toml)$";
}
];
mime_blacklist = [
"application/x-dosexec"
"application/java-archive"
"application/java-vm"
];
duplicate_files = false;
default_expiry = "1h";
delete_expired_files = {
enabled = true;
interval = "1h";
};
};
}


@ -1,53 +0,0 @@
{
pkgs,
config,
lib,
...
}:
{
virtualisation.oci-containers.containers."rustypaste" = {
image = "orhunp/rustypaste:latest";
environment = {
"RUST_LOG" = "debug";
};
environmentFiles = [ config.age.secrets.rustypaste.path ];
volumes = [
"${(pkgs.formats.toml { }).generate "conf" (import ./conf.nix)}:/app/config.toml:ro"
"test_rustypaste-data:/app/upload:rw"
];
ports = [ "8000:8000/tcp" ];
log-driver = "journald";
extraOptions = [
"--network-alias=rustypaste"
"--network=test_default"
];
};
systemd.services."podman-rustypaste" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-test_default.service"
"podman-volume-test_rustypaste-data.service"
];
requires = [
"podman-network-test_default.service"
"podman-volume-test_rustypaste-data.service"
];
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
systemd.services."podman-volume-test_rustypaste-data" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data
'';
partOf = [ "podman-compose-test-root.target" ];
wantedBy = [ "podman-compose-test-root.target" ];
};
}


@ -1,4 +1,5 @@
{ {
inputs,
inputs', inputs',
config, config,
lib, lib,
@ -37,5 +38,6 @@
hyprlock = inputs'.hyprlock.packages.hyprlock; hyprlock = inputs'.hyprlock.packages.hyprlock;
}) })
inputs.rustypaste.overlays.default
]; ];
} }


@ -3,5 +3,6 @@
./paperless-ngx ./paperless-ngx
./navidrome.nix ./navidrome.nix
./rsync-daemon ./rsync-daemon
./rustypaste.nix
]; ];
} }


@ -0,0 +1,146 @@
{
config,
lib,
pkgs,
options,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
types
;
cfg = config.modules.server.rustypaste;
opts = options.modules.server.rustypaste;
toml = pkgs.formats.toml { };
in
{
options.modules.server.rustypaste = {
enable = mkEnableOption "rustypaste, a pastebin alternative";
authTokenFile = mkOption {
type = types.str;
default = "";
};
deleteTokenFile = mkOption {
type = types.str;
default = "";
};
port = mkOption {
type = types.port;
default = 8000;
description = "The port rustypaste should listen on.";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Whether to open the specified port.";
};
address = mkOption {
type = types.nonEmptyStr;
default = "127.0.0.1";
description = "The address rustypaste should listen on.";
};
package = mkOption {
type = types.package;
default = pkgs.rustypaste;
};
user = mkOption {
type = types.str;
default = "rustypaste";
description = "User account under which rustypaste runs.";
};
group = mkOption {
type = types.str;
default = "rustypaste";
description = "Group under which rustypaste runs.";
};
settings = lib.mkOption {
inherit (toml) type;
default = {
config.refresh_rate = "1y";
server = {
address = "${cfg.address}:${toString cfg.port}";
max_content_length = "10MB";
upload_path = cfg.dataDir;
};
paste = {
default_extension = "txt";
};
};
defaultText = "Refer to https://github.com/orhun/rustypaste/blob/master/config.toml";
apply = lib.recursiveUpdate opts.settings.default;
};
dataDir = lib.mkOption {
type = types.nonEmptyStr;
default = "/var/lib/rustypaste";
description = "Where rustypaste stores uploaded files.";
};
settingsFile = lib.mkOption {
type = types.path;
default = toml.generate "rustypaste.toml" cfg.settings;
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.group}"
];
systemd.services.rustypaste = {
enable = true;
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
"CONFIG" = cfg.settingsFile;
"AUTH_TOKENS_FILE" = mkIf (cfg.authTokenFile != "") cfg.authTokenFile;
"DELETE_TOKENS_FILE" = mkIf (cfg.deleteTokenFile != "") cfg.deleteTokenFile;
};
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/rustypaste";
Restart = "on-failure";
PrivateDevices = true;
PrivateTmp = true;
ProtectSystem = "full";
ReadWritePaths = cfg.dataDir;
ReadOnlyPaths = lib.concatStringsSep " " [
cfg.settingsFile
cfg.authTokenFile
cfg.deleteTokenFile
];
IPAddressAllow = "any";
};
};
users.users = mkIf (cfg.user == "rustypaste") {
rustypaste = {
useDefaultShell = true;
group = cfg.group;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "rustypaste") {
rustypaste = { };
};
};
}
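Review bot: The sandboxing in `serviceConfig` is lighter than it looks for a service that accepts uploads: `ProtectSystem = "full"` leaves `/var` and `/home` writable so `ReadWritePaths` adds nothing, `IPAddressAllow = "any"` has no effect without a matching `IPAddressDeny`, and `NoNewPrivileges` is not set. I would switch to `ProtectSystem = "strict";` and add `NoNewPrivileges = true;` and `ProtectHome = true;`, which the existing `ReadWritePaths = cfg.dataDir` already accommodates. The system user is also created with `useDefaultShell = true`, which a service account does not need. Finally, `authTokenFile` and `deleteTokenFile` have no `description`; typing them as `types.nullOr types.path` with `default = null` would avoid joining empty strings into `ReadOnlyPaths`.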

Binary file not shown.


@ -1,11 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 biwZXw M19MPetxrj5viO9n3YQ80hEObhyJg5IZnNycR3Wzqk4 -> ssh-ed25519 biwZXw iMQ+wyhe0edDZpfFTcvg2zKzdGt6aHVE/tQBqbtCcUc
YBOWqQzb+zU8tSwEcrsr/ocPj6kzSly2wbJq0WK+gDM hAizLz8grjdYwjOnLSeEtp4kxA4MjRPywRs1BHrDSdo
-> ssh-ed25519 b3HlPA Z01OXca+e/XNFR0V9hPlCMZaQUdmbDfIqhQvLSfF5is -> ssh-ed25519 b3HlPA G1inkewMY0dv885snGeJqWRVVXsaCK35iSBXVA6OEAc
bjPwLeKSzatDDIjAaKh1q4ZdgEvHB82EyC4hSzS4qXE /VgBYT9W4ic6piJM5QTvmaAJtWDbzsXyP7M3GOilW8I
-> ssh-ed25519 cdUqUg 97W5cmHE/PS0MAlel2MDdzYJVinRVxBkigbV+c/xLRk -> ssh-ed25519 cdUqUg UzHj6mpJ1qNWA02x37JFhNEq/VdOP6k3p4ZtBY68Hjo
UyMUJYb+782FZEbuCcn4xj62bCLaYSBLD5714xpQN4c 4trOjzntsQ05C07SVSfO/gGoUTR2owyj6VnZPwLi4eE
-> ssh-ed25519 a1hgwg +kQW6lvFa/sTuU91My1NepIasAFnscjluc3z3zyHWws -> ssh-ed25519 a1hgwg pMJOkvg4Lg5tbY+nb9eqGPMweLwzxPxtvkhaOY8s3xk
rx/jQxCiC6sjGeXYeZcW0+UxkQr8uHNJKCGPxvH9GqQ 7rpmGdN84Lq/yU+FQCnaaHJOmvUhJgboFDmXgO4B7lc
--- VGD7NEIKcPMDhDKCGXKP+kXXf1YIPIK/y64k5e4YFTs --- kZ3ul3tAFvY769eSvcTei2KdrGyHKCDh+OdOAHk3NoU
bw¾XÁm Ÿws hF1É­+‡ZÜ }LY ZÝ<5A>¯fg³°¹q]̃tüxÊÛ¯¹õ`„¶Üw)—Y%uÚãåÅ^_v8QZfìq­u<C2AD>:¹¶g1 VÛþ!í–Â’»A[€€Çöe{TnÕ -f× ×”S*D<44>WŸv¡î=!‰Ø÷ðm‡…R ˆéʇ921QkÔ!hÊ0ǃÁ]òá_¢¾æÝž]äj6 1Î76õÃÆ4H”T¼ØJÂűøÖlj€H‰—oO@¶ Õ]9SUÓ×q '¡n

Binary file not shown.

Binary file not shown.