feat: enable rustypaste https

home/scripts/default.nix

@@ -60,7 +60,7 @@ in
 
   rpaste = pkgs.writers.writeBashBin "rpaste" ''
     export $(cat ${config.age.secrets.rustypaste.path} | xargs)
-    curl -F "file=@$1" -H "Authorization: $AUTH_TOKEN" http://rusty.ccnlc.eu/
+    curl -F "file=@$1" -H "Authorization: $AUTH_TOKEN" https://rusty.ccnlc.eu/
   '';
 
   gentest = nixos-rebuild "gentest" "test";

hosts/brontes/home.nix

@@ -74,6 +74,7 @@
         scripts.nixedit
         scripts.set-background
         scripts.fishl
+        scripts.nrun
         scripts.rpaste
         scripts.genswitch
         scripts.gentest

hosts/default.nix

@@ -7,11 +7,13 @@ in
     marr = lib.my.mkSystem {
       hostname = "marr";
       system = "x86_64-linux";
+      extraModules = [ inputs.agenix.nixosModules.default ];
     };
 
     brontes = lib.my.mkSystem {
       hostname = "brontes";
       system = "x86_64-linux";
+      extraModules = [ inputs.agenix.nixosModules.default ];
     };
 
     styrak = lib.my.mkSystem {

hosts/marr/configuration.nix

@@ -47,6 +47,8 @@
     };
   };
 
+  age.identityPaths = [ "/home/nico/.ssh/id_ed25519" ];
+
   programs = {
     dconf.enable = true;
     steam.enable = true;

hosts/marr/home.nix

@@ -75,6 +75,7 @@
         scripts.nixedit
         scripts.set-background
         scripts.rpaste
+        scripts.nrun
         scripts.genswitch
         scripts.gentest
       ];

hosts/raptus/configuration.nix

@@ -4,15 +4,26 @@
   pkgs,
   ...
 }:
+let
+  sshAccess = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw" # brontes
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO" # marr
+  ];
+in
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
     ./disk-config.nix
-    ./docker-compose.nix
+    ./container-root.nix
+    ./rustypaste
+    ./obsidian-livesync
     ../../modules/nix
   ];
 
-  age.secrets.couchdb.file = ../../secrets/couchdb.age;
+  age.secrets = {
+    couchdb.file = ../../secrets/couchdb.age;
+    rustypaste.file = ../../secrets/rustypaste.age;
+  };
 
   device.type = {
     vm.enable = true;
@@ -27,18 +38,40 @@
   networking.firewall = lib.mkForce {
     enable = true;
     allowedTCPPorts = [
-      80
       22
+      443
       5984 # couchdb
     ];
   };
 
+  # User account to run remote builds
+  users.users.remote-build = {
+    isSystemUser = true;
+    hashedPassword = ""; # Only allow login via ssh
+    openssh.authorizedKeys.keys = sshAccess;
+    shell = pkgs.bash;
+    group = "remote-build";
+    extraGroups = [ "wheel" ];
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  users.groups.remote-build = { };
+
+  # Ensure the user can build derivations
+  nix.settings.trusted-users = [ "remote-build" ];
+
+  security.acme.defaults.email = "admin@ccnlc.eu";
+  security.acme.acceptTerms = true;
+
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    clientMaxBodySize = "50M";
     virtualHosts."rusty.ccnlc.eu" = {
-      # TODO: Enable https
+      enableACME = true;
+      forceSSL = true;
 
       locations."/" = {
         proxyPass = "http://127.0.0.1:8000";
@@ -56,10 +89,7 @@
     pkgs.gitMinimal
   ];
 
-  users.users.root.openssh.authorizedKeys.keys = [
+  users.users.root.openssh.authorizedKeys.keys = sshAccess;
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvPqWPXEUOSMGMIRmirQfbrzq//NkPlEI2TmFpIkSfw" # brontes
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGwlScEmVbdc0EH93XLX+K8yP5FKUKzMf/bWTSO+rMiO" # marr
-  ];
 
   system.stateVersion = "24.11";
 }

hosts/raptus/container-root.nix

@@ -0,0 +1,40 @@
+{ pkgs, ... }:
+
+{
+  # Runtime
+  virtualisation.podman = {
+    enable = true;
+    autoPrune.enable = true;
+    dockerCompat = true;
+    defaultNetwork.settings = {
+      # Required for container networking to be able to use names.
+      dns_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
+
+  # Networks
+  systemd.services."podman-network-test_default" = {
+    path = [ pkgs.podman ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "podman network rm -f test_default";
+    };
+    script = ''
+      podman network inspect test_default || podman network create test_default
+    '';
+    partOf = [ "podman-compose-test-root.target" ];
+    wantedBy = [ "podman-compose-test-root.target" ];
+  };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."podman-compose-test-root" = {
+    unitConfig = {
+      Description = "Root target generated by compose2nix.";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+}

hosts/raptus/docker-compose.nix

@@ -1,136 +0,0 @@
-# Auto-generated using compose2nix v0.2.2-pre.
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-
-{
-  # Runtime
-  virtualisation.podman = {
-    enable = true;
-    autoPrune.enable = true;
-    dockerCompat = true;
-    defaultNetwork.settings = {
-      # Required for container networking to be able to use names.
-      dns_enabled = true;
-    };
-  };
-  virtualisation.oci-containers.backend = "podman";
-
-  # Containers
-  virtualisation.oci-containers.containers."obsidian-livesync" = {
-    image = "couchdb";
-    environmentFiles = [ config.age.secrets.couchdb.path ];
-    volumes = [
-      "${./local.ini}:/opt/couchdb/etc/local.ini:rw"
-      "test_dbdata:/opt/couchdb/data:rw"
-    ];
-    ports = [ "5984:5984/tcp" ];
-    log-driver = "journald";
-    extraOptions = [
-      "--network-alias=couchserver"
-      "--network=test_default"
-    ];
-  };
-  systemd.services."podman-obsidian-livesync" = {
-    serviceConfig = {
-      Restart = lib.mkOverride 500 "always";
-    };
-    after = [
-      "podman-network-test_default.service"
-      "podman-volume-test_dbdata.service"
-    ];
-    requires = [
-      "podman-network-test_default.service"
-      "podman-volume-test_dbdata.service"
-    ];
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-  virtualisation.oci-containers.containers."rustypaste" = {
-    image = "orhunp/rustypaste:latest";
-    environment = {
-      "RUST_LOG" = "debug";
-    };
-    volumes = [
-      "${
-        (pkgs.formats.toml { }).generate "conf" (import ./rustypaste.nix { inherit config; })
-      }:/app/config.toml:ro"
-      "test_rustypaste-data:/app/upload:rw"
-    ];
-    ports = [ "8000:8000/tcp" ];
-    log-driver = "journald";
-    extraOptions = [
-      "--network-alias=rustypaste"
-      "--network=test_default"
-    ];
-  };
-  systemd.services."podman-rustypaste" = {
-    serviceConfig = {
-      Restart = lib.mkOverride 500 "always";
-    };
-    after = [
-      "podman-network-test_default.service"
-      "podman-volume-test_rustypaste-data.service"
-    ];
-    requires = [
-      "podman-network-test_default.service"
-      "podman-volume-test_rustypaste-data.service"
-    ];
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-
-  # Networks
-  systemd.services."podman-network-test_default" = {
-    path = [ pkgs.podman ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-      ExecStop = "podman network rm -f test_default";
-    };
-    script = ''
-      podman network inspect test_default || podman network create test_default
-    '';
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-
-  # Volumes
-  systemd.services."podman-volume-test_dbdata" = {
-    path = [ pkgs.podman ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      podman volume inspect test_dbdata || podman volume create test_dbdata
-    '';
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-  systemd.services."podman-volume-test_rustypaste-data" = {
-    path = [ pkgs.podman ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data
-    '';
-    partOf = [ "podman-compose-test-root.target" ];
-    wantedBy = [ "podman-compose-test-root.target" ];
-  };
-
-  # Root service
-  # When started, this will automatically create all resources and start
-  # the containers. When stopped, this will teardown all resources.
-  systemd.targets."podman-compose-test-root" = {
-    unitConfig = {
-      Description = "Root target generated by compose2nix.";
-    };
-    wantedBy = [ "multi-user.target" ];
-  };
-}

hosts/raptus/docker-compose.yml

@@ -1,28 +0,0 @@
-services:
-  couchserver:
-    image: couchdb
-    container_name: obsidian-livesync
-    restart: always
-    ports:
-      - 5984:5984
-    environment:
-      - COUCHDB_USER=USERNAME
-      - COUCHDB_PASSWORD=PASSWORD
-    volumes:
-      - dbdata:/opt/couchdb/data
-      - ./local.ini:/opt/couchdb/etc/local.ini
-  rustypaste:
-    image: orhunp/rustypaste:${IMAGE_TAG:-latest}
-    build: .
-    container_name: rustypaste
-    restart: always
-    environment:
-      - RUST_LOG=debug
-    ports:
-      - "8000:8000"
-    volumes:
-      - rustypaste-data:/app/upload
-      - ./rusty.toml:/app/config.toml
-volumes:
-  dbdata:
-  rustypaste-data:

hosts/raptus/obsidian-livesync/default.nix

@@ -0,0 +1,52 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers."obsidian-livesync" = {
+    image = "couchdb";
+    environmentFiles = [ config.age.secrets.couchdb.path ];
+    volumes = [
+      "${./local.ini}:/opt/couchdb/etc/local.ini:rw"
+      "test_dbdata:/opt/couchdb/data:rw"
+    ];
+    ports = [ "5984:5984/tcp" ];
+    log-driver = "journald";
+    extraOptions = [
+      "--network-alias=couchserver"
+      "--network=test_default"
+    ];
+  };
+  systemd.services."podman-obsidian-livesync" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 500 "always";
+    };
+    after = [
+      "podman-network-test_default.service"
+      "podman-volume-test_dbdata.service"
+    ];
+    requires = [
+      "podman-network-test_default.service"
+      "podman-volume-test_dbdata.service"
+    ];
+    partOf = [ "podman-compose-test-root.target" ];
+    wantedBy = [ "podman-compose-test-root.target" ];
+  };
+
+  # Volumes
+  systemd.services."podman-volume-test_dbdata" = {
+    path = [ pkgs.podman ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      podman volume inspect test_dbdata || podman volume create test_dbdata
+    '';
+    partOf = [ "podman-compose-test-root.target" ];
+    wantedBy = [ "podman-compose-test-root.target" ];
+  };
+
+}

hosts/raptus/rusty.toml

@@ -1,67 +0,0 @@
-[config]
-refresh_rate = "1s"
-
-[server]
-address = "127.0.0.1:8000"
-url = "http://rusty.ccnlc.eu"
-workers = 4
-max_content_length = "50MB"
-upload_path = "./upload"
-timeout = "30s"
-expose_version = false
-expose_list = false
-auth_tokens = ["super_secret_token1", "super_secret_token2"]
-#delete_tokens = [
-#  "super_secret_token1",
-#  "super_secret_token3",
-#]
-handle_spaces = "replace" # or "encode"
-
-[landing_page]
-text = """
-┬─┐┬ ┬┌─┐┌┬┐┬ ┬┌─┐┌─┐┌─┐┌┬┐┌─┐
-├┬┘│ │└─┐ │ └┬┘├─┘├─┤└─┐ │ ├┤
-┴└─└─┘└─┘ ┴  ┴ ┴  ┴ ┴└─┘ ┴ └─┘
-
-Submit files via HTTP POST here:
-    curl -F 'file=@example.txt' <server>
-This will return the URL of the uploaded file.
-
-The server administrator might remove any pastes that they do not personally
-want to host.
-
-If you are the server administrator and want to change this page, just go
-into your config file and change it! If you change the expiry time, it is
-recommended that you do.
-
-By default, pastes expire every hour. The server admin may or may not have
-changed this.
-
-Check out the GitHub repository at https://github.com/orhun/rustypaste
-Command line tool is available  at https://github.com/orhun/rustypaste-cli
-"""
-#file = "index.txt"
-content_type = "text/plain; charset=utf-8"
-
-[paste]
-random_url = { type = "petname", words = 2, separator = "-" }
-#random_url = { type = "alphanumeric", length = 8 }
-#random_url = { type = "alphanumeric", length = 6, suffix_mode = true }
-default_extension = "txt"
-mime_override = [
-  { mime = "image/jpeg", regex = "^.*\\.jpg$" },
-  { mime = "image/png", regex = "^.*\\.png$" },
-  { mime = "image/svg+xml", regex = "^.*\\.svg$" },
-  { mime = "video/webm", regex = "^.*\\.webm$" },
-  { mime = "video/x-matroska", regex = "^.*\\.mkv$" },
-  { mime = "application/octet-stream", regex = "^.*\\.bin$" },
-  { mime = "text/plain", regex = "^.*\\.(log|txt|diff|sh|rs|toml)$" },
-]
-mime_blacklist = [
-  "application/x-dosexec",
-  "application/java-archive",
-  "application/java-vm",
-]
-duplicate_files = false
-default_expiry = "1h"
-delete_expired_files = { enabled = true, interval = "1h" }

hosts/raptus/rustypaste/conf.nix

@@ -1,11 +1,10 @@
-{ config, ... }:
 {
   config = {
     refresh_rate = "1s";
   };
   server = {
     address = "127.0.0.1:8000";
-    url = "http://rusty.ccnlc.eu";
+    url = "https://rusty.ccnlc.eu";
     workers = 4;
     max_content_length = "50MB";
     upload_path = "./upload";

hosts/raptus/rustypaste/default.nix

@@ -0,0 +1,53 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers."rustypaste" = {
+    image = "orhunp/rustypaste:latest";
+    environment = {
+      "RUST_LOG" = "debug";
+    };
+    environmentFiles = [ config.age.secrets.rustypaste.path ];
+    volumes = [
+      "${(pkgs.formats.toml { }).generate "conf" (import ./conf.nix)}:/app/config.toml:ro"
+      "test_rustypaste-data:/app/upload:rw"
+    ];
+    ports = [ "8000:8000/tcp" ];
+    log-driver = "journald";
+    extraOptions = [
+      "--network-alias=rustypaste"
+      "--network=test_default"
+    ];
+  };
+  systemd.services."podman-rustypaste" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 500 "always";
+    };
+    after = [
+      "podman-network-test_default.service"
+      "podman-volume-test_rustypaste-data.service"
+    ];
+    requires = [
+      "podman-network-test_default.service"
+      "podman-volume-test_rustypaste-data.service"
+    ];
+    partOf = [ "podman-compose-test-root.target" ];
+    wantedBy = [ "podman-compose-test-root.target" ];
+  };
+
+  systemd.services."podman-volume-test_rustypaste-data" = {
+    path = [ pkgs.podman ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      podman volume inspect test_rustypaste-data || podman volume create test_rustypaste-data
+    '';
+    partOf = [ "podman-compose-test-root.target" ];
+    wantedBy = [ "podman-compose-test-root.target" ];
+  };
+}

modules/default.nix

@@ -18,5 +18,6 @@
     ./env.nix
     ./system/printing.nix
     ./system/audio.nix
+    ./secrets.nix
   ];
 }

modules/secrets.nix

@@ -0,0 +1,6 @@
+{
+  age.secrets.rustypaste = {
+    file = ../secrets/rustypaste.age;
+    owner = "nico";
+  };
+}

options/default.nix

@@ -1,15 +1,25 @@
 { lib, ... }:
+let
+  inherit (lib.types) bool array string;
+
+in
+
 {
   options = {
     device = {
+      pubKeys = lib.mkOption {
+        type = array string;
+        default = [ ];
+      };
+
       type = {
         gaming.enable = lib.mkEnableOption {
-          type = lib.types.bool;
+          type = bool;
           default = false;
         };
 
         graphical.enable = lib.mkEnableOption {
-          type = lib.types.bool;
+          type = bool;
           default = false;
         };