chore(gustave): intro readeck

2025-03-25 21:30:52 +01:00 · 2024-11-01 22:43:02 +01:00 · 2024-11-01 22:43:02 +01:00 · 3fb9c26b9f
commit 3fb9c26b9f
parent 3343c41223
7 changed files with 176 additions and 0 deletions
--- a/lib/mkmachine.nix
+++ b/lib/mkmachine.nix
@ -55,6 +55,7 @@ import "${nixpkgs}/nixos/lib/eval-config.nix" {
          keycloak-keywind = prev.pkgs.callPackage ../packages/keycloak-keywind { };
          hydrasect = prev.pkgs.callPackage ../packages/hydrasect { };
          codeberg-pages-custom = prev.pkgs.callPackage ../packages/codeberg-pages-custom { };
+          readeck = prev.pkgs.callPackage ../packages/readeck { };
        })

        (
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@ -12,6 +12,7 @@
    ./nsd.nix
    ./borg.nix
    ./pages.nix
+    ./readeck.nix
  ];

  machine.meta = {
--- a/machines/gustave/readeck.nix
+++ b/machines/gustave/readeck.nix
@ -0,0 +1,18 @@
+{ config, ... }:
+{
+
+  age.secrets."readeck-config".file = ../../secrets/readeck-config.age;
+
+  services.nginx.virtualHosts."read.luj" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:8000";
+    };
+  };
+
+  services.readeck = {
+    enable = true;
+    configPath = config.age.secrets."readeck-config".path;
+  };
+}
--- a/modules/readeck/default.nix
+++ b/modules/readeck/default.nix
@ -0,0 +1,71 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.services.readeck;
+in
+{
+
+  meta.maintainers = [ lib.maintainers.julienmalka ];
+
+  options = {
+    services.readeck = {
+      enable = mkEnableOption "Readeck";
+
+      package = mkPackageOption pkgs "readeck" { };
+
+      configPath = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Path to file containing config.";
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.readeck = {
+      description = "Readeck";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        StateDirectory = "readeck";
+        LoadCredential = "config:${cfg.configPath}";
+        WorkingDirectory = "/var/lib/readeck";
+        DynamicUser = true;
+        ExecStart = "${lib.getExe cfg.package} serve -config \${CREDENTIALS_DIRECTORY}/config";
+        ProtectSystem = "full";
+        SystemCallArchitectures = "native";
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        DevicePolicy = "closed";
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectProc = "invisible";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        LockPersonality = true;
+        Restart = "on-failure";
+
+      };
+    };
+  };
+}
--- a/packages/readeck/default.nix
+++ b/packages/readeck/default.nix
@ -0,0 +1,80 @@
+{
+  fetchFromGitea,
+  fetchNpmDeps,
+  buildGoModule,
+  nodejs,
+  npmHooks,
+  lib,
+}:
+
+let
+  file-compose = buildGoModule rec {
+
+    pname = "file-compose";
+    version = "unstable-2023-10-21";
+
+    src = fetchFromGitea {
+      domain = "codeberg.org";
+      owner = "readeck";
+      repo = "file-compose";
+      rev = "afa938655d412556a0db74b202f9bcc1c40d8579";
+      hash = "sha256-rMANRqUQRQ8ahlxuH1sWjlGpNvbReBOXIkmBim/wU2o=";
+    };
+
+    vendorHash = "sha256-Qwixx3Evbf+53OFeS3Zr7QCkRMfgqc9hUA4eqEBaY0c=";
+  };
+in
+
+buildGoModule rec {
+
+  pname = "readeck";
+  version = "0.15.4";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "readeck";
+    repo = "readeck";
+    rev = version;
+    hash = "sha256-GqpCIxwaS0OBKEgd3ByGDeg5ZkSZFusg7dFPOZpQYtI=";
+  };
+
+  nativeBuildInputs = [
+    nodejs
+    npmHooks.npmConfigHook
+  ];
+
+  npmRoot = "web";
+
+  NODE_PATH = "$npmDeps";
+
+  preBuild = ''
+    make web-build
+    ${file-compose}/bin/file-compose -format json docs/api/api.yaml docs/assets/api.json
+    go run ./tools/docs docs/src docs/assets
+  '';
+
+  tags = [
+    "netgo"
+    "osusergo"
+    "sqlite_omit_load_extension"
+    "sqlite_foreign_keys"
+    "sqlite_json1"
+    "sqlite_fts5"
+    "sqlite_secure_delete"
+  ];
+
+  overrideModAttrs = oldAttrs: {
+    # Do not add `npmConfigHook` to `goModules`
+    nativeBuildInputs = lib.remove npmHooks.npmConfigHook oldAttrs.nativeBuildInputs;
+    # Do not run `preBuild` when building `goModules`
+    preBuild = null;
+  };
+
+  npmDeps = fetchNpmDeps {
+    src = "${src}/web";
+    hash = "sha256-zqaiAChUdkzeoDjbGJ57tFsAiawU50G6KQEJgrcM3OA=";
+  };
+
+  vendorHash = "sha256-U1vMIig2/mncH07o1AZ2mUor5lq5WmNsfY/X2GbSGQA=";
+
+}
--- a/secrets/readeck-config.age
+++ b/secrets/readeck-config.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -96,4 +96,9 @@ in
  ];
  "404-ssl-certificate-cert.age".publicKeys = all;
  "404-ssl-certificate-key.age".publicKeys = all;
+  "readeck-config.age".publicKeys = [
+    gallifrey
+    tower
+    gustave
+  ];
 }