From 3fb9c26b9f302dda9554daacea8f16d605b5af6a Mon Sep 17 00:00:00 2001
From: Julien Malka <julien@malka.sh>
Date: Fri, 1 Nov 2024 22:43:02 +0100
Subject: [PATCH] chore(gustave): intro readeck

---
 lib/mkmachine.nix            |   1 +
 machines/gustave/default.nix |   1 +
 machines/gustave/readeck.nix |  18 ++++++++
 modules/readeck/default.nix  |  71 +++++++++++++++++++++++++++++++
 packages/readeck/default.nix |  80 +++++++++++++++++++++++++++++++++++
 secrets/readeck-config.age   | Bin 0 -> 678 bytes
 secrets/secrets.nix          |   5 +++
 7 files changed, 176 insertions(+)
 create mode 100644 machines/gustave/readeck.nix
 create mode 100644 modules/readeck/default.nix
 create mode 100644 packages/readeck/default.nix
 create mode 100644 secrets/readeck-config.age

diff --git a/lib/mkmachine.nix b/lib/mkmachine.nix
index 6c36191..b661add 100644
--- a/lib/mkmachine.nix
+++ b/lib/mkmachine.nix
@@ -55,6 +55,7 @@ import "${nixpkgs}/nixos/lib/eval-config.nix" {
           keycloak-keywind = prev.pkgs.callPackage ../packages/keycloak-keywind { };
           hydrasect = prev.pkgs.callPackage ../packages/hydrasect { };
           codeberg-pages-custom = prev.pkgs.callPackage ../packages/codeberg-pages-custom { };
+          readeck = prev.pkgs.callPackage ../packages/readeck { };
         })
 
         (
diff --git a/machines/gustave/default.nix b/machines/gustave/default.nix
index fa369e7..d795e1e 100644
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@@ -12,6 +12,7 @@
     ./nsd.nix
     ./borg.nix
     ./pages.nix
+    ./readeck.nix
   ];
 
   machine.meta = {
diff --git a/machines/gustave/readeck.nix b/machines/gustave/readeck.nix
new file mode 100644
index 0000000..cc6b7d2
--- /dev/null
+++ b/machines/gustave/readeck.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+
+  age.secrets."readeck-config".file = ../../secrets/readeck-config.age;
+
+  services.nginx.virtualHosts."read.luj" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:8000";
+    };
+  };
+
+  services.readeck = {
+    enable = true;
+    configPath = config.age.secrets."readeck-config".path;
+  };
+}
diff --git a/modules/readeck/default.nix b/modules/readeck/default.nix
new file mode 100644
index 0000000..2a3fada
--- /dev/null
+++ b/modules/readeck/default.nix
@@ -0,0 +1,71 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.services.readeck;
+in
+{
+
+  meta.maintainers = [ lib.maintainers.julienmalka ];
+
+  options = {
+    services.readeck = {
+      enable = mkEnableOption "Readeck";
+
+      package = mkPackageOption pkgs "readeck" { };
+
+      configPath = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description = "Path to file containing config.";
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.readeck = {
+      description = "Readeck";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "simple";
+        StateDirectory = "readeck";
+        LoadCredential = "config:${cfg.configPath}";
+        WorkingDirectory = "/var/lib/readeck";
+        DynamicUser = true;
+        ExecStart = "${lib.getExe cfg.package} serve -config \${CREDENTIALS_DIRECTORY}/config";
+        ProtectSystem = "full";
+        SystemCallArchitectures = "native";
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+          "AF_NETLINK"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        DevicePolicy = "closed";
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectProc = "invisible";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        LockPersonality = true;
+        Restart = "on-failure";
+
+      };
+    };
+  };
+}
diff --git a/packages/readeck/default.nix b/packages/readeck/default.nix
new file mode 100644
index 0000000..8c0b3cd
--- /dev/null
+++ b/packages/readeck/default.nix
@@ -0,0 +1,80 @@
+{
+  fetchFromGitea,
+  fetchNpmDeps,
+  buildGoModule,
+  nodejs,
+  npmHooks,
+  lib,
+}:
+
+let
+  file-compose = buildGoModule rec {
+
+    pname = "file-compose";
+    version = "unstable-2023-10-21";
+
+    src = fetchFromGitea {
+      domain = "codeberg.org";
+      owner = "readeck";
+      repo = "file-compose";
+      rev = "afa938655d412556a0db74b202f9bcc1c40d8579";
+      hash = "sha256-rMANRqUQRQ8ahlxuH1sWjlGpNvbReBOXIkmBim/wU2o=";
+    };
+
+    vendorHash = "sha256-Qwixx3Evbf+53OFeS3Zr7QCkRMfgqc9hUA4eqEBaY0c=";
+  };
+in
+
+buildGoModule rec {
+
+  pname = "readeck";
+  version = "0.15.4";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "readeck";
+    repo = "readeck";
+    rev = version;
+    hash = "sha256-GqpCIxwaS0OBKEgd3ByGDeg5ZkSZFusg7dFPOZpQYtI=";
+  };
+
+  nativeBuildInputs = [
+    nodejs
+    npmHooks.npmConfigHook
+  ];
+
+  npmRoot = "web";
+
+  NODE_PATH = "$npmDeps";
+
+  preBuild = ''
+    make web-build
+    ${file-compose}/bin/file-compose -format json docs/api/api.yaml docs/assets/api.json
+    go run ./tools/docs docs/src docs/assets
+  '';
+
+  tags = [
+    "netgo"
+    "osusergo"
+    "sqlite_omit_load_extension"
+    "sqlite_foreign_keys"
+    "sqlite_json1"
+    "sqlite_fts5"
+    "sqlite_secure_delete"
+  ];
+
+  overrideModAttrs = oldAttrs: {
+    # Do not add `npmConfigHook` to `goModules`
+    nativeBuildInputs = lib.remove npmHooks.npmConfigHook oldAttrs.nativeBuildInputs;
+    # Do not run `preBuild` when building `goModules`
+    preBuild = null;
+  };
+
+  npmDeps = fetchNpmDeps {
+    src = "${src}/web";
+    hash = "sha256-zqaiAChUdkzeoDjbGJ57tFsAiawU50G6KQEJgrcM3OA=";
+  };
+
+  vendorHash = "sha256-U1vMIig2/mncH07o1AZ2mUor5lq5WmNsfY/X2GbSGQA=";
+
+}
diff --git a/secrets/readeck-config.age b/secrets/readeck-config.age
new file mode 100644
index 0000000000000000000000000000000000000000..7a5deccb4996200d834e4dea4264f2621a0e436e
GIT binary patch
literal 678
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHHLi?^3REb_&(e<y
z3J!91E_4nL%udTL4mEM~F7OTT4=XbCF;8|k_l)w=5Ad)EPUiBC@JmZ6OU?EvuShC#
zb@wwfDKaWZ@^j5`uW$<qO>|FAGR_J}H&1jm3q-fgu`t4@BweA{%emCmztl7-*eoe5
z)X>dY+rp`|sH{9V*Q+==&?haT$|$0+D#|w_JD;m0+d0ys%)-FU-=r|x%fl_lQQJAm
z)5p>%C^^;JGu0=`&nqjhAiN??-vr$@&ma%SY)6Ii@Z7)<ePdH+Q;&+E$Q1oxCxZ~r
z6vL`eFB9Vs)8N!>!^EoK@N(_Spkl5<BezIzSEs<_{0jG~!Vq^;PyL`oPnQyx9Frv9
z)QmKvlC+ZKoRGXgKVL3gU0sFn;L4DqDrd`_>>@8Gk4htRzo0@#Z5NX&i;RE*lZtZR
z+=#r$@^lxYOarbs&3y%$3cGHZ=>BQs-(#}9?oAWV&FmfZ%fC$GP|Aos+V|WjHD%@V
zFeQz3<qFsM6tfhrKH%PdYpu9lm$jD0{E0>zDw<M_3L>5yU|P;qb$*xe#E6etX$!X`
z`)|H#y5Q-tIW7IdF|XI^yEd^@SN&z~nVmXU*7?Q)ezwh9M7pMJ`L}H5)zSrf|EcX3
zd%hy@(~;oT)U`6qWn1S?e^AX6qpis|rSIyLSIaKEJ!}0sNk+Ab@A#r(39iHhp<jzW
zD8@7R+?n<^>xHD%^Oc!lXYMhYD6R|JUFzTNY1%6hn}2qy=yV3nxVLBc(t3-WFDm3l
wJ&wKaeo67tJkJ^I^}4H?$_`BtsQ1-+=h%F-`s7)LKtAdF95<X**2>xe0NRoQ!T<mO

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 32cacc9..f94bdc1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -96,4 +96,9 @@ in
   ];
   "404-ssl-certificate-cert.age".publicKeys = all;
   "404-ssl-certificate-key.age".publicKeys = all;
+  "readeck-config.age".publicKeys = [
+    gallifrey
+    tower
+    gustave
+  ];
 }