From 6d0585bbc0a74ae8d23b643ab4a0e13149e3757f Mon Sep 17 00:00:00 2001 From: tux Date: Thu, 27 Feb 2025 17:30:27 +0530 Subject: [PATCH] feat: add trok --- flake.lock | 39 ++++++++++++++ flake.nix | 5 ++ hosts/alpha/default.nix | 3 ++ hosts/common/default.nix | 1 + modules/nixos/selfhosted/trok.nix | 90 +++++++++++++++++++++++++++++++ overlays/default.nix | 1 + 6 files changed, 139 insertions(+) create mode 100644 modules/nixos/selfhosted/trok.nix diff --git a/flake.lock b/flake.lock index aad9d3a..b1d5447 100755 --- a/flake.lock +++ b/flake.lock @@ -872,8 +872,10 @@ "nixpkgs-stable": "nixpkgs-stable_3", "nur": "nur", "sops-nix": "sops-nix", + "tawm": "tawm", "tfolio": "tfolio", "tnvim": "tnvim", + "trok": "trok", "wezterm-flake": "wezterm-flake" } }, @@ -1009,6 +1011,26 @@ "type": "github" } }, + "tawm": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1740652942, + "narHash": "sha256-PTt6a/UQJTIbOUyHWw2mjVrPzIPsPA8rllJjNM5RoEo=", + "owner": "tuxdotrs", + "repo": "tawm", + "rev": "5f70161a1975096182518e5a8738d618465cf754", + "type": "github" + }, + "original": { + "owner": "tuxdotrs", + "repo": "tawm", + "type": "github" + } + }, "tfolio": { "inputs": { "nixpkgs": [ @@ -1070,6 +1092,23 @@ "type": "github" } }, + "trok": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1740655111, + "narHash": "sha256-kDIolURbhhIYPteFKgND+4MPmLbtkJBh6T/gpavYA28=", + "path": "/home/tux/Projects/trok", + "type": "path" + }, + "original": { + "path": "/home/tux/Projects/trok", + "type": "path" + } + }, "utils": { "inputs": { "systems": "systems" diff --git a/flake.nix b/flake.nix index 90c6013..6207e59 100755 --- a/flake.nix +++ b/flake.nix 
@@ -133,6 +133,11 @@ url = "github:tuxdotrs/tnvim"; inputs.nixpkgs.follows = "nixpkgs"; }; + trok = { + # url = "git+ssh://git@github.com/tuxdotrs/trok.git"; + url = "path:/home/tux/Projects/trok"; + inputs.nixpkgs.follows = "nixpkgs"; + }; tfolio = { url = "git+ssh://git@github.com/tuxdotrs/tfolio.git"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/alpha/default.nix b/hosts/alpha/default.nix index af736fb..07fa243 100644 --- a/hosts/alpha/default.nix +++ b/hosts/alpha/default.nix @@ -15,6 +15,9 @@ tux.services.openssh.enable = true; tux.services.openssh.ports = [23]; + tux.services.trok.enable = true; + tux.services.trok.openFirewall = true; + tux.services.tfolio.enable = true; sops.secrets = { diff --git a/hosts/common/default.nix b/hosts/common/default.nix index b3bac8b..6fc0368 100644 --- a/hosts/common/default.nix +++ b/hosts/common/default.nix @@ -16,6 +16,7 @@ ../../modules/nixos/selfhosted/tfolio.nix ../../modules/nixos/selfhosted/cyber-tux.nix ../../modules/nixos/networking/ssh.nix + ../../modules/nixos/selfhosted/trok.nix ]; sops.secrets.tux-password = { diff --git a/modules/nixos/selfhosted/trok.nix b/modules/nixos/selfhosted/trok.nix new file mode 100644 index 0000000..a2e0231 --- /dev/null +++ b/modules/nixos/selfhosted/trok.nix 
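Review bot: The new `trok` input is pinned to a local checkout, `url = "path:/home/tux/Projects/trok"`, so the matching lock entry added in flake.lock records only a narHash and an absolute path under /home/tux with no commit rev, and no other machine or CI runner can reproduce this build. The commented-out `git+ssh://git@github.com/tuxdotrs/trok.git` line above it reads as a development override that slipped into the commit; a path input also snapshots whatever uncommitted state that directory holds at `nix flake update` time, which is exactly the provenance the other inputs get from a pinned rev and this one does not. Restore the git URL and let flake.lock pin the revision, e.g. `url = "git+ssh://git@github.com/tuxdotrs/trok.git";`, or if the local path is intentional for now, say so in a `# TODO` on that line so it is not deployed from by accident. The enclosing `inputs` attribute set starts before the hunk.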
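Review bot: `tux.services.trok.openFirewall = true;` opens the trok listener (TCP 1337 by the new module's default) on every interface of alpha, next to the SSH port already exposed a few lines up. Nothing in this change shows whether `trok server` authenticates or encrypts client connections, so I cannot tell from here that it is safe to expose directly; if it is meant to sit behind a reverse proxy, an SSH tunnel or a VPN interface, keep the default `openFirewall = false` and scope the rule with `networking.firewall.interfaces.<name>.allowedTCPPorts` instead. If it is meant to be public, a one-line comment above the setting stating that (and what protects it) would spare the next reader the same question. The enclosing configuration attribute set continues outside the hunk.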
@@ -0,0 +1,90 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.tux.services.trok;
+in {
+ options.tux.services.trok = {
+ enable = mkEnableOption "Enable trok";
+
+ port = mkOption {
+ type = lib.types.port;
+ default = 1337;
+ description = "Port number on which the trok service will listen.";
+ };
+
+ openFirewall = mkEnableOption "Enable firewall port";
+
+ user = mkOption {
+ type = types.str;
+ default = "trok";
+ description = "User under which the trok service runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "trok";
+ description = "Group under which the trok service runs.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];
+
+ systemd.services = {
+ trok = {
+ description = "trok server";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ User = "trok";
+ Group = "trok";
+ ExecStart = "${getExe pkgs.trok} server -p ${toString cfg.port}";
+ Restart = "always";
+
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service"];
+ UMask = "0077";
+ };
+ };
+ };
+ # Ensure the user and group exist
+ users.users = mkIf (cfg.user == "trok") {
+ ${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ description = "trok service user";
+ home = "/var/lib/trok";
+ createHome = true;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "trok") {
+ ${cfg.group} = {};
+ };
+ };
+}
diff --git a/overlays/default.nix b/overlays/default.nix
index bfdce12..f5e1c36 100755
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -7,6 +7,7 @@
 tawm = inputs.tawm.packages.${prev.system}.default;
 tnvim = inputs.tnvim.packages.${prev.system}.default;
 tfolio = inputs.tfolio.packages.${prev.system}.default;
+ trok = inputs.trok.packages.${prev.system}.default;
 cyber-tux = inputs.cyber-tux.packages.${prev.system}.default;
 discord = prev.discord.override {
 withOpenASAR = true;
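Review bot: `User = "trok"; Group = "trok";` in serviceConfig ignore the `user` and `group` options declared above, so with a non-default `user` the `mkIf (cfg.user == "trok")` guard creates no account while the unit still tries to run as `trok`, and the service fails to start instead of running as the configured identity; the fix is `User = cfg.user; Group = cfg.group;`. Two hardening lines also do not do what they look like: `RestrictNamespaces = "uts ipc pid user cgroup"` is an allow-list in systemd, so it permits creating those namespace types (user namespaces included) and only blocks net and mnt, whereas `RestrictNamespaces = true` denies all of them; and `ProtectSystem = "strict"` makes the whole filesystem read-only, so the `/var/lib/trok` home created for the user is not writable by the service unless `StateDirectory = "trok"` (or ReadWritePaths) is added — I cannot tell from the diff whether `trok server` persists anything, so confirm before keeping that line. For a listener that only needs TCP, `RestrictAddressFamilies = ["AF_INET" "AF_INET6"]` and `CapabilityBoundingSet = ""` close the remaining obvious gaps, and `@system-service` is conventionally paired with `"~@privileged" "~@resources"`. Only the serviceConfig lines below change; the unit's other attributes and the users/groups declarations stay as they are.
```nix
serviceConfig = {
  # … unchanged: Type, ExecStart, Restart …
  User = cfg.user;
  Group = cfg.group;
  # ProtectSystem = "strict" leaves /var/lib/trok read-only; StateDirectory carves
  # out a writable, correctly-owned directory. NOTE(review): drop if trok keeps no state.
  StateDirectory = "trok";
  # … unchanged: LockPersonality … ProtectSystem …
  RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
  RestrictNamespaces = true;
  CapabilityBoundingSet = "";
  # … unchanged: RestrictRealtime, RestrictSUIDSGID, SystemCallArchitectures …
  SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
  # … unchanged: UMask …
};
```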