From 5db2541201ff9bdcdd0ac43d329fdb5715d2ef20 Mon Sep 17 00:00:00 2001
From: tux
Date: Sat, 22 Feb 2025 09:51:08 +0530
Subject: [PATCH] feat: add tfolio
---
 flake.lock | 21 ++++++++
 flake.nix | 4 ++
 hosts/alpha/default.nix | 2 +
 hosts/common/default.nix | 1 +
 modules/nixos/tfolio.nix | 102 +++++++++++++++++++++++++++++++++++++++
 overlays/default.nix | 1 +
 6 files changed, 131 insertions(+)
 create mode 100644 modules/nixos/tfolio.nix
diff --git a/flake.lock b/flake.lock
index d833b68..7d91880 100755
--- a/flake.lock
+++ b/flake.lock
@@ -713,6 +713,7 @@
"nixpkgs-stable": "nixpkgs-stable_3",
"nur": "nur",
"sops-nix": "sops-nix",
+ "tfolio": "tfolio",
"wezterm-flake": "wezterm-flake"
}
},
@@ -832,6 +833,26 @@
"type": "github"
}
},
+ "tfolio": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1740197906,
+ "narHash": "sha256-G4H/c91GlHhUG7joDXxmvtcWz1xepzwRR4J+gQGLH+k=",
+ "ref": "refs/heads/main",
+ "rev": "23cf45aa50e8db9533d8ca432bcd7b4d2bc2b421",
+ "revCount": 13,
+ "type": "git",
+ "url": "ssh://git@github.com/tuxdotrs/tfolio.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://git@github.com/tuxdotrs/tfolio.git"
+ }
+ },
"treefmt-nix": {
"inputs": {
"nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 785f3b8..c544717 100755
--- a/flake.nix
+++ b/flake.nix
@@ -90,6 +90,10 @@
url = "git+ssh://git@github.com/tuxdotrs/nix-secrets.git?shallow=1";
inputs.nixpkgs.follows = "nixpkgs";
};
+ tfolio = {
+ url = "git+ssh://git@github.com/tuxdotrs/tfolio.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
cyber-tux = {
url = "git+ssh://git@github.com/tuxdotrs/cyber-tux.git";
inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/alpha/default.nix b/hosts/alpha/default.nix
index e071317..51fe3e7 100644
--- a/hosts/alpha/default.nix
+++ b/hosts/alpha/default.nix
@@ -15,6 +15,8 @@
tux.services.openssh.enable = true;
tux.services.openssh.ports = [23];
+ tux.services.tfolio.enable = true;
+
sops.secrets = {
borg_encryption_key = {
sopsFile = ./secrets.yaml;
diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index ec6a834..b0c234b 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -14,6 +14,7 @@
../../modules/nixos/fail2ban.nix
../../modules/nixos/sops.nix
../../modules/nixos/upstream-proxy.nix
+ ../../modules/nixos/tfolio.nix
../../modules/nixos/cyber-tux.nix
../../modules/nixos/networking/ssh.nix
];
diff --git a/modules/nixos/tfolio.nix b/modules/nixos/tfolio.nix
new file mode 100644
index 0000000..3a90505
--- /dev/null
+++ b/modules/nixos/tfolio.nix
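Review bot: `tux.services.tfolio.enable = true;` takes the module defaults, which (per the `host` and `port` defaults in modules/nixos/tfolio.nix in this patch) bind tfolio to 0.0.0.0:22, and that only avoids a bind conflict because the line above moves openssh to port 23; the dependency between the two lines is implicit. Make it explicit next to the openssh setting, e.g. `tux.services.tfolio.port = 22; # sshd is on 23 so tfolio owns the standard SSH port`, so a later change to `openssh.ports` does not silently leave one of the two services failing to bind.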
@@ -0,0 +1,102 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.tux.services.tfolio;
+in {
+ options.tux.services.tfolio = {
+ enable = mkEnableOption "Enable tfolio";
+
+ host = mkOption {
+ type = lib.types.str;
+ default = "0.0.0.0";
+ description = "";
+ };
+
+ port = mkOption {
+ type = lib.types.port;
+ default = 22;
+ description = "";
+ };
+
+ dataDir = mkOption {
+ type = lib.types.str;
+ default = "/var/lib/tfolio/";
+ description = "";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "tfolio";
+ description = "User under which the tfolio service runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "tfolio";
+ description = "Group under which the tfolio service runs.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services = {
+ tfolio = {
+ description = "my portfolio in a ssh session";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+
+ serviceConfig = {
+ Type = "simple";
+ User = cfg.user;
+ Group = cfg.group;
+ ExecStart = "${getExe pkgs.tfolio} -l ${cfg.host} -p ${toString cfg.port} -d ${cfg.dataDir}";
+ Restart = "always";
+ StateDirectory = "tfolio";
+
+ # Allow binding to privileged ports
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateIPC = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "read-only";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictNamespaces = "uts ipc pid user cgroup";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = ["@system-service"];
+ UMask = "0077";
+ };
+ };
+ };
+ # Ensure the user and group exist
+ users.users = mkIf (cfg.user == "tfolio") {
+ ${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ description = "tfolio service user";
+ home = "/var/lib/tfolio";
+ createHome = true;
+ };
+ };
+
+ users.groups = mkIf (cfg.group == "tfolio") {
+ ${cfg.group} = {};
+ };
+ };
+}
diff --git a/overlays/default.nix b/overlays/default.nix
index b5f5b39..b6aa436 100755
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -4,6 +4,7 @@
modifications = final: prev: {
awesome = inputs.nixpkgs-f2k.packages.${prev.system}.awesome-git;
ghostty = inputs.ghostty.packages.${prev.system}.default;
+ tfolio = inputs.tfolio.packages.${prev.system}.default;
cyber-tux = inputs.cyber-tux.packages.${prev.system}.default;
discord = prev.discord.override {
withOpenASAR = true;
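Review bot: `RestrictNamespaces = "uts ipc pid user cgroup";` in serviceConfig is an allow-list in systemd's semantics: every listed namespace type, user namespaces included, stays creatable and only the unlisted net and mnt types are blocked, which looks like the inverse of what the rest of this hardening block intends; `RestrictNamespaces = true;` prohibits all namespace creation, or prefix the list with `~` to turn it into a deny-list. The three `description = "";` entries for host, port and dataDir should state what the option feeds, e.g. `description = "Address passed to tfolio via -l (presumably the listen address).";`, `"TCP port passed via -p; the default 22 needs CAP_NET_BIND_SERVICE, which the unit grants."` and `"Directory passed via -d."`. `StateDirectory = "tfolio"` only provisions /var/lib/tfolio, so an overridden `dataDir` is handed to `-d` but never created and is not covered by the ProtectHome/UMask assumptions; either derive the default from the state directory or document that a non-default dataDir must already exist and be writable by cfg.user. The `users.users`/`users.groups` guards only create the account when the default names are kept, which is worth a one-line comment since a custom `user` silently requires the caller to define it.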