tyo0: drop pixivfe

2024-08-29 23:22:46 +08:00 · 2024-08-29 23:22:46 +08:00 · 012dd00ed4
commit 012dd00ed4
parent 16777141b3
9 changed files with 4 additions and 313 deletions
--- a/hosts/tyo0/Caddyfile
+++ b/hosts/tyo0/Caddyfile
@ -51,14 +51,6 @@ ntfy.ny4.dev {
 	reverse_proxy unix//run/ntfy-sh/ntfy.sock
 }
 pixiv.ny4.dev {
 	import default
 	basicauth {
 		Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
 	}
 	reverse_proxy unix//run/pixivfe/pixiv.sock
 }
 id.ny4.dev {
 	import default
 	reverse_proxy localhost:8800
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@ -14,7 +14,6 @@
    ./services/miniflux.nix
    ./services/murmur.nix
    ./services/ntfy.nix
    ./services/pixivfe.nix
    ./services/redlib.nix
    ./services/sing-box.nix
    ./services/vaultwarden.nix
@ -39,9 +38,6 @@
    "sing-box/auth" = {
      restartUnits = [ "sing-box.service" ];
    };
    "pixivfe/environment" = {
      restartUnits = [ "pixivfe.service" ];
    };
    "miniflux/environment" = {
      restartUnits = [ "miniflux.service" ];
    };
--- a/hosts/tyo0/secrets.yaml
+++ b/hosts/tyo0/secrets.yaml
@ -1,7 +1,5 @@
 sing-box:
    auth: ENC[AES256_GCM,data:szsNEmPyKZZJXxZ/1CCVNNocNp2dkUNT8n/Evf61J8LnBZGiUNKZek7ecdvU6VVsszOYD4uv6F3WmulmUqSRff2fI8pn3/if5cNSMOT9KUQpJMwnYMVIWGI+Epmr76rQUuf766yMA3UEloSuwOvpWjUmfdonfr2jKocMJRDgDoI4tWRHpRmjcF7mRt5x12FFgAhDmlNZOSyRxx6R5opfL0ZEU3MPi6El+dokkUcq/frp/ZgjadTyVQMJc5E41QMYbAcqJmAIN8lCVnUbshwxDRGYcpkH66KLOf6NYo0Z4dbnK6bgUozHLpI=,iv:sgEAZOTk5zylOU1SeHCGIjMkmZ8KKhSRIW7UHXH4u/8=,tag:KwI5w2OSmhB3PjCKPgoSjQ==,type:str]
 pixivfe:
    environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
 miniflux:
    environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
 vaultwarden:
@ -30,8 +28,8 @@ sops:
            UkYrb3JpZDBzOUgzWXFQbUZnWjNUUjAKKuJmaJ6kV5ITsCMXEOzv9ym3L9VQKoB4
            n/SE4eCXeaoE/1UCdw4VlpyuUuouHh2pgLWJF49dHhY/zhv84sURtA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-29T15:18:59Z"
+    lastmodified: "2024-08-29T15:22:29Z"
-    mac: ENC[AES256_GCM,data:XZMya28H5W4C2iBOAOvQ7tze2ooC4P4hy/VMJne7FQQu+fOlKtNUq5rWOOWIxttKriD00kkSjsE29KrVKVcreI1PeaxQ2a+QRhGONtQlLDrTQXVTBaHaHzBmu7VzQOWzSvs8d4KsLv5uaHfe5bwTGnHprjbZ9E9tH7oPNNhwOGo=,iv:69TabzusnSmiCLz/QG91IjoA4TRSfb80p0yKloBSiig=,tag:NjSOWau/aYp9KHwHjwOL9A==,type:str]
+    mac: ENC[AES256_GCM,data:wZzk/3ZdCXpMhMfIKbT0ZVm9k+c50MxWwZ88zZv0s44jYgWarzR92W09bTcOxw+SIfakdKt9y4aQENES1+JkGor3JpzxyVO4SGPaiZRFgNjjwAJJ2mAGTI3E69giirQipVHWOaPChZrpfCD2xa5Xrgm+as4fQpQrkgcv9ebyjrQ=,iv:GYsml4JuZ13OCMYcZiynaIlSU2V5lhsJd1GfSrOK/Oc=,tag:QodmEPuhmKA+/nuhP2Cufg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/hosts/tyo0/services/pixivfe.nix
+++ b/hosts/tyo0/services/pixivfe.nix
@ -1,23 +0,0 @@
 {
  pkgs,
  config,
  ...
 }:
 {
  services.pixivfe = {
    enable = true;
    EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
    settings = {
      PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
      PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
    };
  };
  systemd.services.pixivfe.serviceConfig = {
    RuntimeDirectory = [ "pixivfe" ];
    ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
      ${pkgs.coreutils}/bin/sleep 5
      ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
    '';
  };
 }
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,7 +1,4 @@
 { ... }:
 {
-  imports = [
+  imports = [ ];
    ./services/hysteria.nix
    ./services/pixivfe.nix
  ];
 }
--- a/nixos/modules/services/hysteria.nix
+++ b/nixos/modules/services/hysteria.nix
@ -1,94 +0,0 @@
 {
  config,
  lib,
  pkgs,
  utils,
  ...
 }:
 let
  cfg = config.services.hysteria;
  settingsFormat = pkgs.formats.json { };
 in
 {
  options.services.hysteria = {
    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
    package = lib.mkPackageOption pkgs "hysteria" { };
    mode = lib.mkOption {
      type = lib.types.enum [
        "server"
        "client"
      ];
      default = "server";
      description = "Whether to use Hysteria as a client or a server.";
    };
    settings = lib.mkOption {
      type = lib.types.submodule {
        freeformType = settingsFormat.type;
      };
      default = { };
      description = ''
        The Hysteria configuration, see https://hysteria.network/ for documentation.
        Options containing secret data should be set to an attribute set
        containing the attribute `_secret` - a string pointing to a file
        containing the value the option should be set to.
        Ignored when `services.hysteria.configFile` is set.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    systemd.services."hysteria" = {
      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
      documentation = [ "https://hysteria.network/" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
      serviceConfig = {
        ExecStart = lib.concatStringsSep " " [
          (lib.getExe cfg.package)
          cfg.mode
          "--config /var/lib/private/hysteria/config.json"
        ];
        DynamicUser = true;
        StateDirectory = "hysteria";
        ### Hardening
        AmbientCapabilities = [
          "CAP_NET_ADMIN"
          "CAP_NET_BIND_SERVICE"
          "CAP_NET_RAW"
        ];
        CapabilityBoundingSet = [
          "CAP_NET_ADMIN"
          "CAP_NET_BIND_SERVICE"
          "CAP_NET_RAW"
        ];
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
        UMask = "0077";
      };
    };
  };
 }
--- a/nixos/modules/services/pixivfe.nix
+++ b/nixos/modules/services/pixivfe.nix
@ -1,125 +0,0 @@
 {
  lib,
  config,
  inputs,
  pkgs,
  ...
 }:
 let
  cfg = config.services.pixivfe;
 in
 {
  options.services.pixivfe = {
    enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
    package =
      lib.mkPackageOption inputs.self.legacyPackages.${pkgs.stdenv.hostPlatform.system} "pixivfe"
        { };
    openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
    settings = lib.mkOption {
      type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
      default = null;
      example = lib.literalExpression ''
        {
          PIXIVFE_PORT = "8282";
          PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP";
        };
      '';
      description = ''
        Additional configuration for PixivFE, see
        <https://pixivfe.pages.dev/environment-variables/> for supported values.
        For secrets use `EnvironmentFile` option instead.
      '';
    };
    EnvironmentFile = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = lib.literalExpression ''
        /run/secrets/environment
      '';
      description = ''
        File containing environment variables to be passed to the PixivFE service.
        See `systemd.exec(5)` for more information.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = if cfg.openFirewall then (cfg.settings ? PIXIVFE_PORT) else true;
        message = ''
          PIXIVFE_PORT must be specified for NixOS to open a port.
          See https://pixivfe.pages.dev/environment-variables/ for more information.
        '';
      }
      {
        assertion =
          if (cfg.EnvironmentFile == null) then
            (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT)
          else
            true;
        message = ''
          PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run.
          See https://pixivfe.pages.dev/environment-variables/ for more information.
        '';
      }
      {
        assertion = if (cfg.EnvironmentFile == null) then cfg.settings ? PIXIVFE_TOKEN else true;
        message = ''
          PIXIVFE_TOKEN must be set for PixivFE to run.
          See https://pixivfe.pages.dev/environment-variables/ for more information.
        '';
      }
    ];
    systemd.services."pixivfe" = {
      description = "PixivFE, a privacy respecting frontend for Pixiv.";
      documentation = [ "https://pixivfe.pages.dev/" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      environment = lib.mkIf (cfg.settings != null) (
        lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings
      );
      serviceConfig = {
        inherit (cfg) EnvironmentFile;
        ExecStart = lib.getExe cfg.package;
        DynamicUser = true;
        ### Hardening
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; # For ports <= 1024
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        NoNewPrivileges = true;
        PrivateMounts = true;
        PrivateTmp = true;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
        UMask = "0077";
      };
    };
    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.settings.PIXIVFE_PORT ];
    };
  };
 }
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,12 +1,5 @@
 # NOTE: 301: All packages are migrated to `github:Guanran928/nur-packages`,
 #       only keeping some packages that only fits for personal use.
-pkgs:
+pkgs: {
 let
  inherit (pkgs) callPackage;
 in
 {
  # https://github.com/NixOS/nixpkgs/pull/308720
  pixivfe = callPackage ./pixivfe.nix { };
  background = pkgs.nixos-artwork.wallpapers.nineish-dark-gray.src;
 }
--- a/pkgs/pixivfe.nix
+++ b/pkgs/pixivfe.nix
@ -1,43 +0,0 @@
 {
  lib,
  buildGoModule,
  fetchFromGitea,
  makeBinaryWrapper,
 }:
 buildGoModule rec {
  pname = "pixivfe";
  version = "2.6";
  src = fetchFromGitea {
    domain = "codeberg.org";
    owner = "VnPower";
    repo = "PixivFE";
    rev = "v${version}";
    hash = "sha256-pusyCXy2tsdvOSUR6LfSYHv8YT1tiCErqUEkUgKYbZ4=";
  };
  vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI=";
  ldflags = [
    "-s"
    "-w"
  ];
  nativeBuildInputs = [ makeBinaryWrapper ];
  postInstall = ''
    mkdir -p $out/share/pixivfe
    cp -r ./views/ $out/share/pixivfe/views
    wrapProgram $out/bin/pixivfe \
      --chdir $out/share/pixivfe
  '';
  meta = {
    description = "Privacy respecting frontend for Pixiv";
    homepage = "https://codeberg.org/VnPower/PixivFE";
    license = lib.licenses.agpl3Only;
    mainProgram = "pixivfe";
    maintainers = with lib.maintainers; [ Guanran928 ];
    platforms = lib.platforms.linux;
  };
 }