Added eko

This commit is contained in:
2025-01-08 23:17:23 +02:00
parent e17066f680
commit 5942a69255
3 changed files with 72 additions and 2 deletions


@@ -11,6 +11,7 @@
./../nixosModules/syncthing.nix
./../nixosModules/nextcloud.nix
./../nixosModules/wakapi.nix
./../nixosModules/eko.nix
];
boot.loader.grub = {
@@ -43,6 +44,7 @@
syncthing.enable = true;
nextcloud.enable = false;
wakapi.enable = true;
eko.enable = true;
# Automatically pull this config from git
autoUpdate.enable = true;

67
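--- /dev/null
+++ b/nixosModules/eko.nix
@@ -0,0 +1,67 @@
+{ pkgs, lib, config, ... }: {
+options = {
+eko.enable = lib.mkEnableOption "enables eko";
+};
+config = lib.mkIf config.eko.enable {
+users.groups.eko = { };
+users.users.eko = {
+createHome = false;
+isNormalUser = true;
+group = "eko";
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7P9K9D5RkBk+JCRRS6AtHuTAc6cRpXfRfRMg/Kyren"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbntLELS9l2auPVZtCtQ6KYQNka72qDbTdkDtX9rkyJ"
+];
+};
+# Make sure the "eko" user has access to /srv/eko
+systemd.tmpfiles.rules = [
+"d /srv/website 0750 eko eko"
+];
+# Open port for the server to listen on
+networking.firewall.allowedTCPPorts = [ 7223 ];
+sops.secrets.eko-server-cert-key = { owner = "eko"; };
+systemd.services.eko = {
+description = "Eko (a secure terminal-based social media)";
+wants = [ "network-online.target" ];
+after = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+script = ''
+cd /srv/eko
+SERVER_CERT_KEY_FILE=${config.sops.secrets.eko-server-cert-key.path} ./eko-server
+'';
+serviceConfig = {
+User = "eko";
+Group = "eko";
+# Hardening
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+"AF_UNIX"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+Restart = "always";
+RestartSec = "10s";
+};
+};
+};
+}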
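Review bot: The tmpfiles rule creates `/srv/website`, while the comment above it and the unit's `cd /srv/eko` both refer to /srv/eko, so nothing in this module creates or chowns the directory the service starts in; the rule should read `"d /srv/eko 0750 eko eko"`. With `ProtectSystem = "strict"` the file system is read-only for the unit, so if eko-server writes state beside its binary (not visible here) it will also need `ReadWritePaths = [ "/srv/eko" ];`. The eko account is a normal user with two SSH keys and, once the rule is fixed, owns the directory the binary is run from, so whoever holds those keys can replace the code listening on port 7223. That looks intended for deployment, but it deserves a comment saying so, and `NoNewPrivileges = true;` and `PrivateTmp = true;` would fit the existing hardening list.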


@@ -4,6 +4,7 @@ gitea-db-password: ENC[AES256_GCM,data:LHru7hpuT9dmEsfEfcsejfcyoNo2JHITmDzxcqHsj
syncthing-gui-password: ENC[AES256_GCM,data:CSQuswlhnCX1ChRTffWvIFodQ3vU4PmlDj8H7MjtQ7aWEok330V2Cqs/4EV0PnVtFd3uBCQ=,iv:TqNYonoB7ygN3PT67MFjythf8a+gNPEwDNdtNadMHQk=,tag:hnGs0Z59EGOUKtit9wGD+A==,type:str]
nextcloud-admin-password: ENC[AES256_GCM,data:qLpqlcZtXt5q1U0okGplawLP/9xK0M8rM7uMdu6j1ld8G4rT8QhM8dyBTJWQPdopoCbjaOE=,iv:iMZqEOq/zDbCXwAr838SNAi0OyLOaN6RXC6XM4ttNF8=,tag:m7I2Lj0ykm5U9mWr4f/tXA==,type:str]
nextcloud-kyren-password: ENC[AES256_GCM,data:2pAnsX1HHPbA4+3jAtZqQBW0oXX5OtqHQXBxLDlmHs5oT0jxHWY52Wpxh89eW7VOECGI/ro=,iv:mwPgmaAAnRwfy5tl6G+jOQHB4usV3dr86rksL69Ai0Y=,tag:g50tkVft/RatU4BQ6aRpLA==,type:str]
eko-server-cert-key: ENC[AES256_GCM,data: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,iv:pTjCk5oIJbsu1mWRFN5jdYgPVeX7E2GV7I9Y5ZmXkDg=,tag:9HY0Q3afcguJfKx3D7Ffww==,type:str]
sops:
kms: []
gcp_kms: []
@@ -19,8 +20,8 @@ sops:
b254YjZLRm9odks2Y1Erdk1NSU1CVncKnhMnBLjSLfMO3A7gTUI9vIRQvaK07I7k
mQdtsGZM+1FqlbxsFIoqji+xrqAvcBQENott5+tuFM+ePT5EjQUYGg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-31T20:31:45Z"
mac: ENC[AES256_GCM,data:4zIYkvldOKty7VFXB8GlCwqcJ1PMVGjXHlnlGAnmXK+o+EMgx4SPLrCR9UB9RTDPBxecjWMlLK+m4vookZGOEot5wDDzbMvcoabLmLZG8wCKkN/ZjVcQnHUZ4Efkd8djZ1DNRukGAwoSdu9QJFKMgCxXRfMJRCnU5JLThe3hlrQ=,iv:SmhjSUh7cPuTNHS9Y8k4zol7misiej+qZDTxl0AeUAE=,tag:kpdk7QDyTioLsgnuxZ6aPA==,type:str]
lastmodified: "2025-01-08T19:32:27Z"
mac: ENC[AES256_GCM,data:S9lMzFE5WQgSrs6j1oUSt4bWCnzGEikky2qHjNT/MMBnnGouws+NnOw6Aak+9BcazYvweQKT1iNMzB4zLRDryU71JNXAu6XmO4tbThmcSzjLIensTFX40r7e5QivljMOUT+de7X/Q6kknQ2TS7rrQi4rYRT3vylU/FaGlhYDPqw=,iv:FsalgaN/g9DHteawRT3klC/Ji8YIGHizr3vJPhZ4SCQ=,tag:O7dj3Zt4hwmMYC7W5SQ3Ew==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1