From b6b49c2738924239a64e86769e8dcccedfef2248 Mon Sep 17 00:00:00 2001
From: Kyren223
Date: Tue, 8 Jul 2025 22:16:57 +0300
Subject: [PATCH] a
---
 nixosModules/eko.nix | 188 +++++++++++++++++++++----------------------
 1 file changed, 94 insertions(+), 94 deletions(-)
diff --git a/nixosModules/eko.nix b/nixosModules/eko.nix
index cf45d0a..fab206a 100644
--- a/nixosModules/eko.nix
+++ b/nixosModules/eko.nix
@@ -27,100 +27,100 @@
 # "eko/privacy.md".text = builtins.readFile ./eko-privacy.md;
 # };
- # systemd.services.eko = {
- # description = "Eko - a secure terminal-based social media";
- #
- # wants = [ "network-online.target" ];
- # after = [ "network-online.target" ];
- # wantedBy = [ "multi-user.target" ];
- #
- # # restartTriggers = [ "/var/lib/eko/eko-server" ];
- # reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
- # lib.filterAttrs (n: _: lib.hasPrefix "eko/" n) config.environment.etc
- # );
- #
- # environment = {
- # EKO_SERVER_CERT_FILE = config.sops.secrets.eko-server-cert-key.path;
- # EKO_SERVER_LOG_DIR = "/var/log/eko";
- # };
- #
- # serviceConfig = {
- # Restart = "on-failure";
- # RestartSec = "10s";
- #
- # ExecStart = "%S/eko/eko-server";
- # ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
- #
- # ConfigurationDirectory = "eko";
- # StateDirectory = "eko";
- # LogsDirectory = "eko";
- # WorkingDirectory = "%S/eko";
- # Type = "simple";
- #
- # User = "eko";
- # Group = "eko";
- #
- # # Hardening
- # ProtectHostname = true;
- # ProtectKernelLogs = true;
- # ProtectKernelModules = true;
- # ProtectKernelTunables = true;
- # ProtectProc = "invisible";
- # RestrictAddressFamilies = [
- # "AF_INET"
- # "AF_INET6"
- # "AF_UNIX"
- # ];
- # RestrictNamespaces = true;
- # RestrictRealtime = true;
- # RestrictSUIDSGID = true;
- # };
- # };
- #
- # # Enable metrics/logging
- # grafana.enable = true;
- # loki.enable = true;
- #
- # environment.systemPackages = with pkgs; [
- # grafana-alloy
- # ];
- #
- # systemd.services.alloy = {
- # description = "Alloy";
- #
- # wants = [ "network-online.target" ];
- # after = [ "network-online.target" ];
- # wantedBy = [ "multi-user.target" ];
- #
- # reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
- # lib.filterAttrs (n: _: lib.hasPrefix "alloy/" n && lib.hasSuffix ".alloy" n) config.environment.etc
- # );
- #
- # serviceConfig = {
- # Restart = "always";
- # RestartSec = "2s";
- #
- # User = "root"; # TODO: make these not root?
- # Group = "root";
- #
- # SupplementaryGroups = [
- # # allow to read the systemd journal for loki log forwarding
- # "systemd-journal"
- # ];
- #
- # ConfigurationDirectory = "alloy";
- # StateDirectory = "alloy";
- # WorkingDirectory = "%S/alloy";
- # Type = "simple";
- #
- # ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/";
- # ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
- # };
- # };
- #
- # environment.etc = {
- # "alloy/eko-config.alloy".text = builtins.readFile ./eko-config.alloy;
- # };
+ systemd.services.eko = {
+ description = "Eko - a secure terminal-based social media";
+
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ # restartTriggers = [ "/var/lib/eko/eko-server" ];
+ reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
+ lib.filterAttrs (n: _: lib.hasPrefix "eko/" n) config.environment.etc
+ );
+
+ environment = {
+ EKO_SERVER_CERT_FILE = config.sops.secrets.eko-server-cert-key.path;
+ EKO_SERVER_LOG_DIR = "/var/log/eko";
+ };
+
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = "10s";
+
+ ExecStart = "%S/eko/eko-server";
+ ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+
+ ConfigurationDirectory = "eko";
+ StateDirectory = "eko";
+ LogsDirectory = "eko";
+ WorkingDirectory = "%S/eko";
+ Type = "simple";
+
+ User = "eko";
+ Group = "eko";
+
+ # Hardening
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+
+ # Enable metrics/logging
+ grafana.enable = true;
+ loki.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ grafana-alloy
+ ];
+
+ systemd.services.alloy = {
+ description = "Alloy";
+
+ wants = [ 
"network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ reloadTriggers = lib.mapAttrsToList (_: v: v.source or null) (
+ lib.filterAttrs (n: _: lib.hasPrefix "alloy/" n && lib.hasSuffix ".alloy" n) config.environment.etc
+ );
+
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "2s";
+
+ User = "root"; # TODO: make these not root?
+ Group = "root";
+
+ SupplementaryGroups = [
+ # allow to read the systemd journal for loki log forwarding
+ "systemd-journal"
+ ];
+
+ ConfigurationDirectory = "alloy";
+ StateDirectory = "alloy";
+ WorkingDirectory = "%S/alloy";
+ Type = "simple";
+
+ ExecStart = "${lib.getExe pkgs.grafana-alloy} run /etc/alloy/";
+ ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
+ };
+ };
+
+ environment.etc = {
+ "alloy/eko-config.alloy".text = builtins.readFile ./eko-config.alloy;
+ };
 # # Make sure acme module is active for the "kyren.codes" ssl cert
 # acme.enable = true;
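Review bot: The re-enabled alloy unit still runs as `User = "root"` (the `# TODO: make these not root?` line) with none of the Protect*/Restrict* directives the eko unit in the same hunk gets, although the only stated privilege need is journal access, which the existing `SupplementaryGroups = [ "systemd-journal" ]` already grants to an unprivileged user. Consider `User = "alloy"; Group = "alloy";` backed by a `users.users.alloy` declaration outside this hunk, and mirroring the eko Hardening block in alloy's serviceConfig; if alloy also reads `/var/log/eko`, the `eko` group would need to be added to SupplementaryGroups as well. Two smaller points in the eko unit: `ExecStart = "%S/eko/eko-server"` runs a binary out of the service's own writable StateDirectory, so `ProtectSystem = "strict";` and `NoNewPrivileges = true;` belong in the Hardening list, and `EKO_SERVER_CERT_FILE` points at a sops secret that is presumably root-only by default — confirm the secret's `owner`/`group` is set so the `eko` user can read it, or the unit will fail at start.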