hledger

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-02-19 19:10:58 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-02-19 19:10:58 +0100
commit: d05fb68b774b7011197c1c229e61809f642fcdd2 (patch)
tree: fb7b81ab3ae8ea533b8c5fedf801b9a568bd183e /hosts/vidhar/hledger
parent: c0616edd38161b81ec1624efba3f024b120ba4c6 (diff)
download: nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar
nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar.gz
nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar.bz2
nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar.xz
nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.zip
2 files changed, 107 insertions, 0 deletions
diff --git a/hosts/vidhar/hledger/default.nix b/hosts/vidhar/hledger/default.nix
new file mode 100644
index 00000000..ae080f66
--- /dev/null
+++ b/hosts/vidhar/hledger/default.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+  config = {
+    services.hledger-web = {
+      enable = true;
+      allow = "view";
+      stateDir = "/var/lib/hledger";
+      journalFiles = lib.mkForce ["web.journal"];
+      baseUrl = "https://hledger.yggdrasil.li";
+      extraOptions = [
+        "--socket=/run/hledger-web/http.sock"
+      ];
+    };
+    users = {
+      users.hledger.uid = 982;
+      groups.hledger.gid = 979;
+    };
+    systemd.services.hledger-web = {
+      serviceConfig = {
+        UMask = "0002";
+        ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
+        RuntimeDirectory = [ "hledger-web" ];
+        PrivateDevices = true;
+        StateDirectory = "hledger";
+        CapabilityBoundingSet = "";
+        AmbientCapabilities = "";
+        ProtectSystem = "strict";
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectHome = "tmpfs";
+        ProtectKernelLogs = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        PrivateNetwork = false;
+        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service @resources"
+          "~@obsolete @privileged"
+        ];
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        NoNewPrivileges = true;
+        RestrictRealtime = true;
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        PrivateUsers = true;
+        TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ];
+      };
+    };
+    services.nginx = {
+      upstreams.hledger = {
+        servers = { "unix:/run/hledger-web/http.sock" = {}; };
+      };
+      virtualHosts."hledger.yggdrasil.li" = {
+        listen = [
+          { addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; }
+        ];
+        extraConfig = ''
+          set_real_ip_from 2a03:4000:52:ada:4::;
+          auth_basic "hledger";
+          auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
+        '';
+        locations."/" = {
+          proxyPass = "http://hledger/";
+          proxyWebsockets = true;
+        };
+      };
+    };
+    systemd.services.nginx.serviceConfig = {
+      SupplementaryGroups = [ "hledger" ];
+      LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
+    };
+    sops.secrets."hledger_users" = {
+      format = "binary";
+      sopsFile = ./htpasswd;
+      reloadUnits = [ "nginx.service" ];
+    };
+  };
+}
diff --git a/hosts/vidhar/hledger/htpasswd b/hosts/vidhar/hledger/htpasswd
new file mode 100644
index 00000000..016cb525
--- /dev/null
+++ b/hosts/vidhar/hledger/htpasswd
@@ -0,0 +1,24 @@
+{
+        "data": "ENC[AES256_GCM,data:9MNDIAc7ePYk3xQDorX2pU8ybJkJb33RKiJxc2DYauXFNQYxtGwCYhZwod7p7fPh3KqZxBNMRoZXr+/RnV+trsqjAcOOjnXTWLbX6nubq/xm+q0BxEjOPn7FvJF9XOblBeupldo+byGh2CMH9qQv5Fov,iv:3Tym+Mfr48OJet3qDFZPg0XjYr4sNQdNdiu0vUxmzbY=,tag:E0sxRY/jeMVlqH6uAYvD/Q==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": [
+                        {
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eFBsOEM2ZUNVT2V3LytC\nTUJvUDdKc0VzMyt2cDFKYU03djBjZVFpeVY4CjByMXhPVXRJVjhKQWZvQ2xuOTE3\ncXdJV1lZaHR3cVl0Z0hQaG00M2dGbjQKLS0tIEIzenVxb3cwM3pXTUl1YUZlSlk2\nbDc3VmE5NkEyZ2tRd01OUGZibmhtUlEKxdesIdvzm8s0SmXU5R+tSbmS5Dj24jrb\nEiMERYy1g8GyHR3d2/mU5iOIdsBegSZReUVzomaMT9L7/TmubgOP3g==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa2RDZzR6cEFYTFA1QkND\nbndVeHVrMVJ0MWZvRmw5VXRhOHlRYllIRWxRCjU4dks4R25LS1RZMHFnbmpQRVZz\nNXhubkJvZFc2amRwMDVtQlE0NnBKNzQKLS0tIHRyeDUxTEFPMEMzWUVkZURzODdm\nSHdqbUpvNmFTS1QveFRpRHdnWHpHb28KnvdUkMkKGiBVHQD7Yv7n6WZjihCGJAR2\nMKl2WAn4g4jzgcXPwwIAIjUrMGSIdGpwCTUDcDnlKWAbRYO2B6P17A==\n-----END AGE ENCRYPTED FILE-----\n"
+                        }
+                ],
+                "lastmodified": "2025-02-19T17:11:17Z",
+                "mac": "ENC[AES256_GCM,data:yBIEqHhr4igoMlRcgg2SigKfejqeuNmuleYolsLJo+QOaW4BHITJTvLxRV1JHPpcMVQkF//zx4ZfUUrb8tTN0znGu3Jnpd0JVagbfCVyEuT6d1SB/GzyUVvoQ2GlcA9us+5gjI4oEJTQCfVqnLDBWsw+jXdr3nEIWo6Mvbqo3lI=,iv:I6Swk4wyd+96+tJKRY/FHlS7ZShMDROcbl+l+ZLRxhM=,tag:P1uQvB4NLdkPEKRMI6lLxw==,type:str]",
+                "pgp": null,
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.9.4"
+        }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-02-19 19:10:58 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-02-19 19:10:58 +0100
commit	d05fb68b774b7011197c1c229e61809f642fcdd2 (patch)
tree	fb7b81ab3ae8ea533b8c5fedf801b9a568bd183e /hosts/vidhar/hledger
parent	c0616edd38161b81ec1624efba3f024b120ba4c6 (diff)
download	nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar.gz nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar.bz2 nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.tar.xz nixos-d05fb68b774b7011197c1c229e61809f642fcdd2.zip

diff --git a/hosts/vidhar/hledger/default.nix b/hosts/vidhar/hledger/default.nix new file mode 100644 index 00000000..ae080f66 --- /dev/null +++ b/hosts/vidhar/hledger/default.nix
@@ -0,0 +1,83 @@
	1	{ config, lib, pkgs, ... }:
	2	{
	3	config = {
	4	services.hledger-web = {
	5	enable = true;
	6	allow = "view";
	7	stateDir = "/var/lib/hledger";
	8	journalFiles = lib.mkForce ["web.journal"];
	9	baseUrl = "https://hledger.yggdrasil.li";
	10	extraOptions = [
	11	"--socket=/run/hledger-web/http.sock"
	12	];
	13	};
	14	users = {
	15	users.hledger.uid = 982;
	16	groups.hledger.gid = 979;
	17	};
	18	systemd.services.hledger-web = {
	19	serviceConfig = {
	20	UMask = "0002";
	21	ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
	22	RuntimeDirectory = [ "hledger-web" ];
	23	PrivateDevices = true;
	24	StateDirectory = "hledger";
	25	CapabilityBoundingSet = "";
	26	AmbientCapabilities = "";
	27	ProtectSystem = "strict";
	28	ProtectKernelTunables = true;
	29	ProtectKernelModules = true;
	30	ProtectControlGroups = true;
	31	ProtectClock = true;
	32	ProtectHostname = true;
	33	ProtectHome = "tmpfs";
	34	ProtectKernelLogs = true;
	35	ProtectProc = "invisible";
	36	ProcSubset = "pid";
	37	PrivateNetwork = false;
	38	RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
	39	SystemCallArchitectures = "native";
	40	SystemCallFilter = [
	41	"@system-service @resources"
	42	"~@obsolete @privileged"
	43	];
	44	RestrictSUIDSGID = true;
	45	RemoveIPC = true;
	46	NoNewPrivileges = true;
	47	RestrictRealtime = true;
	48	RestrictNamespaces = true;
	49	LockPersonality = true;
	50	PrivateUsers = true;
	51	TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ];
	52	};
	53	};
	54	services.nginx = {
	55	upstreams.hledger = {
	56	servers = { "unix:/run/hledger-web/http.sock" = {}; };
	57	};
	58	virtualHosts."hledger.yggdrasil.li" = {
	59	listen = [
	60	{ addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; }
	61	];
	62	extraConfig = ''
	63	set_real_ip_from 2a03:4000:52:ada:4::;
	64	auth_basic "hledger";
	65	auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
	66	'';
	67	locations."/" = {
	68	proxyPass = "http://hledger/";
	69	proxyWebsockets = true;
	70	};
	71	};
	72	};
	73	systemd.services.nginx.serviceConfig = {
	74	SupplementaryGroups = [ "hledger" ];
	75	LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
	76	};
	77	sops.secrets."hledger_users" = {
	78	format = "binary";
	79	sopsFile = ./htpasswd;
	80	reloadUnits = [ "nginx.service" ];
	81	};
	82	};
	83	}


diff --git a/hosts/vidhar/hledger/htpasswd b/hosts/vidhar/hledger/htpasswd new file mode 100644 index 00000000..016cb525 --- /dev/null +++ b/hosts/vidhar/hledger/htpasswd
@@ -0,0 +1,24 @@
	1	{
	2	"data": "ENC[AES256_GCM,data:9MNDIAc7ePYk3xQDorX2pU8ybJkJb33RKiJxc2DYauXFNQYxtGwCYhZwod7p7fPh3KqZxBNMRoZXr+/RnV+trsqjAcOOjnXTWLbX6nubq/xm+q0BxEjOPn7FvJF9XOblBeupldo+byGh2CMH9qQv5Fov,iv:3Tym+Mfr48OJet3qDFZPg0XjYr4sNQdNdiu0vUxmzbY=,tag:E0sxRY/jeMVlqH6uAYvD/Q==,type:str]",
	3	"sops": {
	4	"kms": null,
	5	"gcp_kms": null,
	6	"azure_kv": null,
	7	"hc_vault": null,
	8	"age": [
	9	{
	10	"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
	11	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eFBsOEM2ZUNVT2V3LytC\nTUJvUDdKc0VzMyt2cDFKYU03djBjZVFpeVY4CjByMXhPVXRJVjhKQWZvQ2xuOTE3\ncXdJV1lZaHR3cVl0Z0hQaG00M2dGbjQKLS0tIEIzenVxb3cwM3pXTUl1YUZlSlk2\nbDc3VmE5NkEyZ2tRd01OUGZibmhtUlEKxdesIdvzm8s0SmXU5R+tSbmS5Dj24jrb\nEiMERYy1g8GyHR3d2/mU5iOIdsBegSZReUVzomaMT9L7/TmubgOP3g==\n-----END AGE ENCRYPTED FILE-----\n"
	12	},
	13	{
	14	"recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
	15	"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa2RDZzR6cEFYTFA1QkND\nbndVeHVrMVJ0MWZvRmw5VXRhOHlRYllIRWxRCjU4dks4R25LS1RZMHFnbmpQRVZz\nNXhubkJvZFc2amRwMDVtQlE0NnBKNzQKLS0tIHRyeDUxTEFPMEMzWUVkZURzODdm\nSHdqbUpvNmFTS1QveFRpRHdnWHpHb28KnvdUkMkKGiBVHQD7Yv7n6WZjihCGJAR2\nMKl2WAn4g4jzgcXPwwIAIjUrMGSIdGpwCTUDcDnlKWAbRYO2B6P17A==\n-----END AGE ENCRYPTED FILE-----\n"
	16	}
	17	],
	18	"lastmodified": "2025-02-19T17:11:17Z",
	19	"mac": "ENC[AES256_GCM,data:yBIEqHhr4igoMlRcgg2SigKfejqeuNmuleYolsLJo+QOaW4BHITJTvLxRV1JHPpcMVQkF//zx4ZfUUrb8tTN0znGu3Jnpd0JVagbfCVyEuT6d1SB/GzyUVvoQ2GlcA9us+5gjI4oEJTQCfVqnLDBWsw+jXdr3nEIWo6Mvbqo3lI=,iv:I6Swk4wyd+96+tJKRY/FHlS7ZShMDROcbl+l+ZLRxhM=,tag:P1uQvB4NLdkPEKRMI6lLxw==,type:str]",
	20	"pgp": null,
	21	"unencrypted_suffix": "_unencrypted",
	22	"version": "3.9.4"
	23	}
	24	} \ No newline at end of file