1 files changed, 83 insertions, 0 deletions
diff --git a/hosts/vidhar/hledger/default.nix b/hosts/vidhar/hledger/default.nix
new file mode 100644
index 00000000..ae080f66
--- /dev/null
+++ b/hosts/vidhar/hledger/default.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+  config = {
+    services.hledger-web = {
+      enable = true;
+      allow = "view";
+      stateDir = "/var/lib/hledger";
+      journalFiles = lib.mkForce ["web.journal"];
+      baseUrl = "https://hledger.yggdrasil.li";
+      extraOptions = [
+        "--socket=/run/hledger-web/http.sock"
+      ];
+    };
+    users = {
+      users.hledger.uid = 982;
+      groups.hledger.gid = 979;
+    };
+    systemd.services.hledger-web = {
+      serviceConfig = {
+        UMask = "0002";
+        ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
+        RuntimeDirectory = [ "hledger-web" ];
+        PrivateDevices = true;
+        StateDirectory = "hledger";
+        CapabilityBoundingSet = "";
+        AmbientCapabilities = "";
+        ProtectSystem = "strict";
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectHome = "tmpfs";
+        ProtectKernelLogs = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        PrivateNetwork = false;
+        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service @resources"
+          "~@obsolete @privileged"
+        ];
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        NoNewPrivileges = true;
+        RestrictRealtime = true;
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        PrivateUsers = true;
+        TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ];
+      };
+    };
+    services.nginx = {
+      upstreams.hledger = {
+        servers = { "unix:/run/hledger-web/http.sock" = {}; };
+      };
+      virtualHosts."hledger.yggdrasil.li" = {
+        listen = [
+          { addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; }
+        ];
+        extraConfig = ''
+          set_real_ip_from 2a03:4000:52:ada:4::;
+          auth_basic "hledger";
+          auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
+        '';
+        locations."/" = {
+          proxyPass = "http://hledger/";
+          proxyWebsockets = true;
+        };
+      };
+    };
+    systemd.services.nginx.serviceConfig = {
+      SupplementaryGroups = [ "hledger" ];
+      LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
+    };
+    sops.secrets."hledger_users" = {
+      format = "binary";
+      sopsFile = ./htpasswd;
+      reloadUnits = [ "nginx.service" ];
+    };
+  };
+}

diff --git a/hosts/vidhar/hledger/default.nix b/hosts/vidhar/hledger/default.nix new file mode 100644 index 00000000..ae080f66 --- /dev/null +++ b/hosts/vidhar/hledger/default.nix
@@ -0,0 +1,83 @@
	1	{ config, lib, pkgs, ... }:
	2	{
	3	config = {
	4	services.hledger-web = {
	5	enable = true;
	6	allow = "view";
	7	stateDir = "/var/lib/hledger";
	8	journalFiles = lib.mkForce ["web.journal"];
	9	baseUrl = "https://hledger.yggdrasil.li";
	10	extraOptions = [
	11	"--socket=/run/hledger-web/http.sock"
	12	];
	13	};
	14	users = {
	15	users.hledger.uid = 982;
	16	groups.hledger.gid = 979;
	17	};
	18	systemd.services.hledger-web = {
	19	serviceConfig = {
	20	UMask = "0002";
	21	ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
	22	RuntimeDirectory = [ "hledger-web" ];
	23	PrivateDevices = true;
	24	StateDirectory = "hledger";
	25	CapabilityBoundingSet = "";
	26	AmbientCapabilities = "";
	27	ProtectSystem = "strict";
	28	ProtectKernelTunables = true;
	29	ProtectKernelModules = true;
	30	ProtectControlGroups = true;
	31	ProtectClock = true;
	32	ProtectHostname = true;
	33	ProtectHome = "tmpfs";
	34	ProtectKernelLogs = true;
	35	ProtectProc = "invisible";
	36	ProcSubset = "pid";
	37	PrivateNetwork = false;
	38	RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
	39	SystemCallArchitectures = "native";
	40	SystemCallFilter = [
	41	"@system-service @resources"
	42	"~@obsolete @privileged"
	43	];
	44	RestrictSUIDSGID = true;
	45	RemoveIPC = true;
	46	NoNewPrivileges = true;
	47	RestrictRealtime = true;
	48	RestrictNamespaces = true;
	49	LockPersonality = true;
	50	PrivateUsers = true;
	51	TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ];
	52	};
	53	};
	54	services.nginx = {
	55	upstreams.hledger = {
	56	servers = { "unix:/run/hledger-web/http.sock" = {}; };
	57	};
	58	virtualHosts."hledger.yggdrasil.li" = {
	59	listen = [
	60	{ addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; }
	61	];
	62	extraConfig = ''
	63	set_real_ip_from 2a03:4000:52:ada:4::;
	64	auth_basic "hledger";
	65	auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
	66	'';
	67	locations."/" = {
	68	proxyPass = "http://hledger/";
	69	proxyWebsockets = true;
	70	};
	71	};
	72	};
	73	systemd.services.nginx.serviceConfig = {
	74	SupplementaryGroups = [ "hledger" ];
	75	LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
	76	};
	77	sops.secrets."hledger_users" = {
	78	format = "binary";
	79	sopsFile = ./htpasswd;
	80	reloadUnits = [ "nginx.service" ];
	81	};
	82	};
	83	}