Diffstat (limited to 'hosts/vidhar')
-rw-r--r--hosts/vidhar/default.nix2
-rw-r--r--hosts/vidhar/hledger/default.nix83
-rw-r--r--hosts/vidhar/hledger/htpasswd24
-rw-r--r--hosts/vidhar/network/ruleset.nft4
4 files changed, 112 insertions, 1 deletions
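--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -4,7 +4,7 @@ with lib;
 
 {
 imports = with flake.nixosModules.systemProfiles; [
-./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless
+./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./hledger
 tmpfs-root zfs
 initrd-all-crypto-modules default-locale openssh rebuild-machines
 build-server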
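--- /dev/null
+++ b/hosts/vidhar/hledger/default.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+config = {
+services.hledger-web = {
+enable = true;
+allow = "view";
+stateDir = "/var/lib/hledger";
+journalFiles = lib.mkForce ["web.journal"];
+baseUrl = "https://hledger.yggdrasil.li";
+extraOptions = [
+"--socket=/run/hledger-web/http.sock"
+];
+};
+users = {
+users.hledger.uid = 982;
+groups.hledger.gid = 979;
+};
+systemd.services.hledger-web = {
+serviceConfig = {
+UMask = "0002";
+ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
+RuntimeDirectory = [ "hledger-web" ];
+PrivateDevices = true;
+StateDirectory = "hledger";
+CapabilityBoundingSet = "";
+AmbientCapabilities = "";
+ProtectSystem = "strict";
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectControlGroups = true;
+ProtectClock = true;
+ProtectHostname = true;
+ProtectHome = "tmpfs";
+ProtectKernelLogs = true;
+ProtectProc = "invisible";
+ProcSubset = "pid";
+PrivateNetwork = false;
+RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service @resources"
+"~@obsolete @privileged"
+];
+RestrictSUIDSGID = true;
+RemoveIPC = true;
+NoNewPrivileges = true;
+RestrictRealtime = true;
+RestrictNamespaces = true;
+LockPersonality = true;
+PrivateUsers = true;
+TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ];
+};
+};
+services.nginx = {
+upstreams.hledger = {
+servers = { "unix:/run/hledger-web/http.sock" = {}; };
+};
+virtualHosts."hledger.yggdrasil.li" = {
+listen = [
+{ addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; }
+];
+extraConfig = ''
+set_real_ip_from 2a03:4000:52:ada:4::;
+auth_basic "hledger";
+auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
+'';
+locations."/" = {
+proxyPass = "http://hledger/";
+proxyWebsockets = true;
+};
+};
+};
+systemd.services.nginx.serviceConfig = {
+SupplementaryGroups = [ "hledger" ];
+LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
+};
+sops.secrets."hledger_users" = {
+format = "binary";
+sopsFile = ./htpasswd;
+reloadUnits = [ "nginx.service" ];
+};
+};
+}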
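Review bot: `reloadUnits = [ "nginx.service" ];` on the sops secret (line 80) will not pick up a rotated htpasswd, because the file reaches nginx through `LoadCredential=` (line 75) and, as far as I can tell, systemd provisions `/run/credentials/nginx.service/` only when the unit starts — a `systemctl reload nginx` re-reads nginx.conf but keeps the stale `hledger_users` credential. Use `restartUnits = [ "nginx.service" ];` instead. Separately, the vhost listens plain-HTTP on `[2a03:4000:52:ada:4:1::]:5000` (line 60) while `baseUrl` is https, so the Basic-Auth header crosses the bifrost link unencrypted unless that interface is itself an encrypted tunnel; I cannot confirm that from this diff, so a comment above `listen` such as `# plain HTTP: TLS is terminated upstream; bifrost is assumed to be an encrypted link` would make the assumption explicit.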
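--- /dev/null
+++ b/hosts/vidhar/hledger/htpasswd
@@ -0,0 +1,24 @@
+{
+"data": "ENC[AES256_GCM,data:9MNDIAc7ePYk3xQDorX2pU8ybJkJb33RKiJxc2DYauXFNQYxtGwCYhZwod7p7fPh3KqZxBNMRoZXr+/RnV+trsqjAcOOjnXTWLbX6nubq/xm+q0BxEjOPn7FvJF9XOblBeupldo+byGh2CMH9qQv5Fov,iv:3Tym+Mfr48OJet3qDFZPg0XjYr4sNQdNdiu0vUxmzbY=,tag:E0sxRY/jeMVlqH6uAYvD/Q==,type:str]",
+"sops": {
+"kms": null,
+"gcp_kms": null,
+"azure_kv": null,
+"hc_vault": null,
+"age": [
+{
+"recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eFBsOEM2ZUNVT2V3LytC\nTUJvUDdKc0VzMyt2cDFKYU03djBjZVFpeVY4CjByMXhPVXRJVjhKQWZvQ2xuOTE3\ncXdJV1lZaHR3cVl0Z0hQaG00M2dGbjQKLS0tIEIzenVxb3cwM3pXTUl1YUZlSlk2\nbDc3VmE5NkEyZ2tRd01OUGZibmhtUlEKxdesIdvzm8s0SmXU5R+tSbmS5Dj24jrb\nEiMERYy1g8GyHR3d2/mU5iOIdsBegSZReUVzomaMT9L7/TmubgOP3g==\n-----END AGE ENCRYPTED FILE-----\n"
+},
+{
+"recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa2RDZzR6cEFYTFA1QkND\nbndVeHVrMVJ0MWZvRmw5VXRhOHlRYllIRWxRCjU4dks4R25LS1RZMHFnbmpQRVZz\nNXhubkJvZFc2amRwMDVtQlE0NnBKNzQKLS0tIHRyeDUxTEFPMEMzWUVkZURzODdm\nSHdqbUpvNmFTS1QveFRpRHdnWHpHb28KnvdUkMkKGiBVHQD7Yv7n6WZjihCGJAR2\nMKl2WAn4g4jzgcXPwwIAIjUrMGSIdGpwCTUDcDnlKWAbRYO2B6P17A==\n-----END AGE ENCRYPTED FILE-----\n"
+}
+],
+"lastmodified": "2025-02-19T17:11:17Z",
+"mac": "ENC[AES256_GCM,data:yBIEqHhr4igoMlRcgg2SigKfejqeuNmuleYolsLJo+QOaW4BHITJTvLxRV1JHPpcMVQkF//zx4ZfUUrb8tTN0znGu3Jnpd0JVagbfCVyEuT6d1SB/GzyUVvoQ2GlcA9us+5gjI4oEJTQCfVqnLDBWsw+jXdr3nEIWo6Mvbqo3lI=,iv:I6Swk4wyd+96+tJKRY/FHlS7ZShMDROcbl+l+ZLRxhM=,tag:P1uQvB4NLdkPEKRMI6lLxw==,type:str]",
+"pgp": null,
+"unencrypted_suffix": "_unencrypted",
+"version": "3.9.4"
+}
+}
\ No newline at end of file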
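--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -93,6 +93,7 @@ table inet filter {
 counter pgbackrest-rx {}
 counter immich-rx {}
 counter paperless-rx {}
+counter hledger-rx {}
 
 counter established-rx {}
 
@@ -123,6 +124,7 @@ table inet filter {
 counter pgbackrest-tx {}
 counter immich-tx {}
 counter paperless-tx {}
+counter hledger-tx {}
 
 counter tx {}
 
@@ -200,6 +202,7 @@ table inet filter {
 
 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
+iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
 
 ct state { established, related } counter name established-rx accept
 
@@ -250,6 +253,7 @@ table inet filter {
 
 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
+iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
 
 
 counter name tx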
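Review bot: The trust boundary for the new `hledger-rx` rule (new line 205) is split across two files with nothing tying them together: the firewall admits port 5000 only from `$bifrost_surtr`, while nginx in hosts/vidhar/hledger/default.nix binds that port on `[2a03:4000:52:ada:4:1::]` and trusts `set_real_ip_from 2a03:4000:52:ada:4::` for client-address rewriting. Those two must name the same peer for the real-IP rewrite to stay limited to the firewall-admitted source, and I cannot confirm from this diff what `$bifrost_surtr` resolves to. A comment on the rule would keep them in sync on future edits, e.g. `# hledger-web: nginx on port 5000 (hosts/vidhar/hledger); keep in step with set_real_ip_from there`. The same applies to the matching `hledger-tx` rule at new line 256.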