From d05fb68b774b7011197c1c229e61809f642fcdd2 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Wed, 19 Feb 2025 19:10:58 +0100
Subject: hledger

---
hosts/vidhar/hledger/default.nix | 83 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 83 insertions(+)
create mode 100644 hosts/vidhar/hledger/default.nix
(limited to 'hosts/vidhar/hledger/default.nix')

diff --git a/hosts/vidhar/hledger/default.nix b/hosts/vidhar/hledger/default.nix
new file mode 100644
index 00000000..ae080f66
--- /dev/null
+++ b/hosts/vidhar/hledger/default.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+ config = {
+ services.hledger-web = {
+ enable = true;
+ allow = "view";
+ stateDir = "/var/lib/hledger";
+ journalFiles = lib.mkForce ["web.journal"];
+ baseUrl = "https://hledger.yggdrasil.li";
+ extraOptions = [
+ "--socket=/run/hledger-web/http.sock"
+ ];
+ };
+ users = {
+ users.hledger.uid = 982;
+ groups.hledger.gid = 979;
+ };
+ systemd.services.hledger-web = {
+ serviceConfig = {
+ UMask = "0002";
+ ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
+ RuntimeDirectory = [ "hledger-web" ];
+ PrivateDevices = true;
+ StateDirectory = "hledger";
+ CapabilityBoundingSet = "";
+ AmbientCapabilities = "";
+ ProtectSystem = "strict";
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectHome = "tmpfs";
+ ProtectKernelLogs = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateNetwork = false;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service @resources"
+ "~@obsolete @privileged"
+ ];
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ PrivateUsers = true;
+ TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ];
+ };
+ };
+ services.nginx = {
+ upstreams.hledger = {
+ servers = { "unix:/run/hledger-web/http.sock" = {}; };
+ };
+ virtualHosts."hledger.yggdrasil.li" = {
+ listen = [
+ { addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; }
+ ];
+ extraConfig = ''
+ set_real_ip_from 2a03:4000:52:ada:4::;
+ auth_basic "hledger";
+ auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
+ '';
+ locations."/" = {
+ proxyPass = "http://hledger/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ systemd.services.nginx.serviceConfig = {
+ SupplementaryGroups = [ "hledger" ];
+ LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
+ };
+ sops.secrets."hledger_users" = {
+ format = "binary";
+ sopsFile = ./htpasswd;
+ reloadUnits = [ "nginx.service" ];
+ };
+ };
+}
-- 
cgit v1.2.3
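Review bot: The `hledger.yggdrasil.li` virtualHost listens on `[2a03:4000:52:ada:4:1::]:5000` with no `ssl = true` on the listen entry and no `forceSSL`/`enableACME`, so the `auth_basic` credentials cross that hop in cleartext; `baseUrl = "https://hledger.yggdrasil.li"` and the `set_real_ip_from 2a03:4000:52:ada:4::;` line suggest TLS terminates on a proxy in front, but nothing in this file limits who can reach port 5000. If that proxy is the only intended client, record the assumption next to `listen`, e.g. `# plain HTTP on purpose: TLS is terminated by the proxy at 2a03:4000:52:ada:4::, which must remain the only peer able to reach port 5000`; otherwise set `ssl = true` here and attach a certificate. The pairing of `ReadOnlyPaths = [ config.services.hledger-web.stateDir ]` with the `.cache` entry in `TemporaryFileSystem` is what keeps the journal immutable under `allow = "view"` despite `StateDirectory = "hledger"`; a one-line comment saying so would stop the next reader from "fixing" the apparent conflict. Since hledger-web only serves on the unix socket given in `extraOptions`, `RestrictAddressFamilies` could probably be reduced to `"AF_UNIX"` unless the daemon needs outbound network — worth confirming before tightening.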