From d05fb68b774b7011197c1c229e61809f642fcdd2 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 19 Feb 2025 19:10:58 +0100 Subject: hledger --- hosts/vidhar/default.nix | 2 +- hosts/vidhar/hledger/default.nix | 83 ++++++++++++++++++++++++++++++++++++++++ hosts/vidhar/hledger/htpasswd | 24 ++++++++++++ hosts/vidhar/network/ruleset.nft | 6 ++- 4 files changed, 113 insertions(+), 2 deletions(-) create mode 100644 hosts/vidhar/hledger/default.nix create mode 100644 hosts/vidhar/hledger/htpasswd (limited to 'hosts/vidhar') diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 90e58b42..de661f4a 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -4,7 +4,7 @@ with lib; { imports = with flake.nixosModules.systemProfiles; [ - ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./firefly-iii + ./zfs.nix ./network ./samba.nix ./dns ./prometheus ./borg ./pgbackrest ./postgresql.nix ./immich.nix ./paperless ./firefly-iii ./hledger tmpfs-root zfs initrd-all-crypto-modules default-locale openssh rebuild-machines build-server diff --git a/hosts/vidhar/hledger/default.nix b/hosts/vidhar/hledger/default.nix new file mode 100644 index 00000000..ae080f66 --- /dev/null +++ b/hosts/vidhar/hledger/default.nix 
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+{
+ config = {
+ services.hledger-web = {
+ enable = true;
+ allow = "view";
+ stateDir = "/var/lib/hledger";
+ journalFiles = lib.mkForce ["web.journal"];
+ baseUrl = "https://hledger.yggdrasil.li";
+ extraOptions = [
+ "--socket=/run/hledger-web/http.sock"
+ ];
+ };
+ users = {
+ users.hledger.uid = 982;
+ groups.hledger.gid = 979;
+ };
+ systemd.services.hledger-web = {
+ serviceConfig = {
+ UMask = "0002";
+ ReadOnlyPaths = [ config.services.hledger-web.stateDir ];
+ RuntimeDirectory = [ "hledger-web" ];
+ PrivateDevices = true;
+ StateDirectory = "hledger";
+ CapabilityBoundingSet = "";
+ AmbientCapabilities = "";
+ ProtectSystem = "strict";
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectHome = "tmpfs";
+ ProtectKernelLogs = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ PrivateNetwork = false;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service @resources"
+ "~@obsolete @privileged"
+ ];
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ PrivateUsers = true;
+ TemporaryFileSystem = [ "/var/lib/hledger/.cache:mode=0750,uid=${toString (config.users.users.hledger.uid)},gid=${toString (config.users.groups.hledger.gid)}" ];
+ };
+ };
+ services.nginx = {
+ upstreams.hledger = {
+ servers = { "unix:/run/hledger-web/http.sock" = {}; };
+ };
+ virtualHosts."hledger.yggdrasil.li" = {
+ listen = [
+ { addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; }
+ ];
+ extraConfig = ''
+ set_real_ip_from 2a03:4000:52:ada:4::;
+ auth_basic "hledger";
+ auth_basic_user_file "/run/credentials/nginx.service/hledger_users";
+ '';
+ locations."/" = {
+ proxyPass = "http://hledger/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ systemd.services.nginx.serviceConfig = {
+ SupplementaryGroups = [ "hledger" ];
+ LoadCredential = [ "hledger_users:${config.sops.secrets."hledger_users".path}" ];
+ };
+ sops.secrets."hledger_users" = {
+ format = "binary";
+ sopsFile = ./htpasswd;
+ reloadUnits = [ "nginx.service" ];
+ };
+ };
+}
diff --git a/hosts/vidhar/hledger/htpasswd b/hosts/vidhar/hledger/htpasswd
new file mode 100644
index 00000000..016cb525
--- /dev/null
+++ b/hosts/vidhar/hledger/htpasswd
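Review bot: The `virtualHosts."hledger.yggdrasil.li"` block listens in plain HTTP on `[2a03:4000:52:ada:4:1::]:5000` while `auth_basic` makes the browser resend the credential on every request, so the basic-auth password crosses the bifrost hop in cleartext between the `set_real_ip_from` proxy and this host; if that link is not already treated as trusted, the listen entry should become `{ addr = "[2a03:4000:52:ada:4:1::]"; port = 5000; ssl = true; }` with a certificate, or the hop should be protected some other way. `set_real_ip_from` is given without `real_ip_header`, so nginx falls back to its default `X-Real-IP`; if the front proxy only sets `X-Forwarded-For`, the client address seen by auth/rate-limit/log directives stays the proxy's. `RestrictAddressFamilies` keeps AF_INET/AF_INET6 although the daemon only listens on `/run/hledger-web/http.sock` — presumably deliberate given the explicit `PrivateNetwork = false`, but a comment saying why hledger-web needs a network socket would help the next reader. A short header comment at the top of the module, recording that hledger-web is view-only, reachable only through the TLS-terminating proxy on bifrost (see `network/ruleset.nft`), and that the basic-auth users come from the sops-encrypted `htpasswd`, would capture these assumptions in the file itself.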
@@ -0,0 +1,24 @@
+{
+ "data": "ENC[AES256_GCM,data:9MNDIAc7ePYk3xQDorX2pU8ybJkJb33RKiJxc2DYauXFNQYxtGwCYhZwod7p7fPh3KqZxBNMRoZXr+/RnV+trsqjAcOOjnXTWLbX6nubq/xm+q0BxEjOPn7FvJF9XOblBeupldo+byGh2CMH9qQv5Fov,iv:3Tym+Mfr48OJet3qDFZPg0XjYr4sNQdNdiu0vUxmzbY=,tag:E0sxRY/jeMVlqH6uAYvD/Q==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eFBsOEM2ZUNVT2V3LytC\nTUJvUDdKc0VzMyt2cDFKYU03djBjZVFpeVY4CjByMXhPVXRJVjhKQWZvQ2xuOTE3\ncXdJV1lZaHR3cVl0Z0hQaG00M2dGbjQKLS0tIEIzenVxb3cwM3pXTUl1YUZlSlk2\nbDc3VmE5NkEyZ2tRd01OUGZibmhtUlEKxdesIdvzm8s0SmXU5R+tSbmS5Dj24jrb\nEiMERYy1g8GyHR3d2/mU5iOIdsBegSZReUVzomaMT9L7/TmubgOP3g==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPa2RDZzR6cEFYTFA1QkND\nbndVeHVrMVJ0MWZvRmw5VXRhOHlRYllIRWxRCjU4dks4R25LS1RZMHFnbmpQRVZz\nNXhubkJvZFc2amRwMDVtQlE0NnBKNzQKLS0tIHRyeDUxTEFPMEMzWUVkZURzODdm\nSHdqbUpvNmFTS1QveFRpRHdnWHpHb28KnvdUkMkKGiBVHQD7Yv7n6WZjihCGJAR2\nMKl2WAn4g4jzgcXPwwIAIjUrMGSIdGpwCTUDcDnlKWAbRYO2B6P17A==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-02-19T17:11:17Z",
+ "mac": "ENC[AES256_GCM,data:yBIEqHhr4igoMlRcgg2SigKfejqeuNmuleYolsLJo+QOaW4BHITJTvLxRV1JHPpcMVQkF//zx4ZfUUrb8tTN0znGu3Jnpd0JVagbfCVyEuT6d1SB/GzyUVvoQ2GlcA9us+5gjI4oEJTQCfVqnLDBWsw+jXdr3nEIWo6Mvbqo3lI=,iv:I6Swk4wyd+96+tJKRY/FHlS7ZShMDROcbl+l+ZLRxhM=,tag:P1uQvB4NLdkPEKRMI6lLxw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.4"
+ }
+}
\ No newline at end of file
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 5398cbee..8f8f24f1 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft @@ -94,6 +94,7 @@ table inet filter { counter immich-rx {} counter paperless-rx {} counter firefly-rx {} + counter hledger-rx {} counter established-rx {} @@ -125,6 +126,7 @@ table inet filter { counter immich-tx {} counter paperless-tx {} counter firefly-tx {} + counter hledger-tx {} counter tx {} @@ -203,6 +205,7 @@ table inet filter { iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept iifname bifrost tcp dport 9000 ip6 saddr $bifrost_surtr counter name firefly-rx accept + iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept ct state { established, related } counter name established-rx accept @@ -253,7 +256,8 @@ table inet filter { iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept - iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name firefly-tx accept + iifname bifrost tcp sport 9000 ip6 daddr $bifrost_surtr counter name firefly-tx accept + iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept counter name tx -- cgit v1.2.3
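Review bot: Port 5000 appears as a bare literal in the new `hledger-rx` rule, again in the new `hledger-tx` rule, and a third time as `port = 5000` in `hosts/vidhar/hledger/default.nix`; the `firefly-tx` correction in the last hunk (sport 28981 → 9000) shows how easily these copied literals drift apart. Since the file already uses `define`d symbols (`$bifrost_surtr`), a `define hledger_port = 5000` near the top of the file — outside these hunks — referenced as `tcp dport $hledger_port` and `tcp sport $hledger_port` would keep the two rules in step. The `tcp dport 5000 ip6 saddr $bifrost_surtr` match is the only thing limiting the cleartext basic-auth endpoint to the front proxy, which deserves a one-line comment on the rx rule such as `# hledger-web behind nginx (basic auth over plain HTTP): surtr only`. The chains these rules sit in begin outside the hunks, so the direction of the `-tx` match (`iifname` combined with `sport`) was not checked here.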