Started on implementing derek's site

Updated permissions
Updated secrets
2025-09-30 18:51:38 +02:00 · 2025-09-30 16:49:52 +00:00 · 2025-09-23 08:10:26 +00:00
9 changed files with 143 additions and 24 deletions
--- a/hosts/lapserv/hardware-configuration.nix
+++ b/hosts/lapserv/hardware-configuration.nix
@ -1,17 +1,23 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
  ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot = {
+    initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "sd_mod"];
+    initrd.kernelModules = [];
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };

  # fileSystems."/" =
  #   { device = "/dev/disk/by-uuid/33b7e681-d92a-40db-a172-b797591a1e2e";
@ -24,19 +30,19 @@
  #     options = [ "fmask=0022" "dmask=0022" ];
  #   };

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/2ce4b2b1-0083-43b2-bd8d-0e8cd21b1ef6";
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/2ce4b2b1-0083-43b2-bd8d-0e8cd21b1ef6";
    fsType = "ext4";
  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/AE71-FD70";
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/AE71-FD70";
    fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+    options = ["fmask=0022" "dmask=0022"];
  };

-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/f5af06e8-e285-4565-abc3-fdd0ddde4736"; }
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/f5af06e8-e285-4565-abc3-fdd0ddde4736";}
  ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -22,6 +22,10 @@ in {
      file = ./derek-bot.age;
      owner = "derek-bot";
    };
+    derek-site = isEnabled "derek-site" {
+      file = ./derek-bot.age;
+      owner = "derek-site";
+    };
    # matrix-registration = isEnabled "matrix" {
    #   file = ./matrix-registration.age;
    #   owner = abstrServiceUser "matrix-continuwuity";
--- a/secrets/derek-bot.age
+++ b/secrets/derek-bot.age
--- a/secrets/derek-site.age
+++ b/secrets/derek-site.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -16,6 +16,7 @@ in {
  "password.age".publicKeys = keys;
  "jsw-bot.age".publicKeys = keys;
  "derek-bot.age".publicKeys = keys;
+  "derek-site.age".publicKeys = keys;
  "matrix-registration.age".publicKeys = keys;
  "mail-admin.age".publicKeys = keys;
  "zitadel-key.age".publicKeys = keys;
--- a/system/server/default.nix
+++ b/system/server/default.nix
@ -7,6 +7,7 @@ in {
    ./jsw-bot.nix
    ./caddy.nix
    ./derek-bot.nix
+    ./derek-site.nix
    ./forgejo.nix
    ./immich.nix
    ./index
--- a/system/server/derek-bot.nix
+++ b/system/server/derek-bot.nix
@ -76,7 +76,37 @@ in {
    users.groups.${userGroup} = {};
    users.users.${userGroup} = {
      group = userGroup;
-      isSystemUser = true;
+      isNormalUser = true;
+      home = "/home/${userGroup}";
    };
+    security.polkit.extraConfig = ''
+	polkit.addRule(function(action, subject) {
+	    polkit.log("Rule triggered. Action: " + action.id + " Unit: " + action.lookup("unit") + " User: " + subject.user);
+
+	    // For journalctl access
+	    if ((action.id == "org.freedesktop.systemd1.manage-units" || 
+		 action.id == "org.freedesktop.systemd1.unit-journal") &&
+		action.lookup("unit") == "${userGroup}.service" &&
+		subject.user == "${userGroup}") {
+		polkit.log("ALLOWING access for " + subject.user);
+		return polkit.Result.YES;
+	    }
+	});
+      polkit.addRule(function(action, subject) {
+	  if (
+	      subject.user == "${userGroup}" &&
+	      (
+		action.id == "org.freedesktop.login1.power-off" ||
+		action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
+		action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
+		action.id == "org.freedesktop.login1.reboot" ||
+		action.id == "org.freedesktop.login1.reboot-ignore-inhibit" ||
+		action.id == "org.freedesktop.login1.reboot-multiple-sessions"
+	      )
+	  ) {
+	      return polkit.Result.NO;
+	  }
+      });
+    '';
  };
 }
--- a/system/server/derek-site.nix
+++ b/system/server/derek-site.nix
@ -0,0 +1,77 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  name = "derek-site";
+  cfg = config.niksos.server.${name}.enable;
+
+  userGroup = name;
+  gitRepo = "https://github.com/Definitely-Not-A-Dolphin/Geen-Dolfijn";
+
+  inherit (lib) getExe mkEnableOption mkIf;
+  bash = getExe pkgs.bash;
+
+  varLib = "/var/lib/";
+  mainDir = "${varLib}${userGroup}";
+  programDir = "${mainDir}/program";
+  denoDir = "${mainDir}/deno";
+
+  path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.deno pkgs.git]);
+  run = pkgs.writeShellScriptBin "geen-dolfijn" ''
+    cd "${programDir}"
+    export $(grep -v '^#' "${config.age.secrets.${userGroup}.path}" | xargs)
+
+    deno run preview
+  '';
+in {
+  options.niksos.server.${name}.enable = mkEnableOption name;
+
+  config = mkIf cfg {
+    systemd.services.${userGroup} = {
+      enable = true;
+      after = ["network.target"];
+      wantedBy = ["default.target"];
+      description = userGroup;
+
+      environment = {
+        "DENO_DIR" = denoDir;
+        "PATH" = lib.mkForce path;
+      };
+
+      preStart = ''
+        export PATH=${path}
+
+        cd "${mainDir}"
+        chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo
+
+        if [ ! -d "${programDir}" ]; then
+          git clone "${gitRepo}" "${programDir}"
+        fi
+        chmod -R 750 ${mainDir}/* || echo
+
+        cd "${programDir}"
+        git fetch
+        git reset --hard origin/HEAD
+
+        DENO_DIR=${denoDir} deno i
+      '';
+
+      serviceConfig = {
+        StateDirectory = userGroup;
+        ExecStart = getExe run;
+        User = userGroup;
+        Group = userGroup;
+        Restart = "always";
+        RuntimeMaxSec = 1 * 60 * 60; # 1h * 60min * 60s
+      };
+    };
+
+    users.groups.${userGroup} = {};
+    users.users.${userGroup} = {
+      group = userGroup;
+      isSystemUser = true;
+    };
+  };
+}
--- a/system/server/lib/extractWebOptions.nix
+++ b/system/server/lib/extractWebOptions.nix
@ -11,8 +11,8 @@
    then ""
    else "${cfg.subDomain}.";
 in
-  cfg // 
-  {
+  cfg
+  // {
    domain = "${subDomain}${baseDomain}";
    inherit baseDomain subDomain;
  }
Author	SHA1	Message	Date
Jurn Wubben	876c9ee88d	Started on implementing derek's site	2025-09-30 18:51:38 +02:00
Jurn Wubben	a0638fdff3	Updated permissions	2025-09-30 16:49:52 +00:00
Jurn Wubben	05948d31c2	Updated secrets	2025-09-23 08:10:26 +00:00