From cdf9817bc8eb5cd44ecc9b1e5bc46537233e6225 Mon Sep 17 00:00:00 2001
From: fleaz
Date: Wed, 4 Oct 2023 23:08:14 +0200
Subject: [PATCH] added stuff from morph

---
 cpthook/default.nix | 19 +++++
 default.nix | 13 +++
 gotosocial/gotosocial.nix | 0
 hacompanion/default.nix | 19 +++++
 modules/default.nix | 5 ++
 modules/gotosocial.nix | 169 ++++++++++++++++++++++++++++++++++++++
 pulse-secure/default.nix | 121 +++++++++++++++++++++++++++
 pytapo/default.nix | 40 +++++++++
 test.nix | 9 ++
 9 files changed, 395 insertions(+)
 create mode 100644 cpthook/default.nix
 create mode 100644 default.nix
 create mode 100644 gotosocial/gotosocial.nix
 create mode 100644 hacompanion/default.nix
 create mode 100644 modules/default.nix
 create mode 100644 modules/gotosocial.nix
 create mode 100644 pulse-secure/default.nix
 create mode 100644 pytapo/default.nix
 create mode 100644 test.nix

diff --git a/cpthook/default.nix b/cpthook/default.nix
new file mode 100644
index 0000000..0cdf36d
--- /dev/null
+++ b/cpthook/default.nix
@@ -0,0 +1,19 @@
+{ lib
+, buildGoModule
+, pkgs
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+ pname = "cpthook";
+ version = "0.7.1";
+
+ src = fetchFromGitHub {
+ owner = "fleaz";
+ repo = "CptHook";
+ hash = "sha256-SfqybLrTF9TDz4t/zPDojlZngVDxKGLTlNs9T34LfMU=";
+ rev = "v${version}";
+ };
+
+ vendorSha256 = "sha256-iKIH36pYK6x5ReCz6wiw5SWoiyMBfmr2K4ToWI/V6xQ=";
+}
diff --git a/default.nix b/default.nix
new file mode 100644
index 0000000..87eb2cf
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,13 @@
+self: super: {
+ hacompanion = super.callPackage ./hacompanion { };
+ cpthook = super.callPackage ./cpthook { };
+
+ python3 = super.python3.override {
+ packageOverrides = python-self: python-super: {
+ pytapo = python-super.callPackage ./pytapo { };
+ };
+ };
+
+ gotosocial = super.callPackage ./gotosocial { };
+ pulse-secure = super.callPackage ./pulse-secure { };
+}
diff --git a/gotosocial/gotosocial.nix b/gotosocial/gotosocial.nix
new file mode 100644
index 0000000..e69de29
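Review bot: `vendorSha256` on the last line of the cpthook derivation is the older spelling; current buildGoModule expects `vendorHash = "sha256-iKIH36pYK6x5ReCz6wiw5SWoiyMBfmr2K4ToWI/V6xQ=";` and warns on the old name. The `lib` and `pkgs` arguments in the header are taken but never used, and the derivation carries no `meta` (description, homepage, license), so nothing records what is being built or under which terms. The hacompanion/default.nix hunk has the same three issues and should be fixed the same way.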
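Review bot: `gotosocial = super.callPackage ./gotosocial { };` in default.nix points at a directory whose only file in this commit is the empty `gotosocial/gotosocial.nix`, so there is no `gotosocial/default.nix` for the path to resolve to and evaluating `pkgs.gotosocial` will fail. The overlay only survives because `test.nix` never references that attribute, so the breakage is latent rather than caught by the shell. Either add the real package file or drop the line until it exists.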
diff --git a/hacompanion/default.nix b/hacompanion/default.nix
new file mode 100644
index 0000000..554ab6a
--- /dev/null
+++ b/hacompanion/default.nix
@@ -0,0 +1,19 @@
+{ lib
+, buildGoModule
+, pkgs
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+ pname = "hacompanion";
+ version = "1.0.5";
+
+ src = fetchFromGitHub {
+ owner = "tobias-kuendig";
+ repo = "hacompanion";
+ hash = "sha256-wNxE2TrO/TPVzwyn+LRfu6v9mUf3CeB5vdNNJM4rMAI=";
+ rev = "v${version}";
+ };
+
+ vendorSha256 = "sha256-ZZ8nxN+zUeFhSXyoHLMgzeFllnIkKdoVnbVK5KjrLEQ=";
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..9a55f3a
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./gotosocial.nix
+ ];
+}
diff --git a/modules/gotosocial.nix b/modules/gotosocial.nix
new file mode 100644
index 0000000..d2940ab
--- /dev/null
+++ b/modules/gotosocial.nix
@@ -0,0 +1,169 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.gotosocial;
+ settingsFormat = pkgs.formats.yaml { };
+ configFile = settingsFormat.generate "config.yml" cfg.settings;
+ defaultSettings = {
+ application-name = "gotosocial";
+
+ protocol = "https";
+
+ bind-address = "127.0.0.1";
+ port = 8080;
+
+ storage-local-base-path = "/var/lib/gotosocial/storage";
+
+ db-type = "sqlite";
+ db-address = "/var/lib/gotosocial/database.sqlite";
+ };
+ gotosocial-admin = pkgs.writeShellScriptBin "gotosocial-admin" ''
+ exec systemd-run \
+ -u gotosocial-admin.service \
+ -p Group=gotosocial \
+ -p User=gotosocial \
+ -q -t -G --wait --service-type=exec \
+ ${cfg.package}/bin/gotosocial --config-path ${configFile} admin "$@"
+ '';
+in
+{
+ meta.doc = ./gotosocial.md;
+ meta.maintainers = with lib.maintainers; [ misuzu ];
+
+ options.services.gotosocial = {
+ enable = lib.mkEnableOption (lib.mdDoc "ActivityPub social network server");
+
+ package = lib.mkPackageOptionMD pkgs "gotosocial" { };
+
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Open the configured port in the firewall.
+ Using a reverse proxy instead is highly recommended.
+ '';
+ };
+
+ setupPostgresqlDB = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to setup a local postgres database and populate the
+ `db-type` fields in `services.gotosocial.settings`.
+ '';
+ };
+
+ settings = lib.mkOption {
+ type = settingsFormat.type;
+ default = defaultSettings;
+ example = {
+ application-name = "My GoToSocial";
+ host = "gotosocial.example.com";
+ };
+ description = lib.mdDoc ''
+ Contents of the GoToSocial YAML config.
+ Please refer to the
+ [documentation](https://docs.gotosocial.org/en/latest/configuration/)
+ and
+ [example config](https://github.com/superseriousbusiness/gotosocial/blob/main/example/config.yaml).
+ Please note that the `host` option cannot be changed later so it is important to configure this correctly before you start GoToSocial.
+ '';
+ };
+
+ environmentFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ description = lib.mdDoc ''
+ File path containing environment variables for configuring the GoToSocial service
+ in the format of an EnvironmentFile as described by systemd.exec(5).
+ This option could be used to pass sensitive configuration to the GoToSocial daemon.
+ Please refer to the Environment Variables section in the
+ [documentation](https://docs.gotosocial.org/en/latest/configuration/).
+ '';
+ default = null;
+ example = "/root/nixos/secrets/gotosocial.env";
+ };
+
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.settings.host or null != null;
+ message = ''
+ You have to define a hostname for GoToSocial (`services.gotosocial.settings.host`), it cannot be changed later without starting over!
+ '';
+ }
+ ];
+
+ services.gotosocial.settings = (lib.mapAttrs (name: lib.mkDefault) (
+ defaultSettings // {
+ web-asset-base-dir = "${cfg.package}/share/gotosocial/web/assets/";
+ web-template-base-dir = "${cfg.package}/share/gotosocial/web/template/";
+ }
+ )) // (lib.optionalAttrs cfg.setupPostgresqlDB {
+ db-type = "postgres";
+ db-address = "/run/postgresql";
+ db-database = "gotosocial";
+ db-user = "gotosocial";
+ });
+
+ environment.systemPackages = [ gotosocial-admin ];
+
+ users.groups.gotosocial = { };
+ users.users.gotosocial = {
+ group = "gotosocial";
+ isSystemUser = true;
+ };
+
+ networking.firewall = lib.mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.settings.port ];
+ };
+
+ services.postgresql = lib.mkIf cfg.setupPostgresqlDB {
+ enable = true;
+ ensureDatabases = [ "gotosocial" ];
+ ensureUsers = [
+ {
+ name = "gotosocial";
+ ensurePermissions = {
+ "DATABASE gotosocial" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+
+ systemd.services.gotosocial = {
+ description = "ActivityPub social network server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ]
+ ++ lib.optional cfg.setupPostgresqlDB "postgresql.service";
+ requires = lib.optional cfg.setupPostgresqlDB "postgresql.service";
+ restartTriggers = [ configFile ];
+
+ serviceConfig = {
+ EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
+ ExecStart = "${cfg.package}/bin/gotosocial --config-path ${configFile} server start";
+ Restart = "on-failure";
+ Group = "gotosocial";
+ User = "gotosocial";
+ StateDirectory = "gotosocial";
+ WorkingDirectory = "/var/lib/gotosocial";
+
+ # Security options:
+ # Based on https://github.com/superseriousbusiness/gotosocial/blob/v0.8.1/example/gotosocial.service
+ AmbientCapabilities = lib.optional (cfg.settings.port < 1024) "CAP_NET_BIND_SERVICE";
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ DevicePolicy = "closed";
+ ProtectSystem = "full";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ LockPersonality = true;
+ };
+ };
+ };
+}
diff --git a/pulse-secure/default.nix b/pulse-secure/default.nix
new file mode 100644
index 0000000..4054675
--- /dev/null
+++ b/pulse-secure/default.nix
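Review bot: Everything placed in `services.gotosocial.settings` is rendered by `settingsFormat.generate "config.yml" cfg.settings` into the Nix store, which is world-readable, so a database password, SMTP credential or OIDC client secret set there is exposed to every local user even though the service itself runs as `gotosocial`; the `settings` description should say so, e.g. `Values set here end up in the world-readable Nix store; put secrets in services.gotosocial.environmentFile instead.` `meta.doc = ./gotosocial.md;` references a file this commit does not add (the nine listed files contain no `.md`), so a manual build that reads `meta.doc` will fail, and `meta.maintainers = [ misuzu ]` looks copied from the upstream nixpkgs module rather than describing this repository. On the hardening block, the unit only needs `/var/lib/gotosocial` and a private `/tmp`, so `ProtectHome = true;` would be a cheap addition alongside `ProtectSystem = "full"`, if the upstream example the comment cites does not contradict it. Note also that `openFirewall` opens `cfg.settings.port` while `bind-address` defaults to `127.0.0.1`, so on its own the option exposes nothing; the description could mention that `bind-address` must be changed as well.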
@@ -0,0 +1,121 @@
+{ lib
+, stdenv
+, buildFHSEnv
+
+ # Required for handling RPM package
+, fetchurl
+, rpmextract
+
+ # Runtime dependencies
+, gcc
+, openssl
+, gtk4
+, gtk3
+, gtkmm3
+, libsoup
+, cairomm
+, webkitgtk
+, libbsd
+, libuuid
+, glib
+, atkmm
+, glibmm
+, pangomm
+, pango
+, at-spi2-atk
+, cairo
+, libsigcxx
+, gdk-pixbuf
+, procps
+, logger
+}:
+
+let
+ pname = "pulse-secure";
+ version = "22.3r1.0-b18209";
+
+ meta = with lib; {
+ description = "Ivanti Pulse-Secure VPN client";
+ sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+ license = licenses.unfree;
+ platforms = [ "x86_64-linux" ];
+ };
+
+ pulse-secure = stdenv.mkDerivation {
+ inherit pname version meta;
+
+ src = fetchurl {
+ #url = "https://dl.sva.de/pulsesecure/linux/ps-pulse-linux-${version}-64bit-installer.rpm";
+ url = "https://gml.noaa.gov/aftp/pub/cornwall/VPN%20Client/old/ps-pulse-linux-${version}-64bit-installer.rpm";
+ hash = "sha256-COKhB7+W1ridXF86O3309b5u1FgxukAfGYMf16Ie4Rs=";
+ };
+
+ unpackPhase = ''
+ ${rpmextract}/bin/rpmextract $src
+ '';
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out
+
+ # executables
+ cp -rv ./opt/pulsesecure/bin $out/bin
+
+ # libs
+ cp -rv ./opt/pulsesecure/lib/dispatch/ $out/lib/
+ cp -rv ./opt/pulsesecure/lib/JUNS/ $out/lib/
+ cp -rv ./opt/pulsesecure/lib/dsOpenSSL/ $out/lib/
+
+ ls -la $out
+ ls -la $out/lib
+
+ # documentation
+ cp -rv ./usr/share/man $out/
+
+ # Desktop file
+ mkdir -p $out/share/applications
+ cp -v ./opt/pulsesecure/resource/pulse.desktop $out/share/applications/
+ cp -rv ./opt/pulsesecure/resource $out/
+
+ # DBUS
+ mkdir -p $out/share/dbus-1/system.d
+ cp ./opt/pulsesecure/lib/JUNS/net.psecure.pulse.conf $out/share/dbus-1/system.d/net.psecure.pulse.conf
+
+ runHook postInstall
+ '';
+
+ };
+in
+buildFHSEnv {
+ inherit meta;
+ name = pname;
+
+ targetPkgs = pkgs: [
+ pulse-secure
+ ];
+
+ multiPkgs = pkgs: [
+ gcc
+ openssl
+ gtk3
+ gtkmm3
+ gtk4
+ libsoup
+ cairomm
+ webkitgtk
+ libbsd
+ libuuid
+ glib
+ atkmm
+ glibmm
+ pangomm
+ pango
+ at-spi2-atk
+ cairo
+ libsigcxx
+ gdk-pixbuf
+ ];
+
+ runScript = "pulseUI";
+}
diff --git a/pytapo/default.nix b/pytapo/default.nix
new file mode 100644
index 0000000..1a8ee76
--- /dev/null
+++ b/pytapo/default.nix
@@ -0,0 +1,40 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+
+# propagates
+, pycryptodome
+, requests
+, urllib3
+}:
+
+buildPythonPackage rec {
+ pname = "pytapo";
+ version = "2.9.2";
+ format = "setuptools";
+
+ src = fetchPypi {
+ inherit pname version;
+ hash = "sha256-LW14uDQBqIVsigOzO0bNTpjY7Fk0IWAeDMPEuWM/nOo=";
+ };
+
+ propagatedBuildInputs = [
+ pycryptodome
+ requests
+ urllib3
+ ];
+
+ pythonImportsCheck = [
+ "pytapo"
+ ];
+
+ # Tests require actual hardware
+ doCheck = false;
+
+ meta = with lib; {
+ description = "Python library for communication with Tapo Cameras ";
+ homepage = "https://github.com/JurajNyiri/pytapo";
+ license = with licenses; [ mit ];
+ maintainers = with maintainers; [ fleaz ];
+ };
+}
diff --git a/test.nix b/test.nix
new file mode 100644
index 0000000..dbc8428
--- /dev/null
+++ b/test.nix
@@ -0,0 +1,9 @@
+{ pkgs ? import { overlays = [ (import ./default.nix) ]; } }:
+
+pkgs.mkShell {
+ buildInputs = with pkgs; [
+ cpthook
+ hacompanion
+ pulse-secure
+ ];
+}
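Review bot: The `src` block in pulse-secure/default.nix fetches a binary-only, unfree VPN client from an unrelated third-party mirror (`gml.noaa.gov/aftp/pub/cornwall/VPN%20Client/old/`) while the vendor-style `dl.sva.de` URL is left commented out, so the pinned `sha256-COKhB7+…` is the only thing tying this artifact to its publisher and nothing records where that hash was verified. A comment stating the provenance of the hash, plus `urls = [ "https://dl.sva.de/pulsesecure/linux/ps-pulse-linux-${version}-64bit-installer.rpm" "https://gml.noaa.gov/aftp/pub/cornwall/VPN%20Client/old/ps-pulse-linux-${version}-64bit-installer.rpm" ];` in place of the single `url`, would keep the mirror as a fallback rather than the sole origin. The two `ls -la` lines in installPhase look like leftover debugging output and only add noise to the build log. `procps` and `logger` are declared in the argument set but never used in `multiPkgs` or `targetPkgs`. The `net.psecure.pulse.conf` copied into `$out/share/dbus-1/system.d` is a system-bus policy file; inside the FHS env it is not installed on the host bus, so if the client depends on it the consuming NixOS configuration has to add the package to `services.dbus.packages`, which is worth a comment there.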
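Review bot: The `description` in pytapo's `meta` ends with a trailing space, `"Python library for communication with Tapo Cameras "`; it should read `description = "Python library for communication with Tapo Cameras";`. The rest of the package is in order: `doCheck = false` is justified by the comment and `pythonImportsCheck` still exercises the import.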
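Review bot: As rendered, the first line of test.nix reads `{ pkgs ? import { overlays = [ (import ./default.nix) ]; } }:`, which is not valid Nix because `import` has no path argument; presumably the angle-bracketed `nixpkgs` search-path lookup was stripped by the page renderer, so confirm that the committed file passes it as the first argument of `import`. The shell only pulls in `cpthook`, `hacompanion` and `pulse-secure`, so the `gotosocial` entry and the `python3` override in default.nix are never evaluated by this check and a broken attribute there would go unnoticed.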