add servicepoint-tanks service

flake.lock

@@ -1,5 +1,49 @@
 {
   "nodes": {
+    "binding": {
+      "inputs": {
+        "binding": "binding_2",
+        "nixpkgs": [
+          "servicepoint-tanks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759096792,
+        "narHash": "sha256-CW4D1yJecw7Id6AxIEJOW3OpcX3Y4Ehng76/YlR1I9w=",
+        "ref": "refs/heads/main",
+        "rev": "8df2996504866f3193fbe51860ab173d25724e5e",
+        "revCount": 307,
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-csharp.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-csharp.git"
+      }
+    },
+    "binding_2": {
+      "inputs": {
+        "nixpkgs": [
+          "servicepoint-tanks",
+          "binding",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759093963,
+        "narHash": "sha256-nis9Xps/P1f/v9FC3LoMLGGCOMMbdrOniDSklqLsH8o=",
+        "ref": "refs/heads/main",
+        "rev": "44ef4bb6d707c46af1bed6244f17a16f26f246c1",
+        "revCount": 304,
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git"
+      }
+    },
     "fenix": {
       "inputs": {
         "nixpkgs": [
@@ -281,6 +325,7 @@
         "nixpkgs-unstable": "nixpkgs-unstable",
         "servicepoint-cli": "servicepoint-cli",
         "servicepoint-simulator": "servicepoint-simulator",
+        "servicepoint-tanks": "servicepoint-tanks",
         "zerforschen-plus": "zerforschen-plus"
       }
     },
@@ -362,6 +407,27 @@
         "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-simulator.git"
       }
     },
+    "servicepoint-tanks": {
+      "inputs": {
+        "binding": "binding",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1760271116,
+        "narHash": "sha256-cdQwPsIryhPrv3Cr99Wupmlj7zycJWk+tDH24TbpqFY=",
+        "ref": "refs/heads/main",
+        "rev": "f814eeedc16455c0c9c2c83e28e227633ae4b52a",
+        "revCount": 217,
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -14,6 +14,11 @@
       inputs.nixpkgs-stable.follows = "nixpkgs";
     };
 
+    nix-vscode-extensions = {
+      url = "github:nix-community/nix-vscode-extensions";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     zerforschen-plus = {
       url = "git+https://git.berlin.ccc.de/vinzenz/zerforschen.plus";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -29,8 +34,8 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    nix-vscode-extensions = {
-      url = "github:nix-community/nix-vscode-extensions";
+    servicepoint-tanks = {
+      url = "git+https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
@@ -43,10 +48,10 @@
       niri,
       zerforschen-plus,
       nixpkgs-unstable,
+      nix-vscode-extensions,
       servicepoint-cli,
       servicepoint-simulator,
-      nix-vscode-extensions,
-      ...
+      servicepoint-tanks,
     }:
     let
       devices = {
@@ -247,10 +252,12 @@
             self.nixosModules.nix-ld
             self.nixosModules.quiet-boot
             self.nixosModules.firmware-updates
+            self.nixosModules.servicepoint-tanks
 
             home-manager.nixosModules.home-manager
             servicepoint-simulator.nixosModules.default
             servicepoint-cli.nixosModules.default
+            servicepoint-tanks.nixosModules.default
           ])
           ++ additional-modules;
         }

homeConfigurations/vinzenz/vscode.nix

@@ -22,6 +22,7 @@
             mkhl.direnv
             muhammad-sammy.csharp
             davidanson.vscode-markdownlint
+            #mermaidchart.vscode-mermaid-chart
           ]
           ++ (with pkgs.vscode-extensions; [
             vadimcn.vscode-lldb

nixosConfigurations/vinzenz-lpt2/default.nix

@@ -42,5 +42,13 @@
       8776
       1337
     ];
+
+    services.servicepoint-tanks = {
+      enable = true;
+      urls = [
+        "http://localhost:5666"
+        "http://localhost:5667"
+      ];
+    };
   };
 }

nixosModules/servicepoint-tanks.nix

@@ -0,0 +1,121 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.servicepoint-tanks;
+  default-user-name = "servicepoint-tanks";
+in
+{
+  options.services.servicepoint-tanks = {
+    enable = lib.mkEnableOption "servicepoint-tanks";
+    package = lib.mkPackageOption pkgs "servicepoint-tanks" { };
+    urls = lib.mkOption {
+      default = [ "http://localhost:5000" ];
+      description = ''
+        Configures which protocol to bind on which host:port combination.
+      '';
+      type = lib.types.listOf lib.types.str;
+      example = [
+        "http://0.0.0.0"
+        "http://localhost:5000"
+        # TODO: allow HTTPS
+      ];
+    };
+    user = lib.mkOption {
+      default = default-user-name;
+      description = ''
+        The user under which servicepoint-tanks is run.
+
+        This module utilizes systemd's DynamicUser feature. See the corresponding section in
+        {manpage}`systemd.exec(5)` for more details.
+      '';
+      type = lib.types.str;
+    };
+    group = lib.mkOption {
+      default = default-user-name;
+      description = ''
+        The group under which servicepoint-tanks is run.
+
+        This module utilizes systemd's DynamicUser feature. See the corresponding section in
+        {manpage}`systemd.exec(5)` for more details.
+      '';
+      type = lib.types.str;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users = {
+      users = lib.mkIf (cfg.user == default-user-name) {
+        "${default-user-name}" = {
+          isSystemUser = true;
+          group = cfg.group;
+        };
+      };
+
+      groups = lib.mkIf (cfg.group == default-user-name) {
+        "${default-user-name}" = { };
+      };
+    };
+
+    systemd.services.sericepoint-tanks = {
+      description = "Run the servicepoint-tanks server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+
+      environment = {
+        ASPNETCORE_URLS = "${lib.strings.concatStringsSep ";" cfg.urls}";
+      };
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        DynamicUser = true;
+
+        Type = "exec";
+        ExecStart = "${lib.getBin cfg.package}/bin/TanksServer";
+
+        # hardening
+        NoNewPrivileges = true;
+        CapabilityBoundingSet = null;
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        SystemCallArchitectures = "native";
+        AmbientCapabilities = "";
+        PrivateMounts = true;
+        PrivateUsers = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHome = true;
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ProtectControlGroups = "strict";
+        LockPersonality = true;
+        RemoveIPC = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RestrictNamespaces = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+
+          # TODO: enable unix domain socket bind
+          # "AF_UNIX"
+        ];
+
+        # TODO: try fully AOT build with:
+        #MemoryDenyWriteExecute = true;
+      };
+    };
+  };
+}