From 9c840ba61ddc162e68e6fe0c580737280884d6d5 Mon Sep 17 00:00:00 2001 From: Vinzenz Schroeter Date: Sun, 12 Oct 2025 15:16:44 +0200 Subject: [PATCH] add servicepoint-tanks service --- flake.lock | 66 ++++++++++ flake.nix | 15 ++- homeConfigurations/vinzenz/vscode.nix | 1 + nixosConfigurations/vinzenz-lpt2/default.nix | 8 ++ nixosModules/servicepoint-tanks.nix | 121 +++++++++++++++++++ 5 files changed, 207 insertions(+), 4 deletions(-) create mode 100644 nixosModules/servicepoint-tanks.nix diff --git a/flake.lock b/flake.lock index f0e3317..5b7de92 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,49 @@ { "nodes": { + "binding": { + "inputs": { + "binding": "binding_2", + "nixpkgs": [ + "servicepoint-tanks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1759096792, + "narHash": "sha256-CW4D1yJecw7Id6AxIEJOW3OpcX3Y4Ehng76/YlR1I9w=", + "ref": "refs/heads/main", + "rev": "8df2996504866f3193fbe51860ab173d25724e5e", + "revCount": 307, + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-csharp.git" + }, + "original": { + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-csharp.git" + } + }, + "binding_2": { + "inputs": { + "nixpkgs": [ + "servicepoint-tanks", + "binding", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1759093963, + "narHash": "sha256-nis9Xps/P1f/v9FC3LoMLGGCOMMbdrOniDSklqLsH8o=", + "ref": "refs/heads/main", + "rev": "44ef4bb6d707c46af1bed6244f17a16f26f246c1", + "revCount": 304, + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git" + }, + "original": { + "type": "git", + "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-binding-uniffi.git" + } + }, "fenix": { "inputs": { "nixpkgs": [ 
@@ -281,6 +325,7 @@ "nixpkgs-unstable": "nixpkgs-unstable", "servicepoint-cli": "servicepoint-cli", "servicepoint-simulator": "servicepoint-simulator", + "servicepoint-tanks": "servicepoint-tanks", "zerforschen-plus": "zerforschen-plus" } }, @@ -362,6 +407,27 @@ "url": "https://git.berlin.ccc.de/servicepoint/servicepoint-simulator.git" } }, + "servicepoint-tanks": { + "inputs": { + "binding": "binding", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760271116, + "narHash": "sha256-cdQwPsIryhPrv3Cr99Wupmlj7zycJWk+tDH24TbpqFY=", + "ref": "refs/heads/main", + "rev": "f814eeedc16455c0c9c2c83e28e227633ae4b52a", + "revCount": 217, + "type": "git", + "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" + }, + "original": { + "type": "git", + "url": "https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 863a4c0..b9d02da 100644 --- a/flake.nix +++ b/flake.nix @@ -14,6 +14,11 @@ inputs.nixpkgs-stable.follows = "nixpkgs"; }; + nix-vscode-extensions = { + url = "github:nix-community/nix-vscode-extensions"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + zerforschen-plus = { url = "git+https://git.berlin.ccc.de/vinzenz/zerforschen.plus"; inputs.nixpkgs.follows = "nixpkgs"; @@ -29,8 +34,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nix-vscode-extensions = { - url = "github:nix-community/nix-vscode-extensions"; + servicepoint-tanks = { + url = "git+https://git.berlin.ccc.de/vinzenz/servicepoint-tanks.git"; inputs.nixpkgs.follows = "nixpkgs"; }; }; @@ -43,10 +48,10 @@ niri, zerforschen-plus, nixpkgs-unstable, + nix-vscode-extensions, servicepoint-cli, servicepoint-simulator, - nix-vscode-extensions, - ... + servicepoint-tanks, }: let devices = { 
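Review bot: Dropping `...` from the `outputs` argument set (the `- ...` line in the `@@ -43,10 +48,10 @@` hunk of flake.nix) makes the pattern strict: evaluation now fails with an "unexpected argument" error as soon as Nix passes any input, or `self`, that is not named in the list. The start of that pattern lies before the hunk, so I cannot confirm from here that every declared input is listed; if the strictness is intended, a one-line comment such as `# no \`...\`: every flake input must be named here explicitly` would save the next person from re-adding it, otherwise keep `...`.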
@@ -247,10 +252,12 @@ self.nixosModules.nix-ld self.nixosModules.quiet-boot self.nixosModules.firmware-updates + self.nixosModules.servicepoint-tanks home-manager.nixosModules.home-manager servicepoint-simulator.nixosModules.default servicepoint-cli.nixosModules.default + servicepoint-tanks.nixosModules.default ]) ++ additional-modules; } diff --git a/homeConfigurations/vinzenz/vscode.nix b/homeConfigurations/vinzenz/vscode.nix index c4ff381..73a09f3 100644 --- a/homeConfigurations/vinzenz/vscode.nix +++ b/homeConfigurations/vinzenz/vscode.nix @@ -22,6 +22,7 @@ mkhl.direnv muhammad-sammy.csharp davidanson.vscode-markdownlint + #mermaidchart.vscode-mermaid-chart ] ++ (with pkgs.vscode-extensions; [ vadimcn.vscode-lldb diff --git a/nixosConfigurations/vinzenz-lpt2/default.nix b/nixosConfigurations/vinzenz-lpt2/default.nix index 255dd7a..8d42e68 100644 --- a/nixosConfigurations/vinzenz-lpt2/default.nix +++ b/nixosConfigurations/vinzenz-lpt2/default.nix @@ -42,5 +42,13 @@ 8776 1337 ]; + + services.servicepoint-tanks = { + enable = true; + urls = [ + "http://localhost:5666" + "http://localhost:5667" + ]; + }; }; } diff --git a/nixosModules/servicepoint-tanks.nix b/nixosModules/servicepoint-tanks.nix new file mode 100644 index 0000000..67709f8 --- /dev/null +++ b/nixosModules/servicepoint-tanks.nix 
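Review bot: Both `self.nixosModules.servicepoint-tanks` and `servicepoint-tanks.nixosModules.default` are added to the same module list; if the upstream module also declares `services.servicepoint-tanks` options, evaluation fails with a duplicate option declaration, so it is worth confirming what the upstream module provides. Presumably it is the overlay that makes `pkgs.servicepoint-tanks` exist (the local module's `mkPackageOption pkgs "servicepoint-tanks"` relies on that), in which case a short comment such as `# upstream module: provides the servicepoint-tanks package; the service itself comes from self.nixosModules` would make the split explicit.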
@@ -0,0 +1,121 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.services.servicepoint-tanks;
+ default-user-name = "servicepoint-tanks";
+in
+{
+ options.services.servicepoint-tanks = {
+ enable = lib.mkEnableOption "servicepoint-tanks";
+ package = lib.mkPackageOption pkgs "servicepoint-tanks" { };
+ urls = lib.mkOption {
+ default = [ "http://localhost:5000" ];
+ description = ''
+ Configures which protocol to bind on which host:port combination.
+ '';
+ type = lib.types.listOf lib.types.str;
+ example = [
+ "http://0.0.0.0"
+ "http://localhost:5000"
+ # TODO: allow HTTPS
+ ];
+ };
+ user = lib.mkOption {
+ default = default-user-name;
+ description = ''
+ The user under which servicepoint-tanks is run.
+
+ This module utilizes systemd's DynamicUser feature. See the corresponding section in
+ {manpage}`systemd.exec(5)` for more details.
+ '';
+ type = lib.types.str;
+ };
+ group = lib.mkOption {
+ default = default-user-name;
+ description = ''
+ The group under which servicepoint-tanks is run.
+
+ This module utilizes systemd's DynamicUser feature. See the corresponding section in
+ {manpage}`systemd.exec(5)` for more details.
+ '';
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users = lib.mkIf (cfg.user == default-user-name) {
+ "${default-user-name}" = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ };
+
+ groups = lib.mkIf (cfg.group == default-user-name) {
+ "${default-user-name}" = { };
+ };
+ };
+
+ systemd.services.sericepoint-tanks = {
+ description = "Run the servicepoint-tanks server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ environment = {
+ ASPNETCORE_URLS = "${lib.strings.concatStringsSep ";" cfg.urls}";
+ };
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ DynamicUser = true;
+
+ Type = "exec";
+ ExecStart = "${lib.getBin cfg.package}/bin/TanksServer";
+
+ # hardening
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = null;
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ SystemCallArchitectures = "native";
+ AmbientCapabilities = "";
+ PrivateMounts = true;
+ PrivateUsers = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ ProtectControlGroups = "strict";
+ LockPersonality = true;
+ RemoveIPC = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+
+ # TODO: enable unix domain socket bind
+ # "AF_UNIX"
+ ];
+
+ # TODO: try fully AOT build with:
+ #MemoryDenyWriteExecute = true;
+ };
+ };
+ };
+}
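Review bot: The unit is defined as `systemd.services.sericepoint-tanks` (missing the `v`), so the service is installed as `sericepoint-tanks.service` while the option path, default user name and description all use `servicepoint-tanks`; the line should read `systemd.services.servicepoint-tanks = {`. Separately, `serviceConfig` sets `DynamicUser = true` while `users.users` also creates a static `isSystemUser` account for the default name and the option descriptions say DynamicUser is used; as far as I recall, systemd uses a pre-existing static user instead of allocating a dynamic one, so one of the two mechanisms looks unintended (the usual pattern is to create the static account only when `cfg.user` is not the default). With `ProtectSystem = "strict"` and no `StateDirectory`/`WorkingDirectory`, the process has no writable location besides its private /tmp, which is fine only if TanksServer persists nothing — worth confirming. Minor style: `ASPNETCORE_URLS = lib.concatStringsSep ";" cfg.urls;` avoids the redundant `"${…}"` wrapper.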