Merge pull request #179034 from viraptor/go-camo-service
nixos/go-camo: init
This commit is contained in:
commit
8f13ee7049
4 changed files with 106 additions and 0 deletions
@ -71,6 +71,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
- [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
- [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
- [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
- [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).
- [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).
@ -963,6 +963,7 @@
./services/networking/gns3-server.nix
./services/networking/gns3-server.nix
./services/networking/gnunet.nix
./services/networking/gnunet.nix
./services/networking/go-autoconfig.nix
./services/networking/go-autoconfig.nix
./services/networking/go-camo.nix
./services/networking/go-neb.nix
./services/networking/go-neb.nix
./services/networking/go-shadowsocks2.nix
./services/networking/go-shadowsocks2.nix
./services/networking/gobgpd.nix
./services/networking/gobgpd.nix
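--- /dev/null
+++ b/nixos/modules/services/networking/go-camo.nix
@@ -0,0 +1,73 @@
+{ lib, pkgs, config, ... }:
+
+let
+cfg = config.services.go-camo;
+inherit (lib) mkOption mkEnableOption mkIf mkMerge types optionalString;
+in
+{
+options.services.go-camo = {
+enable = mkEnableOption "go-camo service";
+listen = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080).";
+apply = v: optionalString (v != null) "--listen=${v}";
+};
+sslListen = mkOption {
+type = types.nullOr types.str;
+default = null;
+description = "Address:Port to bind to for HTTPS.";
+apply = v: optionalString (v != null) "--ssl-listen=${v}";
+};
+sslKey = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = "Path to TLS private key.";
+apply = v: optionalString (v != null) "--ssl-key=${v}";
+};
+sslCert = mkOption {
+type = types.nullOr types.path;
+default = null;
+description = "Path to TLS certificate.";
+apply = v: optionalString (v != null) "--ssl-cert=${v}";
+};
+keyFile = mkOption {
+type = types.path;
+default = null;
+description = ''
+A file containing the HMAC key to use for signing URLs.
+The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file".
+'';
+};
+extraOptions = mkOption {
+type = with types; listOf str;
+default = [];
+description = "Extra options passed to the go-camo command.";
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services.go-camo = {
+description = "go-camo service";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+environment = {
+GOCAMO_HMAC_FILE = "%d/hmac";
+};
+script = ''
+export GOCAMO_HMAC=$(cat "$GOCAMO_HMAC_FILE")
+exec ${lib.escapeShellArgs(lib.lists.remove "" ([ "${pkgs.go-camo}/bin/go-camo" cfg.listen cfg.sslListen cfg.sslKey cfg.sslCert ] ++ cfg.extraOptions))}
+'';
+serviceConfig = {
+NoNewPrivileges = true;
+ProtectSystem = "strict";
+DynamicUser = true;
+User = "gocamo";
+Group = "gocamo";
+LoadCredential = [
+"hmac:${cfg.keyFile}"
+];
+};
+};
+};
+}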
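Review bot: `keyFile` is declared `type = types.path` but given `default = null`, so a configuration that enables the service without setting it fails with a type error on the default value instead of the usual "option is used but not defined" message; dropping the `default = null;` line makes the option required and restores the clear error. The TLS options are also not cross-checked: `sslListen` without `sslKey` and `sslCert` yields a unit that cannot serve HTTPS, and since `apply` has already turned unset values into `""`, an assertion must compare against the empty string, e.g. `assertions = [ { assertion = cfg.sslListen == "" || (cfg.sslKey != "" && cfg.sslCert != ""); message = "services.go-camo.sslListen requires sslKey and sslCert"; } ];` inside the `mkIf cfg.enable` block. Because `sslKey` is `types.path`, a Nix path literal assigned to it is copied into the world-readable store; the description should say so, e.g. `Path to TLS private key. Use a string path rather than a Nix path literal so the key is not copied to the Nix store.`, and the same caveat applies to `keyFile`, whose LoadCredential-based handling is otherwise the right approach.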
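--- /dev/null
+++ b/nixos/tests/go-camo.nix
@@ -0,0 +1,30 @@
+{ system ? builtins.currentSystem, config ? { }
+, pkgs ? import ../.. { inherit system config; } }:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+{
+gocamo_file_key = let
+key_val = "12345678";
+in
+makeTest {
+name = "go-camo-file-key";
+meta = {
+maintainers = [ pkgs.lib.maintainers.viraptor ];
+};
+
+nodes.machine = { config, pkgs, ... }: {
+services.go-camo = {
+enable = true;
+keyFile = pkgs.writeText "foo" key_val;
+};
+};
+
+# go-camo responds to http requests
+testScript = ''
+machine.wait_for_unit("go-camo.service")
+machine.wait_for_open_port(8080)
+machine.succeed("curl http://localhost:8080")
+'';
+};
+}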
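Review bot: `machine.succeed("curl http://localhost:8080")` on the last line of `testScript` passes for any HTTP status, including 5xx, because curl exits 0 whenever it gets a response, so the test only proves that something answered on the port. Use `machine.succeed("curl -sSf http://localhost:8080")` so a non-2xx root response fails the test, after confirming what go-camo's root handler returns for an unsigned request (not visible in this change), or assert on the response body instead. The test also never uses the HMAC key it installs via `keyFile`; a follow-up that requests a URL signed with `key_val` would show the credential is actually loaded from `GOCAMO_HMAC_FILE`.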