Merge pull request #179034 from viraptor/go-camo-service

nixos/go-camo: init
This commit is contained in:
Sandro 2024-02-17 22:12:13 +01:00 committed by GitHub
commit 8f13ee7049
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 106 additions and 0 deletions


@ -71,6 +71,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable). - [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
- [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable). - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
- [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable). - [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).


@ -963,6 +963,7 @@
./services/networking/gns3-server.nix ./services/networking/gns3-server.nix
./services/networking/gnunet.nix ./services/networking/gnunet.nix
./services/networking/go-autoconfig.nix ./services/networking/go-autoconfig.nix
./services/networking/go-camo.nix
./services/networking/go-neb.nix ./services/networking/go-neb.nix
./services/networking/go-shadowsocks2.nix ./services/networking/go-shadowsocks2.nix
./services/networking/gobgpd.nix ./services/networking/gobgpd.nix


@ -0,0 +1,73 @@
{ lib, pkgs, config, ... }:
let
cfg = config.services.go-camo;
inherit (lib) mkOption mkEnableOption mkIf mkMerge types optionalString;
in
{
options.services.go-camo = {
enable = mkEnableOption "go-camo service";
listen = mkOption {
type = types.nullOr types.str;
default = null;
description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080).";
apply = v: optionalString (v != null) "--listen=${v}";
};
sslListen = mkOption {
type = types.nullOr types.str;
default = null;
description = "Address:Port to bind to for HTTPS.";
apply = v: optionalString (v != null) "--ssl-listen=${v}";
};
sslKey = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to TLS private key.";
apply = v: optionalString (v != null) "--ssl-key=${v}";
};
sslCert = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to TLS certificate.";
apply = v: optionalString (v != null) "--ssl-cert=${v}";
};
keyFile = mkOption {
type = types.path;
default = null;
description = ''
A file containing the HMAC key to use for signing URLs.
The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file".
'';
};
extraOptions = mkOption {
type = with types; listOf str;
default = [];
description = "Extra options passed to the go-camo command.";
};
};
config = mkIf cfg.enable {
systemd.services.go-camo = {
description = "go-camo service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
environment = {
GOCAMO_HMAC_FILE = "%d/hmac";
};
script = ''
export GOCAMO_HMAC=$(cat "$GOCAMO_HMAC_FILE")
exec ${lib.escapeShellArgs(lib.lists.remove "" ([ "${pkgs.go-camo}/bin/go-camo" cfg.listen cfg.sslListen cfg.sslKey cfg.sslCert ] ++ cfg.extraOptions))}
'';
serviceConfig = {
NoNewPrivileges = true;
ProtectSystem = "strict";
DynamicUser = true;
User = "gocamo";
Group = "gocamo";
LoadCredential = [
"hmac:${cfg.keyFile}"
];
};
};
};
}
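Review bot: The `default = null;` line in the `keyFile` option is combined with `type = types.path;`, which does not accept null, so a user who enables the service without setting `keyFile` gets a type-mismatch error on the default rather than the usual "option must be set" message; dropping `default = null;` makes the option required and gives the clearer error. Both `keyFile` and `sslKey` are `types.path`, which silently copies a path literal such as `./hmac` into the world-readable Nix store; either use `types.str` or say so in the description, e.g. `description = "Path to a file containing the HMAC key. Must not be in the Nix store.";`. `sslKey` is also passed to go-camo as a raw path that the `DynamicUser` account must be able to read, while the HMAC key already goes through `LoadCredential`; routing the TLS key through a second `LoadCredential` entry and building its path from `$CREDENTIALS_DIRECTORY` inside `script` would keep the same protection for the private key, though the `apply`/`escapeShellArgs` quoting in the `exec` line would have to be adjusted for that. `mkMerge` in the `inherit (lib)` line is unused.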

30
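--- /dev/null
+++ b/nixos/tests/go-camo.nix
@@ -0,0 +1,30 @@
+{ system ? builtins.currentSystem, config ? { }
+, pkgs ? import ../.. { inherit system config; } }:
+with import ../lib/testing-python.nix { inherit system pkgs; };
+{
+gocamo_file_key = let
+key_val = "12345678";
+in
+makeTest {
+name = "go-camo-file-key";
+meta = {
+maintainers = [ pkgs.lib.maintainers.viraptor ];
+};
+nodes.machine = { config, pkgs, ... }: {
+services.go-camo = {
+enable = true;
+keyFile = pkgs.writeText "foo" key_val;
+};
+};
+# go-camo responds to http requests
+testScript = ''
+machine.wait_for_unit("go-camo.service")
+machine.wait_for_open_port(8080)
+machine.succeed("curl http://localhost:8080")
+'';
+};
+}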
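Review bot: `machine.succeed("curl http://localhost:8080")` passes on any HTTP response, including 4xx and 5xx, because curl without `-f` only exits non-zero when no response is obtained at all; `curl -f` against a path expected to return 2xx would make the assertion meaningful. As written, a test named `gocamo_file_key` only shows that the unit starts and listens on 8080 and never exercises the key loaded from `keyFile`, so a service started with an empty `GOCAMO_HMAC` would still pass; a request for a URL signed with `key_val` would cover that, if the signing format can be reproduced in the test. If the curl is deliberately just a reachability probe, the comment `# go-camo responds to http requests` should say that the key path is not verified here.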