From 0b7bf6205fa36e48c597bce55a65820d81cbeaec Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 4 Mar 2024 18:55:18 +0100 Subject: init mollysocket package, module, and deploy it on flora with thanks to networkException, who wrote the initial nix package. --- flake.nix | 3 +- flora/configuration.nix | 2 ++ flora/services/ntfy.nix | 12 +++++++ modules/mollysocket.nix | 92 +++++++++++++++++++++++++++++++++++++++++++++++++ pkgs/mollysocket.nix | 38 ++++++++++++++++++++ pkgs/overlay.nix | 2 ++ secrets/flora.yaml | 6 ++-- 7 files changed, 152 insertions(+), 3 deletions(-) create mode 100644 modules/mollysocket.nix create mode 100644 pkgs/mollysocket.nix diff --git a/flake.nix b/flake.nix index 73e8c89..be32a3e 100644 --- a/flake.nix +++ b/flake.nix @@ -141,7 +141,7 @@ kijetesantakaluotokieni showrt isabelle-utils isabat travelynx crs-tracker crs-php bahnhof-name matrix-to hikari_unstable heartwood radicle-interface radicle-tui - inweb nomsring bookwyrm; + inweb nomsring bookwyrm mollysocket; tests.bookwyrm = nixpkgs.nixosTest ./tests/bookwyrm.nix; }; @@ -149,6 +149,7 @@ nixosModules = { glitchtip = import ./modules/glitchtip.nix; bookwyrm = import ./modules/bookwyrm.nix; + mollysocket = import ./modules/mollysocket.nix; }; }; } diff --git a/flora/configuration.nix b/flora/configuration.nix index 40cd3a5..d124f99 100644 --- a/flora/configuration.nix +++ b/flora/configuration.nix @@ -13,6 +13,8 @@ ./services/ntfy.nix ./services/murmur.nix ./services/monit.nix + + ../modules/mollysocket.nix ]; # Use the GRUB 2 boot loader. diff --git a/flora/services/ntfy.nix b/flora/services/ntfy.nix index 45dcb3c..e00971f 100644 --- a/flora/services/ntfy.nix +++ b/flora/services/ntfy.nix 
@@ -21,6 +21,18 @@ }; }; + services.mollysocket = { + enable = true; + settings = { + allowed_endpoints = [ "https://ping.stuebinm.eu" ]; + port = 8020; + host = "::"; + }; + environmentFile = "/run/secrets/mollysocket/config.toml"; + }; + + sops.secrets."mollysocket/config.toml" = {}; + services.nginx.virtualHosts."ping.stuebinm.eu" = { enableACME = true; forceSSL = true; diff --git a/modules/mollysocket.nix b/modules/mollysocket.nix new file mode 100644 index 0000000..5ca68c9 --- /dev/null +++ b/modules/mollysocket.nix 
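Review bot: `environmentFile = "/run/secrets/mollysocket/config.toml"` has no effect as far as this commit shows: the module added in modules/mollysocket.nix declares the `environmentFile` option, but its `serviceConfig` never sets `EnvironmentFile`, so whatever the sops secret holds never reaches the daemon; adding `EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;` to the module's `serviceConfig` closes the gap. Note also that systemd reads an EnvironmentFile as `KEY=VALUE` lines, so a secret named `config.toml` must contain environment assignments (e.g. `MOLLY_*` variables) rather than a TOML document, or be passed as the `-c` config instead. Since `services.nginx.virtualHosts."ping.stuebinm.eu"` on this host presumably proxies to the daemon, `host = "::"` binds it on every interface; `host = "::1"` would keep it reachable only through the proxy. The virtualHost body runs past the end of the hunk.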
@@ -0,0 +1,92 @@
+{ lib, pkgs, config, ... }:
+
+let
+ cfg = config.services.mollysocket;
+ configFormat = pkgs.formats.toml { };
+ configFile = configFormat.generate "mollysocket-config.toml" cfg.settings;
+in
+{
+ options.services.mollysocket = with lib; {
+ enable = mkEnableOption
+ "mollysocket, which allows getting Signal notifications via UnifiedPush";
+
+ settings = mkOption {
+ default = {};
+ type = with types; attrsOf (oneOf [ str int bool (listOf str) ]);
+ description = lib.mdDoc ''
+ Configuration options for mollysocket. See the upstream
+ [Readme.md](https://github.com/mollyim/mollysocket/blob/main/README.md#configuration)
+ file for what is permissable here.
+ '';
+ example = {
+ host = "::";
+ port = 8020;
+ allowed_endpoints = "https://ntfy.example.org";
+ };
+ };
+
+ environmentFile = mkOption {
+ default = null;
+ type = with types; nullOr path;
+ description = lib.mdDoc ''
+ Configuration options set via environment Variables. Useful for e.g.
+ keeping some values outside of Nix.
+ '';
+ };
+
+ stateDir = mkOption {
+ default = "/var/lib/mollysocket";
+ type = lib.types.path;
+ description = lib.mdDoc ''
+ Directory in which state is kept, unless a custom database location is
+ set using {option}`services.mollysocket.settings.db`. This directory
+ will be created automatically.
+ '';
+ };
+
+ installWrapper = mkOption {
+ default = true;
+ type = lib.types.bool;
+ description = lib.mdDoc ''
+ Whether to install a mollysocket executable wrapped to use the generated
+ config into {option}`environment.systemPackages`.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.mollysocket = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${lib.getExe pkgs.mollysocket} -c ${configFile} server";
+ Type = "simple";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" "~@mount" ];
+ User = "mollysocket";
+ Group = "mollysocket";
+ BindPaths = [ cfg.stateDir ];
+ WorkingDirectory = cfg.stateDir;
+ TimeoutStopSec = 5;
+ KillSignal = "SIGINT";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${cfg.stateDir} 0750 mollysocket mollysocket - -"
+ ];
+
+ users.users.mollysocket = {
+ isSystemUser = true;
+ group = "mollysocket";
+ };
+ users.groups.mollysocket = {};
+
+ environment.systemPackages = lib.mkIf cfg.installWrapper [
+ (pkgs.writeScriptBin "mollysocket" ''
+ export MOLLY_CONF=${configFile}
+ exec ${lib.getExe pkgs.mollysocket} "$@"
+ '')
+ ];
+ };
+}
diff --git a/pkgs/mollysocket.nix b/pkgs/mollysocket.nix
new file mode 100644
index 0000000..8ac434d
--- /dev/null
+++ b/pkgs/mollysocket.nix
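Review bot: Every value in `settings` is rendered into the world-readable Nix store via `configFormat.generate`, and the `settings` description does not say so; add a sentence such as `Values given here end up in the Nix store and are readable by every local user; keep secrets out of this option.` The wrapper under `installWrapper` uses `pkgs.writeScriptBin`, which writes the text with no shebang, so running `mollysocket` from PATH only works when the calling shell falls back to `sh` on ENOEXEC; `(pkgs.writeShellScriptBin "mollysocket" ''` fixes that. `BindPaths = [ cfg.stateDir ]` appears to bind the state directory onto itself and adds no restriction by itself; the usual pairing with the existing `SystemCallFilter` is `ProtectSystem = "strict"; ReadWritePaths = [ cfg.stateDir ];` together with `NoNewPrivileges = true;`, `ProtectHome = true;`, `PrivateTmp = true;` and `PrivateDevices = true;`.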
@@ -0,0 +1,38 @@
+{ lib, rustPlatform, fetchFromGitHub, pkg-config, openssl, sqlite, ... }:
+
+rustPlatform.buildRustPackage rec {
+ pname = "mollysocket";
+ version = "1.2.0";
+
+ src = fetchFromGitHub {
+ owner = "mollyim";
+ repo = "mollysocket";
+ rev = "${version}";
+ hash = "sha256-9yXC64i5NeSjsLnjgNtA+qkhE7i+Ku1Cu8B9xDajD9Y=";
+ };
+
+ cargoHash = "sha256-vqi18y1Z9Fo1P6ihdN1LCK6Trr7fcfzCsQfPNt0MYNk=";
+
+ nativeBuildInputs = [ pkg-config ];
+
+ buildInputs = [ openssl sqlite ];
+
+ checkFlags = [
+ # These tests try to contact DNS
+ "--skip=config::tests::check_wildcard_endpoint"
+ "--skip=utils::post_allowed::tests::test_allowed"
+ "--skip=utils::post_allowed::tests::test_not_allowed"
+ "--skip=utils::post_allowed::tests::test_post"
+ "--skip=ws::tls::tests::connect_untrusted_server"
+ "--skip=ws::tls::tests::connect_trusted_server"
+ ];
+
+ meta = {
+ description =
+ "MollySocket allows getting Signal notifications via UnifiedPush.";
+ homepage = "https://github.com/mollyim/mollysocket";
+ license = lib.licenses.agpl3Plus;
+ maintainers = with lib.maintainers; [ networkexception ];
+ mainProgram = "mollysocket";
+ };
+}
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 6e654b3..f38e7e0 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -183,4 +183,6 @@ in
 cp Tangled/inweb $out/bin
 '';
 }) {};
+
+ mollysocket = self.callPackage ./mollysocket.nix { };
 }
diff --git a/secrets/flora.yaml b/secrets/flora.yaml
index 83daec0..2ea3529 100644
--- a/secrets/flora.yaml
+++ b/secrets/flora.yaml
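Review bot: `rev = "${version}";` interpolates a string into an otherwise empty string; `rev = version;` says the same and matches how `version` is used elsewhere in the `rec` set. The `# These tests try to contact DNS` comment above `checkFlags` would serve a future bumper better if it named the reason they are skipped rather than fixed, e.g. `# These tests need network access, which the build sandbox denies`. Both `hash` and `cargoHash` pin the source and the vendored crates, which is the right shape for a supply-chain-sensitive build.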
@@ -6,6 +6,8 @@ akkoma: jokenDefaultSigner: ENC[AES256_GCM,data:1Wl/N58oiGiGeBHSkJPqLeHOyBmVgLGshAmTyi2H8cu7w/tIHMxW2sd11hhzyq2FCNVsL3Bi+yXgydG7uCl5yw==,iv:criEzJfQMsAUZ7tnIQvr9HOqn7NjBBzXL+rFAgzohPY=,tag:+izDkiUEfwD1+Ym2OuZRnA==,type:str] monit: mail: ENC[AES256_GCM,data:wq+xDelBsyIZRJY0GHrZGPWCF0deLZRZxrU89M93hK1zUIeWP6i7xO3dgKE/A5OAGa350Zbj5v9QTieNFHiGqr9g,iv:APUuS3s+t4VPz24Ppen3u+LFSv+GqO49j9Mq77Mb3lQ=,tag:rNVJGN/lnCuq9Km8lZTkLw==,type:str] +mollysocket: + config.toml: ENC[AES256_GCM,data:FGT6QOpqaf74yKmUFyyeAPLLv1BEtXZvLrUZw9bCG3hjmd2oUqcX2EGSWWICik3bnfgwYtQAnORg,iv:wEaK5COW9Gm7Hux+Kt8/Md+O/ygSWUk65gMnD6Mnw2g=,tag:4AhZs2vVE2oYErJOC5lMEw==,type:str] sops: kms: [] gcp_kms: [] @@ -30,8 +32,8 @@ sops: SEx0Y2tsaGtkV3dMd0t0ejl3WVkwOW8KTpb14yYJ1bOeLquOrmworNqiwYoZSYiQ LkLkXKSGf6T3BrL0t0bM3fgwSQN3k92GGsEZzY7I2hhxZoNXGBOaKg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-29T15:29:35Z" - mac: ENC[AES256_GCM,data:kQ6+O8Ar7qnRTpuQauxngXvt+KlyqdFw85vjXPQ63vqVKWCrODlTJXD5saC2WQdMuMF3UfPLru1a35TyXxobu+MlvTadVpqUEtRZjtjhAydEA7+HEyvo+pUlmrm+LCrX3ajKhqlbobUE4kdHg0A2BYOlWIPq9CHtvwAC92R7De4=,iv:Gk5hgwEh4D1QLkiVaMRgcnyS2/F1mK/MpSMYjPaVL7U=,tag:noGbtmNC1yTDzUycML3Mpg==,type:str] + lastmodified: "2024-03-04T17:19:00Z" + mac: ENC[AES256_GCM,data:/GOYEzTEn3fxJRidfPzwgfitcUv2S5MRppiiagH+E1wsEJgV3JtlfxuQ9KQlh1tFPgS1p109+w4udP2dstJGKj027tZT0VJr7KYHFrXzKKdqWypINaqLXOibUg17THHn5W+Y/AFU2hQK1MXem5eY2qCBtxJQMU0ermllY4nuHvA=,iv:KlYG0h6NtPyjrNaLXxpKSO/yQkeW6LqmZl9ZvFNwNdY=,tag:SYrr1grlqOgQcHVJkJzWWQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 -- cgit v1.2.3