From 0be7395f95ef9aa967dd41ca17ea5ae0855bd3c6 Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Thu, 2 Jan 2025 21:09:06 +0100
Subject: [PATCH] nixos/readeck: init
---
 .../manual/release-notes/rl-2505.section.md | 2 +
 nixos/modules/module-list.nix | 1 +
 nixos/modules/services/web-apps/readeck.nix | 96 +++++++++++++++++++
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/readeck.nix | 24 +++++
 pkgs/by-name/re/readeck/package.nix | 2 +-
 6 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 nixos/modules/services/web-apps/readeck.nix
 create mode 100644 nixos/tests/readeck.nix
diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
index 2d108ac7ce00..3d96fce4b579 100644
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -53,6 +53,8 @@
 - [Conduwuit](https://conduwuit.puppyirl.gay/), a federated chat server implementing the Matrix protocol, forked from Conduit. Available as [services.conduwuit](#opt-services.conduwuit.enable).
+- [Readeck](https://readeck.org/), a read-it later web-application. Available as [services.readeck](#opt-services.readeck.enable).
+
 - [Traccar](https://www.traccar.org/), a modern GPS Tracking Platform. Available as [services.traccar](#opt-services.traccar.enable).
 - [Schroot](https://codeberg.org/shelter/reschroot), a lightweight virtualisation tool. Securely enter a chroot and run a command or login shell. Available as [programs.schroot](#opt-programs.schroot.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 06979a4df508..cca17f86e2bc 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1549,6 +1549,7 @@
 ./services/web-apps/screego.nix
 ./services/web-apps/sftpgo.nix
 ./services/web-apps/suwayomi-server.nix
+ ./services/web-apps/readeck.nix
 ./services/web-apps/rss-bridge.nix
 ./services/web-apps/selfoss.nix
 ./services/web-apps/shiori.nix
diff --git a/nixos/modules/services/web-apps/readeck.nix b/nixos/modules/services/web-apps/readeck.nix
new file mode 100644
index 000000000000..bd529fa488ef
--- /dev/null
+++ b/nixos/modules/services/web-apps/readeck.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ inherit (lib)
+ mkEnableOption
+ mkPackageOption
+ mkOption
+ mkIf
+ types
+ ;
+ cfg = config.services.readeck;
+ settingsFormat = pkgs.formats.toml { };
+ configFile = settingsFormat.generate "readeck.toml" cfg.settings;
+
+in
+{
+
+ meta.maintainers = [ lib.maintainers.julienmalka ];
+
+ options = {
+ services.readeck = {
+ enable = mkEnableOption "Readeck";
+
+ package = mkPackageOption pkgs "readeck" { };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ description = ''
+ File containing environment variables to be passed to Readeck.
+ May be used to provide the Readeck secret key by setting the READECK_SECRET_KEY variable.
+ '';
+ default = null;
+ };
+
+ settings = mkOption {
+ type = settingsFormat.type;
+ default = { };
+ example = {
+ main.log_level = "debug";
+ server.port = 9000;
+ };
+ description = ''
+ Additional configuration for Readeck, see
+
+ for supported values.
+ '';
+ };
+
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.readeck = {
+ description = "Readeck";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ StateDirectory = "readeck";
+ WorkingDirectory = "/var/lib/readeck";
+ EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+ DynamicUser = true;
+ ExecStart = "${lib.getExe cfg.package} serve -config ${configFile}";
+ ProtectSystem = "full";
+ SystemCallArchitectures = "native";
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ DevicePolicy = "closed";
+ ProtectClock = true;
+ ProtectHostname = true;
+ ProtectProc = "invisible";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ LockPersonality = true;
+ Restart = "on-failure";
+
+ };
+ };
+ };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index cf0616886301..1b580458521b 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -889,6 +889,7 @@ in {
 rathole = handleTest ./rathole.nix {};
 readarr = handleTest ./readarr.nix {};
 realm = handleTest ./realm.nix {};
+ readeck = runTest ./readeck.nix;
 redis = handleTest ./redis.nix {};
 redlib = handleTest ./redlib.nix {};
 redmine = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./redmine.nix {};
diff --git a/nixos/tests/readeck.nix b/nixos/tests/readeck.nix
new file mode 100644
index 000000000000..bcac4b152b12
--- /dev/null
+++ b/nixos/tests/readeck.nix
@@ -0,0 +1,24 @@
+{ lib, ... }:
+
+{
+ name = "readeck";
+ meta.maintainers = with lib.maintainers; [ julienmalka ];
+
+ nodes.machine =
+ { pkgs, ... }:
+ {
+ services.readeck = {
+ enable = true;
+ environmentFile = pkgs.writeText "env-file" ''
+ READECK_SECRET_KEY="verysecretkey"
+ '';
+ };
+ };
+
+ testScript = ''
+ machine.start()
+ machine.wait_for_unit("readeck.service")
+ machine.wait_for_open_port(8000)
+ machine.succeed("curl --fail http://localhost:8000/login?r=%2F")
+ '';
+}
diff --git a/pkgs/by-name/re/readeck/package.nix b/pkgs/by-name/re/readeck/package.nix
index 8c3e857450ff..cf8f768e733d 100644
--- a/pkgs/by-name/re/readeck/package.nix
+++ b/pkgs/by-name/re/readeck/package.nix
@@ -8,7 +8,7 @@
 }:
 let
-
+
 file-compose = buildGoModule {
 pname = "file-compose";
 version = "unstable-2023-10-21";
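Review bot: `ProtectSystem = "full"` in `serviceConfig` weakens what `DynamicUser = true` already gives the unit: DynamicUser implies `ProtectSystem=strict` (and `ProtectHome=read-only`), and an explicit `full` replaces that with the looser setting, while `StateDirectory = "readeck"` already provides the writable location the service needs, so the line can become `ProtectSystem = "strict";` or be dropped. The hardening set also lacks `CapabilityBoundingSet = "";` and a `SystemCallFilter = [ "@system-service" "~@privileged" ];`, which commonly accompany the other directives used here; whether Readeck runs cleanly under that filter should be confirmed with the VM test rather than assumed. Separately, `settings` is rendered with `settingsFormat.generate` into the Nix store, so a secret key placed there instead of via `READECK_SECRET_KEY` in `environmentFile` would be world-readable; the `settings` description should state this, e.g. appending `Do not put secrets here: this file ends up in the world-readable Nix store. Use environmentFile for the secret key.` The same store exposure applies if `environmentFile` is given as a path literal that Nix copies into the store, which its description could mention as well.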
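Review bot: The test only exercises the module's defaults, so the `settings` → generated TOML → `-config` path is never shown to take effect; `wait_for_open_port(8000)` and the `curl` on port 8000 would pass even if the rendered configuration were ignored by the service. Setting `settings.server.port = 9000;` (the module's own example value) under `services.readeck` and pointing `wait_for_open_port` and the `curl` URL at that port would pin that the generated config actually reaches Readeck.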