From 0b8aa971923e44bef50a222da6b433b9e51e634d Mon Sep 17 00:00:00 2001
From: Sebastien Bourdeauducq
Date: Mon, 7 Feb 2022 14:31:37 +0800
Subject: [PATCH] nixbld: run AFWS server
---
 nixbld-etc-nixos/afws-module.nix | 38 ++++++++++++++++++++++++++++++
 nixbld-etc-nixos/configuration.nix | 11 +++++----
 2 files changed, 45 insertions(+), 4 deletions(-)
 create mode 100644 nixbld-etc-nixos/afws-module.nix
diff --git a/nixbld-etc-nixos/afws-module.nix b/nixbld-etc-nixos/afws-module.nix
new file mode 100644
index 00000000..61658629
--- /dev/null
+++ b/nixbld-etc-nixos/afws-module.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+ afws = pkgs.callPackage ./afws { inherit pkgs; };
+in
+{
+ options.services.afws = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable AFWS server";
+ };
+ };
+
+ config = mkIf config.services.afws.enable {
+ systemd.services.afws = {
+ description = "AFWS server";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "afws";
+ Group = "afws";
+ ExecStart = "${afws}/bin/afws_server";
+ };
+ path = [ pkgs.nix_2_4 pkgs.git ];
+ };
+
+ users.users.afws = {
+ name = "afws";
+ group = "afws";
+ description = "AFWS server user";
+ isSystemUser = true;
+ createHome = false;
+ home = "/var/lib/afws";
+ useDefaultShell = true;
+ };
+ users.extraGroups.afws = {};
+ };
+}
diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index 48ff0567..472c840c 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -17,6 +17,7 @@ in
 ./hardware-configuration.nix
 ./backup-module.nix
 ./github-backup-module.nix
+ ./afws-module.nix
 ./rt.nix
 ];
 
@@ -59,7 +60,7 @@ in
 hostName = "nixbld";
 hostId = "e423f012";
 firewall = {
- allowedTCPPorts = [ 80 443 ];
+ allowedTCPPorts = [ 80 443 7402 ];
 allowedUDPPorts = [ 53 67 ];
 trustedInterfaces = [ netifLan ];
 };
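Review bot: The service user's home is set to `/var/lib/afws` but `createHome = false` and nothing in the module creates that directory, so afws_server starts with a non-existent $HOME and no writable state location, while the nix and git tools put on `path` are exactly the kind of tools that typically keep per-user state under $HOME. Let systemd own the directory with `StateDirectory = "afws"` (created as afws:afws before each start) and, since the unit already runs as a dedicated user, add the baseline sandboxing shown below; what afws_server itself needs is not visible in this diff, so relax these only if it fails under them. A short comment on the `path` line saying why nix_2_4 and git are needed at runtime would also help the next maintainer.
```nix
      serviceConfig = {
        User = "afws";
        Group = "afws";
        ExecStart = "${afws}/bin/afws_server";
        # Creates /var/lib/afws (the afws user's home) owned by afws:afws at start.
        StateDirectory = "afws";
        # Baseline sandboxing for a dedicated-user daemon; loosen only if afws_server needs more.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
      };
      # … unchanged: path = [ pkgs.nix_2_4 pkgs.git ]; …
```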
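Review bot: `allowedTCPPorts = [ 80 443 7402 ]` opens 7402 on every interface, not only the LAN that `trustedInterfaces = [ netifLan ]` already passes unfiltered, so if 7402 is the AFWS listener (the diff does not show which port afws_server binds) it becomes reachable from the non-trusted side with whatever authentication the server does on its own. If only LAN clients need it, the new port entry can be dropped because the trusted-interface rule already covers them; if outside access is intended, scope it with `networking.firewall.interfaces.<name>.allowedTCPPorts` for the intended interface and record the decision next to the list, e.g. `allowedTCPPorts = [ 80 443 7402 ]; # 7402: AFWS server, deliberately reachable beyond the LAN`.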
@@ -222,6 +223,7 @@ in
 iw
 nvme-cli
 borgbackup
+ (callPackage ./afws { inherit pkgs; })
 ];
 
 # Some programs need SUID wrappers, can be configured further or are
@@ -273,7 +275,7 @@ in
 users.extraUsers.sb = {
 isNormalUser = true;
- extraGroups = ["lp" "scanner"];
+ extraGroups = ["lp" "scanner" "afws"];
 openssh.authorizedKeys.keys = [
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
@@ -282,6 +284,7 @@ in
 };
 users.extraUsers.rj = {
 isNormalUser = true;
+ extraGroups = ["afws"];
 };
 users.extraUsers.backupdl = {
 isNormalUser = true;
@@ -293,7 +296,7 @@ in
 };
 users.extraUsers.occheung = {
 isNormalUser = true;
- extraGroups = ["lp" "scanner"];
+ extraGroups = ["lp" "scanner" "afws"];
 openssh.authorizedKeys.keys = [
 "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPEvmWmxpFpMgp5fpjKud8ev0cyf/+X5fEpQt/YD/+u4mbvZYPE300DLqQ0h/qjgvaGMz1ndf4idYnRdy+plJEC/+hmlRW5NlcpAr3S/LYAisacgKToFVl+MlBo+emS9Ig=="
 ];
@@ -404,7 +407,7 @@ in
 ];
 };
 };
- 
+ services.afws.enable = true;
 nix.extraOptions = ''
 secret-key-files = /etc/nixos/secret/nixbld.m-labs.hk-1
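Review bot: Adding `"afws"` to the `extraGroups` of interactive accounts (sb here, rj and occheung in the following hunks) is undocumented: nothing in the diff shows what membership grants, and this is the same group the afws systemd unit runs under, so any group-writable file or socket the server creates becomes writable by these users. A one-line comment at the first occurrence, e.g. `extraGroups = ["lp" "scanner" "afws"]; # afws: <what group membership is for>`, filled in with the actual purpose, would make the intent reviewable, and if the group is only meant to grant read access the server side should create its files without group write. The `users.extraUsers.sb` block closes in the next hunk, outside this one.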