diff --git a/flake.lock b/flake.lock index ee428c0..0c1b965 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "lastModified": 1725234343, + "narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "rev": "567b938d64d4b4112ee253b9274472dc3a346eb6", "type": "github" }, "original": { @@ -136,11 +136,11 @@ ] }, "locked": { - "lastModified": 1724435763, - "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", + "lastModified": 1725180166, + "narHash": "sha256-fzssXuGR/mCeGbzM1ExaTqDz7QDGta3WA4jJsZyRruo=", "owner": "nix-community", "repo": "home-manager", - "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", + "rev": "471e3eb0a114265bcd62d11d58ba8d3421ee68eb", "type": "github" }, "original": { @@ -152,11 +152,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1724479785, - "narHash": "sha256-pP3Azj5d6M5nmG68Fu4JqZmdGt4S4vqI5f8te+E/FTw=", + "lastModified": 1725432240, + "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d0e1602ddde669d5beb01aec49d71a51937ed7be", + "rev": "ad416d066ca1222956472ab7d0555a6946746a80", "type": "github" }, "original": { @@ -168,11 +168,11 @@ }, "nur": { "locked": { - "lastModified": 1724704503, - "narHash": "sha256-QcZKCI9d5UNuQt6UFQSNhQwzXnXDF8jgCy7julsbnvg=", + "lastModified": 1725551138, + "narHash": "sha256-4tSFz+wu2NvB41MLF68PDLM3gu8lg1hjgtgikbRq6Zo=", "owner": "nix-community", "repo": "NUR", - "rev": "6b1fa8a8dec17eb73962a0eac8e04f2df1439448", + "rev": "06bc57134f691188397ebeffa9b88552cc8090d3", "type": "github" }, "original": { @@ -194,11 +194,11 @@ ] }, "locked": { - "lastModified": 1724440431, - "narHash": "sha256-9etXEOUtzeMgqg1u0wp+EdwG7RpmrAZ2yX516bMj2aE=", + "lastModified": 1725513492, + "narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "c8a54057aae480c56e28ef3e14e4960628ac495b", + "rev": "7570de7b9b504cfe92025dd1be797bf546f66528", "type": "github" }, "original": { diff --git a/hosts/nixos/porthos/secrets/pdf-edit/login.age b/hosts/nixos/porthos/secrets/pdf-edit/login.age new file mode 100644 index 0000000..7f13f88 --- /dev/null +++ b/hosts/nixos/porthos/secrets/pdf-edit/login.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg VYlHgHSLpfKb5bn1XA3aCpfX7M23DgbraLxxOfo9PDk +Rj+mDvAsWX3WwpuhTrOubmo17j/aud5+P87df5bosBA +-> ssh-ed25519 jPowng o9ZFaYrITZ6DjWw07Vk/+TkuU187/ytlEK4sw7G32G4 +zmxlpDvDDEgQFqBVARXeX1ABhvfJ4uAHfa6mIxXzjAY +--- k/d9FWW8/OSo8EllwOBV74pZyX918u54jEljGk3ATUc +4+2{hE7!ҭGA`ׁ_@ߗR_6JL4v,6%#^  BOF|7ܽL]jR +B۾as]xS pbo#J1Q=t}5>O{+. M"7ey \ No newline at end of file diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix index a9b9c51..a8a9819 100644 --- a/hosts/nixos/porthos/secrets/secrets.nix +++ b/hosts/nixos/porthos/secrets/secrets.nix @@ -77,6 +77,8 @@ in "paperless/password.age".publicKeys = all; "paperless/secret-key.age".publicKeys = all; + "pdf-edit/login.age".publicKeys = all; + "podgrab/password.age".publicKeys = all; "pyload/credentials.age".publicKeys = all; diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index e877c8f..1211ee6 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -26,6 +26,7 @@ ./nginx ./nix-cache ./paperless + ./pdf-edit ./podgrab ./postgresql ./postgresql-backup diff --git a/modules/nixos/services/pdf-edit/default.nix b/modules/nixos/services/pdf-edit/default.nix new file mode 100644 index 0000000..d59507b --- /dev/null +++ b/modules/nixos/services/pdf-edit/default.nix @@ -0,0 +1,73 @@ +{ config, lib, ... }: +let + cfg = config.my.services.pdf-edit; +in +{ + options.my.services.pdf-edit = with lib; { + enable = mkEnableOption "PDF edition service"; + + port = mkOption { + type = types.port; + default = 8089; + example = 8080; + description = "Internal port for webui"; + }; + + loginFile = mkOption { + type = types.str; + example = "/run/secrets/pdf-edit/login.env"; + description = '' + `SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD` + defined in the format of 'EnvironmentFile' (see `systemd.exec(5)`). + ''; + }; + }; + + config = lib.mkIf cfg.enable { + services.stirling-pdf = lib.mkIf cfg.enable { + enable = true; + + environment = { + SERVER_PORT = cfg.port; + SECURITY_CSRFDISABLED = "false"; + + SYSTEM_SHOWUPDATE = "false"; # We don't care about update notifications + INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true"; # Installed by the module + + SECURITY_ENABLELOGIN = "true"; + SECURITY_LOGINATTEMPTCOUNT = "-1"; # Rely on fail2ban instead + }; + + environmentFiles = [ cfg.loginFile ]; + }; + + my.services.nginx.virtualHosts = { + pdf-edit = { + inherit (cfg) port; + + extraConfig = { + # Allow upload of PDF files up to 1G + locations."/".extraConfig = '' + client_max_body_size 1G; + ''; + }; + }; + }; + + services.fail2ban.jails = { + stirling-pdf = '' + enabled = true + filter = stirling-pdf + port = http,https + ''; + }; + + environment.etc = { + "fail2ban/filter.d/stirling-pdf.conf".text = '' + [Definition] + failregex = ^.*Failed login attempt from IP: $ + journalmatch = _SYSTEMD_UNIT=stirling-pdf.service + ''; + }; + }; +}