infra/services/lix-s3/garage-ephemeral-key.nix

{ wrap }:
{ lib, pkgs, config, ... }:
let
  garage-ephemeral-key = pkgs.writers.writePython3Bin
    "garage-ephemeral-key"
    { libraries = [ pkgs.python3.pkgs.requests ]; }
    (builtins.readFile ./garage_ephemeral_key.py);

  # the usual copy pasta of systemd-analyze security satisfying rules
  containment = {
    DynamicUser = true;
    CapabilityBoundingSet = "";
    NoNewPrivileges = true;
    PrivateTmp = true;
    PrivateUsers = true;
    PrivateDevices = true;
    ProtectHome = true;
    ProtectClock = true;
    ProtectProc = "noaccess";
    ProcSubset = "pid";
    UMask = "0077";
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    RestrictSUIDSGID = true;
    RestrictRealtime = true;
    RestrictNamespaces = true;
    LockPersonality = true;
    RemoveIPC = true;
    SystemCallFilter = [ "@system-service" "~@privileged" ];
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
    MemoryDenyWriteExecute = true;
    SystemCallArchitectures = "native";
  };
in
{
  _file = ./garage-ephemeral-key.nix;

  environment.systemPackages = [
    (wrap garage-ephemeral-key "garage-ephemeral-key")
  ];

  # Clean expired ephemeral keys every 2 minutes
  systemd.timers.garage-ephemeral-key-clean = {
    wantedBy = [ "multi-user.target" ];
    timerConfig = {
      # Every 2 minutes.
      OnCalendar = "*-*-* *:00/2";
    };
  };

  systemd.services.garage-ephemeral-key-clean = {
    after = [ "garage.service" ];
    wants = [ "garage.service" ];
    serviceConfig = {
      ExecStart = "${lib.getExe garage-ephemeral-key} clean";

      EnvironmentFile = config.age.secrets.garage.path;
    } // containment;
  };
}
feat: add cache.lix.systems Introduces a full-fleged self-hosted S3 NixOS module with various knobs to perform NGINX-based redirects and s3-revproxy endpoints. Signed-off-by: Raito Bezarius <masterancpp@gmail.com> 2024-10-07 13:21:03 +00:00			`{ wrap }:`
			`{ lib, pkgs, config, ... }:`
			`let`
			`garage-ephemeral-key = pkgs.writers.writePython3Bin`
			`"garage-ephemeral-key"`
			`{ libraries = [ pkgs.python3.pkgs.requests ]; }`
			`(builtins.readFile ./garage_ephemeral_key.py);`

			`# the usual copy pasta of systemd-analyze security satisfying rules`
			`containment = {`
			`DynamicUser = true;`
			`CapabilityBoundingSet = "";`
			`NoNewPrivileges = true;`
			`PrivateTmp = true;`
			`PrivateUsers = true;`
			`PrivateDevices = true;`
			`ProtectHome = true;`
			`ProtectClock = true;`
			`ProtectProc = "noaccess";`
			`ProcSubset = "pid";`
			`UMask = "0077";`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectControlGroups = true;`
			`ProtectHostname = true;`
			`RestrictSUIDSGID = true;`
			`RestrictRealtime = true;`
			`RestrictNamespaces = true;`
			`LockPersonality = true;`
			`RemoveIPC = true;`
			`SystemCallFilter = [ "@system-service" "~@privileged" ];`
			`RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];`
			`MemoryDenyWriteExecute = true;`
			`SystemCallArchitectures = "native";`
			`};`
			`in`
			`{`
			`_file = ./garage-ephemeral-key.nix;`

			`environment.systemPackages = [`
			`(wrap garage-ephemeral-key "garage-ephemeral-key")`
			`];`

			`# Clean expired ephemeral keys every 2 minutes`
			`systemd.timers.garage-ephemeral-key-clean = {`
			`wantedBy = [ "multi-user.target" ];`
			`timerConfig = {`
			`# Every 2 minutes.`
			`OnCalendar = "--* *:00/2";`
			`};`
			`};`

			`systemd.services.garage-ephemeral-key-clean = {`
			`after = [ "garage.service" ];`
			`wants = [ "garage.service" ];`
			`serviceConfig = {`
			`ExecStart = "${lib.getExe garage-ephemeral-key} clean";`

			`EnvironmentFile = config.age.secrets.garage.path;`
			`} // containment;`
			`};`
			`}`