nixos/echoip: init module

2025-01-11 16:57:41 +01:00 · 2025-01-11 16:57:41 +01:00 · 6a6d7de921
commit 6a6d7de921
parent 8785ba394d
3 changed files with 124 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2505.section.md
+++ b/nixos/doc/manual/release-notes/rl-2505.section.md
@ -93,6 +93,8 @@

 - [InputPlumber](https://github.com/ShadowBlip/InputPlumber/), an open source input router and remapper daemon for Linux. Available as [services.inputplumber](#opt-services.inputplumber.enable).

+- [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable).
+
 - [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard).

 - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable).
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1458,6 +1458,7 @@
  ./services/web-apps/documize.nix
  ./services/web-apps/dokuwiki.nix
  ./services/web-apps/dolibarr.nix
+  ./services/web-apps/echoip.nix
  ./services/web-apps/eintopf.nix
  ./services/web-apps/engelsystem.nix
  ./services/web-apps/ethercalc.nix
--- a/nixos/modules/services/web-apps/echoip.nix
+++ b/nixos/modules/services/web-apps/echoip.nix
@ -0,0 +1,121 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.echoip;
+in
+{
+  meta.maintainers = with lib.maintainers; [ defelo ];
+
+  options.services.echoip = {
+    enable = lib.mkEnableOption "echoip";
+
+    package = lib.mkPackageOption pkgs "echoip" { };
+
+    virtualHost = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      description = ''
+        Name of the nginx virtual host to use and setup. If null, do not setup anything.
+      '';
+      default = null;
+    };
+
+    extraArgs = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "Extra command line arguments to pass to echoip. See <https://github.com/mpolden/echoip> for details.";
+      default = [ ];
+    };
+
+    listenAddress = lib.mkOption {
+      type = lib.types.str;
+      description = "The address echoip should listen on";
+      default = ":8080";
+      example = "127.0.0.1:8000";
+    };
+
+    enablePortLookup = lib.mkEnableOption "port lookup";
+
+    enableReverseHostnameLookups = lib.mkEnableOption "reverse hostname lookups";
+
+    remoteIpHeader = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      description = "Header to trust for remote IP, if present";
+      default = null;
+      example = "X-Real-IP";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.echoip = {
+      wantedBy = [ "multi-user.target" ];
+
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+
+      serviceConfig = {
+        User = "echoip";
+        Group = "echoip";
+        DynamicUser = true;
+        ExecStart = lib.escapeShellArgs (
+          [
+            (lib.getExe cfg.package)
+            "-l"
+            cfg.listenAddress
+          ]
+          ++ lib.optional cfg.enablePortLookup "-p"
+          ++ lib.optional cfg.enableReverseHostnameLookups "-r"
+          ++ lib.optionals (cfg.remoteIpHeader != null) [
+            "-H"
+            cfg.remoteIpHeader
+          ]
+          ++ cfg.extraArgs
+        );
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+
+    services.nginx = lib.mkIf (cfg.virtualHost != null) {
+      enable = true;
+      virtualHosts.${cfg.virtualHost} = {
+        locations."/" = {
+          proxyPass = "http://${cfg.listenAddress}";
+          recommendedProxySettings = true;
+        };
+      };
+    };
+
+    services.echoip = lib.mkIf (cfg.virtualHost != null) {
+      listenAddress = lib.mkDefault "127.0.0.1:8080";
+      remoteIpHeader = "X-Real-IP";
+    };
+  };
+}