diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index acabb98..f0c0201 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -38,6 +38,7 @@ # comment out for first build, so ssh key and config is present # otherwise the build will fail ./modules/sa-core.nix + ./modules/scana11y.nix ];
diff --git a/hosts/web-arm/modules/sa-core.nix b/hosts/web-arm/modules/sa-core.nix
index c00b4d7..d2adced 100644
--- a/hosts/web-arm/modules/sa-core.nix
+++ b/hosts/web-arm/modules/sa-core.nix
@@ -1,48 +1,123 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.sa-core; + + instanceOpts = { name, ... }: + { + options = { + domain = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Domain of the website to scan. Defaults to attribute name in instances. + ''; + example = "example.org"; + }; + + email = mkOption { + type = types.str; + default = "office@scana11y.com"; + description = lib.mdDoc '' + Email where to send scan reports. + ''; + example = "example.org"; + }; + + maxPages = mkOption { + type = types.int; + default = 100; + description = lib.mdDoc '' + Maximum number of pages to scan. + ''; + example = "100"; + }; + + timerConfig = mkOption { + type = types.attrs; + default = { + OnCalendar = "monthly"; + Persistent = true; + RandomizedDelaySec = "1h"; # spread load a bit + }; + description = lib.mdDoc '' + Configuration for the systemd timer. + ''; + }; + }; + }; +in { - virtualisation = { - docker.enable = true; - }; - - users.users.scana11y_com.extraGroups = [ "docker" ]; - - systemd.services."scana11y-wohnservice-wien.at" = { - description = "ScanA11y wohnservice-wien.at"; - wants = [ "docker.service" ]; - after = [ "docker.service" "network-online.target" ]; - serviceConfig = { - Type = "oneshot"; - User = "scana11y_com"; - }; - - path = [ pkgs.docker pkgs.wkhtmltopdf ]; - - script = '' - exec ${pkgs.sa-core}/bin/sa-core scan \ - -domain=wohnservice-wien.at \ - -depth=3 \ - -max-pages=100 \ - -image=cloonar/sa-core:v0.1.3 \ - -output=/var/www/scana11y.com/public/reports \ - -wkhtmltopdf=${pkgs.wkhtmltopdf}/bin/wkhtmltopdf \ - -email-server=imap.cloonar.com \ - -email-username=office@scana11y.com \ - -email-password-file=${config.sops.secrets.sa-core-mailpw.path} \ - -email-sender=office@scana11y.com \ - -email-recipient=dominik.polakovics@cloonar.com \ - -keep 6 \ - -webroot=https://scana11y.com/reports - ''; - }; - - 
systemd.timers."scana11y-wohnservice-wien.at" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "monthly"; - Persistent = true; - RandomizedDelaySec = "1h"; # spread load a bit + options.services.sa-core = { + instances = mkOption { + type = types.attrsOf (types.submodule instanceOpts); + default = {}; + description = lib.mdDoc "Define ScanA11y instances here."; + example = literalExpression '' + { + "example.org" = { + domain = "example.org"; + email = "test@example.org"; + }; + } + ''; }; }; - sops.secrets.sa-core-mailpw.owner = "scana11y_com"; # written as root at activation + config = { + virtualisation = { + docker.enable = true; + }; + + systemd.timers = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + in + nameValuePair ("sa-core-" + domain) { + wantedBy = [ "timers.target" ]; + timerConfig = instanceOpts.timerConfig; + } + ) cfg.instances; + + systemd.services = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + maxPages = if instanceOpts.maxPages != null then toString instanceOpts.maxPages else "100"; + in + nameValuePair ("sa-core-" + domain) { + description = "ScanA11y ${domain}"; + wants = [ "docker.service" ]; + after = [ "docker.service" "network-online.target" ]; + serviceConfig = { + Type = "oneshot"; + User = "scana11y_com"; + Group= "nginx"; + SupplementaryGroups = "docker"; + }; + + path = [ pkgs.docker pkgs.wkhtmltopdf ]; + + script = '' + exec ${pkgs.sa-core}/bin/sa-core scan \ + -domain=${domain} \ + -depth=3 \ + -max-pages=${maxPages} \ + -image=cloonar/sa-core:v0.1.3 \ + -output=/var/www/scana11y.com/public/reports \ + -wkhtmltopdf=${pkgs.wkhtmltopdf}/bin/wkhtmltopdf \ + -email-server=imap.cloonar.com \ + -email-username=office@scana11y.com \ + -email-password-file=${config.sops.secrets.sa-core-mailpw.path} \ + -email-sender=office@scana11y.com \ + 
-email-recipient=${instanceOpts.email} \ + -keep 6 \ + -webroot=https://scana11y.com/reports + ''; + } + ) cfg.instances; + + sops.secrets.sa-core-mailpw.owner = "scana11y_com"; + }; }
diff --git a/hosts/web-arm/modules/scana11y.nix b/hosts/web-arm/modules/scana11y.nix
new file mode 100644
index 0000000..f685644
--- /dev/null
+++ b/hosts/web-arm/modules/scana11y.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+ services.sa-core.instances = {
+ "wohnservice-wien.at" = {
+ email = "dominik.polakovics@cloonar.com";
+ };
+ };
+}
diff --git a/hosts/web-arm/pkgs/sa-core.nix b/hosts/web-arm/pkgs/sa-core.nix
index 0c3933a..d09c48d 100644
--- a/hosts/web-arm/pkgs/sa-core.nix
+++ b/hosts/web-arm/pkgs/sa-core.nix
@@ -2,13 +2,13 @@ let saRepoSrc = builtins.fetchGit { url = "ssh://gitea@git.cloonar.com/ScanA11y/sa-core.git"; - rev = "844c5a6b95ae28ab17da127011d1f027680d1a9a"; + rev = "0d33fdb79b62c270d230ad307341ae107be96600"; }; in buildGoModule rec { pname = "sa-core"; - version = "0.2.0"; + version = "0.3.2"; src = saRepoSrc;
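Review bot: The per-instance values `domain`, `instanceOpts.email` and `maxPages` are interpolated unquoted into the oneshot `script` in the `systemd.services` branch, so an attribute name or email string containing shell metacharacters would split or alter the `sa-core scan` command line; quoting each argument as `-domain=${lib.escapeShellArg domain} \` (and likewise for `-max-pages` and `-email-recipient`) keeps every value a single intact argument. The `maxPages` null-check in that `let` is dead code, because the option is declared `types.int` with `default = 100` and can never be null — `maxPages = toString instanceOpts.maxPages;` is sufficient. The lambda parameter `instanceOpts` used in both `mapAttrs'` calls shadows the `instanceOpts` submodule function bound in the outer `let`; renaming it (for example `opts`) removes the ambiguity, and the `domain` fallback duplicated between the timers and services maps could then be computed once in a shared helper. On the option docs, `email` carries `example = "example.org"`, which is not an address, and `maxPages` carries the string example `"100"` for an int option; `example = "reports@example.org";` and `example = 100;` match the declared types. `Group= "nginx";` is also missing the space before `=`.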