From b48ec98cb33b7306b7d95261cdbcfe0094f68e9c Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Tue, 9 Sep 2025 17:55:43 +0200
Subject: [PATCH] feat: web-arm change to docker and install scana11y
---
 hosts/web-arm/configuration.nix | 23 +++-----------
 hosts/web-arm/modules/rustdesk.nix | 2 +-
 hosts/web-arm/modules/sa-core.nix | 48 +++++++++++++++++++++++++++++
 hosts/web-arm/overlays/packages.nix | 3 +-
 hosts/web-arm/pkgs/sa-core.nix | 29 +++++++++++++++++
 hosts/web-arm/secrets.yaml | 5 +--
 6 files changed, 87 insertions(+), 23 deletions(-)
 create mode 100644 hosts/web-arm/modules/sa-core.nix
 create mode 100644 hosts/web-arm/pkgs/sa-core.nix
diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index 6f66689..acabb98 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -34,6 +34,11 @@ ./modules/web/stack.nix ./sites
+
+ # comment out for first build, so ssh key and config is present
+ # otherwise the build will fail
+ ./modules/sa-core.nix
+
 ]; nixpkgs.overlays = [
@@ -76,30 +81,12 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" ];
- systemd.tmpfiles.rules = [
- "d /var/lib/nix-ssh-keys 0700 root root -"
- ];
- sops.secrets.gitea-ssh-key = {
- path = "/var/lib/nix-ssh-keys/gitea_ed25519";
- owner = "root";
- group = "root";
- mode = "0600";
- };
 programs.ssh = { knownHosts = { "git.cloonar.com" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlUj7eEfS/4+z/3IhFhOTXAfpGEpNv6UWuYSL5OAhus"; }; };
- extraConfig = ''
- Host gitea-internal
- HostName git.cloonar.com
- User gitea
- Port 22
- IdentitiesOnly yes
- IdentityFile /var/lib/nix-ssh-keys/gitea_ed25519
- StrictHostKeyChecking yes
- '';
 }; # backups
diff --git a/hosts/web-arm/modules/rustdesk.nix b/hosts/web-arm/modules/rustdesk.nix
index 047aa1b..b21ed12 100644
--- a/hosts/web-arm/modules/rustdesk.nix
+++ b/hosts/web-arm/modules/rustdesk.nix
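Review bot: The comment added above `./modules/sa-core.nix` tells the operator to comment the import out for the first build but does not say which key it relies on: the build needs SSH access because `pkgs/sa-core.nix` fetches its source with `builtins.fetchGit` over `ssh://gitea@git.cloonar.com`, and the second hunk of this file removes the declared key (`sops.secrets.gitea-ssh-key`, its tmpfiles rule) together with the `gitea-internal` host alias that pinned `IdentityFile`, `IdentitiesOnly yes` and `StrictHostKeyChecking yes`. That leaves the credential used at evaluation time implicit (whatever the evaluating user's own ssh configuration provides), which is easy to lose track of when the host is rebuilt from another machine. Suggest expanding the comment to something like `# sa-core is fetched over SSH at evaluation time (see pkgs/sa-core.nix); the evaluating user needs a deploy key for git.cloonar.com, so skip this import on a fresh host until that key is in place` and recording where that key now lives. The `knownHosts` pin for git.cloonar.com is kept, which still protects the fetch against a host-key change.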
@@ -2,7 +2,7 @@ { virtualisation = {
- podman.enable = true;
+ docker.enable = true;
 oci-containers.containers = { rustdesk-server = { image = "rustdesk/rustdesk-server-s6:1";
diff --git a/hosts/web-arm/modules/sa-core.nix b/hosts/web-arm/modules/sa-core.nix
new file mode 100644
index 0000000..bac004f
--- /dev/null
+++ b/hosts/web-arm/modules/sa-core.nix
@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+{
+ virtualisation = {
+ docker.enable = true;
+ };
+
+ users.users.scana11y_com.extraGroups = [ "docker" ];
+
+ systemd.services."scana11y-wohnservice-wien.at" = {
+ description = "ScanA11y wohnservice-wien.at";
+ wants = [ "docker.service" ];
+ after = [ "docker.service" "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "scana11y_com";
+ };
+
+ path = [ pkgs.docker pkgs.wkhtmltopdf ];
+
+ script = ''
+ exec ${pkgs.sa-core}/bin/sa-core scan \
+ -domain=wohnservice-wien.at \
+ -depth=3 \
+ -max-pages=100 \
+ -image=cloonar/sa-core:v0.1.3 \
+ -output=/var/www/scana11y.com/reports \
+ -wkhtmltopdf=${pkgs.wkhtmltopdf}/bin/wkhtmltopdf \
+ -email-server=imap.cloonar.com \
+ -email-username=office@scana11y.com \
+ -email-password-file=${config.sops.secrets.sa-core-mailpw.path} \
+ -email-sender=office@scana11y.com \
+ -email-recipient=dominik.polakovics@cloonar.com \
+ -keep 6 \
+ -webroot=https://scana11y.com/reports
+ '';
+ };
+
+ systemd.timers."scana11y-wohnservice-wien.at" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "monthly";
+ Persistent = true;
+ RandomizedDelaySec = "1h"; # spread load a bit
+ };
+ };
+
+ sops.secrets.sa-core-mailpw.owner = "scana11y_com"; # written as root at activation
+}
diff --git a/hosts/web-arm/overlays/packages.nix b/hosts/web-arm/overlays/packages.nix
index 8b4c50d..f3c2bca 100644
--- a/hosts/web-arm/overlays/packages.nix
+++ b/hosts/web-arm/overlays/packages.nix
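Review bot: Dropping `podman.enable = true;` while keeping the `oci-containers.containers` block below likely leaves the rustdesk-server unit on the wrong backend: as far as I recall the NixOS module, `virtualisation.oci-containers.backend` does not follow `docker.enable` (for recent `system.stateVersion` values it defaults to podman), so the generated unit would still drive the backend this commit stops configuring. If docker is the intended runtime, set `virtualisation.oci-containers.backend = "docker";` next to `docker.enable = true;`. Note that this also moves the container from a backend that can run without a root daemon to one that runs every container through a root-owned daemon; worth a comment if that is deliberate. The rest of the containers definition continues outside the hunk.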
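Review bot: `users.users.scana11y_com.extraGroups = [ "docker" ];` makes the scan user root-equivalent on the host, because membership in `docker` grants control of the daemon socket and the daemon enabled two lines above runs as root. If `scana11y_com` is also the account behind the scana11y.com web stack (the `-output` path points under `/var/www/scana11y.com`), a compromise of that service would now escalate to the host, whereas the podman backend this commit replaces could have run the job rootless. Prefer a dedicated user for the timer that owns only the reports directory, or keep podman for this job if `sa-core` can be pointed at it; at minimum document the trade-off next to the `extraGroups` line, e.g. `# docker group == root on this host; scan user must not serve web traffic`. Separately, `-image=cloonar/sa-core:v0.1.3` pulls by mutable tag; pinning by digest (`cloonar/sa-core@sha256:<digest-placeholder>`) would make the monthly run reproducible and tamper-evident.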
@@ -1,5 +1,4 @@ self: super: {
 updns = self.callPackage ../pkgs/updns.nix { };
-
- # vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });
+ sa-core = self.callPackage ../pkgs/sa-core.nix { };
 }
diff --git a/hosts/web-arm/pkgs/sa-core.nix b/hosts/web-arm/pkgs/sa-core.nix
new file mode 100644
index 0000000..f8b9bc5
--- /dev/null
+++ b/hosts/web-arm/pkgs/sa-core.nix
@@ -0,0 +1,29 @@
+{ lib, buildGoModule, openssh }:
+let
+ saRepoSrc = builtins.fetchGit {
+ url = "ssh://gitea@git.cloonar.com/ScanA11y/sa-core.git";
+ rev = "daf955c2dffb5d27593746274c33e6e3043c8227";
+ };
+in
+
+buildGoModule rec {
+ pname = "sa-core";
+ version = "0.1.0";
+
+ src = saRepoSrc;
+
+ vendorHash = "sha256-VAFs6RC8TJSap2ezYJOpfG+zFKBzLsAmaA+qBGmbBAI=";
+
+ subPackages = [ "." ];
+
+ # Optional tuning
+ CGO_ENABLED = 0;
+ ldflags = [ "-s" "-w" ];
+ doCheck = false;
+
+ meta = with lib; {
+ description = "ScanA11y core service";
+ license = licenses.mit; # adjust
+ mainProgram = "sa-core";
+ };
+}
diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml
index fa90dde..6473060 100644
--- a/hosts/web-arm/secrets.yaml
+++ b/hosts/web-arm/secrets.yaml
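Review bot: `openssh` is taken as an input on the first line of pkgs/sa-core.nix but never used in the derivation; either drop it or, if it is meant to signal that `builtins.fetchGit` needs an SSH client at evaluation time, say so in a comment such as `# source is fetched over SSH during evaluation, outside the sandbox, with the evaluating user's key`, because this file is where a reader will look for that requirement. `builtins.fetchGit` given a `rev` without a `ref` only resolves commits reachable from the default branch in my recollection of current Nix, so add `ref = "<branch-placeholder>";` (or `allRefs = true;`) if `daf955c2…` is not on it. `version = "0.1.0"` also differs from the `v0.1.3` container tag used in modules/sa-core.nix — worth confirming whether the two are meant to diverge — and `license = licenses.mit; # adjust` reads as a leftover placeholder that should be resolved before this lands.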
@@ -23,6 +23,7 @@ nextcloud-secrets: ENC[AES256_GCM,data:FwP+z4B03m0VEFEb8c/UwBKMcWXo+2dnlBAuO4SCV
 nextcloud-smb-credentials: ENC[AES256_GCM,data:Ra1iVCP/Y1G87oDrn01JxorTQy6d80POKIVEbHPttrd6x5QgEvvyWIz6rCiK4mEH,iv:6wXHBSwq9P+tHrkB82ZReFXsUOF0rDi2hpZ8jXLU7OE=,tag:Fu4RB0hPyHFpN6YLTtfGDQ==,type:str]
 pushover-api-token: ENC[AES256_GCM,data:itcWlyaJi+saBmhLabOOgbOej9yxQgCIiwU9uuOg,iv:dnD12MPZsENogsnCMGpZe1F0cC4eFfefSx7sP9Fl9Mw=,tag:lk1+pkvNab6yG0Sv/+TVIQ==,type:str]
 pushover-user-key: ENC[AES256_GCM,data:swXKXMAeCyYbBQNAEEpDTJXjdNmFFVWnhExAqfnn,iv:AZd6phibpwEX97U/SzeiRoFFL3TviSONwOWkPsXdcKc=,tag:+mzfrxHpTWOzb3bEzN3D5Q==,type:str]
+sa-core-mailpw: ENC[AES256_GCM,data:U5nM24n5j85J1ZBrzBkmSUsDFjgXqtcIrwK2,iv:Fxq9wkbjZhofcy/WPF6oOWoyajgj2aCserinNyGDfXE=,tag:q1+pGuKLnPGAvFQhQF1b/w==,type:str]
 zammad-db-password: ENC[AES256_GCM,data:4LkMM06cs9H/ricsE+2LNin8PIn4MLbi+TaYpESeAhUz7M6JFcoLGdn2Rws3crGuCWVLColh1bv0hALLSYQs2Q==,iv:MIufiAixz6wLp1byQ2tiAx27jJGUAnVGs8KLWLaqk+4=,tag:Wbq6V3661r3Ue942q1jBRg==,type:str]
 zammad-key-base: ENC[AES256_GCM,data:IERHJKzK/kRa4P6EfpSzt/9Xj1I0/YGl/Fj8ISA/WQFn4+hu9VqdJzMoVgZexbjhpB+fPWmxwyGBhrsJRf77zJGosRzG+4MPWPw6Yggai6TGbZkxj5St+I7nm9KZbtkCbo3pH3YLXhKCFVZJuSNtBb9Y3sqd0h8XcygMQbaf2Js=,iv:FEZUOBulpPDGUuJztod+r/17MEmojKrOe+HptecMdTo=,tag:ZsFKuUKaCgc01/iDJgbkNQ==,type:str]
 updns-token: ENC[AES256_GCM,data:ara0AMf87hw+oBdxwAaOBL0yTyxdbz1qmcA6NuUei1s=,iv:G3JLP4VYMcTszpP6LLl1ygz1LSrjUKM2HwKHtySz5ck=,tag:5E5Z/E790j7jUNDEr4u+dw==,type:str]
@@ -64,7 +65,7 @@ sops:
 elpYSDg2Y09Ia1VEaE9yUWRYMlk4V0UKcsiKxtTdtAT7odCCua7wV/3879QEp2YJ
 iIVgZIrTg34tEGj8VbACcGINZfid3SSkUM4hnydP72ZOOfijIN21Ew==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-09T08:23:15Z"
- mac: ENC[AES256_GCM,data:3+6fJxps4pKgGfLdwKq2FMhjxSjCqjmO1QUMeyGRjguEsCTbFrHmQmVjYHkTxADdy0oLBjvKzlZ7iucf2ruJUKr7igq8h30xENyFWnnm25k5dyp03rf9fm11Pzp/IHkPISrUptjC5Q6Azuwfvmso2lqWgc2AH9sTZVYpDS/yJlg=,iv:vktpxPUTVQNWGHyNKsRaFVo5Gx7VnvBw9CiXFOZOLj0=,tag:CWr5G7pRPw89m4neLjHsHw==,type:str]
+ lastmodified: "2025-09-09T09:52:21Z"
+ mac: ENC[AES256_GCM,data:FXQ0mXR8CZR7kPNbmpjXTLmhPlJlgPaJMP5Z2PA2ZORBwSAzyms+a/FFwRnIzcKk0MJEhJH6rVwWCwo0AlPtcwzL5Cnm+mkW3EgN9jtIZumvvtZwW0zWM99F7UsBTboJnG7kGbkfqqRVC4svv6G7xMkbxKIFqwJTUJqRE5vrqnQ=,iv:cuhcQtpF5TMBqx9x11zcxa+5S0IqMngC2dGfJGU82/4=,tag:GKtEOxWuDzcKa5RtRacQTA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2