Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: web-arm change to docker and install scana11y

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2025-09-09 17:55:43 +02:00
parent 58089e558e
commit b48ec98cb3
6 changed files with 87 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
hosts/web-arm/configuration.nix
View File

@@ -34,6 +34,11 @@
./modules/web/stack.nix
./sites
# comment out for first build, so ssh key and config is present
# otherwise the build will fail
./modules/sa-core.nix
];
nixpkgs.overlays = [
@@ -76,30 +81,12 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
systemd.tmpfiles.rules = [
"d /var/lib/nix-ssh-keys 0700 root root -"
];
sops.secrets.gitea-ssh-key = {
path = "/var/lib/nix-ssh-keys/gitea_ed25519";
owner = "root";
group = "root";
mode = "0600";
};
programs.ssh = {
knownHosts = {
"git.cloonar.com" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlUj7eEfS/4+z/3IhFhOTXAfpGEpNv6UWuYSL5OAhus";
};
};
extraConfig = ''
Host gitea-internal
HostName git.cloonar.com
User gitea
Port 22
IdentitiesOnly yes
IdentityFile /var/lib/nix-ssh-keys/gitea_ed25519
StrictHostKeyChecking yes
'';
};
# backups

2
hosts/web-arm/modules/rustdesk.nix
View File

@@ -2,7 +2,7 @@
{
virtualisation = {
podman.enable = true;
docker.enable = true;
oci-containers.containers = {
rustdesk-server = {
image = "rustdesk/rustdesk-server-s6:1";

48
hosts/web-arm/modules/sa-core.nix Normal file
View File

@@ -0,0 +1,48 @@
{ config, pkgs, ... }:
{
virtualisation = {
docker.enable = true;
};
users.users.scana11y_com.extraGroups = [ "docker" ];
systemd.services."scana11y-wohnservice-wien.at" = {
description = "ScanA11y wohnservice-wien.at";
wants = [ "docker.service" ];
after = [ "docker.service" "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = "scana11y_com";
};
path = [ pkgs.docker pkgs.wkhtmltopdf ];
script = ''
exec ${pkgs.sa-core}/bin/sa-core scan \
-domain=wohnservice-wien.at \
-depth=3 \
-max-pages=100 \
-image=cloonar/sa-core:v0.1.3 \
-output=/var/www/scana11y.com/reports \
-wkhtmltopdf=${pkgs.wkhtmltopdf}/bin/wkhtmltopdf \
-email-server=imap.cloonar.com \
-email-username=office@scana11y.com \
-email-password-file=${config.sops.secrets.sa-core-mailpw.path} \
-email-sender=office@scana11y.com \
-email-recipient=dominik.polakovics@cloonar.com \
-keep 6 \
-webroot=https://scana11y.com/reports
'';
};
systemd.timers."scana11y-wohnservice-wien.at" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "monthly";
Persistent = true;
RandomizedDelaySec = "1h"; # spread load a bit
};
};
sops.secrets.sa-core-mailpw.owner = "scana11y_com"; # written as root at activation
}

3
hosts/web-arm/overlays/packages.nix
View File

@@ -1,5 +1,4 @@
self: super: {
updns = self.callPackage ../pkgs/updns.nix { };
# vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });
sa-core = self.callPackage ../pkgs/sa-core.nix { };
}

29
hosts/web-arm/pkgs/sa-core.nix Normal file
View File

@@ -0,0 +1,29 @@
{ lib, buildGoModule, openssh }:
let
saRepoSrc = builtins.fetchGit {
url = "ssh://gitea@git.cloonar.com/ScanA11y/sa-core.git";
rev = "daf955c2dffb5d27593746274c33e6e3043c8227";
};
in
buildGoModule rec {
pname = "sa-core";
version = "0.1.0";
src = saRepoSrc;
vendorHash = "sha256-VAFs6RC8TJSap2ezYJOpfG+zFKBzLsAmaA+qBGmbBAI=";
subPackages = [ "." ];
# Optional tuning
CGO_ENABLED = 0;
ldflags = [ "-s" "-w" ];
doCheck = false;
meta = with lib; {
description = "ScanA11y core service";
license = licenses.mit; # adjust
mainProgram = "sa-core";
};
}

5
hosts/web-arm/secrets.yaml
View File

@@ -23,6 +23,7 @@ nextcloud-secrets: ENC[AES256_GCM,data:FwP+z4B03m0VEFEb8c/UwBKMcWXo+2dnlBAuO4SCV
nextcloud-smb-credentials: ENC[AES256_GCM,data:Ra1iVCP/Y1G87oDrn01JxorTQy6d80POKIVEbHPttrd6x5QgEvvyWIz6rCiK4mEH,iv:6wXHBSwq9P+tHrkB82ZReFXsUOF0rDi2hpZ8jXLU7OE=,tag:Fu4RB0hPyHFpN6YLTtfGDQ==,type:str]
pushover-api-token: ENC[AES256_GCM,data:itcWlyaJi+saBmhLabOOgbOej9yxQgCIiwU9uuOg,iv:dnD12MPZsENogsnCMGpZe1F0cC4eFfefSx7sP9Fl9Mw=,tag:lk1+pkvNab6yG0Sv/+TVIQ==,type:str]
pushover-user-key: ENC[AES256_GCM,data:swXKXMAeCyYbBQNAEEpDTJXjdNmFFVWnhExAqfnn,iv:AZd6phibpwEX97U/SzeiRoFFL3TviSONwOWkPsXdcKc=,tag:+mzfrxHpTWOzb3bEzN3D5Q==,type:str]
sa-core-mailpw: ENC[AES256_GCM,data:U5nM24n5j85J1ZBrzBkmSUsDFjgXqtcIrwK2,iv:Fxq9wkbjZhofcy/WPF6oOWoyajgj2aCserinNyGDfXE=,tag:q1+pGuKLnPGAvFQhQF1b/w==,type:str]
zammad-db-password: ENC[AES256_GCM,data:4LkMM06cs9H/ricsE+2LNin8PIn4MLbi+TaYpESeAhUz7M6JFcoLGdn2Rws3crGuCWVLColh1bv0hALLSYQs2Q==,iv:MIufiAixz6wLp1byQ2tiAx27jJGUAnVGs8KLWLaqk+4=,tag:Wbq6V3661r3Ue942q1jBRg==,type:str]
zammad-key-base: ENC[AES256_GCM,data:IERHJKzK/kRa4P6EfpSzt/9Xj1I0/YGl/Fj8ISA/WQFn4+hu9VqdJzMoVgZexbjhpB+fPWmxwyGBhrsJRf77zJGosRzG+4MPWPw6Yggai6TGbZkxj5St+I7nm9KZbtkCbo3pH3YLXhKCFVZJuSNtBb9Y3sqd0h8XcygMQbaf2Js=,iv:FEZUOBulpPDGUuJztod+r/17MEmojKrOe+HptecMdTo=,tag:ZsFKuUKaCgc01/iDJgbkNQ==,type:str]
updns-token: ENC[AES256_GCM,data:ara0AMf87hw+oBdxwAaOBL0yTyxdbz1qmcA6NuUei1s=,iv:G3JLP4VYMcTszpP6LLl1ygz1LSrjUKM2HwKHtySz5ck=,tag:5E5Z/E790j7jUNDEr4u+dw==,type:str]
@@ -64,7 +65,7 @@ sops:
elpYSDg2Y09Ia1VEaE9yUWRYMlk4V0UKcsiKxtTdtAT7odCCua7wV/3879QEp2YJ
iIVgZIrTg34tEGj8VbACcGINZfid3SSkUM4hnydP72ZOOfijIN21Ew==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-09T08:23:15Z"
mac: ENC[AES256_GCM,data:3+6fJxps4pKgGfLdwKq2FMhjxSjCqjmO1QUMeyGRjguEsCTbFrHmQmVjYHkTxADdy0oLBjvKzlZ7iucf2ruJUKr7igq8h30xENyFWnnm25k5dyp03rf9fm11Pzp/IHkPISrUptjC5Q6Azuwfvmso2lqWgc2AH9sTZVYpDS/yJlg=,iv:vktpxPUTVQNWGHyNKsRaFVo5Gx7VnvBw9CiXFOZOLj0=,tag:CWr5G7pRPw89m4neLjHsHw==,type:str]
lastmodified: "2025-09-09T09:52:21Z"
mac: ENC[AES256_GCM,data:FXQ0mXR8CZR7kPNbmpjXTLmhPlJlgPaJMP5Z2PA2ZORBwSAzyms+a/FFwRnIzcKk0MJEhJH6rVwWCwo0AlPtcwzL5Cnm+mkW3EgN9jtIZumvvtZwW0zWM99F7UsBTboJnG7kGbkfqqRVC4svv6G7xMkbxKIFqwJTUJqRE5vrqnQ=,iv:cuhcQtpF5TMBqx9x11zcxa+5S0IqMngC2dGfJGU82/4=,tag:GKtEOxWuDzcKa5RtRacQTA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2