b07cd5fbf6
#133 Reviewed-on: https://git.pvv.ntnu.no/Drift/pvv-nixos-config/pulls/90 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Co-authored-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no> Co-committed-by: Alf Helge Jakobsen <alfhj@stud.ntnu.no>
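{ pkgs, lib, config, ... }:
let
  # Directory the web site serves the gallery from; the update service runs inside it.
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  # Drop box the remote build script pushes the tarball into (kept apart from galleryDir
  # so a partially uploaded tarball can never be served or extracted over the live tree).
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
in {
  users.users.${config.services.pvv-nettsiden.user} = {
    useDefaultShell = true;

    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
    # The key is confined to a write-only rsync into transferDir (rrsync -wo) and,
    # via `restrict`, may not get a shell, a pty, or any agent/port/X11 forwarding.
    openssh.authorizedKeys.keys = [
      ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
    ];
  };

  # Re-run the update service whenever a new tarball lands in transferDir.
  systemd.paths.pvv-nettsiden-gallery-update = {
    wantedBy = [ "multi-user.target" ];
    pathConfig = {
      PathChanged = "${transferDir}/gallery.tar.gz";
      Unit = "pvv-nettsiden-gallery-update.service";
      # NOTE(review): MakeDirectory creates transferDir as root with the default
      # DirectoryMode (0755), while the rrsync key above runs as the nettsiden user
      # and has to write into it — confirm the directory is chowned elsewhere
      # (e.g. tmpfiles) or that this is not the first thing to create it.
      MakeDirectory = true;
    };
  };

  systemd.services.pvv-nettsiden-gallery-update = {
    path = with pkgs; [ imagemagick gnutar gzip ];

    # Runs with WorkingDirectory = galleryDir (see serviceConfig), so every relative
    # path below is inside the gallery.
    script = ''
      tar ${lib.cli.toGNUCommandLineShell {} {
        extract = true;
        file = "${transferDir}/gallery.tar.gz";
        directory = ".";
      }}

      # Delete files and directories that exist in the gallery but not in the tarball.
      # `uniq -u` keeps every name that occurs in exactly one of the two sorted listings.
      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
      while IFS= read -r fname; do
        # Half of these names come straight from the tarball listing, which is not
        # necessarily sanitised the way extraction is. Only touch paths that are
        # clearly inside the gallery: they must start with "./" and contain no ".." component.
        case "$fname" in
          ./*) ;;
          *) echo "Skipping unexpected path in removal list: $fname" >&2; continue ;;
        esac
        case "/$fname/" in
          */../*) echo "Skipping unexpected path in removal list: $fname" >&2; continue ;;
        esac
        rm -f "$fname" ||:
        rm -f ".thumbnails/$fname.png" ||:
      done <<< "$filesToRemove"

      find . -type d -empty -delete

      mkdir -p .thumbnails
      images=$(find . -type f -not -path "./.thumbnails*")

      while IFS= read -r fname; do
        # An empty gallery yields one empty line from the here-string; nothing to do for it.
        [ -n "$fname" ] || continue

        thumb=".thumbnails/$fname.png"
        mtime=$(date -R -r "$fname")

        # Skip this file if an up-to-date thumbnail already exists. Thumbnails are
        # stamped with the source's mtime below, so equality means "not stale".
        if [ -f "$thumb" ] && [ "$mtime" == "$(date -R -r "$thumb")" ]
        then
          continue
        fi

        echo "Creating thumbnail for $fname"
        # Quoted so directory names containing whitespace survive word splitting.
        mkdir -p "$(dirname "$thumb")"
        # A failed conversion must not abort the whole run (one broken image would
        # otherwise block every later thumbnail); the touch still stamps whatever is
        # there so the broken file is not retried on every update.
        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient "$thumb" ||:
        touch -m -d "$mtime" "$thumb"
      done <<< "$images"
    '';

    serviceConfig = {
      WorkingDirectory = galleryDir;
      # Same account that owns the SSH key above, so it can modify what rrsync uploaded.
      User = config.services.pvv-nettsiden.user;
      Group = config.services.pvv-nettsiden.group;

      # Sandbox: the job only needs to read transferDir and rewrite galleryDir with
      # tar and imagemagick, so everything else (network, devices, /home, the rest of
      # the file system, privilege gain) is denied.
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateNetwork = true;
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      # "full" keeps /var writable; galleryDir and transferDir are assumed to live
      # there (or somewhere else outside /usr, /boot, /efi and /etc).
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  };
}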