services: add new yarr service for RSS reading

Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2024-08-18 22:03:19 +02:00 · 2024-08-18 22:03:19 +02:00 · 31076d3f8f
parent 760261f58e
commit 31076d3f8f
4 changed files with 75 additions and 1 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -25,7 +25,7 @@ creation_rules:
          - *christoph_zero
          - *christoph_maui
          - *machine_tank
-  - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vaultwarden|vikunja|wireguard)\.yaml
+  - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vaultwarden|vikunja|wireguard|yarr)\.yaml
    key_groups:
      - age:
          - *christoph_trek
--- a/machines/fort.nix
+++ b/machines/fort.nix
@ -28,6 +28,7 @@ in {
    ../services/vaultwarden.nix
    ../services/vikunja.nix
    ../services/web/c8h4-io.nix
+    ../services/yarr.nix
    ../system/btrfs.nix
    ../system/deploy-target.nix
    ../system/virtual-machine.nix
--- a/secrets/sops/yarr.yaml
+++ b/secrets/sops/yarr.yaml
@ -0,0 +1,49 @@
+yarr:
+    authfile: ENC[AES256_GCM,data:8/bKSHVd6QNID0yu1xf+2VJKlymIKwyrIELq/5Qek0Np46MWOTHitSGGrADvHi4GOr5F1+ffEO+cS7vVaTA51QqTU/2j5a7dwTBh,iv:a1JlkkRTWf6M3AYu2Q6hKxk4HLKPTYuvSABjw9xsnJo=,tag:QbTJf8HB32l/FaAgfvd6KA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFeWdRZGZpMi9JVGNqTkZC
+            MkY5NGd6U2RxY0h5dXRtVlNrN1A2WDIrVkUwClJxblQxdVJTYXlRbzhBMVR4emJW
+            L2t6OEZ4ZmovQStZQnQwK09KVG52UkEKLS0tIFhXTWNVUlVDb3lvT29kWVErYVJN
+            eEVocS8yajhqejI2cGNJV0lLaWRJTXcKPtlviZgAwHnhdBnPqmKQhGWviP59Ki+V
+            yilU2QeCK7YGnMOn+d3Tdn1gsVvpZQ/hI2jTp8NSPCZ24EZvrANhNw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSWVSOEF3a2RLd1pEb1Bz
+            aW92VGcyc29lZkNESWtwdGQ2WnF4YWVGbDJVCklWUjFTV1ExemlBYzZ1TXFhQ1Z5
+            N25pSHZ1MUlHaG4wdnVaeGJOTFBaT2MKLS0tIER0UUtOVkNjc0FnRU1XSlBaaFp1
+            Q0llY3NHODJkUjlqb3lNU0oxbGV0RmMKnwZgsFATcZ5MUYFlwmMwl6DTqF3wUlc3
+            5u8u4OOhwafYUL5umm3WnMPcNkB02rYJiGz/fdB5bgBVvuyHy/na8g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUeDJXZ1R1UjRPQUFaRkEx
+            N0hhMFFNYy83SHpTRkFqQ01oTTlpeFBxSzFJCnozUEFmUmtqYUxNaWxzWHVGOU5D
+            Y3V3ZGloTmd0b2FCSEdQSUpkOEJCcWsKLS0tIHl1QnNkMys4Q3krMldMLys1WVhK
+            SmFheElYa3lwQzl2THYvNXBwdTBIb0UKFvjT+MVwuneHz4hkyNlv1zaD0u3pAsIV
+            XeX5VA7/AQOShOKGJRMIQq8OYgwZ5naSDBH+o0F2W4V6oAB7Lds40A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuc1cyM3B2V1JpazF1TDc0
+            d2Q0OTluNG8wN2dVKyswUTFxSWh0d3dzSUFJCnA1VVJQQ1BiNFpENUt5RDNadk9y
+            cU9DbjBnaG1GL1NjVEJveEV5QWQzcVEKLS0tIEFycEx3bWZjZDlnbm9iMmswL2tw
+            NldOcXlZaVRuSWZNNEQrSndkbVZNUGMK/JRE1p3z4VLvE48WXKIx3YynlF79+N/q
+            ohCku6RcyJaFY2aXaM0Wd38EbgtEKtEtoVyCbpMxWBPIeIoiOQfU+g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-18T16:11:57Z"
+    mac: ENC[AES256_GCM,data:qTRq30iepwqvrVI9KVOq2Jmt+31o4rboDj/zkopobIrvI+UnMZBZCCCsdOQ3hjjbeRCfUeq/GhqsdUFsy+L2y8Rj/jvW4A7d7tOASgvqGvW0aDfy8yxtgJETtC05XuToD7QCm7S5URmcc9R8esr7jFmCvpObsuzBAnfLfvk9jF0=,iv:kiB/v5A2NbXSAepjKVy2CO/+X+HoGdasFEaSiasgtQ8=,tag:hgWaRaZcOXDbOGgfhYfvEA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0
--- a/services/yarr.nix
+++ b/services/yarr.nix
@ -0,0 +1,24 @@
+{ config, my, secrets, ... }:
+
+let fqdn = "yarr.${my.domain}";
+in {
+  sops.secrets."yarr/authfile" = {
+    sopsFile = ../secrets/sops/yarr.yaml;
+    restartUnits = [ "yarr.service" ];
+  };
+
+  services.yarr = {
+    enable = true;
+    address = "[::1]";
+    authFilePath = secrets."yarr/authfile".path;
+  };
+
+  services.nginx.virtualHosts.${fqdn} =
+    let inherit (config.services.yarr) address port;
+    in {
+      forceSSL = true;
+      useACMEHost = my.domain;
+      kTLS = true;
+      locations."/".proxyPass = "http://${address}:${toString port}";
+    };
+}