add kiwix web app

2023-10-01 23:41:40 +03:00 · 2023-10-01 23:41:40 +03:00 · 099646c511
commit 099646c511
parent 5f54779a06
5 changed files with 119 additions and 0 deletions
--- a/machines/Home-Hypervisor/dns-mapping.nix
+++ b/machines/Home-Hypervisor/dns-mapping.nix
@ -61,6 +61,7 @@
        "turn.ataraxiadev.com" = "coturn.pve";
        "vw.ataraxiadev.com" = "ataraxiadev.com";
        "webmail.ataraxiadev.com" = "ataraxiadev.com";
+        "wiki.ataraxiadev.com" = "ataraxiadev.com";
        "www.ataraxiadev.com" = "ataraxiadev.com";
      };
    };
--- a/machines/NixOS-VPS/hardware/dns-mapping.nix
+++ b/machines/NixOS-VPS/hardware/dns-mapping.nix
@ -43,6 +43,7 @@
    { name = "turn.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "vw.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
    { name = "webmail.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }
+    { name = "wiki.ataraxiadev.com"; type = "A"; value = "100.64.0.3"; }

    { name = "ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "api.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
@ -87,5 +88,6 @@
    { name = "turn.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "vw.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
    { name = "webmail.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
+    { name = "wiki.ataraxiadev.com"; type = "AAAA"; value = "fd7a:115c:a1e0::3"; }
  ];
 }
--- a/modules/kiwix-serve.nix
+++ b/modules/kiwix-serve.nix
@ -0,0 +1,102 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.kiwix-serve;
+in
+{
+  options = {
+    services.kiwix-serve = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+      };
+      package = mkOption {
+        type = types.package;
+        default = pkgs.kiwix-tools;
+        defaultText = literalExpression "pkgs.kiwix-tools";
+        description = lib.mdDoc "The package that provides `bin/kiwix-serve`";
+      };
+      port = mkOption {
+        type = types.port;
+        default = 80;
+        description = lib.mdDoc "Port number to listen on";
+      };
+      listenAddress = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        description = lib.mdDoc "IP address to listen on";
+      };
+      zimPaths = mkOption {
+        default = null;
+        type = types.nullOr (types.nonEmptyListOf (types.either types.str types.path));
+        description = lib.mdDoc "ZIM file path(s)";
+      };
+      zimDir = mkOption {
+        default = null;
+        type = types.nullOr (types.either types.str types.path);
+        description = lib.mdDoc "ZIM directory";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.kiwix-serve = {
+      description = "Deliver ZIM file(s) articles via HTTP";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = let
+        bindsPrivilegedPort = (0 < cfg.port && cfg.port < 1024);
+        maybeZimPaths = lib.optionals (cfg.zimPaths != null) cfg.zimPaths;
+        maybeZimDir = lib.optionals (cfg.zimDir != null) ["-l" "/tmp/library.xml"];
+        args = ["-i" cfg.listenAddress] ++ ["-p" cfg.port] ++ maybeZimDir ++ maybeZimPaths;
+
+        manage-lib = pkgs.writeShellScript "kiwix-manage-library" ''
+          for f in "${cfg.zimDir}"/*.zim; do
+            if [[ -f "$f" ]]; then
+              ( set -x; ${cfg.package}/bin/kiwix-manage "/tmp/library.xml" add $f )
+            fi
+          done
+        '';
+      in {
+        ExecStartPre = lib.mkIf (cfg.zimDir != null) manage-lib;
+        ExecStart = "${cfg.package}/bin/kiwix-serve ${lib.escapeShellArgs args}";
+        Type = "simple";
+        Restart = "on-failure";
+        TimeoutStartSec = 600;
+
+        AmbientCapabilities   = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE";
+        CapabilityBoundingSet = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE";
+        DeviceAllow = "";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateIPC = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "noaccess";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [];
+        SystemCallErrorNumber = "EPERM";
+      };
+    };
+  };
+}
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@ -79,6 +79,7 @@ in {
        "cache.ataraxiadev.com"
        "docs.ataraxiadev.com"
        "cal.ataraxiadev.com"
+        "wiki.ataraxiadev.com"

        "matrix.ataraxiadev.com"
        "dimension.ataraxiadev.com"
@ -371,6 +372,12 @@ in {
          '' + proxySettings;
        };
      } // default;
+      "wiki.ataraxiadev.com" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8190";
+          extraConfig = proxySettings;
+        };
+      };
    };
  };

--- a/profiles/servers/wiki.nix
+++ b/profiles/servers/wiki.nix
@ -0,0 +1,7 @@
+{ config, pkgs, lib, ... }: {
+  services.kiwix-serve = {
+    enable = true;
+    port = 8190;
+    zimDir = "/media/nas/media-stack/torrents/other";
+  };
+}