From 1d14174ad5af7f882c10b6dada711c8d88ddcc55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?=
Date: Thu, 2 Oct 2025 18:30:08 +0200
Subject: [PATCH] go-webring

---
 flake.nix | 3 +
 modules/go-webring.nix | 142 ++++++++++++++++++++++++++++++++++
 packages/go-webring.nix | 21 +++++
 systems/ful/configuration.nix | 1 +
 systems/ful/go-webring.nix | 38 +++++++++
 5 files changed, 205 insertions(+)
 create mode 100644 modules/go-webring.nix
 create mode 100644 packages/go-webring.nix
 create mode 100644 systems/ful/go-webring.nix

diff --git a/flake.nix b/flake.nix
index 88f035d..46c3a28 100644
--- a/flake.nix
+++ b/flake.nix
@@ -146,6 +146,7 @@
 power-action = import modules/power-action.nix;
 system-dependent = import modules/system-dependent.nix;
 telegram-bot = import modules/telegram-bot.nix;
+ go-webring = import modules/go-webring.nix;
 };
 
 lib = {
@@ -207,6 +208,7 @@
 agenix.nixosModules.default
 inputs.self.nixosModules.passport
 inputs.self.nixosModules.panoptikon
+ inputs.self.nixosModules.go-webring
 inputs.self.nixosModules.htgen
 inputs.stockholm.nixosModules.reaktor2
 retiolum.nixosModules.retiolum
@@ -399,6 +401,7 @@
 q = pkgs.callPackage packages/q.nix {};
 qrpaste = pkgs.callPackage packages/qrpaste.nix {};
 random-zeno = pkgs.callPackage packages/random-zeno.nix {};
+ go-webring = pkgs.callPackage packages/go-webring.nix {};
 rfc = pkgs.callPackage packages/rfc.nix {};
 gimp = pkgs.callPackage packages/gimp.nix {};
 scanned = pkgs.callPackage packages/scanned.nix {};
diff --git a/modules/go-webring.nix b/modules/go-webring.nix
new file mode 100644
index 0000000..2a7cbf1
--- /dev/null
+++ b/modules/go-webring.nix
@@ -0,0 +1,142 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ inherit (lib)
+ mkEnableOption
+ mkPackageOption
+ mkOption
+ types
+ literalExpression
+ mkIf
+ ;
+ cfg = config.services.go-webring;
+
+ defaultAddress = "127.0.0.1:2857";
+in
+
+{
+ options = {
+ services.go-webring = {
+ enable = mkEnableOption "go-webring";
+
+ package = mkPackageOption pkgs "go-webring" { };
+
+ contactInstructions = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Contact instructions for errors";
+ example = "contact the admin and let them know what's up";
+ };
+
+ host = mkOption {
+ type = types.str;
+ description = "Host this webring runs on, primarily used for validation";
+ example = "my-webri.ng";
+ };
+
+ homePageTemplate = mkOption {
+ type = types.str;
+ description = ''
+ This should be any HTML file with the string "{{ . }}" placed
+ wherever you want the table of members inserted. This table is
+ plain HTML so you can style it with CSS.
+ '';
+ };
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = defaultAddress;
+ description = "Host and port go-webring will listen on";
+ };
+
+ members = mkOption {
+ type = types.listOf (
+ types.submodule {
+ options = {
+ username = mkOption {
+ type = types.str;
+ description = "Member's name";
+ };
+ site = mkOption {
+ type = types.str;
+ description = "Member's site URL";
+ };
+ };
+ }
+ );
+ description = "List of members in the webring";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.go-webring = {
+ description = "go-webring service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ requires = [ "network.target" ];
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = ''
+ ${lib.getExe cfg.package} \
+ ${lib.optionalString (cfg.contactInstructions != null) ("--contact " + lib.escapeShellArg cfg.contactInstructions)} \
+ --host ${cfg.host} \
+ --index ${pkgs.writeText "index.html" cfg.homePageTemplate} \
+ --listen ${cfg.listenAddress} \
+ --members ${
+ pkgs.writeText "list.txt" (
+ lib.concatMapStringsSep "\n" (member: member.username + " " + member.site) cfg.members
+ )
+ }
+ '';
+ User = "go-webring";
+ DynamicUser = true;
+ RuntimeDirectory = "go-webring";
+ WorkingDirectory = "/var/lib/go-webring";
+ StateDirectory = "go-webring";
+ RuntimeDirectoryMode = "0750";
+ WatchdogSec = 60;
+ WatchdogSignal = "SIGKILL";
+ Restart = "always";
+ RestartSec = 5;
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ UMask = "0077";
+ };
+ };
+ environment.systemPackages = [ cfg.package ];
+ };
+}
diff --git a/packages/go-webring.nix b/packages/go-webring.nix
new file mode 100644
index 0000000..18824ca
--- /dev/null
+++ b/packages/go-webring.nix
@@ -0,0 +1,21 @@
+{ buildGoModule, fetchgit, lib }:
+buildGoModule {
+ pname = "go-webring";
+ version = "2024-12-18";
+
+ src = fetchgit {
+ url = "https://git.sr.ht/~amolith/go-webring";
+ rev = "0b5b1bf21ff91119ea2dd042ee9fe94e9d1cd8d4";
+ hash = "sha256-az6vBOGiZmzfsMjYUacXMHhDeRDmVI/arCKCpHeTcns=";
+ };
+
+ vendorHash = "sha256-3PnXB8AfZtgmYEPJuh0fwvG38dtngoS/lxyx3H+rvFs=";
+
+ meta = {
+ mainProgram = "go-webring";
+ description = "Simple webring implementation";
+ homepage = "https://git.sr.ht/~amolith/go-webring";
+ license = lib.licenses.bsd2; # cc0 as well
+ maintainers = [ lib.maintainers.kmein ];
+ };
+}
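Review bot: The `--host ${cfg.host}` and `--listen ${cfg.listenAddress}` lines of `ExecStart` interpolate the option values unquoted, while `--contact` two lines above goes through `lib.escapeShellArg`; a value containing whitespace or characters systemd treats specially would be split into extra arguments or break the command line. Quoting all three the same way, `--host ${lib.escapeShellArg cfg.host} \` and `--listen ${lib.escapeShellArg cfg.listenAddress} \`, keeps the module consistent with what it already does for `--contact`. The `list.txt` content is built as `member.username + " " + member.site`, so a username containing a space cannot be represented in that space-separated format; an `assertions` entry over `cfg.members`, or at least a note on the `username` option that it must not contain whitespace, would surface that instead of producing a malformed file. `literalExpression` is inherited from `lib` at the top of the file but never used, and whether the `Type = "notify"` / `WatchdogSec = 60` pairing is supported by the program is not visible from this hunk and is worth confirming before relying on a `SIGKILL` watchdog.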
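Review bot: The `license = lib.licenses.bsd2; # cc0 as well` line in `meta` records the second license only in a comment, although `meta.license` accepts a list; `license = with lib.licenses; [ bsd2 cc0 ];` would keep both machine-readable. The `version = "2024-12-18"` string is a bare date for a commit-pinned checkout; the nixpkgs convention for unreleased snapshots is `0-unstable-2024-12-18`, which sorts correctly against a future tagged release.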
diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix
index f2e5f24..5ff1977 100644
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -12,6 +12,7 @@ in {
 ./radio.nix
 ./panoptikon.nix
 ./hledger.nix
+ ./go-webring.nix
 ./gemini.nix
 ./wallabag.nix
 ./alew.nix
diff --git a/systems/ful/go-webring.nix b/systems/ful/go-webring.nix
new file mode 100644
index 0000000..65b7981
--- /dev/null
+++ b/systems/ful/go-webring.nix
@@ -0,0 +1,38 @@
+{ config, niveumPackages ,... }:
+let
+ port = 2857;
+in
+{
+ services.go-webring = {
+ enable = true;
+ host = "dichtungsring.kmein.de";
+ listenAddress = "127.0.0.1:${toString port}";
+ package = niveumPackages.go-webring;
+ members = [
+ { username = "meteora"; site = "meteora.xn--kiern-0qa.de"; }
+ { username = "huldra"; site = "huldras-halbtraum.com"; }
+ ];
+ homePageTemplate = '' + + + + + Dichtungsring + + 

Willkommen beim Dichtungs-Ring

+
+ {{ . }} +
+ + + ''; + }; + + services.nginx.virtualHosts."dichtungsring.kmein.de" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://${config.services.go-webring.listenAddress}"; + }; +}
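Review bot: The two `members` entries give bare hostnames (`meteora.xn--kiern-0qa.de`, `huldras-halbtraum.com`) while the module's `site` option is described as "Member's site URL"; whether go-webring adds a scheme when it builds links from `list.txt` is not visible in this commit, so either confirm it and keep the values, or prefix them with `https://` and leave the option description as is. The local `port = 2857` reproduces the module default `127.0.0.1:2857`, so the `listenAddress` line could be dropped; the nginx `proxyPass` already reads `config.services.go-webring.listenAddress`, so it stays correct either way. The HTML inside `homePageTemplate` is not legible in this rendering of the hunk (tags appear stripped), so its content was not reviewed. `{ config, niveumPackages ,... }:` places the comma oddly; `{ config, niveumPackages, ... }:` matches the spacing used in the other files of this commit.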