From c709d2a5d364f74acb6f76871c0e74d6c7245b2e Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sun, 4 May 2025 01:06:43 +0300
Subject: [PATCH] feat(ops/www/cl.snix.dev): deploy buildkite-api-proxy

This deploys buildkite-api-proxy at cl.snix.dev/buildkite-status/.

Part of #118.

Change-Id: Iae927b11acc2163e6edc4ba6e91194e8fa884b0d
Reviewed-on: https://cl.snix.dev/c/snix/+/30405
Reviewed-by: edef
Tested-by: besadii
Autosubmit: Florian Klink
---
 ops/modules/www/cl.snix.dev.nix | 38 ++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/ops/modules/www/cl.snix.dev.nix b/ops/modules/www/cl.snix.dev.nix
index 198b4eaa6..9471c3441 100644
--- a/ops/modules/www/cl.snix.dev.nix
+++ b/ops/modules/www/cl.snix.dev.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, depot, ... }:
 {
 imports = [
@@ -32,7 +32,43 @@
 location = /robots.txt {
 return 200 'User-agent: *\nAllow: /';
 }
+
+ location /buildkite-status/ {
+ proxy_pass http://buildkite-api-proxy/;
+ }
 '';
 };
+
+ services.nginx.upstreams.buildkite-api-proxy = {
+ servers."unix:/run/buildkite-api-proxy.sock" = { };
+ };
+
+ systemd.services.buildkite-api-proxy = {
+ serviceConfig = {
+ LoadCredential = "buildkite-api-token:${config.age.secrets.buildkite-api-proxy-token.path}";
+ ExecStart = "${depot.ops.buildkite-api-proxy}/bin/buildkite-api-proxy";
+ Restart = "always";
+ RestartSec = 5;
+ User = "buildkite-api-proxy";
+ DynamicUser = true;
+ ProtectHome = true;
+ ProtectSystem = true;
+ MemoryDenyWriteExecute = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ };
+ };
+ systemd.sockets.buildkite-api-proxy = {
+ wantedBy = [ "sockets.target" ];
+ socketConfig.ListenStream = "/run/buildkite-api-proxy.sock";
+ };
 };
 }
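Review bot: The activation socket declared by `socketConfig.ListenStream = "/run/buildkite-api-proxy.sock"` in the second hunk is created with systemd's default SocketMode of 0666, so any local process can talk to the proxy directly and bypass the nginx `location /buildkite-status/` block, although nginx is the only intended client. Restricting it to the web server's group is two lines in the same socket unit: `socketConfig.SocketMode = "0660";` and `socketConfig.SocketGroup = config.services.nginx.group;`. In the service unit, `ProtectSystem = true` is the weaker "yes" level (only /usr, /boot and /efi read-only); since the process only needs its credential and outbound network, `ProtectSystem = "strict";` together with `RestrictAddressFamilies` limited to AF_UNIX/AF_INET/AF_INET6 and `PrivateDevices = true` would round out the filters already listed, and if DynamicUser is meant to imply strict mode the explicit weaker value presumably overrides it, so it is worth confirming. `config.age.secrets.buildkite-api-proxy-token` is referenced by `LoadCredential` but not declared in this patch, so the build presumably relies on a definition elsewhere; the enclosing nginx virtualHost block begins before this hunk.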