feat(ops/www/cl.snix.dev): deploy buildkite-api-proxy

This deploys buildkite-api-proxy at cl.snix.dev/buildkite-status/. Part of #118. Change-Id: Iae927b11acc2163e6edc4ba6e91194e8fa884b0d Reviewed-on: https://cl.snix.dev/c/snix/+/30405 Reviewed-by: edef <edef@edef.eu> Tested-by: besadii Autosubmit: Florian Klink <flokli@flokli.de>
2025-05-04 01:06:43 +03:00 · 2025-05-04 01:06:43 +03:00 · c709d2a5d3
commit c709d2a5d3
parent d85b322c55
1 changed files with 37 additions and 1 deletions
--- a/ops/modules/www/cl.snix.dev.nix
+++ b/ops/modules/www/cl.snix.dev.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, depot, ... }:

 {
  imports = [
@ -32,7 +32,43 @@
        location = /robots.txt {
          return 200 'User-agent: *\nAllow: /';
        }
+
+        location /buildkite-status/ {
+          proxy_pass http://buildkite-api-proxy/;
+        }
      '';
    };
+
+    services.nginx.upstreams.buildkite-api-proxy = {
+      servers."unix:/run/buildkite-api-proxy.sock" = { };
+    };
+
+    systemd.services.buildkite-api-proxy = {
+      serviceConfig = {
+        LoadCredential = "buildkite-api-token:${config.age.secrets.buildkite-api-proxy-token.path}";
+        ExecStart = "${depot.ops.buildkite-api-proxy}/bin/buildkite-api-proxy";
+        Restart = "always";
+        RestartSec = 5;
+        User = "buildkite-api-proxy";
+        DynamicUser = true;
+        ProtectHome = true;
+        ProtectSystem = true;
+        MemoryDenyWriteExecute = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+      };
+    };
+    systemd.sockets.buildkite-api-proxy = {
+      wantedBy = [ "sockets.target" ];
+      socketConfig.ListenStream = "/run/buildkite-api-proxy.sock";
+    };
  };
 }