From 2eed715fbfd05a536d9f9756c656ba242fd0800a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stanis=C5=82aw=20Pitucha?= <git@viraptor.info>
Date: Sun, 26 Jun 2022 01:20:59 +1000
Subject: [PATCH] nixos/go-camo: init

---
 .../manual/release-notes/rl-2405.section.md   |  2 +
 nixos/modules/module-list.nix                 |  1 +
 nixos/modules/services/networking/go-camo.nix | 73 +++++++++++++++++++
 nixos/tests/go-camo.nix                       | 30 ++++++++
 4 files changed, 106 insertions(+)
 create mode 100644 nixos/modules/services/networking/go-camo.nix
 create mode 100644 nixos/tests/go-camo.nix

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 70ee02183f4f..74563bf44344 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -71,6 +71,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - [TigerBeetle](https://tigerbeetle.com/), a distributed financial accounting database designed for mission critical safety and performance. Available as [services.tigerbeetle](#opt-services.tigerbeetle.enable).
 
+- [go-camo](https://github.com/cactus/go-camo), a secure image proxy server. Available as [services.go-camo](#opt-services.go-camo.enable).
+
 - [Clevis](https://github.com/latchset/clevis), a pluggable framework for automated decryption, used to unlock encrypted devices in initrd. Available as [boot.initrd.clevis.enable](#opt-boot.initrd.clevis.enable).
 
 - [TuxClocker](https://github.com/Lurkki14/tuxclocker), a hardware control and monitoring program. Available as [programs.tuxclocker](#opt-programs.tuxclocker.enable).
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index deb7b382e3d1..af26e31b1cbf 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -963,6 +963,7 @@
   ./services/networking/gns3-server.nix
   ./services/networking/gnunet.nix
   ./services/networking/go-autoconfig.nix
+  ./services/networking/go-camo.nix
   ./services/networking/go-neb.nix
   ./services/networking/go-shadowsocks2.nix
   ./services/networking/gobgpd.nix
diff --git a/nixos/modules/services/networking/go-camo.nix b/nixos/modules/services/networking/go-camo.nix
new file mode 100644
index 000000000000..cb3b6eade464
--- /dev/null
+++ b/nixos/modules/services/networking/go-camo.nix
@@ -0,0 +1,73 @@
+{ lib, pkgs, config, ... }:
+
+let
+  cfg = config.services.go-camo;
+  inherit (lib) mkOption mkEnableOption mkIf mkMerge types optionalString;
+in
+{
+  options.services.go-camo = {
+    enable = mkEnableOption "go-camo service";
+    listen = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Address:Port to bind to for HTTP (default: 0.0.0.0:8080).";
+      apply = v: optionalString (v != null) "--listen=${v}";
+    };
+    sslListen = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Address:Port to bind to for HTTPS.";
+      apply = v: optionalString (v != null) "--ssl-listen=${v}";
+    };
+    sslKey = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Path to TLS private key.";
+      apply = v: optionalString (v != null) "--ssl-key=${v}";
+    };
+    sslCert = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = "Path to TLS certificate.";
+      apply = v: optionalString (v != null) "--ssl-cert=${v}";
+    };
+    keyFile = mkOption {
+      type = types.path;
+      default = null;
+      description = ''
+        A file containing the HMAC key to use for signing URLs.
+        The file can contain any string. Can be generated using "openssl rand -base64 18 > the_file".
+      '';
+    };
+    extraOptions = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = "Extra options passed to the go-camo command.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.go-camo = {
+      description = "go-camo service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      environment = {
+        GOCAMO_HMAC_FILE = "%d/hmac";
+      };
+      script = ''
+        export GOCAMO_HMAC=$(cat "$GOCAMO_HMAC_FILE")
+        exec ${lib.escapeShellArgs(lib.lists.remove "" ([ "${pkgs.go-camo}/bin/go-camo" cfg.listen cfg.sslListen cfg.sslKey cfg.sslCert ] ++ cfg.extraOptions))}
+      '';
+      serviceConfig = {
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        DynamicUser = true;
+        User = "gocamo";
+        Group = "gocamo";
+        LoadCredential = [
+          "hmac:${cfg.keyFile}"
+        ];
+      };
+    };
+  };
+}
diff --git a/nixos/tests/go-camo.nix b/nixos/tests/go-camo.nix
new file mode 100644
index 000000000000..513964c31c43
--- /dev/null
+++ b/nixos/tests/go-camo.nix
@@ -0,0 +1,30 @@
+{ system ? builtins.currentSystem, config ? { }
+, pkgs ? import ../.. { inherit system config; } }:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+{
+  gocamo_file_key = let
+      key_val = "12345678";
+    in
+    makeTest {
+    name = "go-camo-file-key";
+    meta = {
+      maintainers = [ pkgs.lib.maintainers.viraptor ];
+    };
+
+    nodes.machine = { config, pkgs, ... }: {
+      services.go-camo = {
+        enable = true;
+        keyFile = pkgs.writeText "foo" key_val;
+      };
+    };
+
+    # go-camo responds to http requests
+    testScript = ''
+      machine.wait_for_unit("go-camo.service")
+      machine.wait_for_open_port(8080)
+      machine.succeed("curl http://localhost:8080")
+    '';
+  };
+}