From 8785ba394d1c73ea7016044d3d0a9c49221ee575 Mon Sep 17 00:00:00 2001 From: Defelo Date: Sat, 11 Jan 2025 15:55:02 +0100 Subject: [PATCH 1/3] echoip: unstable-2021-08-03 -> unstable-2023-05-21 --- pkgs/by-name/ec/echoip/package.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/pkgs/by-name/ec/echoip/package.nix b/pkgs/by-name/ec/echoip/package.nix index 7c8d1f13114b..688237ecbba1 100644 --- a/pkgs/by-name/ec/echoip/package.nix +++ b/pkgs/by-name/ec/echoip/package.nix @@ -7,13 +7,13 @@ buildGoModule { pname = "echoip"; - version = "unstable-2021-08-03"; + version = "unstable-2023-05-21"; src = fetchFromGitHub { owner = "mpolden"; repo = "echoip"; - rev = "ffa6674637a5bf906d78ae6675f9a4680a78ab7b"; - sha256 = "sha256-yN7PIwoIi2SPwwFWnHDoXnwvKohkPPf4kVsNxHLpqCE="; + rev = "d84665c26cf7df612061e9c35abe325ba9d86b8d"; + hash = "sha256-7qc1NZu0hC1np/EKf5fU5Cnd7ikC1+tIrYOXhxK/++Y="; }; vendorHash = "sha256-lXYpkeGpBK+WGHqyLxJz7kS3t7a55q55QQLTqtxzroc="; @@ -26,15 +26,14 @@ buildGoModule { --add-flags "-t $out/share/echoip/html" ''; - doCheck = false; - - meta = with lib; { + meta = { description = "IP address lookup service"; homepage = "https://github.com/mpolden/echoip"; - license = licenses.bsd3; - maintainers = with maintainers; [ + license = lib.licenses.bsd3; + maintainers = with lib.maintainers; [ rvolosatovs SuperSandro2000 + defelo ]; mainProgram = "echoip"; }; From 6a6d7de921636776f024e80e9f57f205a46cb734 Mon Sep 17 00:00:00 2001 From: Defelo Date: Sat, 11 Jan 2025 16:57:41 +0100 Subject: [PATCH 2/3] nixos/echoip: init module --- .../manual/release-notes/rl-2505.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/services/web-apps/echoip.nix | 121 ++++++++++++++++++ 3 files changed, 124 insertions(+) create mode 100644 nixos/modules/services/web-apps/echoip.nix diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index c4b58c97b254..1193be34eb82 100644 
--- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md @@ -93,6 +93,8 @@ - [InputPlumber](https://github.com/ShadowBlip/InputPlumber/), an open source input router and remapper daemon for Linux. Available as [services.inputplumber](#opt-services.inputplumber.enable). +- [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable). + - [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard). - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable). diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index b5b6fd8c0e2f..9dcb07248e5c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -1458,6 +1458,7 @@ ./services/web-apps/documize.nix ./services/web-apps/dokuwiki.nix ./services/web-apps/dolibarr.nix + ./services/web-apps/echoip.nix ./services/web-apps/eintopf.nix ./services/web-apps/engelsystem.nix ./services/web-apps/ethercalc.nix diff --git a/nixos/modules/services/web-apps/echoip.nix b/nixos/modules/services/web-apps/echoip.nix new file mode 100644 index 000000000000..4bfba2ae138a --- /dev/null +++ b/nixos/modules/services/web-apps/echoip.nix 
@@ -0,0 +1,121 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.echoip;
+in
+{
+ meta.maintainers = with lib.maintainers; [ defelo ];
+
+ options.services.echoip = {
+ enable = lib.mkEnableOption "echoip";
+
+ package = lib.mkPackageOption pkgs "echoip" { };
+
+ virtualHost = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ description = ''
+ Name of the nginx virtual host to use and setup. If null, do not setup anything.
+ '';
+ default = null;
+ };
+
+ extraArgs = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "Extra command line arguments to pass to echoip. See for details.";
+ default = [ ];
+ };
+
+ listenAddress = lib.mkOption {
+ type = lib.types.str;
+ description = "The address echoip should listen on";
+ default = ":8080";
+ example = "127.0.0.1:8000";
+ };
+
+ enablePortLookup = lib.mkEnableOption "port lookup";
+
+ enableReverseHostnameLookups = lib.mkEnableOption "reverse hostname lookups";
+
+ remoteIpHeader = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ description = "Header to trust for remote IP, if present";
+ default = null;
+ example = "X-Real-IP";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.echoip = {
+ wantedBy = [ "multi-user.target" ];
+
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ serviceConfig = {
+ User = "echoip";
+ Group = "echoip";
+ DynamicUser = true;
+ ExecStart = lib.escapeShellArgs (
+ [
+ (lib.getExe cfg.package)
+ "-l"
+ cfg.listenAddress
+ ]
+ ++ lib.optional cfg.enablePortLookup "-p"
+ ++ lib.optional cfg.enableReverseHostnameLookups "-r"
+ ++ lib.optionals (cfg.remoteIpHeader != null) [
+ "-H"
+ cfg.remoteIpHeader
+ ]
+ ++ cfg.extraArgs
+ );
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_UNIX" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + }; + }; + + services.nginx = lib.mkIf (cfg.virtualHost != null) { + enable = true; + virtualHosts.${cfg.virtualHost} = { + locations."/" = { + proxyPass = "http://${cfg.listenAddress}"; + recommendedProxySettings = true; + }; + }; + }; + + services.echoip = lib.mkIf (cfg.virtualHost != null) { + listenAddress = lib.mkDefault "127.0.0.1:8080"; + remoteIpHeader = "X-Real-IP"; + }; + }; +} From 96dd35f07d7f362d821a2a33a450ec8815abce24 Mon Sep 17 00:00:00 2001 From: Defelo Date: Sat, 11 Jan 2025 16:57:57 +0100 Subject: [PATCH 3/3] nixos/tests/echoip: init --- nixos/tests/all-tests.nix | 1 + nixos/tests/echoip.nix | 29 +++++++++++++++++++++++++++++ pkgs/by-name/ec/echoip/package.nix | 5 +++++ 3 files changed, 35 insertions(+) create mode 100644 nixos/tests/echoip.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index be546f2acc3a..5d6d92415bfd 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -294,6 +294,7 @@ in { early-mount-options = handleTest ./early-mount-options.nix {}; ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {}; ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {}; + echoip = handleTest ./echoip.nix {}; ecryptfs = handleTest ./ecryptfs.nix {}; fscrypt = handleTest ./fscrypt.nix {}; fastnetmon-advanced = runTest ./fastnetmon-advanced.nix; diff --git a/nixos/tests/echoip.nix b/nixos/tests/echoip.nix new file mode 100644 index 000000000000..036018b26438 --- /dev/null +++ b/nixos/tests/echoip.nix 
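Review bot: In nixos/modules/services/web-apps/echoip.nix, setting `virtualHost` forces `remoteIpHeader = "X-Real-IP"` but sets `listenAddress` only through `lib.mkDefault`, so a configuration that overrides `listenAddress` with a non-loopback address leaves echoip trusting a client-supplied header on a port that can be reached without going through nginx. The same holds for anyone who sets `remoteIpHeader` by hand while keeping the option default `":8080"`, which presumably binds every interface. I would extend the option description to something like `Header to trust for the remote IP. Only set this when echoip is reachable solely through a reverse proxy that overwrites the header.` and consider an assertion or warning when `virtualHost` is combined with a wildcard listen address. Separately, `proxyPass = "http://${cfg.listenAddress}"` produces a host-less URL such as `http://:8080` if the user supplies the port-only form that the option default itself uses.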
@@ -0,0 +1,29 @@ +import ./make-test-python.nix ( + { lib, ... }: + { + name = "echoip"; + meta.maintainers = with lib.maintainers; [ defelo ]; + + nodes.machine = { + services.echoip = { + enable = true; + virtualHost = "echoip.local"; + }; + + networking.hosts = { + "127.0.0.1" = [ "echoip.local" ]; + "::1" = [ "echoip.local" ]; + }; + }; + + testScript = '' + machine.wait_for_unit("echoip.service") + machine.wait_for_open_port(8080) + + resp = machine.succeed("curl -4 http://echoip.local/ip") + assert resp.strip() == "127.0.0.1" + resp = machine.succeed("curl -6 http://echoip.local/ip") + assert resp.strip() == "::1" + ''; + } +) diff --git a/pkgs/by-name/ec/echoip/package.nix b/pkgs/by-name/ec/echoip/package.nix index 688237ecbba1..0b533cc7b3b2 100644 --- a/pkgs/by-name/ec/echoip/package.nix +++ b/pkgs/by-name/ec/echoip/package.nix @@ -3,6 +3,7 @@ buildGoModule, fetchFromGitHub, makeWrapper, + nixosTests, }: buildGoModule { @@ -26,6 +27,10 @@ buildGoModule { --add-flags "-t $out/share/echoip/html" ''; + passthru = { + tests = { inherit (nixosTests) echoip; }; + }; + meta = { description = "IP address lookup service"; homepage = "https://github.com/mpolden/echoip";
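Review bot: The `testScript` in nixos/tests/echoip.nix waits only for echoip.service and port 8080 before sending requests through nginx, so the first `curl` can race nginx start-up; adding `machine.wait_for_unit("nginx.service")` and `machine.wait_for_open_port(80)` would make it deterministic. Because the module enables `-H X-Real-IP` whenever `virtualHost` is set, this test is also the natural place to pin that a client-supplied header is not echoed back, for example `resp = machine.succeed("curl -4 -H 'X-Real-IP: 203.0.113.1' http://echoip.local/ip")` followed by `assert resp.strip() == "127.0.0.1"` (the address is a constructed documentation-range value). That check assumes the nginx proxy settings overwrite the header, which the existing assertions suggest but do not cover for the supplied-header case.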