nixos/echoip: init module (#372970)

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -95,6 +95,8 @@
 
 - [InputPlumber](https://github.com/ShadowBlip/InputPlumber/), an open source input router and remapper daemon for Linux. Available as [services.inputplumber](#opt-services.inputplumber.enable).
 
+- [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable).
+
 - [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard).
 
 - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable).

nixos/modules/module-list.nix

@@ -1465,6 +1465,7 @@
   ./services/web-apps/documize.nix
   ./services/web-apps/dokuwiki.nix
   ./services/web-apps/dolibarr.nix
+  ./services/web-apps/echoip.nix
   ./services/web-apps/eintopf.nix
   ./services/web-apps/engelsystem.nix
   ./services/web-apps/ethercalc.nix

nixos/modules/services/web-apps/echoip.nix

@@ -0,0 +1,121 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.echoip;
+in
+{
+  meta.maintainers = with lib.maintainers; [ defelo ];
+
+  options.services.echoip = {
+    enable = lib.mkEnableOption "echoip";
+
+    package = lib.mkPackageOption pkgs "echoip" { };
+
+    virtualHost = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      description = ''
+        Name of the nginx virtual host to use and setup. If null, do not setup anything.
+      '';
+      default = null;
+    };
+
+    extraArgs = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      description = "Extra command line arguments to pass to echoip. See <https://github.com/mpolden/echoip> for details.";
+      default = [ ];
+    };
+
+    listenAddress = lib.mkOption {
+      type = lib.types.str;
+      description = "The address echoip should listen on";
+      default = ":8080";
+      example = "127.0.0.1:8000";
+    };
+
+    enablePortLookup = lib.mkEnableOption "port lookup";
+
+    enableReverseHostnameLookups = lib.mkEnableOption "reverse hostname lookups";
+
+    remoteIpHeader = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      description = "Header to trust for remote IP, if present";
+      default = null;
+      example = "X-Real-IP";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.echoip = {
+      wantedBy = [ "multi-user.target" ];
+
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+
+      serviceConfig = {
+        User = "echoip";
+        Group = "echoip";
+        DynamicUser = true;
+        ExecStart = lib.escapeShellArgs (
+          [
+            (lib.getExe cfg.package)
+            "-l"
+            cfg.listenAddress
+          ]
+          ++ lib.optional cfg.enablePortLookup "-p"
+          ++ lib.optional cfg.enableReverseHostnameLookups "-r"
+          ++ lib.optionals (cfg.remoteIpHeader != null) [
+            "-H"
+            cfg.remoteIpHeader
+          ]
+          ++ cfg.extraArgs
+        );
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+      };
+    };
+
+    services.nginx = lib.mkIf (cfg.virtualHost != null) {
+      enable = true;
+      virtualHosts.${cfg.virtualHost} = {
+        locations."/" = {
+          proxyPass = "http://${cfg.listenAddress}";
+          recommendedProxySettings = true;
+        };
+      };
+    };
+
+    services.echoip = lib.mkIf (cfg.virtualHost != null) {
+      listenAddress = lib.mkDefault "127.0.0.1:8080";
+      remoteIpHeader = "X-Real-IP";
+    };
+  };
+}

nixos/tests/all-tests.nix

@@ -294,6 +294,7 @@ in {
   early-mount-options = handleTest ./early-mount-options.nix {};
   ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
   ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
+  echoip = handleTest ./echoip.nix {};
   ecryptfs = handleTest ./ecryptfs.nix {};
   fscrypt = handleTest ./fscrypt.nix {};
   fastnetmon-advanced = runTest ./fastnetmon-advanced.nix;

nixos/tests/echoip.nix

@@ -0,0 +1,29 @@
+import ./make-test-python.nix (
+  { lib, ... }:
+  {
+    name = "echoip";
+    meta.maintainers = with lib.maintainers; [ defelo ];
+
+    nodes.machine = {
+      services.echoip = {
+        enable = true;
+        virtualHost = "echoip.local";
+      };
+
+      networking.hosts = {
+        "127.0.0.1" = [ "echoip.local" ];
+        "::1" = [ "echoip.local" ];
+      };
+    };
+
+    testScript = ''
+      machine.wait_for_unit("echoip.service")
+      machine.wait_for_open_port(8080)
+
+      resp = machine.succeed("curl -4 http://echoip.local/ip")
+      assert resp.strip() == "127.0.0.1"
+      resp = machine.succeed("curl -6 http://echoip.local/ip")
+      assert resp.strip() == "::1"
+    '';
+  }
+)

pkgs/by-name/ec/echoip/package.nix

@@ -3,17 +3,18 @@
   buildGoModule,
   fetchFromGitHub,
   makeWrapper,
+  nixosTests,
 }:
 
 buildGoModule {
   pname = "echoip";
-  version = "unstable-2021-08-03";
+  version = "unstable-2023-05-21";
 
   src = fetchFromGitHub {
     owner = "mpolden";
     repo = "echoip";
-    rev = "ffa6674637a5bf906d78ae6675f9a4680a78ab7b";
+    rev = "d84665c26cf7df612061e9c35abe325ba9d86b8d";
-    sha256 = "sha256-yN7PIwoIi2SPwwFWnHDoXnwvKohkPPf4kVsNxHLpqCE=";
+    hash = "sha256-7qc1NZu0hC1np/EKf5fU5Cnd7ikC1+tIrYOXhxK/++Y=";
   };
 
   vendorHash = "sha256-lXYpkeGpBK+WGHqyLxJz7kS3t7a55q55QQLTqtxzroc=";
@@ -26,15 +27,18 @@ buildGoModule {
       --add-flags "-t $out/share/echoip/html"
   '';
 
-  doCheck = false;
+  passthru = {
+    tests = { inherit (nixosTests) echoip; };
+  };
 
-  meta = with lib; {
+  meta = {
     description = "IP address lookup service";
     homepage = "https://github.com/mpolden/echoip";
-    license = licenses.bsd3;
+    license = lib.licenses.bsd3;
-    maintainers = with maintainers; [
+    maintainers = with lib.maintainers; [
       rvolosatovs
       SuperSandro2000
+      defelo
     ];
     mainProgram = "echoip";
   };