Update from update-inputs-2024-09-12-04-20

config/hosts/seras/configuration.nix

@@ -20,4 +20,11 @@
       "2a0f:be01:0:100::169/128" 
     ];
   };
+
+  kyouma.ooklaserver = {
+    enable = true;
+    openFirewall = true;
+    domain = "speedtest.kyouma.net";
+    settings.openSSL.server.minimumTLSProtocol = "1.3";
+  };
 }

flake.lock

@@ -11,11 +11,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1725815284,
+        "lastModified": 1726069220,
-        "narHash": "sha256-nVWCR86XDjx9Tq6RHsNvhD03nNzIeKKc7UTPnXLyrDY=",
+        "narHash": "sha256-dAUWlC8uMJX9iovycfvJcg5nm3PzqJIRAOwN4z322zM=",
         "owner": "zhaofengli",
         "repo": "attic",
-        "rev": "aec90814a4ecbc40171d57eeef97c5cab4aaa7b4",
+        "rev": "416687e59c4f0b32742423458cab2c5ff8fe748a",
         "type": "github"
       },
       "original": {
@@ -569,11 +569,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1725948275,
+        "lastModified": 1726036828,
-        "narHash": "sha256-4QOPemDQ9VRLQaAdWuvdDBhh+lEUOAnSMHhdr4nS1mk=",
+        "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e5fa72bad0c6f533e8d558182529ee2acc9454fe",
+        "rev": "8a1671642826633586d12ac3158e463c7a50a112",
         "type": "github"
       },
       "original": {
@@ -922,11 +922,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1725634671,
+        "lastModified": 1725983898,
-        "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
+        "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
+        "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
         "type": "github"
       },
       "original": {
@@ -953,11 +953,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1726000537,
+        "lastModified": 1726027257,
-        "narHash": "sha256-Y1dEuf2wZkg2rhE8sf73x9K0zknUald4Ia6zXnGEfjg=",
+        "narHash": "sha256-hsdIfpIB5wzEehgOSaifBJwY3Tn0P0wiU9pTf8nRBQc=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "fc7e9b29271a03459191955f78d4128451b7cd81",
+        "rev": "11c133e89e4090c43445a2c3b5af2322831d7219",
         "type": "github"
       },
       "original": {

flake.nix

@@ -7,7 +7,6 @@
     attic = {
       url = "github:zhaofengli/attic";
       inputs.nixpkgs.follows = "nixpkgs";
-      inputs.flake-utils.follows = "flake-utils";
     };
     disko = {
       url = "github:nix-community/disko";

modules/default.nix

@@ -4,6 +4,7 @@
     ./graphical
     ./machine-type
     ./nginx
+    ./ooklaserver
     ./update-nixfiles
   ];
 }

modules/ooklaserver/default.nix

@@ -0,0 +1,169 @@
+{ config, lib, pkgs, ... }: 
+let
+  cfg = config.kyouma.ooklaserver;
+in {
+  options = {
+    kyouma.ooklaserver = let 
+      inherit (lib) mkOption types;
+    in {
+      enable = lib.mkEnableOption "ookla speedtest server";
+      package = lib.mkPackageOption pkgs "ooklaserver" {};
+      domain = mkOption {
+        description = "Domain to use.";
+        default = null;
+        type = with types; nullOr nonEmptyStr;
+      };
+      openFirewall = mkOption {
+        description = "Whether to open the firewall for the specified ports.";
+        default = false;
+        type = types.bool;
+      };
+      tcpPorts = mkOption {
+        description = ''
+          The server listens on TCP port 5060 and 8080 by default. These ports are required for
+          speedtest.net servers, although more can be added.
+        '';
+        default = [ 5060 8080 ];
+        type = with types; listOf port;
+      };
+      udpPorts = mkOption {
+        description = ''
+          The server listens on UDP port 5060 and 8080 by default. These ports are required for
+          speedtest.net servers, although more can be added.
+        '';
+        default = [ 5060 8080 ];
+        type = with types; listOf port;
+      };
+      settings = mkOption {
+        description = ''
+          OoklaServer configuration written as Nix expression.
+          Comma seperated values should be written as list.
+        '';
+        default = {};
+        type = with lib.types; let 
+          valueType = nullOr (oneOf [
+            bool
+            int
+            str
+            (attrsOf valueType)
+            (listOf (oneOf [ port str ]))
+          ]);
+        in valueType;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    security.acme.certs.${cfg.domain} = {
+      reloadServices = [ "ooklaserver.service" ];
+      webroot = "/var/lib/acme/acme-challenge";
+    };
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedUDPPorts = cfg.udpPorts;
+      allowedTCPPorts = cfg.tcpPorts;
+    };
+
+    kyouma.ooklaserver.settings = let
+      inherit (lib) mkDefault;
+    in {
+      OoklaServer = {
+        inherit (cfg) tcpPorts udpPorts;
+        enableAutoUpdate = false;
+        ssl.useLetsEncrypt = false;
+        useIPv6 = mkDefault true;
+        allowedDomains = mkDefault [ "*.ookla.com" "*.speedtest.net" ];
+        userAgentFilterEnabled = mkDefault true;
+        workerThreadPool = {
+          capacity = mkDefault 30000;
+          stackSizeBytes = mkDefault 102400;
+        };
+        ipTracking = {
+          gcIntervalMinutes = mkDefault 5;
+          maxIdleAgeMinutes = mkDefault 35;
+          slidingWindowBucketLengthMinutes = mkDefault 5;
+          metricTopIpCount = mkDefault 5;
+          maxConnPerIp = mkDefault 500;
+          maxConnPerBucketPerIp = mkDefault 20000;
+        };
+        clientAuthToken.denyInvalid = mkDefault true;
+        websocket.frameSizeLimitBytes = mkDefault 5242880;
+        http.maxHeadersSize = mkDefault 65536;
+      };
+      openSSL.server = {
+        certificateFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/cert.pem";
+        privateKeyFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/key.pem";
+        minimumTLSProtocol = mkDefault "1.2";
+      };
+      logging.loggers.app = {
+        name = mkDefault "Application";
+        channel = {
+          class = mkDefault "ConsoleChannel";
+          pattern = mkDefault "[%p] %t";
+        };
+        level = mkDefault "information";
+      };
+    };
+
+    systemd.services.ooklaserver = let 
+      configFile = let
+        anyToString = arg: if (lib.isBool arg) then
+          lib.boolToString arg
+        else if (lib.isList arg) then 
+          lib.concatStringsSep "," (map (val: toString val) arg)
+        else toString arg;
+      in
+        with lib; lib.pipe cfg.settings [
+        (mapAttrsRecursive (path: val: "${concatStringsSep "." path} = ${anyToString val}"))
+        (collect isString)
+        (concatLines)
+        (pkgs.writeTextDir "bin/OoklaServer.properties")
+      ];
+      packageWithCfg = pkgs.symlinkJoin {
+        name = "${cfg.package.name}-with-config";
+        paths = [ cfg.package configFile ];
+      };
+    in {
+      description = "Ookla speedtest server daemon";
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+
+        User = "ooklaserver";
+        Group = "ooklaserver";
+        DynamicUser = true;
+
+        LoadCredential = [
+          "cert.pem:${config.security.acme.certs.${cfg.domain}.directory}/cert.pem"
+          "key.pem:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+        ];
+        ExecStart = "${packageWithCfg}/bin/OoklaServer"; 
+        WorkingDirectory = packageWithCfg;
+        SyslogIdentifier = "ooklaserver";
+
+        ReadOnlyPaths = [ packageWithCfg ];
+        RestrictSUIDSGID = true;
+        RestrictNamespaces = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectProc = "invisible";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        SystemCallErrorNumber = "EPERM";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+      };
+    };
+  };
+}

pkgs/update-nixfiles/update-nixfiles.sh

@@ -42,7 +42,7 @@ wait_for_hydra () {
   local hydra_rev
   local counter
   counter=0
-  git_rev="$(gitin rev-parse update-inputs)"
+  git_rev="$(git -C "${ROOT}/nixfiles" rev-parse update-inputs)"
   while true; do
     hydra_rev="$(curl -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")"
     if [[ "${git_rev}" == "${hydra_rev}" ]]; then