{ config, lib, pkgs, ... }:

with lib;

let
  # The ngit-grasp binary itself. Evaluated once in this `let`, so every
  # instance declared under services.ngit-grasp shares a single build.
  ngit-grasp = pkgs.rustPlatform.buildRustPackage {
    pname = "ngit-grasp";
    version = "0.1.0";

    # Repository root (this module lives in nix/).
    src = ../.;

    cargoLock = {
      lockFile = ../Cargo.lock;
      # Pins the content hash of the git-sourced nostr crate; it has to be
      # refreshed whenever that dependency is bumped in Cargo.lock.
      outputHashes = {
        "nostr-0.44.1" = "sha256-DwcWmwxNUQRR32E3hqbm7PNkGdK8LB3sGtH1Zfrkigk=";
      };
    };

    nativeBuildInputs = [ pkgs.pkg-config ];
    buildInputs = [ pkgs.openssl ];

    # The test suite shells out to git, which is not on PATH inside the Nix
    # build sandbox; the tests are run from the dev environment and in CI.
    doCheck = false;
  };

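  # Option schema for one instance. `name` is the attribute name under
  # services.ngit-grasp and seeds the dataDir and user defaults. Integer
  # tunables are durations and counts, so they are typed unsigned: a negative
  # value is a configuration error and is rejected at evaluation time rather
  # than handed to the daemon.
  instanceOptions = { name, ... }: {
    options = {
      enable = mkEnableOption "this ngit-grasp instance";

      domain = mkOption {
        type = types.str;
        example = "ngit.example.com";
        description = ''
          Domain this relay is hosted under. Exported as NGIT_DOMAIN and used
          in GRASP validation, so it must match the name clients connect to.
        '';
      };

      bindAddress = mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = ''
          IP address to bind to. The default accepts only local connections,
          which suits a deployment behind a TLS-terminating reverse proxy;
          bind a public address only if exposing the plaintext listener
          directly is intended.
        '';
      };

      port = mkOption {
        type = types.port;
        default = 8080;
        description = "Port to listen on";
      };

      dataDir = mkOption {
        type = types.path;
        default = "/var/lib/ngit-grasp-${name}";
        description = ''
          Base directory for data storage. Git data lives in `git/` and relay
          data in `relay/` below it; the directories are created at boot,
          mode 0750, owned by `user`:`group`. Prefer a string over a bare
          Nix path literal so the directory is never copied into the store.
        '';
      };

      relayName = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "My GRASP Relay";
        description =
          "Relay name for NIP-11 (defaults to \${domain} grasp relay)";
      };

      relayDescription = mkOption {
        type = types.str;
        default = "Git Nostr Relay - a grasp implementation";
        description = "Relay description for NIP-11";
      };

      relayOwnerNsecFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/persistent/ngit-grasp/relay-owner.nsec";
        description = ''
          Path to a file containing the relay owner's nsec (private key).
          This is the preferred way to supply the key: it is read at service
          start and does not enter the Nix store.

          Give the path as a string (as in the example), not as a Nix path
          literal such as `./relay-owner.nsec`; a path literal is copied into
          the world-readable Nix store at evaluation time. The file is read
          as `user`, so it must be readable by that account.

          If the file does not exist, ngit-grasp auto-generates a random nsec
          and saves it. Takes precedence over relayOwnerNsec if both are set.
        '';
      };

      relayOwnerNsec = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "nsec1...";
        description = ''
          Relay owner's nsec (private key) for signing and authentication.
          Less secure than relayOwnerNsecFile: the value is written into the
          systemd unit and therefore into the world-readable Nix store.
          Only used if relayOwnerNsecFile is not set.
        '';
      };

      syncBootstrapRelayUrl = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "wss://relay.ngit.dev";
        description = "Bootstrap relay URL to sync from on startup (optional)";
      };

      databaseBackend = mkOption {
        type = types.enum [ "lmdb" "nostr-db" "memory" ];
        default = "lmdb";
        description = ''
          Database backend type:
          - lmdb: LMDB backend (persistent, general purpose)
          - nostr-db: NostrDB backend (persistent, optimized for Nostr)
          - memory: In-memory database (fastest, no persistence)
        '';
      };

      metricsEnabled = mkOption {
        type = types.bool;
        default = true;
        description = "Enable Prometheus metrics endpoint at /metrics";
      };

      metricsConnectionPerIpAbuseThreshold = mkOption {
        type = types.ints.unsigned;
        default = 10;
        description =
          "Connections per IP before flagging as potential abuse in metrics";
      };

      metricsTopNRepos = mkOption {
        type = types.ints.unsigned;
        default = 10;
        description = "Number of top bandwidth repos to track in metrics";
      };

      logLevel = mkOption {
        type = types.enum [ "trace" "debug" "info" "warn" "error" ];
        default = "info";
        description = "Logging level for RUST_LOG environment variable";
      };

      syncMaxBackoffSecs = mkOption {
        type = types.ints.unsigned;
        default = 3600;
        description =
          "Maximum backoff time in seconds for sync relay reconnection (default: 1 hour)";
      };

      syncDisconnectCheckIntervalSecs = mkOption {
        type = types.ints.unsigned;
        default = 60;
        description = "Interval in seconds for checking disconnected relays";
      };

      syncBaseBackoffSecs = mkOption {
        type = types.ints.unsigned;
        default = 5;
        description = "Base backoff time in seconds for relay reconnection";
      };

      syncDisableNegentropy = mkOption {
        type = types.bool;
        default = false;
        description = "Disable NIP-77 negentropy sync (use REQ+EOSE instead)";
      };

      rejectedHotCacheDurationSecs = mkOption {
        type = types.ints.unsigned;
        default = 120;
        description =
          "Hot cache duration in seconds for rejected announcements (default: 2 minutes)";
      };

      rejectedColdIndexExpirySecs = mkOption {
        type = types.ints.unsigned;
        default = 604800;
        description =
          "Cold index expiry in seconds for rejected announcements (default: 7 days)";
      };

      naughtyListExpirationHours = mkOption {
        type = types.ints.unsigned;
        default = 12;
        description = "Hours before removing relay from naughty list";
      };

      user = mkOption {
        type = types.str;
        default = "ngit-grasp-${name}";
        description = ''
          User account under which this instance runs. Created as a system
          user with dataDir as its home.
        '';
      };

      group = mkOption {
        type = types.str;
        default = "ngit-grasp";
        description =
          "Group under which this instance runs (shared by all instances by default)";
      };
    };
  };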

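  # Build the systemd.services.<unit> definition for one instance.
  # `name` is the attribute name under services.ngit-grasp, `cfg` its
  # resolved options.
  mkService = name: cfg:
    let
      # toString rather than "${cfg.dataDir}": interpolating a Nix *path*
      # value into a string copies the directory into the Nix store.
      dataDir = toString cfg.dataDir;

      # Start wrapper used when relayOwnerNsecFile is set. The key reaches the
      # daemon through NGIT_RELAY_OWNER_NSEC (the same variable the inline
      # relayOwnerNsec option uses), never as a command-line argument: argv is
      # readable by every local user via /proc/<pid>/cmdline and `ps`, while
      # the environment is readable only by the service user and root. A
      # missing or empty file is skipped so the daemon falls back to
      # generating its own key, as relayOwnerNsecFile documents. The path is
      # shell-escaped and read with a bash builtin, so the wrapper needs
      # nothing from PATH.
      nsecFile = escapeShellArg (toString cfg.relayOwnerNsecFile);
      startWithNsecFile = pkgs.writeShellScript "ngit-grasp-${name}-start" ''
        if [ -s ${nsecFile} ]; then
          NGIT_RELAY_OWNER_NSEC="$(< ${nsecFile})"
          export NGIT_RELAY_OWNER_NSEC
        fi
        # exec so systemd supervises ngit-grasp itself, not the shell.
        exec ${ngit-grasp}/bin/ngit-grasp "$@"
      '';
    in {
      description = "ngit-grasp GRASP relay (${name})";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      # Every tunable reaches the daemon as an NGIT_* variable. Optional
      # settings are exported only when configured so the daemon's own
      # defaults apply otherwise. Note that this block is written into the
      # unit file, which lives in the world-readable Nix store.
      environment = {
        NGIT_DOMAIN = cfg.domain;
        NGIT_BIND_ADDRESS = "${cfg.bindAddress}:${toString cfg.port}";
        NGIT_GIT_DATA_PATH = "${dataDir}/git";
        NGIT_RELAY_DATA_PATH = "${dataDir}/relay";
        NGIT_RELAY_DESCRIPTION = cfg.relayDescription;
        NGIT_DATABASE_BACKEND = cfg.databaseBackend;
        NGIT_METRICS_CONNECTION_PER_IP_ABUSE_THRESHOLD =
          toString cfg.metricsConnectionPerIpAbuseThreshold;
        NGIT_METRICS_TOP_N_REPOS = toString cfg.metricsTopNRepos;
        NGIT_SYNC_MAX_BACKOFF_SECS = toString cfg.syncMaxBackoffSecs;
        NGIT_SYNC_DISCONNECT_CHECK_INTERVAL_SECS =
          toString cfg.syncDisconnectCheckIntervalSecs;
        NGIT_SYNC_BASE_BACKOFF_SECS = toString cfg.syncBaseBackoffSecs;
        NGIT_REJECTED_HOT_CACHE_DURATION_SECS =
          toString cfg.rejectedHotCacheDurationSecs;
        NGIT_REJECTED_COLD_INDEX_EXPIRY_SECS =
          toString cfg.rejectedColdIndexExpirySecs;
        NGIT_NAUGHTY_LIST_EXPIRATION_HOURS =
          toString cfg.naughtyListExpirationHours;
        RUST_LOG = cfg.logLevel;
      } // optionalAttrs (cfg.relayName != null) {
        NGIT_RELAY_NAME = cfg.relayName;
      } // optionalAttrs cfg.metricsEnabled { NGIT_METRICS_ENABLED = "true"; }
        // optionalAttrs (cfg.syncBootstrapRelayUrl != null) {
          NGIT_SYNC_BOOTSTRAP_RELAY_URL = cfg.syncBootstrapRelayUrl;
        } // optionalAttrs cfg.syncDisableNegentropy {
          NGIT_SYNC_DISABLE_NEGENTROPY = "true";
        } // optionalAttrs
        (cfg.relayOwnerNsec != null && cfg.relayOwnerNsecFile == null) {
          # Inline key; the file-based option wins when both are set. This
          # embeds the private key in the unit file in the Nix store.
          NGIT_RELAY_OWNER_NSEC = cfg.relayOwnerNsec;
        };

      serviceConfig = {
        Type = "simple";
        User = cfg.user;
        Group = cfg.group;

        # Working directory where .relay-owner.nsec is created when no key
        # is configured.
        WorkingDirectory = dataDir;

        # git, openssh and coreutils are needed on PATH for purgatory sync
        # operations.
        Environment =
          "PATH=${pkgs.git}/bin:${pkgs.openssh}/bin:${pkgs.coreutils}/bin";

        ExecStart = if cfg.relayOwnerNsecFile != null then
          "${startWithNsecFile}"
        else
          # No key configured: ngit-grasp auto-generates one and stores it
          # as .relay-owner.nsec in dataDir.
          "${ngit-grasp}/bin/ngit-grasp";

        # Restart policy
        Restart = "always";
        RestartSec = "10s";

        # Filesystem hardening: everything read-only except dataDir. Keep
        # the key file out of /home, /root and /run/user, which ProtectHome
        # hides from the service.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        ReadWritePaths = [ dataDir ];

        # Keep the key file read-only even if it lives inside dataDir. The
        # leading "-" makes systemd ignore a path that does not exist, which
        # is the documented auto-generate case; without it the unit would
        # fail to start.
        ReadOnlyPaths = optionals (cfg.relayOwnerNsecFile != null)
          [ "-${toString cfg.relayOwnerNsecFile}" ];

        # Kernel / process isolation. ProtectProc=invisible also hides other
        # users' processes (and their environments) from the service.
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        PrivateDevices = true;

        # Capabilities: none, in the bounding set or ambient.
        CapabilityBoundingSet = "";
        AmbientCapabilities = "";

        # System call filtering
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
        SystemCallErrorNumber = "EPERM";
      };

      # Directory creation is handled by systemd tmpfiles (see config below).
    };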

  # The subset of services.ngit-grasp instances whose `enable` is set;
  # everything in the config section below is derived from this map.
  enabledInstances = filterAttrs (_name: instance: instance.enable)
    config.services.ngit-grasp;

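in {
  options.services.ngit-grasp = mkOption {
    type = types.attrsOf (types.submodule instanceOptions);
    default = { };
    description = ''
      ngit-grasp GRASP relay instances.

      Multiple instances can be configured with different domains and ports.
      Each instance runs as a separate systemd service.
    '';
    example = literalExpression ''
      {
        production = {
          enable = true;
          domain = "ngit.example.com";
          port = 8082;
          dataDir = "/persistent/ngit-production";
        };

        testing = {
          enable = true;
          domain = "ngit-test.example.com";
          port = 8083;
          dataDir = "/persistent/ngit-testing";
        };
      }
    '';
  };

  config = mkIf (enabledInstances != { }) {
    # Reject configurations in which two enabled instances would collide on
    # the listener or on disk; the second one would otherwise fail at boot
    # (or, for a shared dataDir, corrupt the first one's state).
    assertions = let
      listeners = mapAttrsToList
        (_: cfg: "${cfg.bindAddress}:${toString cfg.port}") enabledInstances;
      dataDirs = mapAttrsToList (_: cfg: toString cfg.dataDir) enabledInstances;
    in [
      {
        assertion = length (unique listeners) == length listeners;
        message =
          "services.ngit-grasp: two enabled instances share the same bindAddress:port.";
      }
      {
        assertion = length (unique dataDirs) == length dataDirs;
        message =
          "services.ngit-grasp: two enabled instances share the same dataDir.";
      }
    ];

    # An inline nsec is written into the unit file and hence into the
    # world-readable Nix store; say so at evaluation time.
    warnings = mapAttrsToList (name: _:
      "services.ngit-grasp.${name}.relayOwnerNsec places the relay's private key in the Nix store; prefer relayOwnerNsecFile.")
      (filterAttrs
        (_: cfg: cfg.relayOwnerNsec != null && cfg.relayOwnerNsecFile == null)
        enabledInstances);

    # One system user per enabled instance.
    users.users = mapAttrs' (name: cfg:
      nameValuePair cfg.user {
        isSystemUser = true;
        group = cfg.group;
        description = "ngit-grasp service user (${name})";
        home = toString cfg.dataDir;
      }) enabledInstances;

    # Every group referenced by an enabled instance (not only the shared
    # default), so an instance with a custom `group` does not point its user
    # at a group that was never created.
    users.groups = listToAttrs (map (g: nameValuePair g { })
      (unique (mapAttrsToList (_: cfg: cfg.group) enabledInstances)));

    # One systemd service per enabled instance.
    systemd.services = mapAttrs'
      (name: cfg: nameValuePair "ngit-grasp-${name}" (mkService name cfg))
      enabledInstances;

    # Data directories, created by systemd-tmpfiles as root before the
    # service starts. toString keeps a path-typed dataDir from being copied
    # into the store by string interpolation.
    systemd.tmpfiles.rules = flatten (mapAttrsToList (name: cfg:
      let dataDir = toString cfg.dataDir;
      in [
        "d ${dataDir} 0750 ${cfg.user} ${cfg.group} -"
        "d ${dataDir}/git 0750 ${cfg.user} ${cfg.group} -"
        "d ${dataDir}/relay 0750 ${cfg.user} ${cfg.group} -"
      ]) enabledInstances);
  };
}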