servo: add bitmagnet service

hosts/by-name/servo/services/bitmagnet.nix

@@ -0,0 +1,35 @@
+{ config, ... }:
+{
+  services.bitmagnet.enable = true;
+  sane.netns.ovpns.services = [ "bitmagnet" ];
+  sane.ports.ports."3334" = {
+    protocol = [ "tcp" "udp" ];
+    # visibleTo.ovpns = true;  #< not needed: it runs in the ovpns namespace
+    description = "colin-bitmagnet";
+  };
+
+  # bitmagnet web client
+  # unauthenticated, but should be fine to expose:
+  # - WebUI doesn't expose any management/admin interfaces
+  # - Search might be a source for denial-of-service;
+  #   i can address that if/when it becomes a problem
+  services.nginx.virtualHosts."bitmagnet.uninsane.org" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:3333";
+    };
+  };
+  sane.dns.zones."uninsane.org".inet.CNAME."bitmagnet" = "native";
+
+  systemd.services.bitmagnet = {
+    # hardening (systemd-analyze security bitmagnet). base nixos service is already partially hardened.
+    serviceConfig.CapabilityBoundingSet = "";
+    serviceConfig.SystemCallArchitectures = "native";
+    serviceConfig.PrivateDevices = true;
+    serviceConfig.PrivateUsers = true;
+    serviceConfig.ProtectProc = "invisible";
+    serviceConfig.ProcSubset = "pid";
+    serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+  };
+}

hosts/by-name/servo/services/default.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   imports = [
+    ./bitmagnet.nix
     ./coturn.nix
     ./cryptocurrencies
     ./email

hosts/common/ids.nix

@@ -66,6 +66,8 @@
   sane.ids.plugdev.gid = 2421;
   sane.ids.ollama.uid = 2422;
   sane.ids.ollama.gid = 2422;
+  sane.ids.bitmagnet.uid = 2423;
+  sane.ids.bitmagnet.gid = 2423;
   sane.ids.shelvacu.uid = 5431;
 
   sane.ids.colin.uid = 1000;