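# NixOS module for the Hackerspace "checkinator" web interface: a gunicorn-served
# Flask app (at.webapp:app) behind nginx, talking to the checkinator gRPC
# backend over TLS on localhost.
#
# Inputs: `pkgs` (nixpkgs) and `workspace` (the hscloud monorepo, which provides
# `hswaw.checkinator`).  Evaluates to a NixOS configuration fragment.
{ pkgs, workspace, ... }:

let
  hscloud = workspace;
  checkinator = hscloud.hswaw.checkinator;

  name = "checkinator-web";
  user = name;
  group = name;

  # Directory holding the gunicorn unix socket.  Deliberately without a trailing
  # slash: both the gunicorn bind address and the nginx proxy_pass append
  # "/web.sock", and a trailing slash here produced doubled "//" in those paths.
  socket_dir = "/run/${name}";
  sock = "${socket_dir}/web.sock";

  # Secrets are staged here only for the lifetime of the service: `prepare`
  # copies them in before start, ExecStopPost removes them after stop.
  secrets_dir = "/mnt/secrets/${name}";
  source_secrets = "/etc/nixos/secrets/${name}";

  # Local state (the sqlite database).
  state_dir = "/var/checkinator-web";

  python = pkgs.python3.withPackages (ppackages: with ppackages; [
    checkinator
    pkgs.python3Packages.gunicorn
  ]);

  # Runs as root before the service starts (ExecStartPre with the "!" prefix):
  # stages the secrets into a directory readable only by the service user,
  # creates the state directory, and creates the socket directory with an ACL
  # that lets only nginx reach the socket inside it.
  prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
    # Fail closed: if any secret cannot be staged, the unit must not start.
    set -eu

    rm -rf ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t ${secrets_dir} \
      ${source_secrets}/secrets.yaml \
      ${source_secrets}/ca.pem \
      ${source_secrets}/cert.pem \
      ${source_secrets}/key.pem

    ${pkgs.coreutils}/bin/mkdir -m 700 -p ${state_dir}/
    ${pkgs.coreutils}/bin/chown ${user} ${state_dir}/

    # Socket directory: owned by the service user, mode 700 (chmod also covers
    # the case where mkdir -p found an existing directory with other bits), plus
    # a traverse ACL for nginx so the reverse proxy can open the socket.
    ${pkgs.coreutils}/bin/mkdir -p --mode=700 ${socket_dir}
    ${pkgs.coreutils}/bin/chown ${user} ${socket_dir}
    ${pkgs.coreutils}/bin/chmod 700 ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
  '';

  # Application config, rendered to YAML in the store and handed to the app via
  # CHECKINATOR_WEB_CONFIG.  Contains paths only, no secret material.
  config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
    # local sqlite db for storing user and MAC
    DB = "${state_dir}/at.db";
    # debug option interpreted by flask app
    DEBUG = false;
    # url to member wiki page
    # "${login}" string is replaced by member login (uid)
    WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
    # Plain string prefixes as consumed by the app; presumably the address
    # ranges from which devices may be claimed -- confirm against the app.
    CLAIMABLE_PREFIXES = [
      "10.8.0."
      "2a0d:eb00:4242:0:"
    ];
    CLAIMABLE_EXCLUDE = [ ];
    SPACEAUTH_CONSUMER_KEY = "checkinator";
    SECRETS_FILE = "${secrets_dir}/secrets.yaml";
    # Looks like MAC-address prefixes of known hardware classes; the exact
    # interpretation lives in the app.
    SPECIAL_DEVICES = {
      kektops = [ "90:e6:ba:84" ];
      esps = [
        "ec:fa:bc"
        "dc:4f:22"
        "d8:a0:1d"
        "b4:e6:2d"
        "ac:d0:74"
        "a4:7b:9d"
        "a0:20:a6"
        "90:97:d5"
        "68:c6:3a"
        "60:01:94"
        "5c:cf:7f"
        "54:5a:a6"
        "30:ae:a4"
        "2c:3a:e8"
        "24:b2:de"
        "24:0a:c4"
        "18:fe:34"
        "38:2b:78"
        "bc:dd:c2"
        "cc:50:e3"
        "84:0d:8e"
      ];
      vms = [
        "52:54:00" # craptrap VMs
      ];
    };
    # The app is reachable only through the unix socket set up above (mode 700
    # directory, ACL for nginx), so the X-Forwarded-* headers nginx sets can be
    # trusted; this would not hold if the socket were exposed more widely.
    PROXY_FIX = true;
    GRPC_TLS_CERT_DIR = secrets_dir;
    GRPC_TLS_CA_CERT = "${secrets_dir}/ca.pem";
    GRPC_TLS_ADDRESS = "[::1]:2847";
  });

in {
  users.users."${user}" = {
    group = "${group}";
    isSystemUser = true;
    uid = 1002;
  };
  users.groups."${group}" = {};

  systemd.services."${name}" = {
    description = "Hackerspace Checkinator web interface";
    wantedBy = [ "multi-user.target" ];
    environment = {
      CHECKINATOR_WEB_CONFIG = config;
    };
    # NOTE(review): no systemd sandboxing (ProtectSystem, PrivateTmp,
    # NoNewPrivileges, ...) is configured; worth adding once the paths the
    # service writes to (state_dir, socket_dir, secrets_dir) are confirmed.
    serviceConfig = {
      User = "${user}";
      Type = "simple";
      DynamicUser = false;
      WorkingDirectory = checkinator;
      ExecStartPre = [
        # "!" prefix: runs as root rather than as the service user, which
        # staging the secrets requires.
        "!${prepare}/bin/${name}-prepare"
        # Runs as the service user; initialises the sqlite DB on first start only.
        "${pkgs.writeShellScript "checkinator-dbsetup" ''
          if [ ! -e "${state_dir}/at.db" ]; then
            ${pkgs.sqlite}/bin/sqlite3 ${state_dir}/at.db < ${checkinator}/dbsetup.sql
          fi
        ''}"
      ];
      ExecStart = "${python}/bin/gunicorn -b unix:${sock} at.webapp:app";
      # Staged secrets must not outlive the service; runs as root ("!").
      ExecStopPost = [ "!${pkgs.coreutils}/bin/rm -rf ${secrets_dir}" ];
    };
  };

  services.nginx.virtualHosts."at.hackerspace.pl" = {
    forceSSL = true;
    enableACME = true;
    # Static assets are served straight from the store, bypassing gunicorn.
    locations."/static/" = {
      alias = "${checkinator}/static/";
    };
    locations."/" = {
      proxyPass = "http://unix:${sock}";
      # Every X-Forwarded-* header is overwritten here except X-Forwarded-For,
      # which appends the client address to whatever the client sent; the app's
      # PROXY_FIX handling is expected to use only the last (nginx-added) entry.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
  };
}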