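# NixOS module for the checkinator-tracker service: a dedicated system user,
# a short-lived root-installed copy of the TLS material under /mnt/secrets,
# a Unix-socket directory shared with checkinator-web, and the systemd unit
# that ties them together.
{ pkgs, workspace, ... }:
let
  hscloud = workspace;
  checkinator = hscloud.hswaw.checkinator;

  name = "checkinator-tracker";
  user = name;
  group = name;

  # Runtime directory holding the local gRPC socket. Created fresh in
  # ExecStartPre and removed in ExecStopPost. No trailing slash, so joining
  # "${socket_dir}/..." below does not produce a doubled "//".
  socket_dir = "/run/${name}";

  # Working copy of the service's certificate material, populated by `prepare`
  # and removed again in ExecStopPost. Used for both the install step and the
  # GRPC_TLS_* config entries so the two cannot drift apart.
  secrets_dir = "/mnt/secrets/${name}";

  # ExecStartPre helper, executed as root (see the `!` prefix on the unit).
  # writeShellScriptBin does not enable errexit on its own; `set -eu` makes a
  # failed secret install or ACL step abort the start instead of letting the
  # service come up without its certificates or socket directory.
  prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
    set -eu

    # Fresh copy of the certificate material: directory 500 and files 400,
    # owned by ${user}, so only the tracker process can read the key.
    rm -rf ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t ${secrets_dir} \
        /etc/nixos/secrets/${name}/ca.pem \
        /etc/nixos/secrets/${name}/cert.pem \
        /etc/nixos/secrets/${name}/key.pem

    # Socket directory: root-owned 700, opened up only to the tracker (rwx, it
    # creates the socket) and the web frontend (rx, so it can traverse the
    # directory; the socket file's own mode is left to the tracker's umask).
    rm -rf ${socket_dir}
    mkdir --mode=700 ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:${user}:rwx" ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:checkinator-web:rx" ${socket_dir}
  '';

  # Tracker configuration, rendered to YAML into the Nix store. The store is
  # world-readable, so this file carries only paths and addresses, never the
  # secret values themselves.
  config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
    # path to dhcpd lease file
    LEASE_FILE = "/var/lib/dhcp/dhcpd.leases";
    # timeout for old leases
    TIMEOUT = 1500;
    # optional - local trusted socket, reachable by checkinator-web through the
    # ACL granted in `prepare`
    GRPC_UNIX_SOCKET = "${socket_dir}/checkinator.sock";
    # optional - remote authenticated (TLS cert) socket; the files are the ones
    # `prepare` installs into secrets_dir
    GRPC_TLS_CERT_DIR = secrets_dir;
    GRPC_TLS_CA_CERT = "${secrets_dir}/ca.pem";
    GRPC_TLS_ADDRESS = "[::]:2847";
  });
in
{
  # Dedicated unprivileged account the tracker runs as; the secret copy and the
  # socket directory are granted to exactly this user.
  users.users."${user}" = {
    group = "${group}";
    isSystemUser = true;
    uid = 1001;
  };
  users.groups."${group}" = {};

  systemd.services."${name}" = {
    description = "Hackerspace Checkinator";
    wantedBy = [ "multi-user.target" ];
    serviceConfig.User = "${user}";
    serviceConfig.Type = "simple";
    # `!` runs the step with full privileges regardless of User; the prepare
    # script needs that to chown the secret copy and create the root-owned
    # socket directory.
    serviceConfig.ExecStartPre = [ ''!${prepare}/bin/${name}-prepare'' ];
    serviceConfig.ExecStart = "${checkinator}/bin/checkinator-tracker ${config}";
    # Tear the secret copy and the socket directory down as soon as the
    # service stops, whether it exited cleanly or not.
    serviceConfig.ExecStopPost = [
      ''!${pkgs.coreutils}/bin/rm -rf ${secrets_dir}''
      ''!${pkgs.coreutils}/bin/rm -rf ${socket_dir}''
    ];
  };

  environment.systemPackages = [ checkinator ];
}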