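{ pkgs, workspace, ... }:

# NixOS module for the checkinator web frontend: a Flask app (at.webapp:app)
# run under gunicorn on a unix socket, fronted by nginx. Secrets are copied
# from /etc/nixos/secrets into /mnt/secrets for the lifetime of the service
# and deleted again when it stops.
let
  hscloud = workspace;
  checkinator = hscloud.hswaw.checkinator;

  name = "checkinator-web";
  user = name;
  group = name;

  # Every path shared by the prepare script, the rendered app config, the db
  # setup step and the stop-time cleanup is defined once here, so the copies
  # cannot drift apart (previously the config carried the literal
  # "/mnt/secrets/checkinator-web" while the script derived it from `name`).
  secrets_src = "/etc/nixos/secrets/${name}";  # root-owned originals
  secrets_dir = "/mnt/secrets/${name}";        # per-run copy owned by the service user
  state_dir = "/var/checkinator-web";          # sqlite state, mode 700
  db_path = "${state_dir}/at.db";
  socket_dir = "/run/${name}/";
  # socket_dir already ends in "/", so this yields "//web.sock". It is kept
  # byte-identical on the gunicorn and nginx sides; the kernel's path lookup
  # collapses the doubled slash.
  socket_path = "${socket_dir}/web.sock";

  python = pkgs.python3.withPackages (ppackages: with ppackages; [
    checkinator
    pkgs.python3Packages.gunicorn
  ]);

  # Runs with full privileges (its ExecStartPre entry is prefixed with "!"):
  # re-stages the secrets with owner-only permissions (dir 500, files 400,
  # owned by ${user}) and creates the state and socket directories. nginx gets
  # search/read on the socket directory via an ACL so it can connect; the
  # socket file's own mode is whatever gunicorn creates and is not set here.
  # Every binary is referenced by store path so the script does not depend on
  # the unit's PATH.
  prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
    ${pkgs.coreutils}/bin/rm -rf ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t ${secrets_dir} \
      ${secrets_src}/secrets.yaml \
      ${secrets_src}/ca.pem \
      ${secrets_src}/cert.pem \
      ${secrets_src}/key.pem

    ${pkgs.coreutils}/bin/mkdir -m 700 -p ${state_dir}/
    ${pkgs.coreutils}/bin/chown ${user} ${state_dir}/

    ${pkgs.coreutils}/bin/mkdir -p --mode=700 ${socket_dir}
    ${pkgs.coreutils}/bin/chown ${user} ${socket_dir}
    ${pkgs.coreutils}/bin/chmod 700 ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
  '';

  # builtins.toFile writes the rendered YAML into the Nix store, which is
  # world-readable: nothing secret may be placed in this attrset, only the
  # paths of the files staged by `prepare`.
  config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
    # local sqlite db for storing user and MAC
    DB = db_path;

    # debug option interpreted by flask app
    DEBUG = false;

    # url to member wiki page
    # "${login}" string is replaced by member login (uid)
    WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";

    CLAIMABLE_PREFIXES = [
      "10.8.0."
      "2a0d:eb00:4242:0:"
    ];
    CLAIMABLE_EXCLUDE = [ ];

    SPACEAUTH_CONSUMER_KEY = "checkinator";
    SECRETS_FILE = "${secrets_dir}/secrets.yaml";

    SPECIAL_DEVICES = {
      kektops = [ "90:e6:ba:84" ];
      esps = [
        "ec:fa:bc" "dc:4f:22" "d8:a0:1d" "b4:e6:2d" "ac:d0:74" "a4:7b:9d"
        "a0:20:a6" "90:97:d5" "68:c6:3a" "60:01:94" "5c:cf:7f" "54:5a:a6"
        "30:ae:a4" "2c:3a:e8" "24:b2:de" "24:0a:c4" "18:fe:34" "38:2b:78"
        "bc:dd:c2" "cc:50:e3" "84:0d:8e"
      ];
      vms = [
        "52:54:00" # craptrap VMs
      ];
    };

    # The app is only reachable through the nginx vhost below, which sets the
    # X-Forwarded-* headers this option makes it honour. NOTE(review): looks
    # like werkzeug's ProxyFix; confirm in the app before exposing it any
    # other way, since those headers are then trusted.
    PROXY_FIX = true;

    GRPC_TLS_CERT_DIR = secrets_dir;
    GRPC_TLS_CA_CERT = "${secrets_dir}/ca.pem";
    GRPC_TLS_ADDRESS = "[::1]:2847";
  });
in {
  users.users."${user}" = {
    group = "${group}";
    isSystemUser = true;
    # Fixed uid: the staged secrets and state directory are chown'd to it.
    uid = 1002;
  };
  users.groups."${group}" = {};

  systemd.services."${name}" = {
    description = "Hackerspace Checkinator web interface";
    wantedBy = [ "multi-user.target" ];

    serviceConfig.User = "${user}";
    serviceConfig.Type = "simple";

    environment = {
      CHECKINATOR_WEB_CONFIG = config;
    };

    serviceConfig.ExecStartPre = [
      # "!" runs this step as root even though User= is set.
      ''!${prepare}/bin/${name}-prepare''
      # Runs as ${user}; creates the sqlite schema only on first start.
      "${pkgs.writeShellScript "checkinator-dbsetup" ''
        if [ ! -e "${db_path}" ]
        then
          ${pkgs.sqlite}/bin/sqlite3 ${db_path} < ${checkinator}/dbsetup.sql
        fi
      ''}"
    ];
    serviceConfig.WorkingDirectory = checkinator;
    serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_path} at.webapp:app";
    # Also privileged ("!"): the secrets copy must not outlive the service.
    serviceConfig.ExecStopPost = [
      ''!${pkgs.coreutils}/bin/rm -rf ${secrets_dir}''
    ];

    # Kept explicit: DynamicUser would allocate a uid other than the static
    # one the staged files are owned by.
    serviceConfig.DynamicUser = false;
  };

  services.nginx.virtualHosts."at.hackerspace.pl" = {
    forceSSL = true;
    enableACME = true;

    # Static assets are served directly from the package's store path.
    locations."/static/" = {
      alias = "${checkinator}/static/";
    };
    locations."/" = {
      proxyPass = "http://unix://${socket_path}";
      # Client address/scheme forwarded to the app; see PROXY_FIX in config.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
  };
}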