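{ pkgs, workspace, ... }:

# NixOS module for the HSWAW lasercutter proxy: builds `laserproxy` from a
# pinned hscloud revision, runs it as an unprivileged system user bound to
# loopback, and exposes it through nginx to the internal network only.
let
  name = "laserproxy";
  user = name;
  group = name;

  # Building hscloud bazel from nix is often broken on master branch. Building
  # laserproxy from older hscloud is not a pretty solution, but seem like a
  # best option for now.
  # TODO use upstream laserproxy when CI testing is added
  # see https://issues.hackerspace.pl/issues/9
  laserproxy =
    let
      # Pinned by revision *and* content hash, so the build input cannot change
      # even if the remote history is rewritten.
      old = pkgs.fetchgit {
        url = "https://gerrit.hackerspace.pl/hscloud.git";
        rev = "5319e611b2be9241c01994eb8e42bd349bb6eabb";
        sha256 = "sha256-KdVAlaXHW2CE2kJoOT0jJ+a20u6HPAgx5g/7ifX8iqU=";
      };

      # Copy of `old` with two local patches applied (see comments below).
      # Files copied out of the store are read-only, so the two files that are
      # overwritten are made writable once, up front.
      old-patched = pkgs.runCommandNoCC "hscloud" { } ''
        cp -r "${old}" "$out"
        chmod +w "$out/WORKSPACE" "$out/default.nix"

        # backport passing system to allow (pure) builds from flakes
        echo "{ system ? builtins.currentSystem, ... }@args:" > "$out/default.nix"
        sed -e '1d' -e 's/import nixpkgsSrc {/\0 inherit system; /g' "${old}/default.nix" >> "$out/default.nix"

        # hotfix failing bazel build:
        #
        # Label '//hswaw/site:deps.bzl' is invalid because 'hswaw/site' is not
        # a package; perhaps you meant to put the colon here:
        # '//:hswaw/site/deps.bzl'?
        sed '/hswaw.site.deps/d' "${old}/WORKSPACE" > "$out/WORKSPACE"
      '';
    in
    (import old-patched { inherit (pkgs) system; }).hswaw.laserproxy;
in
{
  # Dedicated unprivileged account with a fixed uid; the service below runs
  # as this user only.
  users.users."${user}" = {
    group = "${group}";
    isSystemUser = true;
    uid = 1004;
  };
  users.groups."${group}" = { };

  systemd.services."${name}" = {
    description = "HSWAW lasercutter proxy";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-addresses-laser.service" ];

    serviceConfig.User = "${user}";
    serviceConfig.Type = "simple";
    serviceConfig.Restart = "always";
    serviceConfig.RestartSec = "30";
    # The proxy listens on loopback only, so the nginx vhost below is the sole
    # network entry point and applies the access control. -hspki_disable
    # presumably turns off the proxy's own hspki authentication — verify
    # against the laserproxy flags — in which case the nginx allow/deny list is
    # the only access check in front of it.
    serviceConfig.ExecStart = "${laserproxy}/bin/laserproxy -logtostderr -hspki_disable -web_address 127.0.0.1:2137";
    # Baseline sandboxing for an unprivileged network daemon. Stricter options
    # (ProtectSystem, ProtectHome) should be enabled once the binary's
    # filesystem needs have been confirmed.
    serviceConfig.NoNewPrivileges = true;
    serviceConfig.PrivateTmp = true;
  };

  services.nginx.virtualHosts."laser.waw.hackerspace.pl" = {
    listen = [
      # Plain HTTP on the internal interface only; the TLS listener is
      # pending (see TODO).
      { addr = "10.8.1.2"; port = 80; ssl = false; }
      # TODO fix certs / virtual hosts on customs and enable this
      # (443 is presumably the intended port)
      # { addr = "10.8.1.2"; port=433; ssl=true; }
    ];
    locations."/" = {
      proxyPass = "http://127.0.0.1:2137/";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # allow/deny are evaluated on the TCP peer address ($remote_addr),
        # not on forwarded headers: only the internal 10/8 range reaches the
        # proxied backend.
        allow 10.0.0.0/8;
        deny all;
      '';
    };
  };
}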