module.nix: init

This isn't great, but hey, it works.
2020-02-12 16:38:28 +01:00 · 2020-02-12 16:38:28 +01:00 · 25b41d6496
parent 75c222852b
commit 25b41d6496
2 changed files with 111 additions and 0 deletions
--- a/bitvend/init.py
+++ b/bitvend/init.py
@ -30,6 +30,7 @@ def bitvend_user_loader(username, profile=None):
 def create_app():
    app = flask.Flask(__name__)
    app.config.from_object('bitvend.default_settings')
+    print('Loading extra settings from {}...'.format(os.environ.get('BITVEND_SETTINGS', '')))
    app.config.from_pyfile(os.environ.get('BITVEND_SETTINGS', ''), silent=True)

    # Use proper proxy headers, this fixes invalid scheme in
--- a/module.nix
+++ b/module.nix
@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkOption types;
+
+  cfg = config.services.bitvend;
+
+  bitvendUser = "bitvend";
+  bitvendGroup = "bitvend";
+
+  bitvend = (import ./default.nix);
+  cfgFile = pkgs.writeText "bitvend.cfg"
+    ''
+      SQLALCHEMY_DATABASE_URI = 'sqlite:///${cfg.stateDir}/bitvend.db'
+      SPACEAUTH_CONSUMER_KEY = '${cfg.spaceauthConsumerKey}'
+      SPACEAUTH_CONSUMER_SECRET = '${cfg.spaceauthConsumerSecret}'
+      BLOCKCYPHER_TOKEN = '${cfg.blockcypherToken}'
+      SECRET_KEY = '${cfg.secretKey}'
+    '';
+
+
+in {
+  options.services.bitvend = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Whether to enable bitvend";
+    };
+    stateDir = mkOption {
+      type = types.path;
+      default = "/var/db/bitvend";
+      description = "Location of bitvend's config/data directory";
+    };
+    spaceauthConsumerKey = mkOption {
+      type = types.str;
+      default = "";
+      description = "spaceauth consumer key";
+    };
+    spaceauthConsumerSecret = mkOption {
+      type = types.str;
+      default = "";
+      description = "spaceauth consumer secret";
+    };
+    blockcypherToken = mkOption {
+      type = types.str;
+      default = "";
+      description = "blockcypher token";
+    };
+    secretKey = mkOption {
+      type = types.str;
+      default = "";
+      description = "blockcypher token";
+    };
+    hostName = mkOption {
+      type = types.str;
+      default = "vending.waw.hackerspace.pl";
+      description = "hostname";
+    };
+  };
+  config = mkIf cfg.enable {
+    ids.uids.bitvend = 2137;
+    ids.gids.bitvend = 2137;
+
+    users.users.bitvend = {
+      name = bitvendUser;
+      group = bitvendGroup;
+      uid = config.ids.uids.bitvend;
+      description = "Bitvend daemon user";
+      home = cfg.stateDir;
+    };
+    users.groups.bitvend = {
+      name = bitvendGroup;
+      gid = config.ids.gids.bitvend;
+    };
+    systemd.services.bitvend = {
+      environment = {
+        BITVEND_SETTINGS = cfgFile;
+      };
+      wantedBy = [ "multi-user.target" ];
+      script = ''
+        ${bitvend}/bin/bitvend-run.py
+      '';
+      serviceConfig = {
+        User = bitvendUser;
+      };
+    };
+    systemd.tmpfiles.rules = [
+      "d '${cfg.stateDir}' 0750 '${bitvendUser}' '${bitvendGroup}' - -"
+    ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    services.nginx = {
+      enable = true;
+      appendHttpConfig = ''
+        proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=qrcode_cache:10m max_size=50m inactive=60m;
+      '';
+      virtualHosts."${cfg.hostName}" = {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5000";
+        };
+        locations."/qrcode/" = {
+          proxyPass = "http://127.0.0.1:5000";
+          extraConfig = ''
+            add_header X-Proxy-Cache $upstream_cache_status;
+            proxy_cache qrcode_cache;
+          '';
+        };
+      };
+    };
+  };
+}