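{ config, lib, pkgs, ... }:
# NixOS module for the bitvend vending-machine service: a Python app behind
# nginx, with a Let's Encrypt certificate obtained through the `exec` DNS
# provider and a local lego hook script.
let
  inherit (lib) mkIf mkOption types optional optionalString;
  cfg = config.services.bitvend;
  bitvendUser = "bitvend";
  bitvendGroup = "bitvend";
  bitvend = import ./default.nix;

  # The application settings file is rendered by the service itself at start
  # (see preStart below), into stateDir with mode 0600. Rendering at runtime
  # instead of with pkgs.writeText at evaluation time is what allows values
  # supplied through `secretsFile` to stay out of the world-readable Nix store.
  settingsPath = "${cfg.stateDir}/bitvend.cfg";

  # Secret-bearing options whose values, when set inline, are copied into the
  # Nix store (the generated scripts/files are store paths).
  inlineSecrets = [
    cfg.spaceauthConsumerKey
    cfg.spaceauthConsumerSecret
    cfg.blockcypherToken
    cfg.secretKey
    cfg.acmeToken
  ];

  # lego `exec` provider hook, wrapped so that curl and bash are on PATH
  # regardless of the environment the acme service runs with.
  legoHook = pkgs.runCommand "lego-hook-wrapped" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    makeWrapper ${./lego-hook.sh} $out \
      --prefix PATH : ${lib.makeBinPath [ pkgs.curl pkgs.bash ]}
  '';
in {
  options.services.bitvend = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to enable bitvend";
    };
    stateDir = mkOption {
      type = types.path;
      default = "/var/db/bitvend";
      description = "Location of bitvend's config/data directory (sqlite database and rendered settings file)";
    };
    spaceauthConsumerKey = mkOption {
      type = types.str;
      default = "";
      description = "spaceauth consumer key (inline value; prefer SPACEAUTH_CONSUMER_KEY in secretsFile)";
    };
    spaceauthConsumerSecret = mkOption {
      type = types.str;
      default = "";
      description = "spaceauth consumer secret (inline value; prefer SPACEAUTH_CONSUMER_SECRET in secretsFile)";
    };
    blockcypherToken = mkOption {
      type = types.str;
      default = "";
      description = "blockcypher token (inline value; prefer BLOCKCYPHER_TOKEN in secretsFile)";
    };
    secretKey = mkOption {
      type = types.str;
      default = "";
      # Was mislabelled "blockcypher token" (copy-paste); this is the app's SECRET_KEY.
      description = "Application SECRET_KEY written to the settings file (inline value; prefer SECRET_KEY in secretsFile)";
    };
    secretsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Environment file (KEY=value lines, should be readable by root only)
        loaded by systemd into the bitvend service. SPACEAUTH_CONSUMER_KEY,
        SPACEAUTH_CONSUMER_SECRET, BLOCKCYPHER_TOKEN and SECRET_KEY set there
        take precedence over the corresponding options and do not enter the
        Nix store.
      '';
    };
    hostName = mkOption {
      type = types.str;
      default = "vending.waw.hackerspace.pl";
      description = "hostname";
    };
    acmeToken = mkOption {
      type = types.str;
      default = "";
      description = "Let's Encrypt proxy API authentication token (inline value; prefer API_TOKEN in acmeCredentialsFile)";
    };
    acmeCredentialsFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Environment file providing API_TOKEN for the ACME DNS hook. It is
        loaded by systemd into the acme-<hostName> service, so the token
        stays out of the Nix store. Use this instead of acmeToken.
      '';
    };
  };

  config = mkIf cfg.enable {
    # Anything interpolated into a store path (the generated scripts and
    # credential files) is world-readable on the host; point people at the
    # file-based options instead.
    warnings = optional (lib.any (s: s != "") inlineSecrets)
      "services.bitvend: secrets given inline (spaceauthConsumerKey/Secret, blockcypherToken, secretKey, acmeToken) are copied into the world-readable Nix store; use secretsFile / acmeCredentialsFile instead.";

    ids.uids.bitvend = 2137;
    ids.gids.bitvend = 2137;
    users.users.bitvend = {
      name = bitvendUser;
      group = bitvendGroup;
      uid = config.ids.uids.bitvend;
      description = "Bitvend daemon user";
      home = cfg.stateDir;
      # dialout grants access to the serial devices; keep PrivateDevices off below.
      extraGroups = [ "dialout" ];
    };
    users.groups.bitvend = {
      name = bitvendGroup;
      gid = config.ids.gids.bitvend;
    };

    systemd.services.bitvend = {
      description = "Bitvend vending machine service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      environment = {
        BITVEND_SETTINGS = settingsPath;
      };
      # Runs as bitvendUser (serviceConfig.User applies to ExecStartPre as well),
      # with the variables from secretsFile already present in the environment.
      # Each value falls back to the inline option when the variable is unset,
      # so existing configurations keep working unchanged. The heredoc is
      # unquoted so that the shell expands ${VAR:-default}; a secret containing
      # a double quote or, for the inline fallbacks, `$`/backtick would break
      # the rendered Python file (the previous writeText had the same limitation
      # with single quotes).
      preStart = ''
        umask 077
        cat > "${settingsPath}" <<EOF
        SQLALCHEMY_DATABASE_URI = "sqlite:///${cfg.stateDir}/bitvend.db"
        SPACEAUTH_CONSUMER_KEY = "''${SPACEAUTH_CONSUMER_KEY:-${cfg.spaceauthConsumerKey}}"
        SPACEAUTH_CONSUMER_SECRET = "''${SPACEAUTH_CONSUMER_SECRET:-${cfg.spaceauthConsumerSecret}}"
        BLOCKCYPHER_TOKEN = "''${BLOCKCYPHER_TOKEN:-${cfg.blockcypherToken}}"
        SECRET_KEY = "''${SECRET_KEY:-${cfg.secretKey}}"
        EOF
      '';
      script = ''
        ${bitvend}/bin/bitvend-run.py
      '';
      serviceConfig = {
        User = bitvendUser;
        Group = bitvendGroup;
        WorkingDirectory = cfg.stateDir;
        # Read by systemd as root, so the file itself can be root-only.
        EnvironmentFile = optional (cfg.secretsFile != null) cfg.secretsFile;
        Restart = "always";
        # Sandboxing: the app only needs its state directory and the serial
        # device (via dialout). Extend ReadWritePaths if it writes elsewhere;
        # ProtectHome assumes stateDir is not under /home.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ cfg.stateDir ];
      };
    };

    systemd.tmpfiles.rules = [
      "d '${cfg.stateDir}' 0750 '${bitvendUser}' '${bitvendGroup}' - -"
    ];

    networking.firewall.allowedTCPPorts = [ 80 443 ];

    security.acme.acceptTerms = true;
    security.acme.email = "informatic@hackerspace.pl";
    security.acme.certs."${cfg.hostName}" = {
      dnsProvider = "exec";
      dnsPropagationCheck = false;
      webroot = lib.mkForce null;
      # Environment for lego's exec provider. API_TOKEN is only emitted when
      # given inline, so an empty value cannot shadow the one coming from
      # acmeCredentialsFile. EXEC_PATH is a store path and has to live here.
      credentialsFile = pkgs.writeText "acme-creds" ''
        EXEC_PATH=${legoHook}
        API_URL=https://ns1-waw.hackerspace.pl
        ${optionalString (cfg.acmeToken != "") "API_TOKEN=${cfg.acmeToken}"}
      '';
    };
    # NOTE(review): relies on the acme module naming the unit acme-<cert> and
    # the hook inheriting the unit environment — verify against the NixOS
    # version in use.
    systemd.services."acme-${cfg.hostName}" = mkIf (cfg.acmeCredentialsFile != null) {
      serviceConfig.EnvironmentFile = [ cfg.acmeCredentialsFile ];
    };

    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      # NOTE(review): a cache under /tmp is only safe from pre-creation by
      # other local users if the nginx unit runs with PrivateTmp (NixOS's
      # unit does by default — confirm); otherwise move it under
      # /var/cache/nginx.
      appendHttpConfig = ''
        proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=qrcode_cache:10m max_size=50m inactive=60m;
      '';
      virtualHosts."${cfg.hostName}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:5000";
        };
        # NOTE(review): cached responses are keyed on the URL only; confirm
        # that /qrcode/ output does not depend on the session/cookies, or one
        # user's QR code could be served to another.
        locations."/qrcode/" = {
          proxyPass = "http://127.0.0.1:5000";
          extraConfig = ''
            add_header X-Proxy-Cache $upstream_cache_status;
            proxy_cache qrcode_cache;
          '';
        };
      };
    };
  };
}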