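# NixOS module for the bitvend daemon.
#
# Declares the `services.bitvend` option set and, when enabled, wires up:
#   * a dedicated system user/group with a fixed uid/gid,
#   * a systemd unit running the daemon with its settings file,
#   * the state directory (sqlite database lives there),
#   * an ACME certificate for `hostName`, obtained through a lego "exec"
#     DNS hook instead of an HTTP webroot challenge,
#   * an nginx reverse proxy in front of the daemon on 127.0.0.1:5000,
#     with a small response cache for /qrcode/.
{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkOption types;

  cfg = config.services.bitvend;

  bitvendUser = "bitvend";
  bitvendGroup = "bitvend";

  # The application package, built from the sibling default.nix.
  bitvend = import ./default.nix;

  # Settings file passed to the daemon through BITVEND_SETTINGS.
  # NOTE(review): every value interpolated here — including the spaceauth
  # consumer secret, the blockcypher token and the secret key — is written
  # with pkgs.writeText and therefore ends up under /nix/store, which is
  # world-readable. Confirm that is acceptable for this deployment; if not,
  # the secrets need to be supplied from a file outside the store at runtime.
  cfgFile = pkgs.writeText "bitvend.cfg" ''
    SQLALCHEMY_DATABASE_URI = 'sqlite:///${cfg.stateDir}/bitvend.db'
    SPACEAUTH_CONSUMER_KEY = '${cfg.spaceauthConsumerKey}'
    SPACEAUTH_CONSUMER_SECRET = '${cfg.spaceauthConsumerSecret}'
    BLOCKCYPHER_TOKEN = '${cfg.blockcypherToken}'
    SECRET_KEY = '${cfg.secretKey}'
  '';

  # lego "exec" DNS hook, wrapped so that curl and bash are on its PATH.
  legoHook = pkgs.runCommand "lego-hook-wrapped" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    makeWrapper ${./lego-hook.sh} $out \
      --prefix PATH : ${lib.makeBinPath [ pkgs.curl pkgs.bash ]}
  '';
in {
  options.services.bitvend = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Whether to enable bitvend";
    };

    stateDir = mkOption {
      type = types.path;
      default = "/var/db/bitvend";
      description = "Location of bitvend's config/data directory";
    };

    spaceauthConsumerKey = mkOption {
      type = types.str;
      default = "";
      description = "spaceauth consumer key";
    };

    spaceauthConsumerSecret = mkOption {
      type = types.str;
      default = "";
      description = "spaceauth consumer secret";
    };

    blockcypherToken = mkOption {
      type = types.str;
      default = "";
      description = "blockcypher token";
    };

    # Description used to be a copy of the blockcypher one; this option is the
    # application's own SECRET_KEY, not a blockcypher credential.
    secretKey = mkOption {
      type = types.str;
      default = "";
      description = "Application secret key (written as SECRET_KEY into the settings file)";
    };

    hostName = mkOption {
      type = types.str;
      default = "vending.waw.hackerspace.pl";
      description = "hostname";
    };

    # The two options below were previously hard-coded; their defaults keep
    # the original values so existing deployments are unaffected.
    acmeEmail = mkOption {
      type = types.str;
      default = "informatic@hackerspace.pl";
      description = "Contact e-mail registered with the ACME provider";
    };

    acmeApiUrl = mkOption {
      type = types.str;
      default = "https://ns1-waw.hackerspace.pl";
      description = "Base URL of the DNS update API used by the ACME exec hook";
    };

    acmeToken = mkOption {
      type = types.str;
      default = "";
      description = "Let's Encrypt proxy API authentication token";
    };
  };

  config = mkIf cfg.enable {
    # Fixed uid/gid for the service account.
    ids.uids.bitvend = 2137;
    ids.gids.bitvend = 2137;

    users.users.bitvend = {
      name = bitvendUser;
      group = bitvendGroup;
      uid = config.ids.uids.bitvend;
      description = "Bitvend daemon user";
      home = cfg.stateDir;
      # Grants access to serial devices; presumably for the vending hardware —
      # confirm it is still required.
      extraGroups = [ "dialout" ];
    };

    users.groups.bitvend = {
      name = bitvendGroup;
      gid = config.ids.gids.bitvend;
    };

    systemd.services.bitvend = {
      environment = {
        BITVEND_SETTINGS = cfgFile;
      };
      wantedBy = [ "multi-user.target" ];
      script = ''
        ${bitvend}/bin/bitvend-run.py
      '';
      serviceConfig = {
        User = bitvendUser;
      };
    };

    # Create the state directory, readable only by the service user/group.
    systemd.tmpfiles.rules = [
      "d '${cfg.stateDir}' 0750 '${bitvendUser}' '${bitvendGroup}' - -"
    ];

    # HTTP/HTTPS for the nginx front end.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    security.acme.acceptTerms = true;
    security.acme.email = cfg.acmeEmail;
    security.acme.certs."${cfg.hostName}" = {
      dnsProvider = "exec";
      dnsPropagationCheck = false;
      # The nginx vhost's enableACME would otherwise select an HTTP webroot
      # challenge; force it off so the exec DNS provider above is used.
      webroot = lib.mkForce null;
      # NOTE(review): like cfgFile, this credentials file (and the API token
      # inside it) is a pkgs.writeText output and so lives in the Nix store.
      credentialsFile = pkgs.writeText "acme-creds" ''
        EXEC_PATH=${legoHook}
        API_URL=${cfg.acmeApiUrl}
        API_TOKEN=${cfg.acmeToken}
      '';
    };

    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      # Cache zone used only by the /qrcode/ location below.
      # NOTE(review): the cache sits under /tmp; if the nginx unit runs with
      # a private /tmp this is namespaced to it — confirm that is intended.
      appendHttpConfig = ''
        proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=qrcode_cache:10m max_size=50m inactive=60m;
      '';
      virtualHosts."${cfg.hostName}" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:5000";
        };
        locations."/qrcode/" = {
          proxyPass = "http://127.0.0.1:5000";
          extraConfig = ''
            add_header X-Proxy-Cache $upstream_cache_status;
            proxy_cache qrcode_cache;
          '';
        };
      };
    };
  };
}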