vuko
/
customs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
customs/checkinator-web.nix

135 lines
4.1 KiB
Nix
Raw Permalink Blame History

{ pkgs, ... }:
let
old-pkgs = import (fetchTarball {
sha256 = "0kdx3pz0l422d0vvvj3h8mnq65jcg2scb13dc1z1lg2a8cln842z";
url = https://api.github.com/repos/NixOS/nixpkgs/tarball/0bf298df24f721a7f85c580339fb7eeff64b927c;
}) { config = pkgs.config; };
repo = pkgs.fetchgit (builtins.fromJSON
(builtins.readFile ./checkinator-repo.json));
checkinator = old-pkgs.callPackage "${repo}/default.nix" {};
name = "checkinator-web";
user = name;
group = name;
socket_dir = "/run/${name}/";
python = old-pkgs.python3.withPackages (ppackages: with ppackages; [
checkinator
old-pkgs.python3Packages.gunicorn
]);
prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
rm -rf /mnt/secrets/${name}
${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory /mnt/secrets/${name}
${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t /mnt/secrets/${name} \
/etc/nixos/secrets/${name}/secrets.yaml \
/etc/nixos/secrets/${name}/ca.pem \
/etc/nixos/secrets/${name}/cert.pem \
/etc/nixos/secrets/${name}/key.pem
${pkgs.coreutils}/bin/mkdir -m 700 -p /var/checkinator-web/
${pkgs.coreutils}/bin/chown ${user} /var/checkinator-web/
mkdir -p --mode=700 ${socket_dir}
chown ${user} ${socket_dir}
chmod 700 ${socket_dir}
${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
'';
config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
# local sqlite db for storing user and MAC
DB = "/var/checkinator-web/at.db";
# debug option interpreted by flask app
DEBUG = false;
# url to member wiki page
# "${login}" string is replaced by member login (uid)
WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
CLAIMABLE_PREFIXES = [
"10.8.0."
"2a0d:eb00:4242:0:"
];
CLAIMABLE_EXCLUDE = [ ];
SPACEAUTH_CONSUMER_KEY = "checkinator";
SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
SPECIAL_DEVICES = {
kektops = [ "90:e6:ba:84" ];
esps = [
"ec:fa:bc" "dc:4f:22" "d8:a0:1d" "b4:e6:2d" "ac:d0:74" "a4:7b:9d"
"a0:20:a6" "90:97:d5" "68:c6:3a" "60:01:94" "5c:cf:7f" "54:5a:a6"
"30:ae:a4" "2c:3a:e8" "24:b2:de" "24:0a:c4" "18:fe:34" "38:2b:78"
"bc:dd:c2" "cc:50:e3"
];
vms = [
"52:54:00" # craptrap VMs
];
};
PROXY_FIX = true;
GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
GRPC_TLS_ADDRESS = "[::1]:2847";
});
in {
users.users."${user}" = {
group = "${group}";
useDefaultShell = true;
};
users.groups."${group}" = {};
systemd.services."${name}" = {
description = "Hackerspace Checkinator web interface";
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "${user}";
serviceConfig.Type = "simple";
environment = {
CHECKINATOR_WEB_CONFIG=config;
};
serviceConfig.ExecStartPre = [
''!${prepare}/bin/${name}-prepare''
"${pkgs.writeShellScript "checkinator-dbsetup" ''
if [ ! -e "/var/checkinator-web/at.db" ]
then
${pkgs.sqlite}/bin/sqlite3 /var/checkinator-web/at.db < ${repo}/dbsetup.sql
fi
''}"
];
serviceConfig.workingDirectory = checkinator;
serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
serviceConfig.ExecStopPost = [
''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
];
};
services.nginx.virtualHosts."at.hackerspace.pl" = {
forceSSL = true;
enableACME = true;
locations."/static/" = {
alias = "${repo}/static/";
};
locations."/" = {
proxyPass = "http://unix://${socket_dir}/web.sock";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
}
Reference in New Issue View Git Blame Copy Permalink