lights-web/service.nix


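# NixOS module for lights-web: a gunicorn-served Python web application that
# listens on a unix socket and is published through an nginx virtual host.
# Secrets are copied into a runtime directory by a privileged pre-start step;
# non-secret settings are rendered into the Nix store.
{ config, lib, pkgs, ... }:
with lib;
let
  name = "lights-web";
  cfg = config.services."${name}";
  #settingsFormat = pkgs.formats.yaml { };
  #settingsFile = settingsFormat.generate "lights-web-config.yaml" cfg.settings;
  # builtins.toFile places the rendered settings in the Nix store, which every
  # local user can read. Credentials must not go into `settings`; they belong
  # in the separate secrets file installed by the prepare script below.
  settingsFile = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} cfg.settings);
in {
  options = {
    services."${name}" = {
      enable = mkEnableOption "${name}";
      # Application settings, serialised into the config file passed via
      # LIGHTS_WEB_CONFIG. No `type` is declared, so the module system does
      # not check the shape of this value.
      settings = mkOption {
        #type = settingsFormat.type;
        default = {};
      };
      # Host name of the nginx virtual host that fronts the service.
      domain = mkOption {
        type = types.str;
        default = "lights.waw.hackerspace.pl";
      };
    };
  };
  config = let
    # Third-party JavaScript served to browsers. It is pinned to a release tag
    # together with a content hash, so a changed upstream archive fails the
    # build instead of being shipped silently.
    paho = pkgs.fetchFromGitHub {
      owner = "eclipse";
      repo = "paho.mqtt.javascript";
      rev = "v1.0.3";
      sha256 = "1b2dyiydlg7fh9b2lmm4vl46czspkzaflq5caawhgzqdqcz169jb";
    };
    # Interpolating this path below copies the whole module directory into the
    # world-readable store, so no secret material may live next to this file.
    repo = ./.;
    # Directory tree served by nginx: the favicon, the index page and the
    # pinned MQTT client library, all as symlinks into the store.
    static-files = pkgs.runCommandNoCC "${name}-static-files" {} ''
      mkdir -p $out
      pushd $out
      mkdir -p static;
      ln -s ${repo}/lights_web/static/favicon.png static/
      ln -s ${repo}/lights_web/static/index.html index.html
      ln -s ${paho}/src/paho-mqtt.js static/paho-mqtt.js
      popd
    '';
    lights-web = pkgs.python3Packages.callPackage ./default.nix {};
    user = name;
    python = pkgs.python3.withPackages (pp:[ lights-web pp.gunicorn ]);
    # Both directories keep their trailing slash; every use below appends the
    # file name directly so the resulting paths contain no doubled slash.
    socket_dir = "/run/${name}/";
    secrets_dir = "/run/secrets/${name}/";
    # Removes the runtime copies of the secrets and the socket directory.
    cleanup-script = pkgs.writeShellScript "${name}-cleanup" ''
      rm -rf "${secrets_dir}"
      rm -rf "${socket_dir}"
    '';
    # Runs before the service starts. The secrets source path is plain text
    # inside the script, so the file is read at start-up and is not copied
    # into the Nix store at evaluation time.
    prepare-script = pkgs.writeShellScript "${name}-prepare" ''
      # Stop at the first failing step so the service is not started with a
      # missing secrets file or a missing socket directory.
      set -e
      ${cleanup-script}
      # Secrets directory: readable and searchable by the service user only.
      ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory ${secrets_dir}
      # The source file is the last argument of this command. It must not end
      # in a line continuation, otherwise the following install invocation is
      # parsed as further arguments of this one.
      ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t ${secrets_dir} \
        /etc/nixos/secrets/${name}/secrets.yaml
      # Socket directory: private to the service user, with one ACL entry
      # that lets the nginx account traverse it to reach the socket.
      ${pkgs.coreutils}/bin/install --owner=${user} --mode=700 --directory ${socket_dir}
      ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
    '';
  in mkIf cfg.enable {
    users.users."${user}" = {
      # NOTE(review): the service account joins the shared "users" group and
      # gets the default login shell; confirm both are needed, since a
      # dedicated group and no shell would narrow what this account can reach.
      group = "users";
      useDefaultShell = true;
      isSystemUser = true;
    };
    systemd.services."${name}" = {
      description = "Web interface for switching HS lights";
      wantedBy = [ "multi-user.target" ];
      environment = {
        LIGHTS_WEB_SECRETS="${secrets_dir}secrets.yaml";
        LIGHTS_WEB_CONFIG=settingsFile;
      };
      # NOTE(review): no systemd sandboxing options are set; confirm which of
      # NoNewPrivileges=, ProtectSystem= and PrivateTmp= the application
      # tolerates before adding them.
      serviceConfig = {
        User = "${user}";
        Type = "simple";
        ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}web.sock lights_web:app()";
        # The "!" prefix makes systemd run these two scripts with elevated
        # privileges rather than as User=, which the chown-style install
        # calls and the removal of the /run directories depend on.
        ExecStartPre = [ ''!${prepare-script}'' ];
        ExecStopPost = [ ''!${cleanup-script}'' ];
      };
    };
    services.nginx.virtualHosts."${cfg.domain}" =
    {
      locations."/static/" = {
        root = "${static-files}/";
        extraConfig = ''
          include ${pkgs.nginx}/conf/mime.types;
        '';
      };
      # Everything else is proxied to gunicorn over the unix socket; the path
      # matches the one gunicorn binds in ExecStart. $proxy_add_x_forwarded_for
      # appends the peer address to whatever X-Forwarded-For the client sent,
      # so only X-Real-IP is set purely by nginx.
      locations."/" = {
        proxyPass = "http://unix:${socket_dir}web.sock";
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Host $host:$server_port;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-Proto $scheme;
        '';
      };
    };
  };
}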