nixos-config/config/services/chir-rs.nix

{ lib, pkgs, config, chir-rs, system, ... }: 
let staticDir = pkgs.stdenvNoCC.mkDerivation {
  name = "static";
  buildPhase = "true";
  src = pkgs.emptyDirectory;
  installPhase = ''
    mkdir $out
    for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do
      ln -sv $f $out
    done
    ln -sv ${chir-rs.packages.${system}.art-assets} $out/img
  '';
};
auxCfg = pkgs.writeText "config.dhall" ''
${./chir-rs.dhall}
{
  staticDir = "${staticDir}",
  connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ @nixos-8gb-fsn1-1.int.chir.rs/chir_rs",
  signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,
  nodeName = "${config.networking.hostName}"
}
'';
in
{
  systemd.services.chir-rs = {
    enable = true;
    wantedBy = ["multi-user.target"];
    after = ["network.target"];
    serviceConfig = {
      Restart = "always";
      PrivateTmp = true;
      WorkingDirectory = "/tmp";
      User = "chir-rs";
      CapabilityBoundingSet = [""];
      DeviceAllow = [""];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectSystem = "strict";
      RemoveIPC = true;
      RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      UMask = "0077";
      ExeStart = ''
        ${chir-rs.packages.${system}.chir-rs} ${auxCfg}
      '';
    };
  };
  sops.secrets."services/chir-rs/database-password".owner = "chir-rs";
  sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";
    services.postgresql.ensureDatabases = [
    "chir_rs"
  ];
  services.postgresql.ensureUsers = [
    {
      name = "chir_rs";
      ensurePermissions = {
        "DATABASE chir_rs" = "ALL PRIVILEGES";
      };
    }
  ];
  services.caddy.virtualHosts."lotte-test.chir.rs" = {
    useACMEHost = "chir.rs";
    logFormat = lib.mkForce "";
    extraConfig = ''
      import baseConfig

      reverse_proxy http://[::1]:57448 {
        trusted_proxies private_ranges
      }
    '';
  };
  users.users.chir-rs = {
    description = "Chir.rs domain server";
    isSystemUser = true;
    group = "chir-rs";
  };
  users.groups.chir-rs = {};
}
update and add chir.rs 2023-09-25 18:58:50 +00:00			`{ lib, pkgs, config, chir-rs, system, ... }:`
			`let staticDir = pkgs.stdenvNoCC.mkDerivation {`
			`name = "static";`
			`buildPhase = "true";`
			`src = pkgs.emptyDirectory;`
			`installPhase = ''`
			`mkdir $out`
			`for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do`
			`ln -sv $f $out`
			`done`
			`ln -sv ${chir-rs.packages.${system}.art-assets} $out/img`
			`'';`
			`};`
			`auxCfg = pkgs.writeText "config.dhall" ''`
			`${./chir-rs.dhall}`
			`{`
			`staticDir = "${staticDir}",`
			`connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ @nixos-8gb-fsn1-1.int.chir.rs/chir_rs",`
			`signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,`
			`nodeName = "${config.networking.hostName}"`
			`}`
			`'';`
			`in`
			`{`
			`systemd.services.chir-rs = {`
			`enable = true;`
			`wantedBy = ["multi-user.target"];`
			`after = ["network.target"];`
			`serviceConfig = {`
			`Restart = "always";`
			`PrivateTmp = true;`
			`WorkingDirectory = "/tmp";`
			`User = "chir-rs";`
			`CapabilityBoundingSet = [""];`
			`DeviceAllow = [""];`
			`LockPersonality = true;`
			`MemoryDenyWriteExecute = true;`
			`NoNewPrivileges = true;`
			`PrivateDevices = true;`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`ProtectKernelLogs = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelTunables = true;`
			`ProtectSystem = "strict";`
			`RemoveIPC = true;`
			`RestrictAddressFamilies = ["AF_INET" "AF_INET6"];`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`RestrictSUIDSGID = true;`
			`SystemCallArchitectures = "native";`
			`UMask = "0077";`
			`ExeStart = ''`
			`${chir-rs.packages.${system}.chir-rs} ${auxCfg}`
			`'';`
			`};`
			`};`
			`sops.secrets."services/chir-rs/database-password".owner = "chir-rs";`
			`sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";`
			`services.postgresql.ensureDatabases = [`
			`"chir_rs"`
			`];`
			`services.postgresql.ensureUsers = [`
			`{`
			`name = "chir_rs";`
			`ensurePermissions = {`
			`"DATABASE chir_rs" = "ALL PRIVILEGES";`
			`};`
			`}`
			`];`
			`services.caddy.virtualHosts."lotte-test.chir.rs" = {`
			`useACMEHost = "chir.rs";`
			`logFormat = lib.mkForce "";`
			`extraConfig = ''`
			`import baseConfig`

			`reverse_proxy http://[::1]:57448 {`
			`trusted_proxies private_ranges`
			`}`
			`'';`
			`};`
			`users.users.chir-rs = {`
			`description = "Chir.rs domain server";`
			`isSystemUser = true;`
			`group = "chir-rs";`
			`};`
			`users.groups.chir-rs = {};`
			`}`