2023-01-13 19:20:47 +00:00
|
|
|
{
|
|
|
|
pkgs,
|
|
|
|
system,
|
|
|
|
chir-rs,
|
|
|
|
config,
|
|
|
|
...
|
|
|
|
}: let
|
|
|
|
d = "$";
|
|
|
|
dhallConfig = ''
|
|
|
|
let password = ${config.sops.secrets."services/chir-rs/auth/password".path} as Text
|
|
|
|
let BaseConfig =
|
|
|
|
{ Type =
|
|
|
|
{ database_url : Text
|
|
|
|
, listen_addr : Text
|
|
|
|
, redis_url : Text
|
2023-03-11 08:47:09 +00:00
|
|
|
, asset_path : Text
|
2023-01-13 19:20:47 +00:00
|
|
|
}
|
|
|
|
, default.listen_addr = "[::1]:5621"
|
|
|
|
}
|
|
|
|
|
|
|
|
in BaseConfig::{
|
2023-01-14 12:01:31 +00:00
|
|
|
, database_url = "postgres://auth_chir_rs:${d}{password}@nixos-8gb-fsn1-1.int.chir.rs"
|
2023-03-11 16:52:07 +00:00
|
|
|
, listen_addr = "127.0.0.1:7954"
|
2023-01-14 12:01:31 +00:00
|
|
|
, redis_url = "redis://${d}{password}@nixos-8gb-fsn1-1.int.chir.rs:53538/0"
|
2023-03-11 12:49:43 +00:00
|
|
|
, asset_path = "${chir-rs.packages.${system}.chir-rs-auth-web}"
|
2023-01-13 19:20:47 +00:00
|
|
|
}
|
|
|
|
'';
|
|
|
|
in {
|
|
|
|
systemd.services.auth-chir-rs = {
|
|
|
|
description = "auth.chir.rs";
|
|
|
|
after = ["network.target"];
|
|
|
|
wantedBy = ["multi-user.target"];
|
|
|
|
script = ''
|
|
|
|
export CONFIG_FILE=${pkgs.writeText "config.dhall" dhallConfig}
|
2023-03-11 16:43:23 +00:00
|
|
|
export RUST_LOG=info
|
2023-01-13 19:20:47 +00:00
|
|
|
exec ${chir-rs.packages.${system}.chir-rs-auth}/bin/chir-rs-auth
|
|
|
|
'';
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "simple";
|
|
|
|
User = "auth-chir-rs";
|
|
|
|
Group = "auth-chir-rs";
|
|
|
|
Restart = "always";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
sops.secrets."services/chir-rs/auth/password".owner = "auth-chir-rs";
|
|
|
|
users.users.auth-chir-rs = {
|
|
|
|
description = "auth.chir.rs";
|
|
|
|
home = "/var/empty";
|
|
|
|
useDefaultShell = true;
|
|
|
|
group = "auth-chir-rs";
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
users.groups.auth-chir-rs = {};
|
|
|
|
services.postgresql.ensureDatabases = [
|
|
|
|
"auth_chir_rs"
|
|
|
|
];
|
|
|
|
services.postgresql.ensureUsers = [
|
|
|
|
{
|
|
|
|
name = "auth_chir_rs";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE auth_chir_rs" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
|
|
|
services.redis.servers."auth_chir_rs" = {
|
2023-01-14 12:01:31 +00:00
|
|
|
enable = config.networking.hostName == "nixos-8gb-fsn1-1";
|
2023-01-13 19:20:47 +00:00
|
|
|
port = 53538;
|
|
|
|
save = [];
|
2023-01-14 12:01:31 +00:00
|
|
|
requirePassFile = config.sops.secrets."services/chir-rs/auth/password".path;
|
2023-03-11 17:05:33 +00:00
|
|
|
bind = null;
|
2023-01-13 19:20:47 +00:00
|
|
|
};
|
2023-01-14 12:01:31 +00:00
|
|
|
networking.firewall.interfaces."wg0".allowedTCPPorts = [53538];
|
2023-01-15 11:12:01 +00:00
|
|
|
services.caddy.virtualHosts."auth.chir.rs" = {
|
|
|
|
useACMEHost = "chir.rs";
|
|
|
|
logFormat = pkgs.lib.mkForce "";
|
|
|
|
extraConfig = ''
|
|
|
|
import baseConfig
|
|
|
|
|
2023-03-11 16:52:07 +00:00
|
|
|
reverse_proxy http://127.0.0.1:7954 {
|
2023-01-15 11:12:01 +00:00
|
|
|
trusted_proxies private_ranges
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
2023-01-13 19:20:47 +00:00
|
|
|
}
|