nixos-config/config/services/chir.rs/auth.nix

{
  pkgs,
  system,
  chir-rs,
  config,
  ...
}: let
  # Path of the sops-managed secret. Only this *path* is embedded in the
  # generated configuration; Dhall reads the file when the service starts,
  # so the world-readable Nix store copy of config.dhall never carries the
  # secret value itself.
  passwordFile = config.sops.secrets."services/chir-rs/auth/password".path;

  # Dhall configuration handed to chir-rs-auth through CONFIG_FILE.
  # `''${` is Nix's escape for a literal `${`, so Dhall receives `${password}`.
  # NOTE(review): one secret does double duty as the Postgres password and the
  # Redis requirepass (services.redis below); compromising either service
  # yields the credential for the other.
  # NOTE(review): `as Text` imports the file verbatim -- a trailing newline or
  # URL-reserved characters in the secret would land inside the URLs; confirm
  # how the secret is stored.
  dhallConfig = ''
    let password = ${passwordFile} as Text
    let BaseConfig =
          { Type =
              { database_url : Text
              , listen_addr : Text
              , redis_url : Text
              , asset_path : Text
              }
          , default.listen_addr = "[::1]:5621"
          }
    in  BaseConfig::{
        , database_url = "postgres://auth_chir_rs:''${password}@nixos-8gb-fsn1-1.int.chir.rs"
        , listen_addr = "127.0.0.1:7954"
        , redis_url = "redis://''${password}@nixos-8gb-fsn1-1.int.chir.rs:53538/0"
        , asset_path = "${chir-rs.packages.${system}.chir-rs-auth-web}"
        }
  '';
in {
  systemd.services.auth-chir-rs = {
    description = "auth.chir.rs";
    after = ["network.target"];
    wantedBy = ["multi-user.target"];
    # config.dhall is materialised in the Nix store at build time; it holds the
    # secret's path, not its contents (see dhallConfig above).
    script = ''
      export CONFIG_FILE=${pkgs.writeText "config.dhall" dhallConfig}
      export RUST_LOG=info
      exec ${chir-rs.packages.${system}.chir-rs-auth}/bin/chir-rs-auth
    '';
    serviceConfig = {
      Type = "simple";
      # Dedicated unprivileged account; must match the sops secret owner below
      # or the service cannot read the password file.
      User = "auth-chir-rs";
      Group = "auth-chir-rs";
      Restart = "always";
      # NOTE(review): no systemd sandboxing directives (NoNewPrivileges,
      # ProtectSystem, PrivateTmp, ...) are set here; worth adding once the
      # binary's runtime filesystem needs have been confirmed.
    };
  };

  # Grant the service account read access to the shared secret.
  sops.secrets."services/chir-rs/auth/password".owner = "auth-chir-rs";

  users = {
    users.auth-chir-rs = {
      description = "auth.chir.rs";
      home = "/var/empty";
      useDefaultShell = true;
      group = "auth-chir-rs";
      isSystemUser = true;
    };
    groups.auth-chir-rs = {};
  };

  services.postgresql = {
    ensureDatabases = ["auth_chir_rs"];
    # NOTE(review): ensureUsers creates the role and grants privileges but does
    # not set its password; the password referenced in database_url is
    # presumably applied out of band -- verify on the database host.
    ensureUsers = [
      {
        name = "auth_chir_rs";
        ensurePermissions = {
          "DATABASE auth_chir_rs" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  services.redis.servers."auth_chir_rs" = {
    # The Redis instance runs on a single host; any other host importing this
    # module reaches it over the network at nixos-8gb-fsn1-1.int.chir.rs:53538
    # (see redis_url above).
    enable = config.networking.hostName == "nixos-8gb-fsn1-1";
    port = 53538;
    save = [];
    # Same secret as the Postgres password (see dhallConfig).
    requirePassFile = passwordFile;
    # bind = null listens on every interface, so reachability is decided by
    # the firewall rule below rather than by Redis itself.
    bind = null;
  };

  # Expose Redis on the wg0 interface only; other interfaces stay closed
  # assuming the NixOS firewall is enabled with its default-deny policy.
  networking.firewall.interfaces."wg0".allowedTCPPorts = [53538];

  services.caddy.virtualHosts."auth.chir.rs" = {
    useACMEHost = "chir.rs";
    # NOTE(review): forcing an empty logFormat appears to disable access
    # logging for this host; for an authentication endpoint, confirm requests
    # are recorded elsewhere before relying on that.
    logFormat = pkgs.lib.mkForce "";
    # Upstream matches listen_addr in dhallConfig. X-Forwarded-* headers are
    # honoured only for requests arriving from private-range addresses.
    extraConfig = ''
      import baseConfig
      reverse_proxy http://127.0.0.1:7954 {
        trusted_proxies private_ranges
      }
    '';
  };
}