2024-10-04 10:14:05 +02:00
|
|
|
{
|
|
|
|
lib,
|
|
|
|
pkgs,
|
|
|
|
config,
|
|
|
|
chir-rs,
|
|
|
|
system,
|
|
|
|
...
|
|
|
|
}: let
|
|
|
|
staticDir = pkgs.stdenvNoCC.mkDerivation {
|
|
|
|
name = "static";
|
|
|
|
buildPhase = "true";
|
|
|
|
src = pkgs.emptyDirectory;
|
|
|
|
installPhase = ''
|
|
|
|
mkdir $out
|
|
|
|
for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do
|
|
|
|
ln -sv $f $out
|
|
|
|
done
|
|
|
|
ln -sv ${chir-rs.packages.${system}.art-assets} $out/img
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
auxCfg = pkgs.writeText "config.dhall" ''
|
|
|
|
${./chir-rs.dhall} {
|
|
|
|
staticDir = "${staticDir}",
|
|
|
|
connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ "@nixos-8gb-fsn1-1.int.chir.rs/chir_rs",
|
|
|
|
signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,
|
|
|
|
nodeName = "${config.networking.hostName}"
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
in {
|
|
|
|
systemd.services.chir-rs = {
|
|
|
|
enable = true;
|
|
|
|
wantedBy = ["multi-user.target"];
|
|
|
|
after = ["network.target"];
|
|
|
|
serviceConfig = {
|
|
|
|
Restart = "always";
|
|
|
|
PrivateTmp = true;
|
|
|
|
WorkingDirectory = "/tmp";
|
|
|
|
User = "chir-rs";
|
|
|
|
CapabilityBoundingSet = [""];
|
|
|
|
DeviceAllow = [""];
|
|
|
|
LockPersonality = true;
|
|
|
|
MemoryDenyWriteExecute = true;
|
|
|
|
NoNewPrivileges = true;
|
|
|
|
PrivateDevices = true;
|
|
|
|
ProtectClock = true;
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
ProtectHome = true;
|
|
|
|
ProtectHostname = true;
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
ProtectSystem = "strict";
|
|
|
|
RemoveIPC = true;
|
|
|
|
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
RestrictRealtime = true;
|
|
|
|
RestrictSUIDSGID = true;
|
|
|
|
SystemCallArchitectures = "native";
|
|
|
|
UMask = "0077";
|
|
|
|
ExecStart = ''
|
|
|
|
${chir-rs.packages.${system}.chir-rs}/bin/chir-rs
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
environment = {
|
|
|
|
CHIR_RS_CONFIG = "${auxCfg}";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
sops.secrets."services/chir-rs/database-password".owner = "chir-rs";
|
|
|
|
sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";
|
|
|
|
services.postgresql.ensureDatabases = [
|
|
|
|
"chir_rs"
|
|
|
|
];
|
|
|
|
services.postgresql.ensureUsers = [
|
|
|
|
{
|
|
|
|
name = "chir_rs";
|
2024-10-04 10:26:26 +02:00
|
|
|
ensureDBOwnership = true;
|
2024-10-04 10:14:05 +02:00
|
|
|
}
|
|
|
|
];
|
|
|
|
services.caddy.virtualHosts."lotte-test.chir.rs" = {
|
|
|
|
useACMEHost = "chir.rs";
|
|
|
|
logFormat = lib.mkForce "";
|
|
|
|
extraConfig = ''
|
|
|
|
import baseConfig
|
|
|
|
|
|
|
|
reverse_proxy http://127.0.0.1:62936 {
|
|
|
|
trusted_proxies private_ranges
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
users.users.chir-rs = {
|
|
|
|
description = "Chir.rs domain server";
|
|
|
|
isSystemUser = true;
|
|
|
|
group = "chir-rs";
|
|
|
|
};
|
|
|
|
users.groups.chir-rs = {};
|
|
|
|
}
|