nixos-config/config/services/chir-rs.nix

90 lines
No EOL
2.5 KiB
Nix

{ lib, pkgs, config, chir-rs, system, ... }:
let staticDir = pkgs.stdenvNoCC.mkDerivation {
name = "static";
buildPhase = "true";
src = pkgs.emptyDirectory;
installPhase = ''
mkdir $out
for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do
ln -sv $f $out
done
ln -sv ${chir-rs.packages.${system}.art-assets} $out/img
'';
};
auxCfg = pkgs.writeText "config.dhall" ''
${./chir-rs.dhall}
{
staticDir = "${staticDir}",
connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ @nixos-8gb-fsn1-1.int.chir.rs/chir_rs",
signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,
nodeName = "${config.networking.hostName}"
}
'';
in
{
systemd.services.chir-rs = {
enable = true;
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Restart = "always";
PrivateTmp = true;
WorkingDirectory = "/tmp";
User = "chir-rs";
CapabilityBoundingSet = [""];
DeviceAllow = [""];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
ExeStart = ''
${chir-rs.packages.${system}.chir-rs} ${auxCfg}
'';
};
};
sops.secrets."services/chir-rs/database-password".owner = "chir-rs";
sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";
services.postgresql.ensureDatabases = [
"chir_rs"
];
services.postgresql.ensureUsers = [
{
name = "chir_rs";
ensurePermissions = {
"DATABASE chir_rs" = "ALL PRIVILEGES";
};
}
];
services.caddy.virtualHosts."lotte-test.chir.rs" = {
useACMEHost = "chir.rs";
logFormat = lib.mkForce "";
extraConfig = ''
import baseConfig
reverse_proxy http://[::1]:57448 {
trusted_proxies private_ranges
}
'';
};
users.users.chir-rs = {
description = "Chir.rs domain server";
isSystemUser = true;
group = "chir-rs";
};
users.groups.chir-rs = {};
}