nixos-config/config/services/chir-rs.nix

96 lines
2.6 KiB
Nix

{
lib,
pkgs,
config,
chir-rs,
system,
...
}: let
staticDir = pkgs.stdenvNoCC.mkDerivation {
name = "static";
buildPhase = "true";
src = pkgs.emptyDirectory;
installPhase = ''
mkdir $out
for f in ${chir-rs.packages.${system}.chir-rs-fe}/*; do
ln -sv $f $out
done
ln -sv ${chir-rs.packages.${system}.art-assets} $out/img
'';
};
auxCfg = pkgs.writeText "config.dhall" ''
${./chir-rs.dhall} {
staticDir = "${staticDir}",
connectionString = "postgres://chir_rs:" ++ (${config.sops.secrets."services/chir-rs/database-password".path} as Text) ++ "@nixos-8gb-fsn1-1.int.chir.rs/chir_rs",
signUpKey = ${config.sops.secrets."services/chir-rs/signup-secret".path} as Text,
nodeName = "${config.networking.hostName}"
}
'';
in {
systemd.services.chir-rs = {
enable = true;
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Restart = "always";
PrivateTmp = true;
WorkingDirectory = "/tmp";
User = "chir-rs";
CapabilityBoundingSet = [""];
DeviceAllow = [""];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
UMask = "0077";
ExecStart = ''
${chir-rs.packages.${system}.chir-rs}/bin/chir-rs
'';
};
environment = {
CHIR_RS_CONFIG = "${auxCfg}";
};
};
sops.secrets."services/chir-rs/database-password".owner = "chir-rs";
sops.secrets."services/chir-rs/signup-secret".owner = "chir-rs";
services.postgresql.ensureDatabases = [
"chir_rs"
];
services.postgresql.ensureUsers = [
{
name = "chir_rs";
ensureDBOwnership = true;
}
];
services.caddy.virtualHosts."lotte-test.chir.rs" = {
useACMEHost = "chir.rs";
logFormat = lib.mkForce "";
extraConfig = ''
import baseConfig
reverse_proxy http://127.0.0.1:62936 {
trusted_proxies private_ranges
}
'';
};
users.users.chir-rs = {
description = "Chir.rs domain server";
isSystemUser = true;
group = "chir-rs";
};
users.groups.chir-rs = {};
}