nixos-config/config/services/chir.rs/auth.nix

80 lines
2.1 KiB
Nix

{
pkgs,
system,
chir-rs,
config,
...
}: let
d = "$";
dhallConfig = ''
let password = ${config.sops.secrets."services/chir-rs/auth/password".path} as Text
let BaseConfig =
{ Type =
{ database_url : Text
, listen_addr : Text
, redis_url : Text
}
, default.listen_addr = "[::1]:5621"
}
in BaseConfig::{
, database_url = "postgres://auth_chir_rs:${d}{password}@nixos-8gb-fsn1-1.int.chir.rs"
, listen_addr = "[::1]:7954"
, redis_url = "redis://${d}{password}@nixos-8gb-fsn1-1.int.chir.rs:53538/0"
}
'';
in {
systemd.services.auth-chir-rs = {
description = "auth.chir.rs";
after = ["network.target"];
wantedBy = ["multi-user.target"];
script = ''
export CONFIG_FILE=${pkgs.writeText "config.dhall" dhallConfig}
exec ${chir-rs.packages.${system}.chir-rs-auth}/bin/chir-rs-auth
'';
serviceConfig = {
Type = "simple";
User = "auth-chir-rs";
Group = "auth-chir-rs";
Restart = "always";
};
};
sops.secrets."services/chir-rs/auth/password".owner = "auth-chir-rs";
users.users.auth-chir-rs = {
description = "auth.chir.rs";
home = "/var/empty";
useDefaultShell = true;
group = "auth-chir-rs";
isSystemUser = true;
};
users.groups.auth-chir-rs = {};
services.postgresql.ensureDatabases = [
"auth_chir_rs"
];
services.postgresql.ensureUsers = [
{
name = "auth_chir_rs";
ensurePermissions = {
"DATABASE auth_chir_rs" = "ALL PRIVILEGES";
};
}
];
services.redis.servers."auth_chir_rs" = {
enable = config.networking.hostName == "nixos-8gb-fsn1-1";
port = 53538;
save = [];
requirePassFile = config.sops.secrets."services/chir-rs/auth/password".path;
};
networking.firewall.interfaces."wg0".allowedTCPPorts = [53538];
services.caddy.virtualHosts."auth.chir.rs" = {
useACMEHost = "chir.rs";
logFormat = pkgs.lib.mkForce "";
extraConfig = ''
import baseConfig
reverse_proxy http://127.0.0.1:7954 {
trusted_proxies private_ranges
}
'';
};
}