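# NixOS module for the HSWAW lasercutter proxy.
#
# It builds `laserproxy` from a pinned hscloud checkout, runs it as a
# dedicated system user bound to loopback, and fronts it with an nginx
# virtual host that is the only access-control layer for the web UI.
{ pkgs, workspace, ... }:

let
  # The unit, its system user and its group all share this name.
  name = "laserproxy";
  user = name;
  group = name;

  # Building hscloud bazel from nix is often broken on master branch. Building
  # laserproxy from older hscloud is not a pretty solution, but seem like a
  # best option for now.
  # TODO use upstream laserproxy when CI testing is added
  # see https://issues.hackerspace.pl/issues/9
  #
  # The checkout is pinned by both a full commit hash and a fixed output
  # hash, so the binary cannot change without editing both values here.
  laserproxy =
    let
      old = pkgs.fetchgit {
        url = "https://gerrit.hackerspace.pl/hscloud.git";
        rev = "5319e611b2be9241c01994eb8e42bd349bb6eabb";
        sha256 = "sha256-KdVAlaXHW2CE2kJoOT0jJ+a20u6HPAgx5g/7ifX8iqU=";
      };
      # Copy of the pinned checkout with two local fixes applied. Files copied
      # out of the store are read-only, hence the chmod right before each file
      # that gets rewritten (the earlier blanket chmod was redundant).
      old-patched = pkgs.runCommandNoCC "hscloud" { } ''
        cp -r "${old}" "$out"

        # backport passing system to allow (pure) builds from flakes
        # (drops the original first line, which is presumably the old
        # function header, and threads `system` into the nixpkgs import)
        chmod +w "$out/default.nix"
        echo "{ system ? builtins.currentSystem, ... }@args:" > "$out/default.nix"
        sed -e '1d' -e 's/import nixpkgsSrc {/\0 inherit system; /g' "${old}/default.nix" >> "$out/default.nix"

        # hotfix failing bazel build:
        #
        #   Label '//hswaw/site:deps.bzl' is invalid because 'hswaw/site' is not
        #   a package; perhaps you meant to put the colon here:
        #   '//:hswaw/site/deps.bzl'?
        chmod +w "$out/WORKSPACE"
        sed '/hswaw.site.deps/d' "${old}/WORKSPACE" > "$out/WORKSPACE"
      '';
    in
    (import old-patched { inherit (pkgs) system; }).hswaw.laserproxy;

in
{
  users.users."${user}" = {
    group = "${group}";
    isSystemUser = true;
    # Static uid, presumably to keep ownership stable across rebuilds/hosts;
    # verify it does not collide with other fixed ids in this repository.
    uid = 1004;
  };
  users.groups."${group}" = { };

  systemd.services."${name}" = {
    description = "HSWAW lasercutter proxy";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-addresses-laser.service" ];

    serviceConfig.User = "${user}";
    serviceConfig.Type = "simple";
    serviceConfig.Restart = "always";
    serviceConfig.RestartSec = "30";
    # Judging by its name, -hspki_disable switches off the proxy's own
    # hscloud-PKI authentication, and -web_address binds the UI to loopback
    # only. The nginx allow/deny list below is therefore the sole access
    # control; keep the bind address on 127.0.0.1.
    # NOTE(review): no sandboxing directives (NoNewPrivileges, ProtectSystem,
    # PrivateTmp, ...) are set. Adding them needs knowledge of which paths
    # laserproxy writes to — confirm before enabling.
    serviceConfig.ExecStart = "${laserproxy}/bin/laserproxy -logtostderr -hspki_disable -web_address 127.0.0.1:2137";
  };

  services.nginx.virtualHosts."laser.waw.hackerspace.pl" = {
    listen = [
      # Plain HTTP on the internal address only; nothing here terminates TLS,
      # so traffic to the proxy is unencrypted on the 10/8 network.
      { addr = "10.8.1.2"; port = 80; ssl = false; }
      # TODO fix certs / virtual hosts on customs and enable this
      # { addr = "10.8.1.2"; port = 443; ssl = true; }
    ];
    locations."/" = {
      proxyPass = "http://127.0.0.1:2137/";
      extraConfig = ''
        proxy_set_header Host $host;
        # X-Real-IP is the TCP peer address nginx actually saw.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client supplied, so the upstream must not base access decisions
        # on that header.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Access control for the whole UI: 10/8 only, first match wins.
        # nginx evaluates allow/deny against the peer address, not forwarded
        # headers; if another proxy or NAT were ever placed in front of this
        # host, every client would appear to come from that hop and this list
        # would need revisiting.
        allow 10.0.0.0/8;
        deny all;
      '';
    };
  };
}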