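# NixOS module for the checkinator "at" web interface: a Flask app served by
# gunicorn over a unix socket, fronted by nginx with ACME TLS.
#
# Filesystem layout this module manages:
#   /etc/nixos/secrets/checkinator-web/  - secret sources, read as root at start
#   /mnt/secrets/checkinator-web/        - per-run copy owned by the service user,
#                                          wiped again in ExecStopPost
#   /var/checkinator-web/at.db           - sqlite state, schema created on first start
#   /run/checkinator-web/web.sock        - gunicorn listener, reachable only by
#                                          the service user and nginx
{ pkgs, workspace, ... }:

let
  hscloud = workspace;
  checkinator = hscloud.hswaw.checkinator;

  name = "checkinator-web";
  user = name;
  group = name;

  # Every path is derived from `name` so the three consumers (prepare script,
  # YAML config, systemd unit) cannot drift apart.
  state_dir = "/var/${name}";
  secrets_src = "/etc/nixos/secrets/${name}";
  secrets_dir = "/mnt/secrets/${name}";
  socket_dir = "/run/${name}";
  socket = "${socket_dir}/web.sock";

  # Interpreter with the app and gunicorn from the same package set.
  python = pkgs.python3.withPackages (ppackages: with ppackages; [
    checkinator
    gunicorn
  ]);

  # Runs as root (ExecStartPre with the "!" prefix) before every start.
  prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
    # Fail closed: a missing or unreadable secret must abort the start instead
    # of leaving the service running with a half-populated secrets directory.
    set -euo pipefail

    # Fresh, service-user-owned copy of the secrets.  500 on the directory and
    # 400 on the files: the service can read them but not modify or add to
    # them, and no other non-root user can reach them.
    ${pkgs.coreutils}/bin/rm -rf ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t ${secrets_dir} \
      ${secrets_src}/secrets.yaml \
      ${secrets_src}/ca.pem \
      ${secrets_src}/cert.pem \
      ${secrets_src}/key.pem

    # Persistent state (sqlite db), private to the service user.
    ${pkgs.coreutils}/bin/mkdir -m 700 -p ${state_dir}
    ${pkgs.coreutils}/bin/chown ${user} ${state_dir}

    # Socket directory: 700 for the service user plus an ACL entry for nginx
    # (x alone would suffice to connect through the directory; r additionally
    # lets nginx list it).  This is the trust boundary that makes the
    # X-Forwarded-* headers consumed via PROXY_FIX trustworthy: nothing but
    # nginx can reach the socket.
    ${pkgs.coreutils}/bin/mkdir -p --mode=700 ${socket_dir}
    ${pkgs.coreutils}/bin/chown ${user} ${socket_dir}
    ${pkgs.coreutils}/bin/chmod 700 ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
  '';

  # Non-secret application config.  builtins.toFile puts this in /nix/store,
  # which is world-readable, so nothing sensitive may go in here; secrets are
  # read at runtime from SECRETS_FILE and the TLS material under secrets_dir.
  config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
    # local sqlite db for storing user and MAC
    DB = "${state_dir}/at.db";

    # debug option interpreted by flask app; must stay off on a public host
    DEBUG = false;

    # url to member wiki page
    # "${login}" string is replaced by member login (uid)
    WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";

    # Presumably the address ranges from which a device may be claimed;
    # the exact semantics live in checkinator, not here.
    CLAIMABLE_PREFIXES = [
      "10.8.0."
      "2a0d:eb00:4242:0:"
    ];
    CLAIMABLE_EXCLUDE = [ ];

    SPACEAUTH_CONSUMER_KEY = "checkinator";
    # Read from the per-run root-populated copy, never from the store.
    SECRETS_FILE = "${secrets_dir}/secrets.yaml";

    # MAC prefixes (OUI-style) grouped by device class; how each class is
    # treated is defined by the app.
    SPECIAL_DEVICES = {
      kektops = [ "90:e6:ba:84" ];
      esps = [
        "ec:fa:bc" "dc:4f:22" "d8:a0:1d" "b4:e6:2d" "ac:d0:74" "a4:7b:9d"
        "a0:20:a6" "90:97:d5" "68:c6:3a" "60:01:94" "5c:cf:7f" "54:5a:a6"
        "30:ae:a4" "2c:3a:e8" "24:b2:de" "24:0a:c4" "18:fe:34" "38:2b:78"
        "bc:dd:c2" "cc:50:e3" "84:0d:8e"
      ];
      vms = [
        "52:54:00" # craptrap VMs
      ];
    };

    # Trust X-Forwarded-* / X-Real-IP from the reverse proxy.  Only safe
    # because the gunicorn socket is reachable by nginx alone (see prepare);
    # if the socket ever becomes reachable by others, these headers can be
    # spoofed.
    PROXY_FIX = true;

    # Client TLS material for the gRPC backend, presumably on loopback.
    GRPC_TLS_CERT_DIR = secrets_dir;
    GRPC_TLS_CA_CERT = "${secrets_dir}/ca.pem";
    GRPC_TLS_ADDRESS = "[::1]:2847";
  });
in {
  users.users.${user} = {
    inherit group;
    isSystemUser = true;
    # Fixed uid so on-disk ownership (state_dir, secrets copy) is stable
    # across rebuilds.  NOTE(review): 1002 lies in the regular-user range and
    # must not collide with a normal account on this host.
    uid = 1002;
  };
  users.groups.${group} = {};

  systemd.services.${name} = {
    description = "Hackerspace Checkinator web interface";
    wantedBy = [ "multi-user.target" ];

    environment = {
      CHECKINATOR_WEB_CONFIG = config;
    };

    serviceConfig = {
      Type = "simple";
      User = user;
      # Fixed from `workingDirectory`: systemd unit keys are case-sensitive and
      # an unknown key is logged and ignored, so the old spelling had no effect.
      WorkingDirectory = checkinator;

      ExecStartPre = [
        # "!" -> run with root credentials; needed to read the secret sources
        # and to chown the copies to the service user.
        "!${prepare}/bin/${name}-prepare"
        # Runs as the service user; initialises the schema only if the db
        # does not exist yet.
        (pkgs.writeShellScript "checkinator-dbsetup" ''
          if [ ! -e "${state_dir}/at.db" ]
          then
            ${pkgs.sqlite}/bin/sqlite3 ${state_dir}/at.db < ${checkinator}/dbsetup.sql
          fi
        '')
      ];
      ExecStart = "${python}/bin/gunicorn -b unix:${socket} at.webapp:app";
      # Wipe the secrets copy as root once the service has stopped.
      ExecStopPost = [
        "!${pkgs.coreutils}/bin/rm -rf ${secrets_dir}"
      ];

      # Baseline sandboxing for a network-facing process.  The "!" prefix only
      # lifts User=/Group=, so these also apply to the pre/post commands above,
      # none of which need /tmp, home directories or privilege escalation.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
    };
  };

  services.nginx.virtualHosts."at.hackerspace.pl" = {
    forceSSL = true;
    enableACME = true;

    # Static assets served straight from the store path, bypassing gunicorn.
    locations."/static/" = {
      alias = "${checkinator}/static/";
    };
    locations."/" = {
      proxyPass = "http://unix:${socket}";
      # These are the headers the app's PROXY_FIX consumes; they are only
      # trustworthy because nothing but nginx can reach the socket.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
  };
}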