{ pkgs, workspace, ... }:
let
# One identifier is reused for the systemd unit, the service account and
# that account's primary group.
name = "laserproxy";
group = name;
user = name;
# Building hscloud bazel from nix is often broken on the master branch. Building
# laserproxy from an older hscloud is not a pretty solution, but it seems like
# the best option for now.
# TODO use upstream laserproxy when CI testing is added
# see https://issues.hackerspace.pl/issues/9
laserproxy =
  let
    # Source pin: fetchgit is given both the commit id and the expected
    # content hash, so the fetch fails if the tree it receives differs.
    pinnedSrc = pkgs.fetchgit {
      url = "https://gerrit.hackerspace.pl/hscloud.git";
      rev = "5319e611b2be9241c01994eb8e42bd349bb6eabb";
      sha256 = "sha256-KdVAlaXHW2CE2kJoOT0jJ+a20u6HPAgx5g/7ifX8iqU=";
    };

    # Writable copy of the pinned tree carrying two local edits (described by
    # the shell comments inside the script): default.nix gains a `system`
    # argument, and WORKSPACE loses every line matching hswaw.site.deps.
    # NOTE(review): both sed edits are pattern-based and report no error when
    # a pattern stops matching, so re-check them whenever `rev` is bumped.
    patchedSrc = pkgs.runCommandNoCC "hscloud" { } ''
      cp -r "${pinnedSrc}" $out
      chmod +w $out/WORKSPACE $out/default.nix
      # backport passing system to allow (pure) builds from flakes
      chmod +w $out/default.nix
      echo "{ system ? builtins.currentSystem, ... }@args:" > $out/default.nix
      sed -e '1d' -e 's/import nixpkgsSrc {/\0 inherit system; /g' ${pinnedSrc}/default.nix >> $out/default.nix
      # hotfix failing bazel build:
      #
      # Label '//hswaw/site:deps.bzl' is invalid because 'hswaw/site' is not
      # a package; perhaps you meant to put the colon here:
      # '//:hswaw/site/deps.bzl'?
      chmod +w $out/WORKSPACE
      sed '/hswaw.site.deps/d' "${pinnedSrc}/WORKSPACE" > $out/WORKSPACE
    '';

    # Evaluate the patched checkout for the same platform as `pkgs`.
    hscloud = import patchedSrc { system = pkgs.system; };
  in
  hscloud.hswaw.laserproxy;
in
{
# Dedicated system account and group that the laserproxy unit runs under.
# NOTE(review): the uid is pinned to 1004 — confirm it does not collide with
# another account on this host.
users.groups.${group} = { };
users.users.${user} = {
  isSystemUser = true;
  uid = 1004;
  inherit group;
};
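# Runs laserproxy under the dedicated account. The unit is ordered after
# network-addresses-laser.service and is restarted 30 seconds after any exit.
systemd.services.${name} = {
  description = "HSWAW lasercutter proxy";
  wantedBy = [ "multi-user.target" ];
  after = [ "network-addresses-laser.service" ];
  serviceConfig = {
    User = user;
    Type = "simple";
    Restart = "always";
    RestartSec = "30";
    # The web listener binds to loopback only (127.0.0.1:2137); the nginx
    # virtual host in this module is what makes it reachable from the network.
    # NOTE(review): -hspki_disable presumably switches off the HSPKI
    # certificate checks for the daemon's RPC endpoint — confirm that
    # endpoint is not reachable from other hosts.
    ExecStart = "${laserproxy}/bin/laserproxy -logtostderr -hspki_disable -web_address 127.0.0.1:2137";

    # Sandboxing for a network-only daemon that logs to stderr: no privilege
    # gain through setuid binaries, a private /tmp and /dev, and a read-only
    # view of the rest of the file system. Network access is left untouched.
    NoNewPrivileges = true;
    PrivateTmp = true;
    PrivateDevices = true;
    ProtectSystem = "strict";
    ProtectHome = true;
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    RestrictSUIDSGID = true;
  };
};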
# Front end for the laserproxy web UI: plain HTTP on 10.8.1.2:80, proxied to
# the loopback listener at 127.0.0.1:2137.
# Access control is the allow/deny pair at the end of extraConfig: only peers
# whose address is inside 10.0.0.0/8 are served, everything else is refused.
# NOTE(review): X-Forwarded-For is built with $proxy_add_x_forwarded_for,
# which appends to whatever value the client sent, while X-Real-IP is set
# from $remote_addr. Confirm which header laserproxy reads to identify the
# client; only the nginx-set address should be trusted for that.
services.nginx.virtualHosts."laser.waw.hackerspace.pl" = {
  listen = [
    {
      addr = "10.8.1.2";
      port = 80;
      ssl = false;
    }
    # TODO fix certs / virtual hosts on customs and enable this
    # { addr = "10.8.1.2"; port = 443; ssl = true; }
  ];
  locations = {
    "/" = {
      proxyPass = "http://127.0.0.1:2137/";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        allow 10.0.0.0/8;
        deny all;
      '';
    };
  };
};
}