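{ pkgs, workspace, ... }:
let
  # The hscloud workspace exposes the tracker package under hswaw.
  hscloud = workspace;
  checkinator = hscloud.hswaw.checkinator;
  # Service, user and group share one name; the secrets and socket
  # directories below are derived from it.
  name = "checkinator-tracker";
  user = name;
  group = name;
  # No trailing slash: GRPC_UNIX_SOCKET is built as "${socket_dir}/..." and
  # would otherwise contain a doubled "//" in the socket path.
  socket_dir = "/run/${name}";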
prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
rm -rf /mnt/secrets/${name}
${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory /mnt/secrets/${name}
${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t /mnt/secrets/${name} \
/etc/nixos/secrets/${name}/ca.pem \
/etc/nixos/secrets/${name}/cert.pem \
/etc/nixos/secrets/${name}/key.pem
rm -rf ${socket_dir}
mkdir --mode=700 ${socket_dir}
${pkgs.acl}/bin/setfacl -m "u:${user}:rwx" ${socket_dir}
${pkgs.acl}/bin/setfacl -m "u:checkinator-web:rx" ${socket_dir}
'';
config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
# path to dhcpd lease file
LEASE_FILE = "/var/lib/dhcpd4/dhcpd.leases";
KEA_LEASE_FILE = "/var/lib/kea/dhcp4.leases";
DHCP_SERVER = "kea";
# timeout for old leases
TIMEOUT = 1500;
# optional - local trusted socket
GRPC_UNIX_SOCKET = "${socket_dir}/checkinator.sock";
# optional - remote authenticated (TLS cert) socket
GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-tracker";
GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-tracker/ca.pem";
GRPC_TLS_ADDRESS = "[::]:2847";
});
in {
  # Static system account for the tracker; the prepare script chowns the
  # secrets directory to it, so DynamicUser is explicitly disabled below.
  users.users.${user} = {
    inherit group;
    isSystemUser = true;
    uid = 1001;
  };
  users.groups.${group} = { };

  systemd.services.${name} = {
    description = "Hackerspace Checkinator";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = user;
      Type = "simple";
      DynamicUser = false;
      # "!" runs the helper with full privileges even though User= is set.
      ExecStartPre = [ "!${prepare}/bin/${name}-prepare" ];
      ExecStart = "${checkinator}/bin/checkinator-tracker ${config}";
      # Remove the copied secrets and the socket directory once the service stops.
      ExecStopPost = [
        "!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}"
        "!${pkgs.coreutils}/bin/rm -rf ${socket_dir}"
      ];
    };
  };

  environment.systemPackages = [ checkinator ];
}