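{ config, lib, pkgs, ... }:

# NixOS module for the hswaw "doorman" LDAP proxy: a gunicorn-served Python
# application (built from ./default.nix) whose LDAP bind password is read from
# a file at service start and handed to the unprivileged service user.
let
  cfg = config.hswaw.doorman-proxy;
  inherit (lib) types;

  # Service, user and group share one name so ownership of the runtime
  # directory and of the copied secret is unambiguous.
  name = "doorman-proxy";
  user = name;
  group = name;

  # Python environment holding the proxy itself plus the gunicorn launcher.
  python = pkgs.python3.withPackages (pp: [
    (pp.callPackage ./default.nix { })
    pp.gunicorn
  ]);

  # Location of the copied LDAP password inside the unit's runtime directory.
  # `\${` keeps ${RUNTIME_DIRECTORY} literal so systemd, not Nix, expands it.
  secrets-dir = "\${RUNTIME_DIRECTORY}/secrets";
in
{
  options.hswaw.doorman-proxy = {
    enable = lib.mkEnableOption "Doorman LDAP proxy";

    address = lib.mkOption {
      type = types.str;
      default = "127.0.0.1";
      description = "Address gunicorn binds to. Loopback by default; the proxy serves plain HTTP.";
    };

    port = lib.mkOption {
      # types.port restricts the value to a valid TCP port instead of any int.
      type = types.port;
      default = 8080;
      description = "TCP port gunicorn binds to.";
    };

    password-file = lib.mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to a file holding the LDAP bind password. It is read as root when
        the service starts and copied (mode 0700, owned by the service user)
        into the service's runtime directory. Must be set when the service is
        enabled.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # The second ExecStartPre step copies cfg.password-file unconditionally; with
    # the null default that becomes `install "" ...` and a confusing start-up
    # failure. Fail at evaluation time instead.
    assertions = [
      {
        assertion = cfg.password-file != null;
        message = "hswaw.doorman-proxy.password-file must be set when hswaw.doorman-proxy.enable is true";
      }
    ];

    users.users.${user} = {
      inherit group;
      useDefaultShell = true;
      isSystemUser = true;
    };
    users.groups.${group} = { };

    systemd.services.${name} = {
      description = "Hackerspace Access Control Ldap Proxy";
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        User = user;
        Type = "simple";
        DynamicUser = false;

        # gunicorn runs in the foreground as the unit's main process, so its
        # exit must take the unit down and trigger a restart. RemainAfterExit
        # (dropped here) would instead keep a dead proxy reported as "active".
        Restart = "on-failure";

        # /run/doorman-proxy, created by systemd and owned by the service user.
        # Mode 0700 keeps the chdir target and the copied secret private to that
        # user from the moment the directory exists.
        RuntimeDirectory = name;
        RuntimeDirectoryMode = "0700";

        # Both steps run with full privileges (leading `!`) because the password
        # file is normally readable by root only; the copy is chowned to the
        # service user so the unprivileged gunicorn process can read it.
        ExecStartPre = [
          ''!${pkgs.coreutils}/bin/install --owner=${user} --mode=700 --directory "${secrets-dir}"''
          ''!${pkgs.coreutils}/bin/install --owner=${user} --mode=700 --no-target-directory "${cfg.password-file}" "${secrets-dir}/ac-ldap-password.txt"''
        ];

        # NOTE(review): --log-level debug is kept from the original unit. gunicorn
        # debug output is verbose for a service that handles credentials;
        # consider "info" once the deployment is stable.
        ExecStart = ''${python}/bin/gunicorn --log-level debug --chdir "''${RUNTIME_DIRECTORY}" --bind "${cfg.address}:${builtins.toString cfg.port}" doormanproxy:app'';

        # Sandboxing: the proxy needs only the network, its runtime directory
        # and read access to the Nix store and the password file.
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectSystem = "strict";
        ProtectHome = true;
      };
    };
  };
}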