Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 1bcaa97d870aa95fd40c769e25da6faed24a8ee3 / . / hswaw / machines / customs.hackerspace.pl / checkinator-tracker.nix
blob: 47a5a710a3006dc96f975d9f449b9a1b93c6d33f [file] [log] [blame]
vukobd124bd2021-12-28 15:05:59 +0100[diff] [blame]1{ pkgs, workspace, ... }:
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]2
3let
vukobd124bd2021-12-28 15:05:59 +0100[diff] [blame]4 hscloud = workspace;
5 checkinator = hscloud.hswaw.checkinator;
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]6
7 name = "checkinator-tracker";
8 user = name;
9 group = name;
10 socket_dir = "/run/${name}/";
11
12 prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
13 rm -rf /mnt/secrets/${name}
14 ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory /mnt/secrets/${name}
15 ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t /mnt/secrets/${name} \
16 /etc/nixos/secrets/${name}/ca.pem \
17 /etc/nixos/secrets/${name}/cert.pem \
18 /etc/nixos/secrets/${name}/key.pem
19
20 rm -rf ${socket_dir}
21 mkdir --mode=700 ${socket_dir}
22 ${pkgs.acl}/bin/setfacl -m "u:${user}:rwx" ${socket_dir}
23 ${pkgs.acl}/bin/setfacl -m "u:checkinator-web:rx" ${socket_dir}
24 '';
25 config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
vukobd124bd2021-12-28 15:05:59 +0100[diff] [blame]26 # path to dhcpd lease file
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]27 LEASE_FILE = "/var/lib/dhcpd4/dhcpd.leases";
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]28
29 # timeout for old leases
30 TIMEOUT = 1500;
31
32 # optional - local trusted socket
33 GRPC_UNIX_SOCKET = "${socket_dir}/checkinator.sock";
34
vukobd124bd2021-12-28 15:05:59 +0100[diff] [blame]35 # optional - remote authenticated (TLS cert) socket
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]36 GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-tracker";
37 GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-tracker/ca.pem";
38 GRPC_TLS_ADDRESS = "[::]:2847";
39 });
40in {
41 users.users."${user}" = {
42 group = "${group}";
Piotr Dobrowolskib6bc3e62021-10-16 21:56:59 +0200[diff] [blame]43 isSystemUser = true;
44 uid = 1001;
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]45 };
46 users.groups."${group}" = {};
47
48 systemd.services."${name}" = {
49 description = "Hackerspace Checkinator";
50 wantedBy = [ "multi-user.target" ];
51
52 serviceConfig.User = "${user}";
53 serviceConfig.Type = "simple";
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]54
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]55 serviceConfig.ExecStartPre = [
56 ''!${prepare}/bin/${name}-prepare''
57 ];
58 serviceConfig.ExecStart = "${checkinator}/bin/checkinator-tracker ${config}";
59 serviceConfig.ExecStopPost = [
60 ''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
61 ''!${pkgs.coreutils}/bin/rm -rf ${socket_dir}''
62 ];
63
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]64 serviceConfig.DynamicUser = false;
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]65 };
66 environment.systemPackages = [ checkinator ];
67}