Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 3125aa118635afeba6989bc978512ddedf54a6e2 / . / hswaw / machines / customs.hackerspace.pl / checkinator-web.nix
blob: 356064ea0b88f194d20c836a0170609df329f36e [file] [log] [blame]
vukobd124bd2021-12-28 15:05:59 +0100[diff] [blame]1{ pkgs, workspace, ... }:
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]2
3let
vukobd124bd2021-12-28 15:05:59 +0100[diff] [blame]4 hscloud = workspace;
5 checkinator = hscloud.hswaw.checkinator;
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]6
7 name = "checkinator-web";
8 user = name;
9 group = name;
10 socket_dir = "/run/${name}/";
11
Piotr Dobrowolski6c69fcd2021-10-17 00:32:25 +0200[diff] [blame]12 python = pkgs.python3.withPackages (ppackages: with ppackages; [
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]13 checkinator
Piotr Dobrowolski6c69fcd2021-10-17 00:32:25 +0200[diff] [blame]14 pkgs.python3Packages.gunicorn
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]15 ]);
16
17 prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
18 rm -rf /mnt/secrets/${name}
19 ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory /mnt/secrets/${name}
20 ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t /mnt/secrets/${name} \
21 /etc/nixos/secrets/${name}/secrets.yaml \
22 /etc/nixos/secrets/${name}/ca.pem \
23 /etc/nixos/secrets/${name}/cert.pem \
24 /etc/nixos/secrets/${name}/key.pem
25
26 ${pkgs.coreutils}/bin/mkdir -m 700 -p /var/checkinator-web/
27 ${pkgs.coreutils}/bin/chown ${user} /var/checkinator-web/
28
29 mkdir -p --mode=700 ${socket_dir}
30 chown ${user} ${socket_dir}
31 chmod 700 ${socket_dir}
32 ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
33 '';
34
35 config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
vukobd124bd2021-12-28 15:05:59 +0100[diff] [blame]36 # local sqlite db for storing user and MAC
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]37 DB = "/var/checkinator-web/at.db";
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]38
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]39 # debug option interpreted by flask app
40 DEBUG = false;
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]41
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]42 # url to member wiki page
43 # "${login}" string is replaced by member login (uid)
44 WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]45
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]46 CLAIMABLE_PREFIXES = [
47 "10.8.0."
48 "2a0d:eb00:4242:0:"
49 ];
50 CLAIMABLE_EXCLUDE = [ ];
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]51
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]52 SPACEAUTH_CONSUMER_KEY = "checkinator";
53 SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]54
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]55 SPECIAL_DEVICES = {
56 kektops = [ "90:e6:ba:84" ];
57 esps = [
58 "ec:fa:bc" "dc:4f:22" "d8:a0:1d" "b4:e6:2d" "ac:d0:74" "a4:7b:9d"
59 "a0:20:a6" "90:97:d5" "68:c6:3a" "60:01:94" "5c:cf:7f" "54:5a:a6"
60 "30:ae:a4" "2c:3a:e8" "24:b2:de" "24:0a:c4" "18:fe:34" "38:2b:78"
61 "bc:dd:c2" "cc:50:e3" "84:0d:8e"
62 ];
63 vms = [
64 "52:54:00" # craptrap VMs
65 ];
66 };
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]67
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]68 PROXY_FIX = true;
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]69
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]70 GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
71 GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
72 GRPC_TLS_ADDRESS = "[::1]:2847";
73 });
74in {
75 users.users."${user}" = {
76 group = "${group}";
Piotr Dobrowolskib6bc3e62021-10-16 21:56:59 +0200[diff] [blame]77 isSystemUser = true;
78 uid = 1002;
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]79 };
80 users.groups."${group}" = {};
81
82 systemd.services."${name}" = {
83 description = "Hackerspace Checkinator web interface";
84 wantedBy = [ "multi-user.target" ];
85
86 serviceConfig.User = "${user}";
87 serviceConfig.Type = "simple";
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]88
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]89 environment = {
90 CHECKINATOR_WEB_CONFIG=config;
91 };
92
93 serviceConfig.ExecStartPre = [
94 ''!${prepare}/bin/${name}-prepare''
95 "${pkgs.writeShellScript "checkinator-dbsetup" ''
96 if [ ! -e "/var/checkinator-web/at.db" ]
97 then
Piotr Dobrowolski6c69fcd2021-10-17 00:32:25 +0200[diff] [blame]98 ${pkgs.sqlite}/bin/sqlite3 /var/checkinator-web/at.db < ${checkinator}/dbsetup.sql
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]99 fi
100 ''}"
101 ];
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]102 serviceConfig.WorkingDirectory = checkinator;
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]103 serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
104 serviceConfig.ExecStopPost = [
105 ''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
106 ];
107
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]108 serviceConfig.DynamicUser = false;
109
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]110 };
111
112 services.nginx.virtualHosts."at.hackerspace.pl" = {
113 forceSSL = true;
114 enableACME = true;
115
116 locations."/static/" = {
Piotr Dobrowolski6c69fcd2021-10-17 00:32:25 +0200[diff] [blame]117 alias = "${checkinator}/static/";
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]118 };
119 locations."/" = {
120 proxyPass = "http://unix://${socket_dir}/web.sock";
121 extraConfig = ''
122 proxy_set_header Host $host;
123 proxy_set_header X-Real-IP $remote_addr;
124 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
vukoee8f1d52022-12-31 01:04:42 +0100[diff] [blame]125 proxy_set_header X-Forwarded-Host $host:$server_port;
126 proxy_set_header X-Forwarded-Server $host;
127 proxy_set_header X-Forwarded-Proto $scheme;
Piotr Dobrowolskia01905a2021-10-16 18:22:46 +0200[diff] [blame]128 '';
129 };
130 };
131}