# NixOS module for the Hackerspace "checkinator" web interface (at.hackerspace.pl):
# a dedicated system user/group, a gunicorn systemd service listening on a unix
# socket, and an nginx vhost that proxies to it. The application and its Python
# runtime are built from a pinned, older nixpkgs snapshot (see old-pkgs below),
# while host-level pieces (nginx, coreutils, acl, sqlite) come from the host's
# `pkgs`.
{ pkgs, ... }:

let
4 old-pkgs = import (fetchTarball {
5 sha256 = "0kdx3pz0l422d0vvvj3h8mnq65jcg2scb13dc1z1lg2a8cln842z";
6 url = https://api.github.com/repos/NixOS/nixpkgs/tarball/0bf298df24f721a7f85c580339fb7eeff64b927c;
7 }) { config = pkgs.config; };
8
9 repo = pkgs.fetchgit (builtins.fromJSON
10 (builtins.readFile ./checkinator-repo.json));
11 checkinator = old-pkgs.callPackage "${repo}/default.nix" {};
12
13 name = "checkinator-web";
14 user = name;
15 group = name;
16 socket_dir = "/run/${name}/";
17
18 python = old-pkgs.python3.withPackages (ppackages: with ppackages; [
19 checkinator
20 old-pkgs.python3Packages.gunicorn
21 ]);
22
23 prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
24 rm -rf /mnt/secrets/${name}
25 ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory /mnt/secrets/${name}
26 ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t /mnt/secrets/${name} \
27 /etc/nixos/secrets/${name}/secrets.yaml \
28 /etc/nixos/secrets/${name}/ca.pem \
29 /etc/nixos/secrets/${name}/cert.pem \
30 /etc/nixos/secrets/${name}/key.pem
31
32 ${pkgs.coreutils}/bin/mkdir -m 700 -p /var/checkinator-web/
33 ${pkgs.coreutils}/bin/chown ${user} /var/checkinator-web/
34
35 mkdir -p --mode=700 ${socket_dir}
36 chown ${user} ${socket_dir}
37 chmod 700 ${socket_dir}
38 ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
39 '';
40
41 config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
42 # local sqlite db for storing user and MAC
43 DB = "/var/checkinator-web/at.db";
44
45 # debug option interpreted by flask app
46 DEBUG = false;
47
48 # url to member wiki page
49 # "${login}" string is replaced by member login (uid)
50 WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";
51
52 CLAIMABLE_PREFIXES = [
53 "10.8.0."
54 "2a0d:eb00:4242:0:"
55 ];
56 CLAIMABLE_EXCLUDE = [ ];
57
58 SPACEAUTH_CONSUMER_KEY = "checkinator";
59 SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";
60
61 SPECIAL_DEVICES = {
62 kektops = [ "90:e6:ba:84" ];
63 esps = [
64 "ec:fa:bc" "dc:4f:22" "d8:a0:1d" "b4:e6:2d" "ac:d0:74" "a4:7b:9d"
65 "a0:20:a6" "90:97:d5" "68:c6:3a" "60:01:94" "5c:cf:7f" "54:5a:a6"
66 "30:ae:a4" "2c:3a:e8" "24:b2:de" "24:0a:c4" "18:fe:34" "38:2b:78"
67 "bc:dd:c2" "cc:50:e3" "84:0d:8e"
68 ];
69 vms = [
70 "52:54:00" # craptrap VMs
71 ];
72 };
73
74 PROXY_FIX = true;
75
76 GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
77 GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
78 GRPC_TLS_ADDRESS = "[::1]:2847";
79 });
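in {
  # Dedicated account for the gunicorn workers.
  users.users."${user}" = {
    inherit group;
    isSystemUser = true;
    # NOTE(review): a fixed uid in the regular-user range (>= 1000) is unusual
    # for a system user; confirm it cannot collide with a human account.
    uid = 1002;
  };
  users.groups."${group}" = {};

  systemd.services."${name}" = {
    description = "Hackerspace Checkinator web interface";
    wantedBy = [ "multi-user.target" ];

    serviceConfig.User = user;
    serviceConfig.Type = "simple";

    # Basic sandboxing. The service only needs to write /var/checkinator-web,
    # /mnt/secrets/<name> and the socket directory under /run, none of which
    # these directives touch; /etc is read-only but only read (secrets source).
    serviceConfig.NoNewPrivileges = true;
    serviceConfig.PrivateTmp = true;
    serviceConfig.ProtectHome = true;
    serviceConfig.ProtectSystem = "full";

    environment = {
      CHECKINATOR_WEB_CONFIG = config;
    };

    serviceConfig.ExecStartPre = [
      # "!" = run with full privileges (root) instead of User=; needed to read
      # /etc/nixos/secrets and to chown/setfacl the directories.
      ''!${prepare}/bin/${name}-prepare''
      # Runs as the service user; only initialises the sqlite schema when the
      # database does not exist yet, so existing data is never touched.
      "${pkgs.writeShellScript "checkinator-dbsetup" ''
        if [ ! -e "/var/checkinator-web/at.db" ]
        then
          ${pkgs.sqlite}/bin/sqlite3 /var/checkinator-web/at.db < ${repo}/dbsetup.sql
        fi
      ''}"
    ];
    # systemd directive names are case-sensitive: the previous
    # `workingDirectory` was ignored (with a warning) and the cwd fell back
    # to systemd's default of /.
    serviceConfig.WorkingDirectory = checkinator;
    serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
    serviceConfig.ExecStopPost = [
      # Drop the staged secrets again once the service is stopped.
      ''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
    ];
  };

  services.nginx.virtualHosts."at.hackerspace.pl" = {
    forceSSL = true;
    enableACME = true;

    # Static assets are served directly from the read-only store checkout.
    locations."/static/" = {
      alias = "${repo}/static/";
    };
    locations."/" = {
      # Documented nginx form is "unix:/path"; the extra "//" was harmless
      # but misleading.
      proxyPass = "http://unix:${socket_dir}/web.sock";
      # $proxy_add_x_forwarded_for appends $remote_addr to whatever
      # X-Forwarded-For the client sent, so the app (PROXY_FIX) must only
      # trust the rightmost, nginx-added entry; the leftmost is spoofable.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
  };
}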
135}