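{ pkgs, ... }:

let
  # nixpkgs pinned to one revision and checksum so the package build does not
  # drift with the host channel; evaluated with the host's nixpkgs config.
  old-pkgs = import (fetchTarball {
    sha256 = "0kdx3pz0l422d0vvvj3h8mnq65jcg2scb13dc1z1lg2a8cln842z";
    # Quoted: bare URL literals are deprecated Nix syntax.
    url = "https://api.github.com/repos/NixOS/nixpkgs/tarball/0bf298df24f721a7f85c580339fb7eeff64b927c";
  }) { config = pkgs.config; };

  # Source revision and hash are read from checkinator-repo.json next to this file.
  repo = pkgs.fetchgit (builtins.fromJSON
    (builtins.readFile ./checkinator-repo.json));
  checkinator = old-pkgs.callPackage "${repo}/default.nix" {};

  name = "checkinator-tracker";
  user = name;
  group = name;
  socket_dir = "/run/${name}/";
  # Per-start copy of the TLS material, readable only by the service user.
  secrets_dir = "/mnt/secrets/${name}";

  # Runs with full privileges before every start (see the "!" prefix on
  # ExecStartPre): stages the TLS files for the service user and recreates the
  # socket directory with the ACLs the tracker and the web frontend need.
  prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
    # writeShellScriptBin adds no shell options of its own; without these a
    # failed copy of e.g. key.pem would be ignored and the service would still
    # be started without its certificate material.
    set -euo pipefail

    ${pkgs.coreutils}/bin/rm -rf ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory ${secrets_dir}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t ${secrets_dir} \
      /etc/nixos/secrets/${name}/ca.pem \
      /etc/nixos/secrets/${name}/cert.pem \
      /etc/nixos/secrets/${name}/key.pem

    # Directory stays root-owned; access is granted via ACLs only.
    ${pkgs.coreutils}/bin/rm -rf ${socket_dir}
    ${pkgs.coreutils}/bin/mkdir --mode=700 ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:${user}:rwx" ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:checkinator-web:rx" ${socket_dir}
  '';

  # Written to the world-readable Nix store, so it must only ever contain
  # paths and settings — never secret material itself.
  configFile = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
    # path to dhcpd lease file
    LEASE_FILE = "/var/lib/dhcp/dhcpd.leases";

    # timeout for old leases
    TIMEOUT = 1500;

    # optional - local trusted socket
    GRPC_UNIX_SOCKET = "${socket_dir}/checkinator.sock";

    # optional - remote authenticated (TLS cert) socket
    GRPC_TLS_CERT_DIR = secrets_dir;
    GRPC_TLS_CA_CERT = "${secrets_dir}/ca.pem";
    GRPC_TLS_ADDRESS = "[::]:2847";
  });
in {
  users.users."${user}" = {
    group = "${group}";
    isSystemUser = true;
    # Statically pinned uid. NOTE(review): 1001 lies above the range NixOS
    # auto-allocates for system users — confirm it cannot collide with a
    # normal user account on this host.
    uid = 1001;
  };
  users.groups."${group}" = {};

  systemd.services."${name}" = {
    description = "Hackerspace Checkinator";
    wantedBy = [ "multi-user.target" ];

    serviceConfig.User = "${user}";
    serviceConfig.Type = "simple";

    # "!" runs the command with full privileges rather than as User; needed to
    # chown the secret copies and to manage the root-owned socket directory.
    serviceConfig.ExecStartPre = [
      ''!${prepare}/bin/${name}-prepare''
    ];
    serviceConfig.ExecStart = "${checkinator}/bin/checkinator-tracker ${configFile}";
    # Remove the staged secrets and the socket directory once the unit stops.
    serviceConfig.ExecStopPost = [
      ''!${pkgs.coreutils}/bin/rm -rf ${secrets_dir}''
      ''!${pkgs.coreutils}/bin/rm -rf ${socket_dir}''
    ];
    # NOTE(review): no systemd sandboxing options are set here; ProtectSystem,
    # PrivateTmp and NoNewPrivileges would be the usual next step, but they
    # need testing against the lease-file read and the TLS listener first.
  };
  environment.systemPackages = [ checkinator ];
}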