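# NixOS module for the Hackerspace "checkinator" web interface (at.hackerspace.pl).
#
# The Flask app from the hscloud workspace runs under gunicorn on a unix socket
# as a dedicated system user; nginx terminates TLS and proxies to that socket.
# Secret material (the spaceauth secrets.yaml and the gRPC client TLS files)
# is staged from /etc/nixos/secrets into /mnt/secrets/<name> with owner-only
# permissions for the lifetime of the service and removed again on stop.
{ pkgs, workspace, ... }:

let
  hscloud = workspace;
  checkinator = hscloud.hswaw.checkinator;

  name = "checkinator-web";
  # Dedicated system user/group.  DynamicUser is deliberately off (see the
  # service below) so /var/checkinator-web keeps a stable owner across restarts.
  user = name;
  group = name;
  # Runtime directory for the gunicorn socket.  No trailing slash: it is joined
  # as "${socket_dir}/web.sock" below and would otherwise yield "//".
  socket_dir = "/run/${name}";

  python = pkgs.python3.withPackages (ppackages: with ppackages; [
    checkinator
    pkgs.python3Packages.gunicorn
  ]);

  # Runs as root (ExecStartPre with the "!" prefix) before every start:
  # re-stages the secrets with owner-only modes, creates the state directory
  # and the socket directory.  Every binary is referenced by its store path so
  # the script does not depend on whatever PATH systemd hands it.
  prepare = pkgs.writeShellScriptBin "${name}-prepare" ''
    ${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=500 --directory /mnt/secrets/${name}
    ${pkgs.coreutils}/bin/install --owner=${user} --mode=400 -t /mnt/secrets/${name} \
        /etc/nixos/secrets/${name}/secrets.yaml \
        /etc/nixos/secrets/${name}/ca.pem \
        /etc/nixos/secrets/${name}/cert.pem \
        /etc/nixos/secrets/${name}/key.pem

    ${pkgs.coreutils}/bin/mkdir -m 700 -p /var/checkinator-web/
    ${pkgs.coreutils}/bin/chown ${user} /var/checkinator-web/

    ${pkgs.coreutils}/bin/mkdir -p --mode=700 ${socket_dir}
    ${pkgs.coreutils}/bin/chown ${user} ${socket_dir}
    ${pkgs.coreutils}/bin/chmod 700 ${socket_dir}
    ${pkgs.acl}/bin/setfacl -m "u:nginx:rx" ${socket_dir}
  '';

  # Application config, rendered to a YAML file in the Nix store and passed via
  # CHECKINATOR_WEB_CONFIG.  It holds no secret values itself; the app reads
  # those at runtime from SECRETS_FILE and the GRPC_TLS_* paths staged above.
  config = builtins.toFile "${name}-config.yaml" (pkgs.lib.generators.toYAML {} {
    # local sqlite db for storing user and MAC
    DB = "/var/checkinator-web/at.db";

    # debug option interpreted by flask app
    DEBUG = false;

    # url to member wiki page
    # "${login}" string is replaced by member login (uid)
    WIKI_URL = "https://wiki.hackerspace.pl/people:\${login}:start";

    # Address prefixes a device may be claimed from; presumably matched
    # against the client address by the app — confirm in the app itself.
    CLAIMABLE_PREFIXES = [
      "10.8.0."
      "2a0d:eb00:4242:0:"
    ];
    CLAIMABLE_EXCLUDE = [ ];

    SPACEAUTH_CONSUMER_KEY = "checkinator";
    SECRETS_FILE = "/mnt/secrets/checkinator-web/secrets.yaml";

    # MAC address prefixes of shared hardware that should not be treated as a
    # member's personal device.
    SPECIAL_DEVICES = {
      kektops = [ "90:e6:ba:84" ];
      esps = [
        "ec:fa:bc" "dc:4f:22" "d8:a0:1d" "b4:e6:2d" "ac:d0:74" "a4:7b:9d"
        "a0:20:a6" "90:97:d5" "68:c6:3a" "60:01:94" "5c:cf:7f" "54:5a:a6"
        "30:ae:a4" "2c:3a:e8" "24:b2:de" "24:0a:c4" "18:fe:34" "38:2b:78"
        "bc:dd:c2" "cc:50:e3" "84:0d:8e"
      ];
      vms = [
        "52:54:00" # craptrap VMs
      ];
    };

    # Trust the X-Forwarded-* headers set by nginx below (presumably werkzeug's
    # ProxyFix).  This is only safe because gunicorn listens on the unix socket
    # in a 700 directory that only nginx is granted access to, so no other
    # client can spoof those headers.
    PROXY_FIX = true;

    # Client certificate, key and CA for the gRPC backend (staged by prepare).
    GRPC_TLS_CERT_DIR = "/mnt/secrets/checkinator-web";
    GRPC_TLS_CA_CERT = "/mnt/secrets/checkinator-web/ca.pem";
    GRPC_TLS_ADDRESS = "[::1]:2847";
  });
in {
  users.users."${user}" = {
    group = "${group}";
    isSystemUser = true;
    # Fixed uid so files in /var/checkinator-web stay owned by this account.
    uid = 1002;
  };
  users.groups."${group}" = {};

  systemd.services."${name}" = {
    description = "Hackerspace Checkinator web interface";
    wantedBy = [ "multi-user.target" ];

    serviceConfig.User = "${user}";
    serviceConfig.Type = "simple";

    environment = {
      CHECKINATOR_WEB_CONFIG=config;
    };

    serviceConfig.ExecStartPre = [
      # "!" = run as root, needed to chown the secrets and runtime dirs.
      ''!${prepare}/bin/${name}-prepare''
      # Runs as the service user: initialises the sqlite db on first start only.
      "${pkgs.writeShellScript "checkinator-dbsetup" ''
        if [ ! -e "/var/checkinator-web/at.db" ]
        then
          ${pkgs.sqlite}/bin/sqlite3 /var/checkinator-web/at.db < ${checkinator}/dbsetup.sql
        fi
      ''}"
    ];
    serviceConfig.WorkingDirectory = checkinator;
    # The socket file's own mode is left to gunicorn's default umask;
    # NOTE(review): confirm nginx can still connect after any umask change.
    serviceConfig.ExecStart = "${python}/bin/gunicorn -b unix:${socket_dir}/web.sock at.webapp:app";
    # Remove the staged secrets as soon as the service stops (runs as root).
    serviceConfig.ExecStopPost = [
      ''!${pkgs.coreutils}/bin/rm -rf /mnt/secrets/${name}''
    ];

    # Static user (uid 1002 above) instead of a transient one, so that the
    # persistent state directory keeps its owner.
    serviceConfig.DynamicUser = false;

  };

  services.nginx.virtualHosts."at.hackerspace.pl" = {
    forceSSL = true;
    enableACME = true;

    locations."/static/" = {
      alias = "${checkinator}/static/";
    };
    locations."/" = {
      # Canonical nginx unix-socket form: "unix:" followed directly by the path.
      proxyPass = "http://unix:${socket_dir}/web.sock";
      # These headers are what PROXY_FIX in the app config relies on.
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
  };
}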