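# NixOS module: runs the HSWAW laser cutter proxy ("laserproxy") under a
# dedicated system account and exposes its web UI through nginx on the lab
# network.
#
# Security-relevant shape of this module, all taken from the definitions below:
#   * the binary is built from an hscloud checkout pinned to a commit hash AND
#     a content (SRI) hash, so the build is reproducible and the fetch fails
#     closed if the tree changes;
#   * laserproxy runs with `-hspki_disable` and binds its web address to
#     loopback only, so the sole access control in front of it is the nginx
#     `allow`/`deny` list -- anything able to reach 127.0.0.1:2137 on this host
#     talks to it unauthenticated;
#   * nginx serves plain HTTP only (TLS is still a TODO), so traffic between
#     the lab network and the proxy is cleartext.
#
# `workspace` is part of the module argument set but is not used here.
{ pkgs, workspace, ... }:

let
  name = "laserproxy";
  user = name;
  group = name;

  # Building hscloud bazel from nix is often broken on master branch. Building
  # laserproxy from older hscloud is not a pretty solution, but seems like the
  # best option for now.
  # TODO use upstream laserproxy when CI testing is added
  # see https://issues.hackerspace.pl/issues/9
  laserproxy =
    let
      # Pinned by commit *and* content hash: `rev` alone could be rewritten
      # upstream (force-push / history rewrite); the SRI hash makes the fetch
      # fail if the resulting tree differs from what was reviewed.
      old = pkgs.fetchgit {
        url = "https://gerrit.hackerspace.pl/hscloud.git";
        rev = "5319e611b2be9241c01994eb8e42bd349bb6eabb";
        sha256 = "sha256-KdVAlaXHW2CE2kJoOT0jJ+a20u6HPAgx5g/7ifX8iqU=";
      };
      # Copy of the pinned checkout with two files rewritten in place. Store
      # paths are read-only, so the two files being edited are made writable
      # once, right after the copy (the original repeated the chmod before
      # each edit; the first one already covers both files).
      old-patched = pkgs.runCommandNoCC "hscloud" { } ''
        cp -r "${old}" $out
        chmod +w $out/WORKSPACE $out/default.nix

        # backport passing system to allow (pure) builds from flakes: replace
        # the first line of default.nix with a header that accepts `system`
        # and pass it through to the nixpkgs import.
        echo "{ system ? builtins.currentSystem, ... }@args:" > $out/default.nix
        sed -e '1d' -e 's/import nixpkgsSrc {/\0 inherit system; /g' ${old}/default.nix >> $out/default.nix

        # hotfix failing bazel build:
        #
        #   Label '//hswaw/site:deps.bzl' is invalid because 'hswaw/site' is not
        #   a package; perhaps you meant to put the colon here:
        #   '//:hswaw/site/deps.bzl'?
        #
        # Drop every WORKSPACE line matching hswaw.site.deps (the dots are
        # regex wildcards, so this catches the 'hswaw/site/deps' label).
        sed '/hswaw.site.deps/d' "${old}/WORKSPACE" > $out/WORKSPACE
      '';
    in
    (import old-patched { inherit (pkgs) system; }).hswaw.laserproxy;
in
{
  # Dedicated unprivileged account for the proxy. The fixed uid keeps ownership
  # stable across rebuilds / hosts.
  users.users.${user} = {
    inherit group;
    isSystemUser = true;
    uid = 1004;
  };
  users.groups.${group} = { };

  systemd.services.${name} = {
    description = "HSWAW lasercutter proxy";
    wantedBy = [ "multi-user.target" ];
    # Ordering only: `after` does not pull the address unit in. Presumably the
    # cutter is reached over the `laser` interface -- confirm, and consider
    # `wants`/`requires` if the proxy misbehaves when that unit is missing.
    after = [ "network-addresses-laser.service" ];

    serviceConfig = {
      User = user;
      Type = "simple";
      Restart = "always";
      RestartSec = "30";
      # `-hspki_disable` switches off the proxy's own hspki authentication
      # (presumably the hackerspace PKI client-certificate check -- confirm
      # against the laserproxy source). Because of that the web UI is bound to
      # loopback only and access control is delegated entirely to the nginx
      # vhost below. Any local process on this host can still reach
      # 127.0.0.1:2137 without authentication.
      # NOTE(review): no sandboxing directives (NoNewPrivileges, ProtectSystem,
      # PrivateTmp, ...) are set; add them once it is known what laserproxy
      # writes on disk and which sockets it needs.
      ExecStart = "${laserproxy}/bin/laserproxy -logtostderr -hspki_disable -web_address 127.0.0.1:2137";
    };
  };

  services.nginx.virtualHosts."laser.waw.hackerspace.pl" = {
    listen = [
      # Plain HTTP on the lab network address; nothing on this path is
      # encrypted.
      { addr = "10.8.1.2"; port = 80; ssl = false; }
      # TODO fix certs / virtual hosts on customs and enable this
      # (port fixed from the earlier "433" typo: HTTPS is 443)
      # { addr = "10.8.1.2"; port = 443; ssl = true; }
    ];
    locations."/" = {
      proxyPass = "http://127.0.0.1:2137/";
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for *appends* to any client-supplied
        # X-Forwarded-For, so the backend must only trust the last entry
        # (or X-Real-IP), never the first.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Sole access control for the proxy (see -hspki_disable above): a
        # source-IP allow-list for the 10/8 lab network. This is only as strong
        # as the network's ability to keep outside traffic off 10.8.1.2. No
        # real_ip settings are configured in this file, so $remote_addr is the
        # TCP peer address -- verify nothing elsewhere in the nginx config
        # rewrites it from a header.
        allow 10.0.0.0/8;
        deny all;
      '';
    };
  };
}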