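# NixOS module for `mi` (a personal API): builds the service from a pinned
# GitHub source, runs it as a dedicated unprivileged systemd user behind an
# nginx reverse proxy, and schedules a daily package-tracking job.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.within.services.mi;

  # The upstream source is pinned by ./source.json, which is passed verbatim
  # as the fetchFromGitHub arguments. That file is not visible here; it is
  # expected to carry the content hash that makes the fetch reproducible and
  # integrity-checked — confirm.
  mi = with pkgs;
    import
    (fetchFromGitHub (builtins.fromJSON (builtins.readFile ./source.json))) { };
in {
  options.within.services.mi = {
    enable = mkEnableOption "Activates mi (a personal API)";
    useACME = mkEnableOption "Enables ACME for cert stuff";

    port = mkOption {
      # types.port rejects anything outside 0-65535 at evaluation time. The
      # value is interpolated into both ROCKET_PORT and nginx's proxy_pass
      # below, so a bad value would otherwise only surface at runtime.
      type = types.port;
      default = 38288;
      example = 9001;
      description = "The port number mi should listen on for HTTP traffic";
    };

    domain = mkOption {
      type = types.str;
      default = "mi.within.website";
      example = "mi.within.website";
      description =
        "The domain name that nginx should check against for HTTP hostnames";
    };
  };

  config = mkIf cfg.enable {
    # Dedicated unprivileged account. Its home directory doubles as the
    # services' working directory and as the drop location for the decrypted
    # Rocket.toml.
    users.users.mi = {
      createHome = true;
      description = "github.com/Xe/mi";
      isSystemUser = true;
      group = "within";
      home = "/srv/within/mi";
      # NOTE(review): the "keys" group (and the mi-key.service ordering on the
      # units below) reads like the older nixops keys mechanism; with
      # age.secrets delivering the config file, confirm both are still needed.
      extraGroups = [ "keys" ];
    };

    # Decrypted at activation into the working directory, readable only by
    # the service user.
    age.secrets.mi = {
      file = ../../secret/mi.toml.age;
      path = "/srv/within/mi/Rocket.toml";
      owner = "mi";
      group = "within";
      mode = "0400";
    };

    systemd.services.mi = {
      wantedBy = [ "multi-user.target" ];
      after = [ "mi-key.service" "systemd-resolved.service" ];
      wants = [ "mi-key.service" "systemd-resolved.service" ];

      serviceConfig = {
        User = "mi";
        Group = "within";
        Restart = "on-failure";
        WorkingDirectory = "/srv/within/mi";
        RestartSec = "30s";
        Type = "notify";
        # NOTE(review): no sandboxing directives (NoNewPrivileges, PrivateTmp,
        # ProtectSystem/ProtectHome, ...) are set on this network-facing
        # service. It appears to need only its working directory writable, so
        # they are worth evaluating against the binary's actual needs.
      };

      # Only the port is pinned here; the bind address and everything else
      # come from Rocket.toml (the age secret above). nginx proxies to
      # 127.0.0.1, which assumes that file keeps the listener on loopback —
      # confirm, otherwise the backend is reachable without the proxy.
      script = ''
        export ROCKET_PORT=${toString cfg.port}
        exec ${mi}/bin/mi-backend
      '';
    };

    # Daily package-tracking job. Being wantedBy multi-user.target, the
    # oneshot also runs once at boot in addition to the timer.
    systemd.services.mi-package-updater = {
      wantedBy = [ "multi-user.target" ];
      after = [ "mi-key.service" ];
      wants = [ "mi-key.service" ];

      serviceConfig = {
        User = "mi";
        Group = "within";
        WorkingDirectory = "/srv/within/mi";
        Type = "oneshot";
      };

      # DATABASE_URL is relative to WorkingDirectory, i.e. /srv/within/mi/mi.db.
      script = ''
        export DATABASE_URL=./mi.db
        exec ${mi}/bin/package_track
      '';

      startAt = "*-*-* 00:00:00"; # daily
    };

    # Reverse proxy in front of the backend. TLS is enforced only when useACME
    # is set; the certificate host is referenced unconditionally and its
    # certificate must cover cfg.domain (wildcard or SAN) — confirm.
    services.nginx.virtualHosts."mi" = {
      serverName = cfg.domain;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.port}";
        proxyWebsockets = true;
      };
      forceSSL = cfg.useACME;
      useACMEHost = "within.website";
      extraConfig = ''
        access_log /var/log/nginx/mi.access.log;
      '';
    };

    # DNS record registration is tied to the ACME switch.
    services.cfdyndns = mkIf cfg.useACME { records = [ cfg.domain ]; };
  };
}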