168 lines
5 KiB
Nix
168 lines
5 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let
|
|
cfg = config.services.lenticular-cloud;
|
|
python = pkgs.python3;
|
|
format = pkgs.formats.json {};
|
|
types = lib.types;
|
|
config_oauth_secret = "${cfg.settings.DATA_FOLDER}/lenticular_oauth_secret.toml";
|
|
python_env = python.withPackages (ps: with ps; [ lenticular-cloud gevent setuptools ]);
|
|
in
|
|
{
|
|
options = with lib.options; {
|
|
services.lenticular-cloud = {
|
|
enable = mkEnableOption "lenticluar service enable";
|
|
domain = mkOption {
|
|
type = lib.types.str;
|
|
example = "example.com";
|
|
};
|
|
username = mkOption {
|
|
type = lib.types.str;
|
|
description = mdDoc "user to run the service";
|
|
default = "lenticular_cloud";
|
|
};
|
|
service_domain = mkOption {
|
|
type = lib.types.str;
|
|
example = "account.example.com";
|
|
};
|
|
settings = mkOption {
|
|
description = mdDoc ''
|
|
Lenticular cloud settings
|
|
'';
|
|
|
|
default = { };
|
|
|
|
type = types.submodule {
|
|
freeformType = format.type;
|
|
options = {
|
|
DOMAIN = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "Top level Domain of the service";
|
|
default = cfg.domain;
|
|
};
|
|
PUBLIC_URL = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "public service url";
|
|
default = "https://${cfg.service_domain}";
|
|
};
|
|
ADMINS = mkOption {
|
|
type = types.listOf types.str;
|
|
description = mdDoc "list of admin users";
|
|
example = [ "tuxcoder" ];
|
|
};
|
|
DATA_FOLDER = mkOption {
|
|
type = types.str;
|
|
default = "/var/lib/${cfg.username}";
|
|
};
|
|
PKI_PATH = mkOption {
|
|
type = types.str;
|
|
default = "${cfg.settings.DATA_FOLDER}/pki";
|
|
};
|
|
SQLALCHEMY_DATABASE_URI = mkOption {
|
|
type = types.str;
|
|
default = "postgresql://${cfg.username}@/${cfg.username}?host=/run/postgresql";
|
|
};
|
|
HYDRA_ADMIN_URL = mkOption {
|
|
type = types.str;
|
|
default = "https://${config.services.ory-hydra.admin_domain}";
|
|
};
|
|
HYDRA_PUBLIC_URL = mkOption {
|
|
type = types.str;
|
|
default = "https://${config.services.ory-hydra.public_domain}";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
config = {
|
|
environment.systemPackages = [ pkgs.lenticular-cloud ];
|
|
|
|
nixpkgs.overlays = [
|
|
(import ./overlay.nix)
|
|
];
|
|
|
|
users = {
|
|
groups."${cfg.username}" = {
|
|
};
|
|
users."${cfg.username}" = {
|
|
createHome = true;
|
|
home = "/var/lib/${cfg.username}";
|
|
description = "web server";
|
|
extraGroups = [
|
|
# "ory-hydra"
|
|
];
|
|
group = cfg.username;
|
|
isSystemUser = true;
|
|
};
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureDatabases = [ cfg.username ];
|
|
ensureUsers = [
|
|
{
|
|
name = cfg.username;
|
|
ensureDBOwnership = true;
|
|
}
|
|
];
|
|
};
|
|
|
|
services.ory-hydra.settings = {
|
|
urls = {
|
|
login = "${cfg.settings.PUBLIC_URL}/auth/login";
|
|
logout = "${cfg.settings.PUBLIC_URL}/auth/logout";
|
|
consent = "${cfg.settings.PUBLIC_URL}/auth/consent";
|
|
error = "${cfg.settings.PUBLIC_URL}/auth/error";
|
|
};
|
|
};
|
|
|
|
services.nginx.enable = true;
|
|
services.nginx.virtualHosts."${cfg.service_domain}" = {
|
|
addSSL = true;
|
|
enableACME = true;
|
|
serverName = cfg.service_domain;
|
|
locations."/" = {
|
|
recommendedProxySettings = true;
|
|
proxyPass = "http://unix:/run/${cfg.username}/web.sock";
|
|
};
|
|
};
|
|
users.users.nginx.extraGroups = [ cfg.username ];
|
|
|
|
systemd.services.lenticular-cloud = {
|
|
description = "lenticular account";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
requires = [ "ory-hydra.service" "postgresql.service" ];
|
|
enable = cfg.enable;
|
|
|
|
environment = let
|
|
config_file = format.generate "lenticular-cloud.json" cfg.settings;
|
|
in {
|
|
# CONFIG_FILE = "/etc/lenticular_cloud/production.conf";
|
|
CONFIG_FILE = "${config_file}:${config_oauth_secret}";
|
|
};
|
|
preStart = ''
|
|
if [[ ! -e "${config_oauth_secret}" ]]; then
|
|
SECRET_KEY=`${pkgs.openssl}/bin/openssl rand --hex 16`
|
|
echo 'OAUTH_SECRET="$${SECRET_KEY}"' > ${config_oauth_secret}
|
|
echo "oauth secreted generated"
|
|
fi
|
|
${pkgs.lenticular-cloud}/bin/lenticular_cloud-cli db_upgrade
|
|
'';
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
WorkingDirectory = cfg.settings.DATA_FOLDER;
|
|
User = cfg.username;
|
|
ExecStart = ''${python_env}/bin/gunicorn lenticular_cloud.wsgi --name lenticular_cloud \
|
|
--workers 2 --log-level=info \
|
|
--bind=unix:/run/${cfg.username}/web.sock \
|
|
-k gevent'';
|
|
Restart = "on-failure";
|
|
RuntimeDirectory = cfg.username;
|
|
};
|
|
};
|
|
|
|
};
|
|
}
|