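# NixOS module body for the SocialPredict service: an nginx front (static
# frontend plus a reverse proxy to the backend), a local PostgreSQL database
# and a sandboxed systemd unit for the backend binary.
#
# `cfg` is the module's evaluated option set (domain, frontend, backend,
# backendPort, user, group, database, initialAdminPassword, nginx); the option
# declarations live outside this file. `doctrine` is accepted but unused here.
{ cfg, doctrine, lib, pkgs, ... }:
let
  # Single source of truth for the public origin handed to the frontend.
  origin = "https://${cfg.domain}";

  # Runtime configuration injected into the SPA. This file ends up in the
  # world-readable Nix store, so it must only ever carry public values.
  envConfigJs = pkgs.writeText "socialpredict-env-config.js" ''
    window.__ENV__ = { DOMAIN_URL: "${origin}", API_URL: "${origin}/api" };
  '';
in
{
  services = {
    # nginx is only wired up when a public domain has been configured.
    nginx = lib.mkIf (cfg.domain != null) {
      enable = true;
      virtualHosts.${cfg.domain} = lib.mkMerge [
        # Caller-supplied vhost settings (TLS, ACME, headers, ...). The injected
        # env-config.js hard-codes https:// URLs, so the caller is expected to
        # set forceSSL/enableACME (or equivalent) here -- nothing in this file
        # enforces TLS on its own.
        cfg.nginx
        {
          locations = {
            # SPA: serve the built frontend, falling back to index.html for
            # client-side routes.
            "/" = {
              root = "${cfg.frontend}";
              index = "index.html";
              tryFiles = "$uri $uri/ /index.html =404";
            };
            # API reverse proxy. NOTE(review): `localhost` can resolve to both
            # 127.0.0.1 and ::1, in which case nginx round-robins between them;
            # if the backend binds a single address, prefer that literal
            # address here. The backend's bind address is not visible in this
            # file, so the target is left unchanged.
            "/api/" = {
              proxyPass = "http://localhost:${toString cfg.backendPort}/";
            };
            "= /env-config.js" = {
              alias = "${envConfigJs}";
            };
          };
        }
      ];
    };

    postgresql = {
      enable = true;
      # The service user doubles as the database role (peer auth over the
      # unix socket). NixOS only lets ensureDBOwnership grant ownership when
      # role name == database name; if they differ, no grant is made here and
      # access must be arranged elsewhere or the backend will be locked out.
      ensureUsers = [
        {
          name = cfg.user;
          ensureDBOwnership = cfg.user == cfg.database;
        }
      ];
      ensureDatabases = [ cfg.database ];
    };
  };

  systemd.services.socialpredict = {
    after = [ "postgresql.service" ];
    wants = [ "postgresql.service" ];
    wantedBy = [ "multi-user.target" ];

    environment = {
      # SECURITY NOTE(review): `environment` is rendered into the unit file,
      # which lands in the world-readable /nix/store and is also exposed via
      # `systemctl show socialpredict`. ADMIN_PASSWORD therefore leaks to every
      # local user. The proper fix is a file-path option delivered through
      # LoadCredential= or EnvironmentFile=; that needs an option change
      # outside this file, so the value is left as-is here.
      ADMIN_PASSWORD = cfg.initialAdminPassword;
      BACKEND_PORT = toString cfg.backendPort;
      # Unix-socket connection, authenticated by peer identity (cfg.user).
      POSTGRES_URL = "postgresql:///${cfg.database}?host=/var/run/postgresql";
    };

    serviceConfig = {
      User = cfg.user;
      Group = cfg.group;
      ExecStart = lib.getExe cfg.backend;

      # --- Privilege reduction: the backend is an unprivileged network
      # service and never needs capabilities or setuid helpers. ---
      CapabilityBoundingSet = "";
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      UMask = "0077";

      # --- Filesystem / kernel isolation. ---
      KeyringMode = "private";
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      PrivateMounts = true;
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;

      # --- Syscall / network surface. ---
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      SystemCallArchitectures = "native";
      # Baseline allow-list for ordinary services; @privileged is never needed
      # by an unprivileged user process. If the backend ever requires more,
      # extend the list rather than removing the filter.
      SystemCallFilter = [ "@system-service" "~@privileged" ];

      # ProtectSystem=strict makes the whole tree read-only; the PostgreSQL
      # socket directory is carved out so the backend can reach the server.
      ReadWritePaths = [ "/var/run/postgresql" ];
    };
  };

  users = {
    groups.${cfg.group} = { };
    users.${cfg.user} = {
      inherit (cfg) group;
      isSystemUser = true;
    };
  };
}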