fabian/nix
1
0
Fork 2
Code Issues 16 Pull requests Projects Releases Packages Wiki Activity
nix/trivionomicon/modules/socialpredict/sys.nix

102 lines
2.3 KiB
Nix
Raw Blame History

{
cfg,
doctrine,
lib,
pkgs,
...
}: {
services = {
nginx = lib.mkIf (cfg.domain != null) {
enable = true;
virtualHosts.${cfg.domain} = lib.mkMerge [
cfg.nginx
{
locations = {
"/" = {
root = "${cfg.frontend}";
index = "index.html";
tryFiles = "$uri $uri/ /index.html =404";
};
"/api/" = {
proxyPass = "http://localhost:${toString cfg.backendPort}/";
};
"= /env-config.js" = {
alias = "${pkgs.writeText "socialpredict-env-config.js" ''
window.__ENV__ = {
DOMAIN_URL: "https://${cfg.domain}",
API_URL: "https://${cfg.domain}/api"
};
''}";
};
};
}
];
};
postgresql = {
enable = true;
ensureUsers = [
{
name = cfg.user;
ensureDBOwnership = cfg.user == cfg.database;
}
];
ensureDatabases = [cfg.database];
};
};
systemd.services.socialpredict = {
after = ["postgresql.service"];
wants = ["postgresql.service"];
wantedBy = ["multi-user.target"];
environment = {
ADMIN_PASSWORD = cfg.initialAdminPassword;
BACKEND_PORT = toString cfg.backendPort;
POSTGRES_URL = "postgresql:///${cfg.database}?host=/var/run/postgresql";
};
serviceConfig = {
Group = cfg.group;
User = cfg.user;
ExecStart = lib.getExe cfg.backend;
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateMounts = "yes";
PrivateTmp = "yes";
ProtectControlGroups = true;
ProtectHome = "yes";
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
ReadWritePaths = [
"/var/run/postgresql"
];
};
};
users = {
groups.${cfg.group} = {};
users.${cfg.user} = {
inherit (cfg) group;
isSystemUser = true;
};
};
}
Reference in a new issue View git blame Copy permalink