Introduce spaceapid running at spaceapi.hamburg.ccc.de

June 2023-11-05 00:03:20 +01:00
parent 26a1fe0e84
commit c2e46406e1
5 changed files with 107 additions and 0 deletions


@ -6,5 +6,6 @@
./networking.nix
./nginx.nix
./virtualHosts
./spaceapid.nix
];
}


@ -0,0 +1,55 @@
{ pkgs-unstable, ... }:
let
spaceapidSrc = builtins.fetchGit {
url = "https://gitlab.hamburg.ccc.de/ccchh/spaceapid.git";
ref = "main";
rev = "1a9922d5f148cc3b315afee7fc43cd3c41e69798";
};
spaceapid = pkgs-unstable.buildGoModule {
pname = "spaceapid";
version = "main";
src = spaceapidSrc;
# Since spaceapid doesn't have any dependencies, we can set this to null and
# use the nonexistend vendored dependencies.
vendorHash = null;
};
in
{
users.users.spaceapi = {
isSystemUser = true;
group = "spaceapi";
};
users.groups.spaceapi = { };
systemd.services.spaceapid = {
enable = true;
description = "Daemon hosting the SpaceAPI";
unitConfig = {
Wants = [ "network-online.target" ];
After = [ "network.target" "network-online.target" ];
};
serviceConfig = {
ExecStart = "${spaceapid}/bin/spaceapid";
User = "spaceapi";
Group = "spaceapi";
Restart = "on-failure";
Environment = "DOORIS_USERNAME=dooris SPACE_API_JSON_TEMPLATE_PATH=${spaceapidSrc}/ccchh-template.json";
EnvironmentFile = "/secrets/spaceapid-environment-secrets.secret";
};
wantedBy = [ "multi-user.target" ];
};
deployment.keys = {
"spaceapid-environment-secrets.secret" = {
keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-environment-secrets" ];
destDir = "/secrets";
user = "spaceapi";
group = "spaceapi";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}
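Review bot: The `serviceConfig` for this network-facing daemon sets only `User`/`Group` and no systemd sandboxing, so a bug in spaceapid would run with the full filesystem view and default capabilities of an ordinary system user. Adding the hardening directives shown below would narrow that; `ProtectSystem = "strict"` assumes the daemon keeps no on-disk state, which is not visible here, so add a `StateDirectory` if it does. Separately, the key in `deployment.keys` is owned by `spaceapi` with `0640`, which lets the service account rewrite its own secrets file; systemd reads `EnvironmentFile=` in the manager before switching to `User=`, so `user = "root"; group = "root"; permissions = "0400";` should be sufficient. The comment typo `nonexistend` should read `nonexistent`.

```nix
serviceConfig = {
  # … unchanged: ExecStart, User, Group, Restart, Environment, EnvironmentFile …
  NoNewPrivileges = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  PrivateDevices = true;
  CapabilityBoundingSet = "";
};
```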


@ -5,5 +5,6 @@
./branding-resources.hamburg.ccc.de.nix
./element.hamburg.ccc.de.nix
./next.hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
];
}


@ -0,0 +1,46 @@
{ pkgs, ... }:
{
services.nginx.virtualHosts = {
"acme-spaceapi.hamburg.ccc.de" = {
enableACME = true;
serverName = "spaceapi.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"spaceapi.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "spaceapi.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
}
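Review bot: Both listeners bind `0.0.0.0` (31820 for the ACME host, 8443 with `proxy_protocol`), while the `extraConfig` trusts only `172.31.17.140` for real-IP rewriting; nothing in this file limits who may connect to those ports, so that restriction has to come from firewall rules that are not visible here. I would confirm the firewall admits 8443 and 31820 only from the proxy and record it next to the `listen` blocks, e.g. `# Reachable only from the PROXY-protocol frontend (172.31.17.140), see firewall config.` The `locations."/"` block sets no forwarding headers, so unless proxy settings are applied globally elsewhere, spaceapid will not see the client address that the realip module recovers. The `pkgs` argument is unused, and `addreses` in the comment should read `addresses`.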


@ -18,6 +18,7 @@
outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, ... }:
let
pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
# Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
@ -65,6 +66,9 @@
audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
};
nodeSpecialArgs = {
public-web-static = { inherit pkgs-unstable; };
};
};
audio-hauptraum-kueche = {