diff --git a/config/hosts/public-web-static/default.nix b/config/hosts/public-web-static/default.nix
index 8e051ce..60487fe 100644
--- a/config/hosts/public-web-static/default.nix
+++ b/config/hosts/public-web-static/default.nix
@@ -6,5 +6,6 @@
 ./networking.nix
 ./nginx.nix
 ./virtualHosts
+ ./spaceapid.nix
 ];
 }
diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix
new file mode 100644
index 0000000..5df9a06
--- /dev/null
+++ b/config/hosts/public-web-static/spaceapid.nix
@@ -0,0 +1,55 @@
+{ pkgs-unstable, ... }:
+
+let
+ spaceapidSrc = builtins.fetchGit {
+ url = "https://gitlab.hamburg.ccc.de/ccchh/spaceapid.git";
+ ref = "main";
+ rev = "1a9922d5f148cc3b315afee7fc43cd3c41e69798";
+ };
+ spaceapid = pkgs-unstable.buildGoModule {
+ pname = "spaceapid";
+ version = "main";
+
+ src = spaceapidSrc;
+
+ # Since spaceapid doesn't have any dependencies, we can set this to null and
+ # use the nonexistend vendored dependencies.
+ vendorHash = null;
+ };
+in
+{
+ users.users.spaceapi = {
+ isSystemUser = true;
+ group = "spaceapi";
+ };
+ users.groups.spaceapi = { };
+
+ systemd.services.spaceapid = {
+ enable = true;
+ description = "Daemon hosting the SpaceAPI";
+ unitConfig = {
+ Wants = [ "network-online.target" ];
+ After = [ "network.target" "network-online.target" ];
+ };
+ serviceConfig = {
+ ExecStart = "${spaceapid}/bin/spaceapid";
+ User = "spaceapi";
+ Group = "spaceapi";
+ Restart = "on-failure";
+ Environment = "DOORIS_USERNAME=dooris SPACE_API_JSON_TEMPLATE_PATH=${spaceapidSrc}/ccchh-template.json";
+ EnvironmentFile = "/secrets/spaceapid-environment-secrets.secret";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ deployment.keys = {
+ "spaceapid-environment-secrets.secret" = {
+ keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-environment-secrets" ];
+ destDir = "/secrets";
+ user = "spaceapi";
+ group = "spaceapi";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index b4c4a06..6b5398a 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -5,5 +5,6 @@
 ./branding-resources.hamburg.ccc.de.nix
 ./element.hamburg.ccc.de.nix
 ./next.hamburg.ccc.de.nix
+ ./spaceapi.hamburg.ccc.de.nix
 ];
 }
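Review bot: The spaceapid unit in serviceConfig runs as a dedicated user but has no sandboxing, so a bug in the daemon exposes the whole filesystem and network namespace even though the unit only needs its store path, the template under `${spaceapidSrc}` and the secrets file; adding `NoNewPrivileges = true; ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true;` to serviceConfig is cheap, with a `ReadWritePaths` entry only if the daemon turns out to write state somewhere. The key in deployment.keys is owned by the spaceapi user with mode 0640, which lets the daemon overwrite its own secrets file; `permissions = "0400"` is enough for a file that is only read via EnvironmentFile. The comment above vendorHash should read `nonexistent`, and `version = "main"` would be more informative as the pinned rev (or its short form) so the store path shows what was actually deployed. Nothing here sets the daemon's listen address, so whether port 8080 is bound to loopback only (as the nginx vhost assumes) depends on the binary's defaults and is worth a comment next to ExecStart.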
diff --git a/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix
new file mode 100644
index 0000000..21303dc
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix
@@ -0,0 +1,46 @@
+{ pkgs, ... }:
+
+{
+ services.nginx.virtualHosts = {
+ "acme-spaceapi.hamburg.ccc.de" = {
+ enableACME = true;
+ serverName = "spaceapi.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "spaceapi.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "spaceapi.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 60c0e3b..4409302 100644
--- a/flake.nix
+++ b/flake.nix
@@ -18,6 +18,7 @@
 outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, ... }:
 let
+ pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
 # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
 shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
 shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
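Review bot: The `locations."/"` block proxies to 127.0.0.1:8080 without any forwarded-client headers, so unless `services.nginx.recommendedProxySettings` is enabled in the imported nginx.nix (not part of this diff) spaceapid sees every request as coming from loopback; the `set_real_ip_from`/`real_ip_header` pair only corrects nginx's own `$remote_addr`, which matters if the daemon logs or limits by client address. If that is intended, a one-line comment in the location saying the upstream does not need the client address would save the next reader the question. The nginx comment inside extraConfig has a typo, `addreses` should read `addresses`, and the trusted proxy `172.31.17.140` is hard-coded here; if the sibling vhosts carry the same realip block it is a candidate for a shared snippet so the address is changed in one place. The `{ pkgs, ... }:` argument is unused in this file.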
@@ -65,6 +66,9 @@
 audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
 audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay;
 };
+ nodeSpecialArgs = {
+ public-web-static = { inherit pkgs-unstable; };
+ };
 };
 audio-hauptraum-kueche = {