nix-infra/config/hosts/yate/yate.nix

{ pkgs, ... }:

{
  environment.systemPackages = [
    pkgs.yate
    pkgs.git
    pkgs.tcpdump
    pkgs.tmux
  ];

  # Just disable it for now.
  networking.firewall.enable = false;

  users = {
    users.yate = {
      description = "yate service user";
      group = "yate-config";
      isNormalUser = true;
    };

    groups.yate-config = {
      members = [ "colmema-deploy" "chaos" "root" "yate"];
    };
  };

  environment.etc.yate = {
    user = "yate";
    group = "yate-config";
    mode = "symlink";
    source = "/var/lib/yate";
  };

  sops.secrets."git_clone_key" = {
    mode = "0600";
    owner = "yate";
    group = "yate-config";
    restartUnits = [ "yate.service" ];
  };

  systemd.services.yate = {
    enable = true;
    description = "Yate telehony engine";
    unitConfig = {
      After= "network-online.target";
    };
    serviceConfig = {
      ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
      Type="simple";
      Restart="always";
      User="yate";
      Group="yate-config";
      StateDirectory = "yate";
      StateDirectoryMode = "0775";
    };
    wantedBy = [ "default.target" ];
    requires = [ "network-online.target" ];
    preStart = ''
      echo "\n" >> /run/secrets/git_clone_key
      sleep 5
      id
      echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git"
      SSH_SUCCESS=1
      ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
      if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then
        rm -rf /var/lib/yate/*
        rm -rf /var/lib/yate/.*
        env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
        ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate"
      fi
    '';
    reload= ''
      id
      ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
      /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
      /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master
    '';
  };
}