diff --git a/flake.nix b/flake.nix index 9079cb4..8d02d74 100644 --- a/flake.nix +++ b/flake.nix @@ -89,7 +89,10 @@ }; demo-server = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; - modules = [ ./nix/demo-server ]; + modules = [ + ./nix/demo-server + { _module.args.localArchtikaPackage = self.packages."aarch64-linux".default; } + ]; }; }; diff --git a/nix/demo-server/default.nix b/nix/demo-server/default.nix index 32bf029..d88bced 100644 --- a/nix/demo-server/default.nix +++ b/nix/demo-server/default.nix @@ -1,6 +1,9 @@ -{ pkgs, ... }: +{ pkgs, localArchtikaPackage, ... }: { - imports = [ ./hardware-configuration.nix ]; + imports = [ + ./hardware-configuration.nix + ../module.nix + ]; boot = { loader = { @@ -19,9 +22,16 @@ nixpkgs.config.allowUnfree = true; - networking.networkmanager.enable = true; - - networking.hostName = "archtika-demo-server"; + networking = { + hostName = "archtika-demo-server"; + networkmanager.enable = true; + firewall = { + allowedTCPPorts = [ + 10000 + 15000 + ]; + }; + }; security.pam = { sshAgentAuth.enable = true; @@ -52,5 +62,11 @@ settings.PasswordAuthentication = false; }; + services.archtika = { + enable = true; + package = localArchtikaPackage; + jwtSecret = "a42kVyAhTImYxZeebZkApoAZLmf0VtDA"; + }; + system.stateVersion = "24.11"; } diff --git a/nix/module.nix b/nix/module.nix index 63265a3..7e27dcf 100644 --- a/nix/module.nix +++ b/nix/module.nix @@ -35,8 +35,8 @@ in }; jwtSecret = mkOption { - type = types.str; - description = "JWT secret for archtika."; + type = types.either types.str types.path; + description = "JWT secret for archtika. Can be a string or a path to a file containing the secret"; }; port = mkOption { 
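Review bot: The `allowedTCPPorts` list in nix/demo-server/default.nix opens 10000 and 15000 as bare numbers, with nothing tying them to the services that listen on them. Presumably these are the archtika API and web ports. If so, deriving them from the module options (for example `config.services.archtika.port`, with `config` added to the module arguments) would stop the firewall drifting from the service configuration. At minimum I would add a comment such as `# 10000/15000: archtika listeners (confirm which is API, which is web)`. If one of these ports is the PostgREST listener, it is reachable directly over plain HTTP, and a TLS-terminating reverse proxy in front of it would be the safer exposure.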
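Review bot: `jwtSecret = "a42kVyAhTImYxZeebZkApoAZLmf0VtDA";` in the `services.archtika` block commits the signing key to the repository. The module passes this value to `PGRST_JWT_SECRET`, so anyone who can read the repository or the host's Nix store can mint tokens the demo server will accept. Now that it is in git history the value should be treated as disclosed and rotated, with the replacement provisioned on the host outside the repository. If the demo instance holds only throwaway data and this is intentional, say so in place, e.g. `# demo-only secret, never reuse elsewhere`.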
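Review bot: The new `jwtSecret` description in nix/module.nix says what values are accepted but not where each one ends up, and that is what a user needs to know before choosing. I would extend it to something like `description = "JWT secret for archtika: either the secret itself or a path to a file containing it. A literal string is written to the world-readable Nix store.";`. The option declaration continues outside this hunk.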
@@ -82,13 +82,19 @@ in Restart = "always"; }; - script = '' - ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '${cfg.jwtSecret}'" + script = + let + getSecret = if isPath cfg.jwtSecret then "cat ${cfg.jwtSecret}" else "echo -n '${cfg.jwtSecret}'"; + in + '' + JWT_SECRET=$(${getSecret}) - ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up + ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '$JWT_SECRET'" - PGRST_SERVER_PORT=${toString cfg.port} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="${cfg.jwtSecret}" ${pkgs.postgrest}/bin/postgrest - ''; + ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up + + PGRST_SERVER_PORT=${toString cfg.port} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest + ''; }; systemd.services.archtika-web = { diff --git a/nix/package.nix b/nix/package.nix index 871801e..08f5a3d 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -13,7 +13,7 @@ let inherit pname version; name = "archtika-web-app"; src = ../web-app; - npmDepsHash = "sha256-DmIII/x5ANlEpKtnZC/JlbVAvhbgnSiNn8hkj+qVCZY="; + npmDepsHash = "sha256-FHmDvKyfQ33MWABmqL59PxIL47MMvevaiJhGTwXivFI="; npmFlags = [ "--legacy-peer-deps" ]; installPhase = '' mkdir -p $out/web-app
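Review bot: Neither branch of `getSecret` keeps the secret out of the world-readable Nix store: the string branch embeds it in the generated unit script, and `cat ${cfg.jwtSecret}` interpolates a Nix path value, which copies the file into the store. A runtime location given as a string, such as "/run/secrets/archtika-jwt" (constructed example), matches `types.str`, fails `isPath`, and is then used as the secret itself. The value is also spliced into the shell and into the `ALTER DATABASE` statement without escaping, so a quote character in the secret breaks the script or the SQL. I would resolve the path without a store copy and quote both forms, `getSecret = if lib.hasPrefix "/" (toString cfg.jwtSecret) then "cat ${lib.escapeShellArg (toString cfg.jwtSecret)}" else "printf %s ${lib.escapeShellArg cfg.jwtSecret}";` (assuming `lib` is in scope), noting that this treats any value starting with `/` as a file. The enclosing service definition starts outside this hunk.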