From cfee37ad901d3c7ca4ded9c8d5e9310a56cdcb14 Mon Sep 17 00:00:00 2001 From: thiloho <123883702+thiloho@users.noreply.github.com> Date: Fri, 9 Aug 2024 20:12:31 +0200 Subject: [PATCH] Move nix code into separate files and directory and create basic module --- flake.nix | 118 +++++------------------------------ nix/dev-vm.nix | 84 +++++++++++++++++++++++++ nix/module-test.nix | 49 +++++++++++++++ module.nix => nix/module.nix | 74 ++++++---------------- 4 files changed, 169 insertions(+), 156 deletions(-) create mode 100644 nix/dev-vm.nix create mode 100644 nix/module-test.nix rename module.nix => nix/module.nix (56%) diff --git a/flake.nix b/flake.nix index 79a359e..48c3797 100644 --- a/flake.nix +++ b/flake.nix @@ -23,10 +23,8 @@ in { api = pkgs.mkShell { - packages = with pkgs; [ dbmate ]; - shellHook = '' - alias dbmate="dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable" + alias dbmate="${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable" alias formatsql="${pkgs.pgformatter}/bin/pg_format -s 2 -f 2 -U 2 -i db/migrations/*.sql" ''; }; @@ -40,6 +38,7 @@ pkgs = nixpkgs.legacyPackages.${system}; in { + module-test = self.nixosConfigurations.${system}.module-test.config.system.build.vm; dev-vm = self.nixosConfigurations.${system}.dev-vm.config.system.build.vm; web = pkgs.buildNpmPackage { 
@@ -93,112 +92,27 @@ ); nixosConfigurations = forAllSystems (system: { - dev-vm = nixpkgs.lib.nixosSystem { + module-test = nixpkgs.lib.nixosSystem { inherit system; modules = [ - self.nixosModules.dev-vm - { - virtualisation = - nixpkgs.lib.optionalAttrs - (nixpkgs.lib.elem system [ - "x86_64-darwin" - "aarch64-darwin" - ]) - { - vmVariant = { - virtualisation.host.pkgs = nixpkgs.legacyPackages.${system}; - }; - }; - } + ./nix/module-test.nix + { _module.args.archtikaPackages = self.packages.${system}; } ]; }; + dev-vm = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./nix/dev-vm.nix ]; + }; }); - nixosModules.dev-vm = - { - pkgs, - lib, - modulesPath, - ... - }: - { - imports = [ "${modulesPath}/virtualisation/qemu-vm.nix" ]; - - networking = { - hostName = "archtika"; - firewall.enable = false; + nixosModules = { + archtika = + { pkgs, ... }: + { + imports = [ ./nix/module.nix ]; + _module.args.archtikaPackages = self.packages.${pkgs.system}; }; - - nix.settings.experimental-features = [ "nix-command flakes" ]; - - users.users.dev = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - password = "dev"; - }; - - systemd.tmpfiles.rules = [ "d /var/www/archtika-websites 0777 root root -" ]; - - virtualisation = { - graphics = false; - sharedDirectories = { - websites = { - source = "/var/www/archtika-websites"; - target = "/var/www/archtika-websites"; - }; - }; - # Alternatively a bridge network for QEMU could be setup, but requires much more effort - forwardPorts = [ - { - from = "host"; - host.port = 15432; - guest.port = 5432; - } - { - from = "host"; - host.port = 18000; - guest.port = 80; - } - ]; - }; - - services = { - postgresql = { - enable = true; - package = pkgs.postgresql_16; - ensureDatabases = [ "archtika" ]; - authentication = lib.mkForce '' - local all all trust - host all all all trust - ''; - enableTCPIP = true; - extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ]; - }; - nginx = { - enable = true; - virtualHosts."_" = { - 
listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - ]; - locations = { - "/" = { - root = "/var/www/archtika-websites"; - index = "index.html"; - tryFiles = "$uri $uri/ $uri/index.html =404"; - extraConfig = '' - autoindex on; - ''; - }; - }; - }; - }; - }; - - system.stateVersion = "24.05"; - }; + }; formatter = forAllSystems ( system: diff --git a/nix/dev-vm.nix b/nix/dev-vm.nix new file mode 100644 index 0000000..d33b512 --- /dev/null +++ b/nix/dev-vm.nix @@ -0,0 +1,84 @@ +{ + pkgs, + lib, + modulesPath, + ... +}: +{ + imports = [ "${modulesPath}/virtualisation/qemu-vm.nix" ]; + + networking = { + hostName = "archtika"; + firewall.enable = false; + }; + + nix.settings.experimental-features = [ "nix-command flakes" ]; + + users.users.dev = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + password = "dev"; + }; + + systemd.tmpfiles.rules = [ "d /var/www/archtika-websites 0777 root root -" ]; + + virtualisation = { + graphics = false; + sharedDirectories = { + websites = { + source = "/var/www/archtika-websites"; + target = "/var/www/archtika-websites"; + }; + }; + # Alternatively a bridge network for QEMU could be setup, but requires much more effort + forwardPorts = [ + { + from = "host"; + host.port = 15432; + guest.port = 5432; + } + { + from = "host"; + host.port = 18000; + guest.port = 80; + } + ]; + }; + + services = { + postgresql = { + enable = true; + package = pkgs.postgresql_16; + ensureDatabases = [ "archtika" ]; + authentication = lib.mkForce '' + local all all trust + host all all all trust + ''; + enableTCPIP = true; + extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ]; + }; + nginx = { + enable = true; + virtualHosts."_" = { + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + ]; + locations = { + "/" = { + root = "/var/www/archtika-websites"; + index = "index.html"; + tryFiles = "$uri $uri/ $uri/index.html =404"; + extraConfig = '' + autoindex on; + ''; + }; + }; + }; + }; + }; + + system.stateVersion = "24.05"; +} 
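Review bot: The `virtualisation.forwardPorts` entries in nix/dev-vm.nix give no `host.address`, so the QEMU hostfwd rules presumably bind 15432 and 18000 on every host interface (QEMU's default), and the Postgres behind 15432 is configured with `enableTCPIP = true` and `host all all all trust`, which hands a passwordless superuser session to anyone who can reach the host. Pin each forward to loopback by adding `host.address = "127.0.0.1";` beside `host.port`, which keeps the dev workflow intact. The `0777` tmpfiles rule, `autoindex on` and the `password = "dev"` wheel user are defensible in a throwaway VM but should say so, e.g. `# dev-only: world-writable so the host can drop site files in; never copy into module.nix`. Also `nix.settings.experimental-features = [ "nix-command flakes" ]` is one string with a space and should be two list entries, `[ "nix-command" "flakes" ]`.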
diff --git a/nix/module-test.nix b/nix/module-test.nix new file mode 100644 index 0000000..fc1fb02 --- /dev/null +++ b/nix/module-test.nix @@ -0,0 +1,49 @@ +{ + pkgs, + lib, + modulesPath, + ... +}: +{ + imports = [ + "${modulesPath}/virtualisation/qemu-vm.nix" + ./module.nix + ]; + + networking = { + hostName = "archtika-module-test"; + firewall.enable = false; + }; + + nix.settings.experimental-features = [ "nix-command flakes" ]; + + users.users.dev = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + password = "dev"; + }; + + virtualisation = { + graphics = false; + # Alternatively a bridge network for QEMU could be setup, but requires much more effort + forwardPorts = [ + { + from = "host"; + host.port = 13000; + guest.port = 3000; + } + { + from = "host"; + host.port = 14000; + guest.port = 4000; + } + ]; + }; + + services.archtika = { + enable = true; + jwtSecret = "test-secret"; + }; + + system.stateVersion = "24.05"; +} diff --git a/module.nix b/nix/module.nix similarity index 56% rename from module.nix rename to nix/module.nix index fbc0353..211b1a8 100644 --- a/module.nix +++ b/nix/module.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + archtikaPackages, ... }: 
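Review bot: `jwtSecret = "test-secret"` in nix/module-test.nix is a literal that module.nix (per the later hunk) interpolates straight into a systemd `script`, so the secret ends up in the world-readable Nix store of whoever builds the test VM; fine for a throwaway VM only if the comment says so, e.g. `# Dummy secret for the throwaway test VM; the real module should take a secret file, not a literal.`. PostgREST (I believe) rejects JWT secrets shorter than 32 characters unless the `jwt-secret-is-base64` route is used, so this value may also make `archtika-api` fail at start — worth a 32+ character dummy to confirm. As in dev-vm.nix, the forwards for 13000/14000 lack `host.address = "127.0.0.1";`, and `experimental-features` should be `[ "nix-command" "flakes" ]` rather than one space-separated string.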
@@ -67,54 +68,50 @@ in "network.target" "postgresql.service" ]; - environment = { - PGRST_DB_URI = "postgres://authenticator@localhost:5432/${cfg.databaseName}"; - PGRST_JWT_SECRET = cfg.jwtSecret; - }; serviceConfig = { - ExecStart = "${pkgs.postgrest}/bin/postgrest"; User = cfg.user; Group = cfg.group; Restart = "always"; }; + + script = '' + ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '${cfg.jwtSecret}'" + + ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${archtikaPackages.api}/migrations up + + PGRST_SERVER_PORT=${toString cfg.port} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="${cfg.jwtSecret}" ${pkgs.postgrest}/bin/postgrest + ''; }; systemd.services.archtika-web = { - description = "Archtika Web App service"; + description = "archtika Web App service"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - environment = { - ORIGIN = "https://${cfg.domain}"; - HOST = "127.0.0.1"; - PORT = toString cfg.webAppPort; - }; serviceConfig = { - ExecStart = "${pkgs.nodejs_22}/bin/node ${pkgs.callPackage ../packages/web.nix { }}"; User = cfg.user; Group = cfg.group; Restart = "always"; }; + + script = '' + ORIGIN=http://localhost:${toString cfg.webAppPort} PORT=${toString cfg.webAppPort} ${pkgs.nodejs_22}/bin/node ${archtikaPackages.web} + ''; }; services.postgresql = { enable = true; package = pkgs.postgresql_16; ensureDatabases = [ cfg.databaseName ]; - ensureUsers = [ - { - name = cfg.user; - ensurePermissions = { - "DATABASE ${cfg.databaseName}" = "ALL PRIVILEGES"; - }; - } - ]; authentication = lib.mkForce '' - local all all trust - host all all 127.0.0.1/32 trust + # IPv4 local connections: + host all all 127.0.0.1/32 trust + # IPv6 local connections: 
+ host all all ::1/128 trust + # Local socket connections: + local all all trust ''; - enableTCPIP = true; extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ]; }; @@ -122,37 +119,6 @@ in enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; - - virtualHosts.${cfg.domain} = { - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.webAppPort}"; - }; - - locations."/api/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}/"; - }; - }; }; - - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - - system.activationScripts.archtika-setup = '' - mkdir -p /etc/archtika - cat > /etc/archtika/postgrest.conf << EOF - db-uri = "$(systemd-escape "postgres://${cfg.user}:${cfg.user}@localhost/${cfg.databaseName}")" - db-schema = "api" - db-anon-role = "anon" - jwt-secret = "$(systemd-escape "${cfg.jwtSecret}")" - server-port = ${toString cfg.port} - EOF - chown -R ${cfg.user}:${cfg.group} /etc/archtika - chmod 600 /etc/archtika/postgrest.conf - ''; }; }
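Review bot: Interpolating `${cfg.jwtSecret}` into the `archtika-api` `script` writes the JWT secret into the unit's script in /nix/store, which is world-readable, and it is also spliced unquoted inside single quotes in the `ALTER DATABASE ... SET "app.jwt_secret" TO '...'` statement, so a secret containing `'` breaks (or rewrites) the SQL; the secret should be read at runtime from a file passed via systemd `LoadCredential` and fed to psql as a variable. The dbmate call also hard-codes `/archtika` where every other URI uses `${cfg.databaseName}`, so a non-default database name migrates the wrong database. Separately, because the script authenticates as `postgres@localhost` and the new `authentication` block grants `trust` to every local connection, any local process is a DB superuser; a `peer`/password rule for the service user would be the minimum once this leaves the test VM. The `options` block where `jwtSecret` (and a new `jwtSecretFile`) would be declared starts before this hunk.
```nix
      serviceConfig = {
        # … unchanged: User/Group/Restart …
        # Hand the secret to the unit at runtime; it never enters the Nix store.
        LoadCredential = [ "jwt-secret:${cfg.jwtSecretFile}" ];
      };

      script = ''
        jwt_secret="$(cat "$CREDENTIALS_DIRECTORY/jwt-secret")"

        # psql variable quoting (:'secret') escapes the value instead of pasting it into the SQL text.
        ${pkgs.postgresql_16}/bin/psql -v ON_ERROR_STOP=1 -v secret="$jwt_secret" \
          postgres://postgres@localhost:5432/${cfg.databaseName} <<'SQL'
        ALTER DATABASE ${cfg.databaseName} SET "app.jwt_secret" TO :'secret';
        SQL

        ${pkgs.dbmate}/bin/dbmate --url "postgres://postgres@localhost:5432/${cfg.databaseName}?sslmode=disable" \
          --migrations-dir ${archtikaPackages.api}/migrations up

        PGRST_JWT_SECRET="$jwt_secret" PGRST_SERVER_PORT=${toString cfg.port} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" ${pkgs.postgrest}/bin/postgrest
      '';
```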