Move nix code into separate files and directory and create basic module

2025-11-22 02:41:35 +01:00 · 2024-08-09 20:12:31 +02:00
parent f2a11529db
commit cfee37ad90
4 changed files with 169 additions and 156 deletions
--- a/nix/dev-vm.nix
+++ b/nix/dev-vm.nix
@@ -0,0 +1,84 @@
+{
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  imports = [ "${modulesPath}/virtualisation/qemu-vm.nix" ];
+
+  networking = {
+    hostName = "archtika";
+    firewall.enable = false;
+  };
+
+  nix.settings.experimental-features = [ "nix-command flakes" ];
+
+  users.users.dev = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    password = "dev";
+  };
+
+  systemd.tmpfiles.rules = [ "d /var/www/archtika-websites 0777 root root -" ];
+
+  virtualisation = {
+    graphics = false;
+    sharedDirectories = {
+      websites = {
+        source = "/var/www/archtika-websites";
+        target = "/var/www/archtika-websites";
+      };
+    };
+    # Alternatively a bridge network for QEMU could be setup, but requires much more effort
+    forwardPorts = [
+      {
+        from = "host";
+        host.port = 15432;
+        guest.port = 5432;
+      }
+      {
+        from = "host";
+        host.port = 18000;
+        guest.port = 80;
+      }
+    ];
+  };
+
+  services = {
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_16;
+      ensureDatabases = [ "archtika" ];
+      authentication = lib.mkForce ''
+        local all all trust
+        host all all all trust
+      '';
+      enableTCPIP = true;
+      extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ];
+    };
+    nginx = {
+      enable = true;
+      virtualHosts."_" = {
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+        ];
+        locations = {
+          "/" = {
+            root = "/var/www/archtika-websites";
+            index = "index.html";
+            tryFiles = "$uri $uri/ $uri/index.html =404";
+            extraConfig = ''
+              autoindex on;
+            '';
+          };
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "24.05";
+}
--- a/nix/module-test.nix
+++ b/nix/module-test.nix
@@ -0,0 +1,49 @@
+{
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  imports = [
+    "${modulesPath}/virtualisation/qemu-vm.nix"
+    ./module.nix
+  ];
+
+  networking = {
+    hostName = "archtika-module-test";
+    firewall.enable = false;
+  };
+
+  nix.settings.experimental-features = [ "nix-command flakes" ];
+
+  users.users.dev = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    password = "dev";
+  };
+
+  virtualisation = {
+    graphics = false;
+    # Alternatively a bridge network for QEMU could be setup, but requires much more effort
+    forwardPorts = [
+      {
+        from = "host";
+        host.port = 13000;
+        guest.port = 3000;
+      }
+      {
+        from = "host";
+        host.port = 14000;
+        guest.port = 4000;
+      }
+    ];
+  };
+
+  services.archtika = {
+    enable = true;
+    jwtSecret = "test-secret";
+  };
+
+  system.stateVersion = "24.05";
+}
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -0,0 +1,124 @@
+{
+  config,
+  lib,
+  pkgs,
+  archtikaPackages,
+  ...
+}:
+
+with lib;
+
+let
+  cfg = config.services.archtika;
+in
+{
+  options.services.archtika = {
+    enable = mkEnableOption "archtika service";
+
+    user = mkOption {
+      type = types.str;
+      default = "archtika";
+      description = "User account under which archtika runs.";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "archtika";
+      description = "Group under which archtika runs.";
+    };
+
+    databaseName = mkOption {
+      type = types.str;
+      default = "archtika";
+      description = "Name of the PostgreSQL database for archtika.";
+    };
+
+    jwtSecret = mkOption {
+      type = types.str;
+      description = "JWT secret for archtika.";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 3000;
+      description = "Port on which the API runs.";
+    };
+
+    webAppPort = mkOption {
+      type = types.port;
+      default = 4000;
+      description = "Port on which the web application runs.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      home = "/var/lib/archtika";
+      createHome = true;
+    };
+
+    users.groups.${cfg.group} = { };
+
+    systemd.services.archtika-api = {
+      description = "archtika API service";
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "network.target"
+        "postgresql.service"
+      ];
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Restart = "always";
+      };
+
+      script = ''
+        ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:5432/${cfg.databaseName} -c "ALTER DATABASE ${cfg.databaseName} SET \"app.jwt_secret\" TO '${cfg.jwtSecret}'"
+
+        ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:5432/archtika?sslmode=disable --migrations-dir ${archtikaPackages.api}/migrations up
+
+        PGRST_SERVER_PORT=${toString cfg.port} PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:5432/${cfg.databaseName}" PGRST_JWT_SECRET="${cfg.jwtSecret}" ${pkgs.postgrest}/bin/postgrest
+      '';
+    };
+
+    systemd.services.archtika-web = {
+      description = "archtika Web App service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Restart = "always";
+      };
+
+      script = ''
+        ORIGIN=http://localhost:${toString cfg.webAppPort} PORT=${toString cfg.webAppPort} ${pkgs.nodejs_22}/bin/node ${archtikaPackages.web}
+      '';
+    };
+
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_16;
+      ensureDatabases = [ cfg.databaseName ];
+      authentication = lib.mkForce ''
+        # IPv4 local connections:
+        host    all    all    127.0.0.1/32    trust
+        # IPv6 local connections:
+        host    all    all    ::1/128         trust
+        # Local socket connections:
+        local   all    all                    trust
+      '';
+      extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ];
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+    };
+  };
+}