From f2a11529dbe511bd90b67b3f6df1b000b54d64aa Mon Sep 17 00:00:00 2001
From: thiloho <123883702+thiloho@users.noreply.github.com>
Date: Fri, 9 Aug 2024 18:14:51 +0200
Subject: [PATCH] Remove configuration files and use CLI args instead
---
 flake.nix | 29 ++++----
 module.nix | 158 ++++++++++++++++++++++++++++++++++++++++
 rest-api/.env | 3 -
 rest-api/postgrest.conf | 3 -
 4 files changed, 173 insertions(+), 20 deletions(-)
 create mode 100644 module.nix
 delete mode 100644 rest-api/.env
 delete mode 100644 rest-api/postgrest.conf
diff --git a/flake.nix b/flake.nix
index 4056b08..79a359e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,12 +23,10 @@
 in
 {
 api = pkgs.mkShell {
- packages = with pkgs; [
- dbmate
- postgrest
- ];
+ packages = with pkgs; [ dbmate ];
 shellHook = ''
+ alias dbmate="dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable"
 alias formatsql="${pkgs.pgformatter}/bin/pg_format -s 2 -f 2 -U 2 -i db/migrations/*.sql"
 '';
 };
@@ -56,6 +54,15 @@
 cp -r build/* $out
 '';
 };
+
+ api = pkgs.stdenv.mkDerivation {
+ name = "archtika-api";
+ src = ./rest-api;
+ installPhase = ''
+ mkdir $out
+ cp -r db/migrations $out
+ '';
+ };
 }
 );
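Review bot: The connection string `postgres://postgres@localhost:15432/archtika?sslmode=disable` in the new `dbmate` alias is the same literal that the `api-setup` app in the third hunk passes to `dbmate --url` and, without the query string, to `psql`; three copies of host, port and database name will drift the first time one of them changes. Bind it once in the flake's `let` block (e.g. `devDbUrl = "postgres://postgres@localhost:15432/archtika";`) and interpolate `${devDbUrl}?sslmode=disable` where the dbmate form is needed. The enclosing `let`/`in` block starts before this hunk.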
@@ -68,24 +75,18 @@
 api = {
 type = "app";
 program = "${pkgs.writeShellScriptBin "api-setup" ''
- source .env
+ ${pkgs.postgresql_16}/bin/psql postgres://postgres@localhost:15432/archtika -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO 'a42kVyAhTImYxZeebZkApoAZLmf0VtDA'"
- ${pkgs.postgresql_16}/bin/psql $DATABASE_URL -c "ALTER DATABASE archtika SET \"app.jwt_secret\" TO '$JWT_SECRET'"
+ ${pkgs.dbmate}/bin/dbmate --url postgres://postgres@localhost:15432/archtika?sslmode=disable --migrations-dir ${self.packages.${system}.api}/migrations up
- ${pkgs.dbmate}/bin/dbmate up
-
- PGRST_DB_URI="$PGRST_DB_URI" PGRST_JWT_SECRET="$JWT_SECRET" ${pkgs.postgrest}/bin/postgrest postgrest.conf
+ PGRST_DB_SCHEMAS="api" PGRST_DB_ANON_ROLE="anon" PGRST_OPENAPI_MODE="ignore-privileges" PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika" PGRST_JWT_SECRET="a42kVyAhTImYxZeebZkApoAZLmf0VtDA" ${pkgs.postgrest}/bin/postgrest
 ''}/bin/api-setup";
 };
 web = {
 type = "app";
 program = "${pkgs.writeShellScriptBin "web-wrapper" ''
- export ORIGIN=http://localhost:4000
- export HOST=127.0.0.1
- export PORT=4000
-
- ${pkgs.nodejs_22}/bin/node ${self.packages.${system}.web}
+ ORIGIN=http://localhost:4000 HOST=127.0.0.1 PORT=4000 ${pkgs.nodejs_22}/bin/node ${self.packages.${system}.web}
 ''}/bin/web-wrapper";
 };
 }
diff --git a/module.nix b/module.nix
new file mode 100644
index 0000000..fbc0353
--- /dev/null
+++ b/module.nix
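Review bot: The JWT secret `a42kVyAhTImYxZeebZkApoAZLmf0VtDA` is now spelled out twice in the `api-setup` script — once in the `ALTER DATABASE archtika SET "app.jwt_secret"` statement and once as `PGRST_JWT_SECRET` — so the two copies can drift silently, after which PostgREST rejects every token the database signs. Bind it once in the flake's `let` (e.g. `devJwtSecret = "…";`, a constructed name) and interpolate `${devJwtSecret}` at both sites; the same value sat in the deleted rest-api/.env, so it is already in git history and should stay a development-only credential that no non-local setup reuses. In the `dbmate` line the `--url postgres://…/archtika?sslmode=disable` argument is unquoted, unlike the alias in the first hunk: `?` is a shell glob character, so with `nullglob` or `failglob` active the argument is dropped or the script aborts — quote it, `--url "postgres://postgres@localhost:15432/archtika?sslmode=disable"`. The `apps` attribute set this hunk edits is closed by the final `}` shown here, but its opening is outside the hunk.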
@@ -0,0 +1,158 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+with lib;
+
+let
+ cfg = config.services.archtika;
+in
+{
+ options.services.archtika = {
+ enable = mkEnableOption "archtika service";
+
+ user = mkOption {
+ type = types.str;
+ default = "archtika";
+ description = "User account under which archtika runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "archtika";
+ description = "Group under which archtika runs.";
+ };
+
+ databaseName = mkOption {
+ type = types.str;
+ default = "archtika";
+ description = "Name of the PostgreSQL database for archtika.";
+ };
+
+ jwtSecret = mkOption {
+ type = types.str;
+ description = "JWT secret for archtika.";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 3000;
+ description = "Port on which the API runs.";
+ };
+
+ webAppPort = mkOption {
+ type = types.port;
+ default = 4000;
+ description = "Port on which the web application runs.";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ home = "/var/lib/archtika";
+ createHome = true;
+ };
+
+ users.groups.${cfg.group} = { };
+
+ systemd.services.archtika-api = {
+ description = "archtika API service";
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "postgresql.service"
+ ];
+ environment = {
+ PGRST_DB_URI = "postgres://authenticator@localhost:5432/${cfg.databaseName}";
+ PGRST_JWT_SECRET = cfg.jwtSecret;
+ };
+
+ serviceConfig = {
+ ExecStart = "${pkgs.postgrest}/bin/postgrest";
+ User = cfg.user;
+ Group = cfg.group;
+ Restart = "always";
+ };
+ };
+
+ systemd.services.archtika-web = {
+ description = "Archtika Web App service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ environment = {
+ ORIGIN = "https://${cfg.domain}";
+ HOST = "127.0.0.1";
+ PORT = toString cfg.webAppPort;
+ };
+
+ serviceConfig = {
+ ExecStart = "${pkgs.nodejs_22}/bin/node ${pkgs.callPackage ../packages/web.nix { }}";
+ User = cfg.user;
+ Group = cfg.group;
+ Restart = "always";
+ };
+ };
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_16;
+ ensureDatabases = [ cfg.databaseName ];
+ ensureUsers = [
+ {
+ name = cfg.user;
+ ensurePermissions = {
+ "DATABASE ${cfg.databaseName}" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ authentication = lib.mkForce ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ '';
+ enableTCPIP = true;
+ extraPlugins = with pkgs.postgresql16Packages; [ pgjwt ];
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts.${cfg.domain} = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.webAppPort}";
+ };
+
+ locations."/api/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}/";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ system.activationScripts.archtika-setup = ''
+ mkdir -p /etc/archtika
+ cat > /etc/archtika/postgrest.conf << EOF
+ db-uri = "$(systemd-escape "postgres://${cfg.user}:${cfg.user}@localhost/${cfg.databaseName}")"
+ db-schema = "api"
+ db-anon-role = "anon"
+ jwt-secret = "$(systemd-escape "${cfg.jwtSecret}")"
+ server-port = ${toString cfg.port}
+ EOF
+ chown -R ${cfg.user}:${cfg.group} /etc/archtika
+ chmod 600 /etc/archtika/postgrest.conf
+ '';
+ };
+}
diff --git a/rest-api/.env b/rest-api/.env
deleted file mode 100644
index 3eff81c..0000000
--- a/rest-api/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-DATABASE_URL="postgres://postgres@localhost:15432/archtika?sslmode=disable"
-PGRST_DB_URI="postgres://authenticator@localhost:15432/archtika?sslmode=disable"
-JWT_SECRET="a42kVyAhTImYxZeebZkApoAZLmf0VtDA"
\ No newline at end of file
diff --git a/rest-api/postgrest.conf b/rest-api/postgrest.conf
deleted file mode 100644
index f7db5e6..0000000
--- a/rest-api/postgrest.conf
+++ /dev/null
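Review bot: `jwtSecret` is a plain `types.str`, so its value is copied world-readable into the Nix store twice — into the `archtika-api` unit file through `environment.PGRST_JWT_SECRET`, and into the `archtika-setup` activation script that writes /etc/archtika/postgrest.conf — and the `chmod 600` on that file does nothing for the store copies; a `jwtSecretFile` option (`types.path`) handed to the unit via `serviceConfig.LoadCredential` or an `EnvironmentFile` kept outside the store, with PostgREST reading the secret from that path, keeps it off the store. Independently, `cfg.domain` is used for `ORIGIN` in `archtika-web` and as the `services.nginx.virtualHosts` key, but no `domain` option is declared under `options.services.archtika`, so evaluation fails as soon as `enable = true` — add `domain = mkOption { type = types.str; … }`. The generated /etc/archtika/postgrest.conf is never passed to `postgrest` (the `ExecStart` carries no config argument), so its `server-port = ${toString cfg.port}` and its `db-uri` (user `${cfg.user}` with the username as password, unlike the `authenticator` user in `PGRST_DB_URI`) are dead configuration; nginx's `/api/` upstream only lines up because PostgREST's default port, 3000 as far as I recall, equals the option default. The `lib.mkForce` pg_hba of `trust` for every role over both the local socket and 127.0.0.1 lets any local process connect as `postgres` or `authenticator` without a password, which with `enableTCPIP = true` widens the blast radius of any other compromised local service; `scram-sha-256` with per-role passwords, or peer auth on the socket, is the safer default. I would also double-check `../packages/web.nix`, which points outside the repository as laid out in the diffstat (module.nix is at the root), and `ensurePermissions`, which I believe is deprecated in recent NixOS releases.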
@@ -1,3 +0,0 @@
-db-schemas = "api"
-db-anon-role = "anon"
-openapi-mode = "ignore-privileges"
\ No newline at end of file