VEGAS: add SIPS service

This commit is contained in:
Max Headroom 2022-02-03 00:43:29 +01:00
parent db8bb892e0
commit 5157c9bec1
4 changed files with 91 additions and 0 deletions


@ -0,0 +1,76 @@
{ config, inputs, pkgs, tools, ... }:
let
host = tools.identity.autoDomain "sips";
inherit (inputs.self.packages.${pkgs.system}) sips;
connStringNet = "host=127.0.0.1 sslmode=disable dbname=sips user=sips";
connString = "host=/var/run/postgresql dbname=sips user=sips";
sipsctl = pkgs.runCommandNoCC "sipsctl-with-env" {
nativeBuildInputs = [ pkgs.makeWrapper ];
} ''
makeWrapper ${sips}/bin/sipsctl $out/bin/sipsctl \
--set PGPASSFILE ${config.age.secrets.sips-db-credentials.path} \
--add-flags '--dbdriver postgres --db "${connStringNet}"'
ln -s ${sips}/share $out/share
'';
in
{
age.secrets.sips-db-credentials = {
file = ../../../../secrets/sips-db-credentials.age;
mode = "0400";
};
reservePortsFor = [ "sips" "sipsInternal" "sipsIpfsApiProxy" ];
systemd.services.sips = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
requires = [ "sips-ipfs-api-proxy.service" ];
serviceConfig = {
ExecStart = "${sips}/bin/sips --dbdriver postgres --db \"${connString}\" --addr 127.0.0.1:${config.portsStr.sipsInternal} --api http://127.0.0.1:${config.portsStr.sipsIpfsApiProxy} --apitimeout 604800s";
PrivateNetwork = true;
DynamicUser = true;
};
environment.PGPASSFILE = config.age.secrets.sips-db-credentials.path;
};
systemd.services.sips-ipfs-api-proxy = {
after = [ "network.target" "sips.service" ];
bindsTo = [ "sips.service" ];
serviceConfig = {
ExecStart = "${pkgs.socat}/bin/socat tcp4-listen:${config.portsStr.sipsIpfsApiProxy},fork,reuseaddr,bind=127.0.0.1 unix-connect:/run/ipfs/ipfs-api.sock";
PrivateNetwork = true;
DynamicUser = true;
SupplementaryGroups = "ipfs";
};
unitConfig.JoinsNamespaceOf = "sips.service";
};
systemd.services.sips-proxy = {
after = [ "network.target" "sips.service" ];
bindsTo = [ "sips.service" ];
requires = [ "sips-proxy.socket" ];
serviceConfig = {
ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd 127.0.0.1:${config.portsStr.sipsInternal}";
PrivateNetwork = true;
DynamicUser = true;
SupplementaryGroups = "ipfs";
};
unitConfig.JoinsNamespaceOf = "sips.service";
};
systemd.sockets.sips-proxy = {
wantedBy = [ "sockets.target" ];
after = [ "network.target" ];
socketConfig = {
ListenStream = "127.0.0.1:${config.portsStr.sips}";
};
};
environment.systemPackages = [ sipsctl ];
services.nginx.virtualHosts.${host} = tools.nginx.vhosts.proxy "http://127.0.0.1:${config.portsStr.sips}";
}
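Review bot: The sips unit (lines 33–43) runs with `DynamicUser = true` yet points `PGPASSFILE` at `config.age.secrets.sips-db-credentials.path`, which this file declares with `mode = "0400"` and no `owner`, so the file is readable only by its owner (root by default in agenix) and libpq inside the transient user will most likely fail to open it. Passing it as a systemd credential avoids chowning the secret to a dynamic UID: `serviceConfig.LoadCredential = "pgpass:${config.age.secrets.sips-db-credentials.path}";` together with `environment.PGPASSFILE = "%d/pgpass";`, where systemd expands `%d` to the per-service credentials directory owned by the dynamic user. The `sipsctl` wrapper on lines 21–23 points at the same 0400 file, so it only works as root; a comment such as `# PGPASSFILE is root-readable only: sipsctl must be run as root` would save the next operator a confusing permission error. Separately, `SupplementaryGroups = "ipfs"` on sips-proxy (line 63) grants the systemd-socket-proxyd instance access to the IPFS API socket it never touches; only sips-ipfs-api-proxy needs that group.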


@ -36,6 +36,7 @@
./services/nix/nar-serve.nix
./services/object-storage
./services/openvpn
./services/sips
./services/sso
./services/vault
./services/warehouse


@ -21,6 +21,7 @@ in with hosts;
"nextcloud-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"postfix-ldap-mailboxes.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"sips-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"synapse-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];


@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 NO562A E/9/zbcPJ/7RcvpQDdiH3964S2458+gfe4y58gljdRM
EkmMt7j+MRT4+StvnCbmyyFudWsGHN72Vq+sW3BMG3k
-> ssh-ed25519 5/zT0w 2hwtQ2r3Yt92hnBdHS6dlxxWEMhc/a+Xs6GFjOer9xQ
IADvMgdOEj9lVpEyPYQf4VHzbAqa5jf1xHCxu3tX0Os
-> ssh-ed25519 d3WGuA SH5ARarHt6Z6ieKm42ECfJps0ZQZpEnbIcJzWZhGr1Q
fjQQJJUkQf8fv7CihShd51ChXse9GBmoY/q186M7FBE
-> /a.-grease
w3y137fgLnhJLYkLo2uSwwIIevdM+G7A9ewrChPDFEmoahoOYPoNfPb6Lo4XBMEv
OSVsc+9B5cO95zQ2hOncu7LlsDUcdCHa8rLJFVaGLwfqXi79EnCsdrucUK+nnNCe
--- mpr2ZFj40sPB65FCmlwUSWhRNU0TWSkNvyCh4HQN/e4
ÿH1 ¹8—y@¯Ù;Ùa´«]'•Š<E280A2>ê¡gRÕy/7µ&¯¯ó >Ld'þ°¯˜tYN|eÜ žÆÔ_©oìÁÖ5¼à°Þ㼘+ä`[fí3ÆöéOPgÔwZÔfÞTÕÊT¨¼£}àyhs3Íì