VEGAS: add SIPS service
This commit is contained in:
parent
db8bb892e0
commit
5157c9bec1
4 changed files with 91 additions and 0 deletions
76
hosts/VEGAS/services/sips/default.nix
Normal file
76
hosts/VEGAS/services/sips/default.nix
Normal file
|
@ -0,0 +1,76 @@
|
|||
{ config, inputs, pkgs, tools, ... }:
|
||||
let
|
||||
host = tools.identity.autoDomain "sips";
|
||||
|
||||
inherit (inputs.self.packages.${pkgs.system}) sips;
|
||||
|
||||
connStringNet = "host=127.0.0.1 sslmode=disable dbname=sips user=sips";
|
||||
connString = "host=/var/run/postgresql dbname=sips user=sips";
|
||||
|
||||
sipsctl = pkgs.runCommandNoCC "sipsctl-with-env" {
|
||||
nativeBuildInputs = [ pkgs.makeWrapper ];
|
||||
} ''
|
||||
makeWrapper ${sips}/bin/sipsctl $out/bin/sipsctl \
|
||||
--set PGPASSFILE ${config.age.secrets.sips-db-credentials.path} \
|
||||
--add-flags '--dbdriver postgres --db "${connStringNet}"'
|
||||
|
||||
ln -s ${sips}/share $out/share
|
||||
'';
|
||||
in
|
||||
{
|
||||
age.secrets.sips-db-credentials = {
|
||||
file = ../../../../secrets/sips-db-credentials.age;
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
reservePortsFor = [ "sips" "sipsInternal" "sipsIpfsApiProxy" ];
|
||||
|
||||
systemd.services.sips = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
requires = [ "sips-ipfs-api-proxy.service" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${sips}/bin/sips --dbdriver postgres --db \"${connString}\" --addr 127.0.0.1:${config.portsStr.sipsInternal} --api http://127.0.0.1:${config.portsStr.sipsIpfsApiProxy} --apitimeout 604800s";
|
||||
PrivateNetwork = true;
|
||||
DynamicUser = true;
|
||||
};
|
||||
environment.PGPASSFILE = config.age.secrets.sips-db-credentials.path;
|
||||
};
|
||||
|
||||
systemd.services.sips-ipfs-api-proxy = {
|
||||
after = [ "network.target" "sips.service" ];
|
||||
bindsTo = [ "sips.service" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.socat}/bin/socat tcp4-listen:${config.portsStr.sipsIpfsApiProxy},fork,reuseaddr,bind=127.0.0.1 unix-connect:/run/ipfs/ipfs-api.sock";
|
||||
PrivateNetwork = true;
|
||||
DynamicUser = true;
|
||||
SupplementaryGroups = "ipfs";
|
||||
};
|
||||
unitConfig.JoinsNamespaceOf = "sips.service";
|
||||
};
|
||||
|
||||
systemd.services.sips-proxy = {
|
||||
after = [ "network.target" "sips.service" ];
|
||||
bindsTo = [ "sips.service" ];
|
||||
requires = [ "sips-proxy.socket" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd 127.0.0.1:${config.portsStr.sipsInternal}";
|
||||
PrivateNetwork = true;
|
||||
DynamicUser = true;
|
||||
SupplementaryGroups = "ipfs";
|
||||
};
|
||||
unitConfig.JoinsNamespaceOf = "sips.service";
|
||||
};
|
||||
|
||||
systemd.sockets.sips-proxy = {
|
||||
wantedBy = [ "sockets.target" ];
|
||||
after = [ "network.target" ];
|
||||
socketConfig = {
|
||||
ListenStream = "127.0.0.1:${config.portsStr.sips}";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [ sipsctl ];
|
||||
|
||||
services.nginx.virtualHosts.${host} = tools.nginx.vhosts.proxy "http://127.0.0.1:${config.portsStr.sips}";
|
||||
}
|
|
@ -36,6 +36,7 @@
|
|||
./services/nix/nar-serve.nix
|
||||
./services/object-storage
|
||||
./services/openvpn
|
||||
./services/sips
|
||||
./services/sso
|
||||
./services/vault
|
||||
./services/warehouse
|
||||
|
|
|
@ -21,6 +21,7 @@ in with hosts;
|
|||
"nextcloud-dbpass.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"oauth2_proxy-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"postfix-ldap-mailboxes.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"sips-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"synapse-db.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"synapse-keys.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
"synapse-ldap.age".publicKeys = max ++ map systemKeys [ VEGAS ];
|
||||
|
|
13
secrets/sips-db-credentials.age
Normal file
13
secrets/sips-db-credentials.age
Normal file
|
@ -0,0 +1,13 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 NO562A E/9/zbcPJ/7RcvpQDdiH3964S2458+gfe4y58gljdRM
|
||||
EkmMt7j+MRT4+StvnCbmyyFudWsGHN72Vq+sW3BMG3k
|
||||
-> ssh-ed25519 5/zT0w 2hwtQ2r3Yt92hnBdHS6dlxxWEMhc/a+Xs6GFjOer9xQ
|
||||
IADvMgdOEj9lVpEyPYQf4VHzbAqa5jf1xHCxu3tX0Os
|
||||
-> ssh-ed25519 d3WGuA SH5ARarHt6Z6ieKm42ECfJps0ZQZpEnbIcJzWZhGr1Q
|
||||
fjQQJJUkQf8fv7CihShd51ChXse9GBmoY/q186M7FBE
|
||||
-> /a.-grease
|
||||
w3y137fgLnhJLYkLo2uSwwIIevdM+G7A9ewrChPDFEmoahoOYPoNfPb6Lo4XBMEv
|
||||
OSVsc+9B5cO95zQ2hOncu7LlsDUcdCHa8rLJFVaGLwfqXi79EnCsdrucUK+nnNCe
|
||||
|
||||
--- mpr2ZFj40sPB65FCmlwUSWhRNU0TWSkNvyCh4HQN/e4
|
||||
ÿH1 ¹8—‹y@¯Ù;Ùa´«]'•Š<E280A2>ê¡gRÕy/7µ&¯¯ó >Ld'þ°¯˜tYN|eÜ žÆÔ_©oìÁÖ5¼à°Þ㼘+ä`[fí3ÆöéOPgÔwZÔfÞTÕÊT¨¼£}àyhs3Íì
|
Loading…
Reference in a new issue