authorFabian Montero <fabian@posixlycorrect.com>2026-02-03 15:12:59 -0600
committerFabian Montero <fabian@posixlycorrect.com>2026-02-03 15:12:59 -0600
commit4a822c48da5a3aa4550fd0fad2697fd023c1810a (patch)
tree3ad3d1fc31c545daf0d1c221c5cefba83c6cea04 /modules/socialpredict/sys.nix
parente44c6337d4557c9377b562e3687d24ef5e236974 (diff)
parent0f6a8aa22d9b554c211a9d77bbf4fefdcabc20d1 (diff)
Merge commit '974154ce2da0b60bdff5ae3c57e0490db58d9f0e'
Diffstat (limited to 'modules/socialpredict/sys.nix')
-rw-r--r--modules/socialpredict/sys.nix102
1 files changed, 102 insertions, 0 deletions
diff --git a/modules/socialpredict/sys.nix b/modules/socialpredict/sys.nix
new file mode 100644
index 0000000..36e5272
--- /dev/null
+++ b/modules/socialpredict/sys.nix
@@ -0,0 +1,102 @@
+{
+ cfg,
+ doctrine,
+ lib,
+ pkgs,
+ ...
+}: {
+ services = {
+ nginx = lib.mkIf (cfg.domain != null) {
+ enable = true;
+
+ virtualHosts.${cfg.domain} = lib.mkMerge [
+ cfg.nginx
+ {
+ locations = {
+ "/" = {
+ root = "${cfg.frontend}";
+ index = "index.html";
+ tryFiles = "$uri $uri/ /index.html =404";
+ };
+
+ "/api/" = {
+ proxyPass = "http://localhost:${toString cfg.backendPort}/";
+ };
+
+ "= /env-config.js" = {
+ alias = "${pkgs.writeText "socialpredict-env-config.js" ''
+ window.__ENV__ = {
+ DOMAIN_URL: "https://${cfg.domain}",
+ API_URL: "https://${cfg.domain}/api"
+ };
+ ''}";
+ };
+ };
+ }
+ ];
+ };
+
+ postgresql = {
+ enable = true;
+
+ ensureUsers = [
+ {
+ name = cfg.user;
+ ensureDBOwnership = cfg.user == cfg.database;
+ }
+ ];
+
+ ensureDatabases = [cfg.database];
+ };
+ };
+
+ systemd.services.socialpredict = {
+ after = ["postgresql.service"];
+ wants = ["postgresql.service"];
+ wantedBy = ["multi-user.target"];
+
+ environment = {
+ ADMIN_PASSWORD = cfg.initialAdminPassword;
+ BACKEND_PORT = toString cfg.backendPort;
+ POSTGRES_URL = "postgresql:///${cfg.database}?host=/var/run/postgresql";
+ };
+
+ serviceConfig = {
+ Group = cfg.group;
+ User = cfg.user;
+
+ ExecStart = lib.getExe cfg.backend;
+
+ KeyringMode = "private";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateMounts = "yes";
+ PrivateTmp = "yes";
+ ProtectControlGroups = true;
+ ProtectHome = "yes";
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+
+ ReadWritePaths = [
+ "/var/run/postgresql"
+ ];
+ };
+ };
+
+ users = {
+ groups.${cfg.group} = {};
+ users.${cfg.user} = {
+ inherit (cfg) group;
+ isSystemUser = true;
+ };
+ };
+}
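Review bot: `ADMIN_PASSWORD = cfg.initialAdminPassword;` in the `environment` attrset (L81) bakes the admin secret into the generated unit file in the world-readable Nix store and exposes it to any local user via `systemctl show socialpredict -p Environment`. Passing it as a file instead keeps it out of the store and out of the unit's public properties: `serviceConfig.LoadCredential = [ "admin_password:<path-to-root-only-secret-file>" ];` (placeholder path) with the service reading `$CREDENTIALS_DIRECTORY/admin_password`, or `serviceConfig.EnvironmentFile = <root-only secrets file>;` if the backend can only consume a plain environment variable — which of these fits depends on how the backend reads `ADMIN_PASSWORD`, which is not visible here. The `env-config.js` block hardcodes `https://${cfg.domain}` while this file sets no `forceSSL`/`enableACME` on the virtual host, so TLS is presumably supplied through the merged `cfg.nginx`; a comment on the `lib.mkMerge` line stating that expectation (e.g. `# TLS settings are expected from cfg.nginx; URLs below assume https`) would prevent a silent mixed-content deployment. Minor style point: `PrivateMounts`, `PrivateTmp` and `ProtectHome` use the string `"yes"` while the surrounding directives use Nix booleans; `PrivateMounts = true;` etc. keeps the block uniform (`ProtectHome` accepts `"read-only"`/`"tmpfs"` too, so a string there is fine if that is intentional).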