Diffstat (limited to 'modules/socialpredict/sys.nix')
| -rw-r--r-- | modules/socialpredict/sys.nix | 102 |
1 files changed, 0 insertions, 102 deletions
diff --git a/modules/socialpredict/sys.nix b/modules/socialpredict/sys.nix
deleted file mode 100644
index 36e5272..0000000
--- a/modules/socialpredict/sys.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- cfg,
- doctrine,
- lib,
- pkgs,
- ...
-}: {
- services = {
- nginx = lib.mkIf (cfg.domain != null) {
- enable = true;
-
- virtualHosts.${cfg.domain} = lib.mkMerge [
- cfg.nginx
- {
- locations = {
- "/" = {
- root = "${cfg.frontend}";
- index = "index.html";
- tryFiles = "$uri $uri/ /index.html =404";
- };
-
- "/api/" = {
- proxyPass = "http://localhost:${toString cfg.backendPort}/";
- };
-
- "= /env-config.js" = {
- alias = "${pkgs.writeText "socialpredict-env-config.js" ''
- window.__ENV__ = {
- DOMAIN_URL: "https://${cfg.domain}",
- API_URL: "https://${cfg.domain}/api"
- };
- ''}";
- };
- };
- }
- ];
- };
-
- postgresql = {
- enable = true;
-
- ensureUsers = [
- {
- name = cfg.user;
- ensureDBOwnership = cfg.user == cfg.database;
- }
- ];
-
- ensureDatabases = [cfg.database];
- };
- };
-
- systemd.services.socialpredict = {
- after = ["postgresql.service"];
- wants = ["postgresql.service"];
- wantedBy = ["multi-user.target"];
-
- environment = {
- ADMIN_PASSWORD = cfg.initialAdminPassword;
- BACKEND_PORT = toString cfg.backendPort;
- POSTGRES_URL = "postgresql:///${cfg.database}?host=/var/run/postgresql";
- };
-
- serviceConfig = {
- Group = cfg.group;
- User = cfg.user;
-
- ExecStart = lib.getExe cfg.backend;
-
- KeyringMode = "private";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateMounts = "yes";
- PrivateTmp = "yes";
- ProtectControlGroups = true;
- ProtectHome = "yes";
- ProtectHostname = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
-
- ReadWritePaths = [
- "/var/run/postgresql"
- ];
- };
- };
-
- users = {
- groups.${cfg.group} = {};
- users.${cfg.user} = {
- inherit (cfg) group;
- isSystemUser = true;
- };
- };
-} |
