{
  cfg,
  doctrine,
  lib,
  pkgs,
  ...
}: let
  # Small JS file served verbatim at /env-config.js; it hands the built
  # frontend its own origin and the API base URL without a rebuild.
  envConfigJs = pkgs.writeText "socialpredict-env-config.js" ''
    window.__ENV__ = {
      DOMAIN_URL: "https://${cfg.domain}",
      API_URL: "https://${cfg.domain}/api"
    };
  '';
in {
  # The reverse proxy is only configured once a domain is set; everything
  # else (database, service, user) is unconditional.
  services.nginx = lib.mkIf (cfg.domain != null) {
    enable = true;
    # Operator-supplied vhost settings (cfg.nginx) are merged with the
    # three locations defined here.
    virtualHosts.${cfg.domain} = lib.mkMerge [
      cfg.nginx
      {
        # Static frontend; unknown paths fall back to the SPA entry point.
        locations."/" = {
          root = "${cfg.frontend}";
          index = "index.html";
          tryFiles = "$uri $uri/ /index.html =404";
        };
        # Backend reached over loopback only; the trailing slash strips the
        # /api/ prefix before forwarding.
        locations."/api/" = {
          proxyPass = "http://localhost:${toString cfg.backendPort}/";
        };
        locations."= /env-config.js" = {
          alias = "${envConfigJs}";
        };
      }
    ];
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [cfg.database];
    ensureUsers = [
      {
        name = cfg.user;
        # NixOS only grants ownership when role and database share a name,
        # hence the equality test rather than a plain `true`.
        ensureDBOwnership = cfg.user == cfg.database;
      }
    ];
  };

  systemd.services.socialpredict = {
    wantedBy = ["multi-user.target"];
    # Start after the database but do not fail if it is absent.
    wants = ["postgresql.service"];
    after = ["postgresql.service"];

    environment = {
      BACKEND_PORT = toString cfg.backendPort;
      # Unix-socket connection; authentication presumably relies on the
      # service running as cfg.user (peer auth) — confirm against pg_hba.
      POSTGRES_URL = "postgresql:///${cfg.database}?host=/var/run/postgresql";
      # NOTE(review): a plain `environment` entry is written into the unit
      # file and the Nix store, both world-readable on the host. A path-based
      # option fed through LoadCredential/EnvironmentFile would keep the
      # password out of both — needs a module option change, not done here.
      ADMIN_PASSWORD = cfg.initialAdminPassword;
    };

    serviceConfig = {
      ExecStart = lib.getExe cfg.backend;
      User = cfg.user;
      Group = cfg.group;

      # Filesystem view: read-only system, no home directories, private
      # tmp/mounts; only the PostgreSQL socket directory stays writable.
      ProtectSystem = "strict";
      ProtectHome = "yes";
      PrivateTmp = "yes";
      PrivateMounts = "yes";
      ReadWritePaths = [
        "/var/run/postgresql"
      ];

      # Kernel surface reduction.
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      SystemCallArchitectures = "native";

      # Privilege and memory restrictions.
      NoNewPrivileges = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      KeyringMode = "private";
      RemoveIPC = true;

      # Loopback/TCP for the listener plus the PostgreSQL Unix socket.
      RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
    };
  };

  # Dedicated unprivileged account the service (and its DB role) run as.
  users.groups.${cfg.group} = {};
  users.users.${cfg.user} = {
    isSystemUser = true;
    inherit (cfg) group;
  };
}