feat: initial nixos module impl

2025-11-03 21:33:35 +00:00 · 2023-10-08 13:36:31 +00:00 · 2023-10-08 13:36:31 +00:00 · 59c3b1ce59
commit 59c3b1ce59
parent 4a64f2186f
2 changed files with 87 additions and 1 deletions
--- a/auth-notes.org
+++ b/auth-notes.org
@ -150,6 +150,31 @@ is what i need for it to pick up pb_data from work directory, cool

 ** TODO write nixos module
 need to pass data and migration location as params
+and address on which to serve, cool
+i suppose
+but also nginx settins at the same time
+*** this is behavior of specifying the host and port:
+[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --https=127.0.0.1:8090 --dir=./pb_data
+2023/10/08 12:58:04 Server started at https://127.0.0.1:8090
+├─ REST API: https://127.0.0.1:8090/api/
+└─ Admin UI: https://127.0.0.1:8090/_/
+^C
+[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve 127.0.0.1:8090 --dir=./pb_data
+2023/10/08 12:58:15 Server started at https://127.0.0.1:8090
+├─ REST API: https://127.0.0.1:8090/api/
+└─ Admin UI: https://127.0.0.1:8090/_/
+^C
+[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --http=127.0.0.1:8090 --dir=./pb_data
+2023/10/08 12:58:20 Server started at http://127.0.0.1:8090
+├─ REST API: http://127.0.0.1:8090/api/
+└─ Admin UI: http://127.0.0.1:8090/_/
+*** by default - if host is present, serving on https.
+cool
+
+oh, but if i'm using nginx i'll need my own certificate, that makes sence
+*** maybe things are ok?
+let's try to plaintext deploy?
+
 ** TODO add docker image from nix
 *** TODO add cli for port and host
 ** TODO add readme and comments
--- a/flake.nix
+++ b/flake.nix
@ -29,7 +29,8 @@
          auth-pocketbase-attempt = pkgs.buildGoModule {
            inherit pname version;
            src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
-            vendorHash = "sha256-7B5EkrLpL+P5wipQG5a12hrvXQn/UpYAjrz/DuHmSUQ="; # set to "" when get dependencies in go.mod
+            vendorHash =
+              "sha256-7B5EkrLpL+P5wipQG5a12hrvXQn/UpYAjrz/DuHmSUQ="; # set to "" when get dependencies in go.mod

            # Adding the Tailwind build step to preBuild
            preBuild = ''
@ -38,5 +39,65 @@
          };
          default = auth-pocketbase-attempt;
        };
+        nixosModules.auth-pocketbase-attempt = { config, pkgs, ... }:
+          let
+            cfg = config.services.${pname};
+            lib = pkgs.lib;
+            shortName = "pb-auth-example-group";
+          in {
+            options.services.${pname} = {
+              enable = lib.mkEnableOption
+                "Enable simple ssr oauth example build on pocketbase";
+              port = lib.mkOption {
+                type = lib.types.int;
+                default = 8090;
+                description =
+                  "Port to listen on. Use 443 for tls when no nginx, usual plaintext is 8090.";
+              };
+              host = lib.mkOption {
+                type = lib.types.str;
+                default = "127.0.0.1";
+                description = "Host to bind to.";
+              };
+              useNginx = lib.mkOption {
+                type = lib.types.bool;
+                default = true;
+                description = "Whether to use Nginx to proxy requests.";
+              };
+              usePbTls = lib.mkOption {
+                type = lib.types.bool;
+                default = false;
+                description =
+                  "Whether pocketbase should serve on https and issue own certs. Main case for true - when not under nginx";
+              };
+            };
+            config = lib.mkIf cfg.enable {
+              users.groups."${shortName}-group" = { };
+              users.users."${shortName}-user" = {
+                isSystemUser = true;
+                group = "${shortName}-group";
+              };
+              systemd.services.${shortName} = let
+                protocol = if cfg.usePbTls then "https" else "http";
+                serverHost = if cfg.useNginx then "127.0.0.1" else cfg.host;
+                servedAddress = "${protocol}://${serverHost}:${cfg.port}";
+              in {
+                description = "Exercise app ${pname}";
+                wantedBy = [ "multi-user.target" ];
+                after = [ "network.target" ];
+                startLimitIntervalSec = 30;
+                startLimitBurst = 10;
+                serviceConfig = {
+                  ExecStart =
+                    "${packages.auth-pocketbase-attempt}/bin/${pname} serve ${servedAddress} --dir=/home/${
+                      config.users.users."${shortName}-user"
+                    }";
+                  Restart = "on-failure";
+                  User = "${shortName}-user";
+                  Group = "${shortName}-group";
+                };
+              };
+            };
+          };
      });
 }