From 59c3b1ce591258711d8a38679ec7faaf1b55092f Mon Sep 17 00:00:00 2001 From: efim Date: Sun, 8 Oct 2023 13:36:31 +0000 Subject: [PATCH] feat: initial nixos module impl --- auth-notes.org | 25 ++++++++++++++++++++ flake.nix | 63 +++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 87 insertions(+), 1 deletion(-) diff --git a/auth-notes.org b/auth-notes.org index 00bb801..62cb9cb 100644 --- a/auth-notes.org +++ b/auth-notes.org @@ -150,6 +150,31 @@ is what i need for it to pick up pb_data from work directory, cool ** TODO write nixos module need to pass data and migration location as params +and address on which to serve, cool +i suppose +but also nginx settins at the same time +*** this is behavior of specifying the host and port: +[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --https=127.0.0.1:8090 --dir=./pb_data +2023/10/08 12:58:04 Server started at https://127.0.0.1:8090 +├─ REST API: https://127.0.0.1:8090/api/ +└─ Admin UI: https://127.0.0.1:8090/_/ +^C +[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve 127.0.0.1:8090 --dir=./pb_data +2023/10/08 12:58:15 Server started at https://127.0.0.1:8090 +├─ REST API: https://127.0.0.1:8090/api/ +└─ Admin UI: https://127.0.0.1:8090/_/ +^C +[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --http=127.0.0.1:8090 --dir=./pb_data +2023/10/08 12:58:20 Server started at http://127.0.0.1:8090 +├─ REST API: http://127.0.0.1:8090/api/ +└─ Admin UI: http://127.0.0.1:8090/_/ +*** by default - if host is present, serving on https. +cool + +oh, but if i'm using nginx i'll need my own certificate, that makes sence +*** maybe things are ok? +let's try to plaintext deploy? + ** TODO add docker image from nix *** TODO add cli for port and host ** TODO add readme and comments 
diff --git a/flake.nix b/flake.nix
index 0727667..7ba2ada 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,7 +29,8 @@
 auth-pocketbase-attempt = pkgs.buildGoModule {
 inherit pname version;
 src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
- vendorHash = "sha256-7B5EkrLpL+P5wipQG5a12hrvXQn/UpYAjrz/DuHmSUQ="; # set to "" when get dependencies in go.mod
+ vendorHash =
+ "sha256-7B5EkrLpL+P5wipQG5a12hrvXQn/UpYAjrz/DuHmSUQ="; # set to "" when get dependencies in go.mod
 # Adding the Tailwind build step to preBuild
 preBuild = ''
 
@@ -38,5 +39,65 @@
 };
 default = auth-pocketbase-attempt;
 };
+ nixosModules.auth-pocketbase-attempt = { config, pkgs, ... }:
+ let
+ cfg = config.services.${pname};
+ lib = pkgs.lib;
+ shortName = "pb-auth-example-group";
+ in {
+ options.services.${pname} = {
+ enable = lib.mkEnableOption
+ "Enable simple ssr oauth example build on pocketbase";
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8090;
+ description =
+ "Port to listen on. Use 443 for tls when no nginx, usual plaintext is 8090.";
+ };
+ host = lib.mkOption {
+ type = lib.types.str;
+ default = "127.0.0.1";
+ description = "Host to bind to.";
+ };
+ useNginx = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether to use Nginx to proxy requests.";
+ };
+ usePbTls = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description =
+ "Whether pocketbase should serve on https and issue own certs. Main case for true - when not under nginx";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ users.groups."${shortName}-group" = { };
+ users.users."${shortName}-user" = {
+ isSystemUser = true;
+ group = "${shortName}-group";
+ };
+ systemd.services.${shortName} = let
+ protocol = if cfg.usePbTls then "https" else "http";
+ serverHost = if cfg.useNginx then "127.0.0.1" else cfg.host;
+ servedAddress = "${protocol}://${serverHost}:${cfg.port}";
+ in {
+ description = "Exercise app ${pname}";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ startLimitIntervalSec = 30;
+ startLimitBurst = 10;
+ serviceConfig = {
+ ExecStart =
+ "${packages.auth-pocketbase-attempt}/bin/${pname} serve ${servedAddress} --dir=/home/${
+ config.users.users."${shortName}-user"
+ }";
+ Restart = "on-failure";
+ User = "${shortName}-user";
+ Group = "${shortName}-group";
+ };
+ };
+ };
+ };
 });
 }
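Review bot: `servedAddress = "${protocol}://${serverHost}:${cfg.port}"` will fail at evaluation time, because `cfg.port` is declared as `lib.types.int` and Nix does not coerce integers inside string interpolation; it needs `${toString cfg.port}`. The `--dir=/home/${ config.users.users."${shortName}-user" }` interpolation in ExecStart has the same coercion problem with an attribute set, and even with `.home` appended the module never sets `createHome` for the system user, so pocketbase would likely have no writable directory for pb_data. A more robust shape is `StateDirectory = shortName;` in serviceConfig together with `--dir=/var/lib/${shortName}`, which systemd creates with ownership for the configured User. Since this unit runs a network-facing service under a dedicated user, the same serviceConfig is also where hardening such as `NoNewPrivileges = true;` and `ProtectSystem = "strict";` usually goes; presumably the `useNginx` default of true also expects a `services.nginx` virtual host that this hunk does not yet define. The enclosing flake `outputs` function starts outside the hunk.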