feat: allow setting tls on nixos

refactor: using cool NixOS option for nginx
nix: fixing the module
2023-10-09 03:22:58 +00:00 · 2023-10-09 03:16:33 +00:00 · 2023-08-06 17:17:06 +00:00 · 2023-08-06 14:02:04 +00:00
1 changed files with 36 additions and 32 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -10,7 +10,7 @@
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
-        packageName = "blanning-poker-kazbegi";
+        packageName = "planning-poker-kazbegi";
        backendName = "${packageName}-backend";
        version = "0.1.1";
        backendPackage = sbt-derivation.lib.mkSbtDerivation rec {
@@ -46,7 +46,7 @@
        # Just the backend jar
        packages.backend = backendPackage;
        # Module for NixOS to allow starting backend as SystemD service
-        module = { config, pkgs, ... }:
+        nixosModules.backendApp = { config, pkgs, ... }:
          let
            cfg = config.services.${backendName};
            lib = pkgs.lib;
@@ -72,48 +72,52 @@
                default = true;
                description = "Whether to use Nginx to proxy requests.";
              };
-            };
+              useHostTls = lib.mkOption {
-            config = lib.mkIf cfg.enable {
+                type = lib.types.bool;
-              users.groups."${backendName}-group" = { };
+                default = false;
-              users.users."${backendName}-user" = {
+                description =
-                isSystemUser = true;
+                  "Whether virtual host should enable NixOS ACME certs";
                group = "${backendName}-group";
              };
-
+            };
-              systemd.services.${backendName} =
+            config.users = lib.mkIf cfg.enable {
              groups."${backendName}" = { };
              users."${backendName}" = {
                isSystemUser = true;
                group = "${backendName}";
              };
            };
            config.systemd.services.${backendName} = lib.mkIf cfg.enable {
              description = "Exercise app ${backendName}";
              wantedBy = [ "multi-user.target" ];
              after = [ "network.target" ];
              startLimitIntervalSec = 30;
              startLimitBurst = 10;
              serviceConfig =
                let serverHost = if cfg.useNginx then "localhost" else cfg.host;
                in {
-                  description = "Exercise app ${backendName}";
+                  ExecStart =
-                  wantedBy = [ "multi-user.target" ];
+                    "${pkgs.jdk}/bin/java -jar ${backendPackage}/bin/${backendName}.jar -p ${
-                  after = [ "network.target" ];
+                      toString cfg.port
-                  startLimitIntervalSec = 30;
+                    } --host ${serverHost}";
-                  startLimitBurst = 10;
+                  WorkingDirectory = "${backendPackage}/bin";
-                  serviceConfig = {
+                  Restart = "on-failure";
-                    ExecStart =
+                  User = "${backendName}";
-                      "${pkgs.jdk}/bin/java -jar ${backendPackage}/bin/${backendName}.jar -p ${
+                  Group = "${backendName}";
                        toString cfg.port
                      } --host ${serverHost}";
                    WorkingDirectory = "${backendPackage}/bin";
                    Restart = "on-failure";
                    User = "${backendName}-user";
                    Group = "${backendName}-group";
                  };
                };
-              # this is only backend. Front end still configured and installed separately.
+            };
-              services.nginx.virtualHosts.${cfg.host}.locations."/api" = {
+            config.services.nginx.virtualHosts.${cfg.host} = {
              forceSSL = cfg.useHostTls;
              enableACME = cfg.useHostTls;
              locations."/api" = lib.mkIf cfg.enable {
                proxyPass = "http://127.0.0.1:${toString cfg.port}";
                # this is config for websocket
                proxyWebsockets = true;
                extraConfig = ''
                  rewrite ^/api/(.*)$ /$1 break;
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  # Add the following lines for WebSocket support
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "upgrade";
                '';
              };
            };
Author	SHA1	Message	Date
efim	e4edffd69f	feat: allow setting tls on nixos	2023-10-09 03:22:58 +00:00
efim	7dbcc63394	refactor: using cool NixOS option for nginx	2023-10-09 03:16:33 +00:00
efim	fe9794a796	nix: fixing the module for some reason config = lib.mkIf didn't work over whole config, with 'infinite recursion' Setting particular parts of config helped. Then - trimming user and group name to under 31 symbols	2023-08-06 17:17:06 +00:00
efim	24b42352b3	nix: nixos module for backend installation systemd to run service, nginx config bundled in	2023-08-06 14:02:04 +00:00