some-automoderation/flake.nix

{
description = "Automoderation web app";
# Flake inputs. These URLs follow moving branches; the exact revisions used for
# a build are whatever the accompanying flake.lock records (not shown here).
inputs = {
  nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  # NOTE(review): nixos-23.05 is an end-of-life release branch and no longer
  # receives security fixes. In this file it only supplies `wgo` for the dev
  # shell, so nothing from it reaches the deployed service.
  nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.05";
  flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils, nixpkgs-stable }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = nixpkgs.legacyPackages.${system};
pkgs-stable = nixpkgs-stable.legacyPackages.${system};
pname = "some-automoderation";
version = "0.0.1";
in rec {
# Development shell: Go toolchain, static analysis, front-end tooling and a
# local redis binary. Nothing here is part of the deployed package.
devShells.default =
  let
    # wgo is the only tool taken from the stable channel input.
    goTools = [ pkgs.go pkgs-stable.wgo pkgs.semgrep pkgs.gopls ];
    webTools = [ pkgs.nodePackages.tailwindcss pkgs.nodePackages.prettier ];
    otherTools = [ pkgs.gnumake pkgs.redis ];
  in
  pkgs.mkShell {
    # Concatenation keeps the original package order.
    buildInputs = goTools ++ webTools ++ otherTools;
    # GOPATH is project-local, so `go install` output lands in ./.go/bin.
    # That directory is placed first on PATH, which means anything found in
    # ./.go/bin shadows the tools provided by this shell.
    shellHook = ''
      export GOPATH=$PWD/.go
      export PATH=$GOPATH/bin:$PATH
    '';
  };
# Flake packages: the Go binary, exposed under its own name and as `default`.
packages =
  let
    app = pkgs.buildGoModule {
      pname = pname;
      version = version;
      # Source is the flake directory filtered through .gitignore, so ignored
      # files are not copied into the Nix store.
      src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
      # Fixed hash of the fetched Go module dependencies; the build fails if
      # the fetched modules do not match it.
      vendorHash = "sha256-zc4n5UxsmW8Nt52kS57i1W61Gy/J8T0RJPlwJnYJjHI=";
      # Generate the stylesheet with the tailwindcss from nixpkgs before the
      # Go build runs.
      preBuild = ''
        ${pkgs.nodePackages.tailwindcss}/bin/tailwindcss -i routes/in.css -o routes/static/out.css
      '';
    };
  in
  {
    some-automoderation = app;
    default = app;
  };
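# NixOS module for the service. When enabled it creates a dedicated account,
# a systemd unit running the packaged binary, a per-service redis instance and
# (optionally) an nginx virtual host that proxies to the service.
nixosModules.some-automoderation-module = { lib, pkgs, config, ... }:
  let
    cfg = config.services.${pname};
    # Unit name the NixOS redis module generates for services.redis.servers.<name>.
    redisUnit = "redis-${pname}.service";
  in
  {
    options.services.${pname} = {
      # mkEnableOption prepends "Whether to enable" itself, so the text must
      # not start with "Enable".
      enable = lib.mkEnableOption "Some-Automoderation web service";
      host = lib.mkOption {
        type = lib.types.str;
        default = "127.0.0.1";
        # This value is only used as the nginx virtual host key below; it is
        # never handed to the service, so it does not control the bind address.
        description =
          "Name of the nginx virtual host that proxies to the service. Only used when useNginx is true; it is not passed to the service as a bind address.";
      };
      useNginx = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description =
          "Whether to set up nginx reverse proxy";
      };
      port = lib.mkOption {
        # types.port rejects values outside 0-65535 at evaluation time.
        type = lib.types.port;
        default = 8090;
        description =
          "Port to listen on. Use 443 for tls when no nginx, usual plaintext is 8090.";
      };
      redisPort = lib.mkOption {
        type = lib.types.port;
        default = 7777;
        description = "Port on which to connect to redis database.";
      };
      useHostTls = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description =
          "Whether virtual host should enable NixOS ACME certs";
      };
    };
    config =
      let
        username = pname;
        groupname = pname;
      in
      lib.mkIf cfg.enable {
        users.groups.${groupname} = { };
        # A system account can own a home directory too, and unlike a normal
        # user it gets no login shell by default. The home path is kept where
        # isNormalUser used to put it.
        users.users.${username} = {
          isSystemUser = true;
          group = groupname;
          home = "/home/${username}";
          createHome = true;
        };
        systemd.services.${pname} = {
          description = "Some Automoderation systemd service";
          wantedBy = [ "multi-user.target" ];
          # Start after (and pull in) the redis instance the service connects to.
          after = [ "network.target" redisUnit ];
          wants = [ redisUnit ];
          startLimitIntervalSec = 30;
          startLimitBurst = 10;
          serviceConfig = {
            # Only the ports are passed on the command line, so the listen
            # address is whatever the binary defaults to.
            # NOTE(review): confirm it binds to loopback when nginx fronts it;
            # otherwise the plaintext port is reachable without going through
            # the proxy.
            ExecStart =
              let
                serveCliArg =
                  "--port ${toString cfg.port} --redisPort ${toString cfg.redisPort}";
              in
              "${packages.some-automoderation}/bin/${pname} ${serveCliArg}";
            Restart = "on-failure";
            User = username;
            Group = groupname;
            # The port option documents 443 as a valid choice, but an
            # unprivileged User= cannot bind ports below 1024 without this.
            AmbientCapabilities =
              lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
            # Baseline sandboxing; mkDefault lets a host configuration override
            # any of these if the service turns out to need more access.
            NoNewPrivileges = lib.mkDefault true;
            PrivateTmp = lib.mkDefault true;
            ProtectSystem = lib.mkDefault "full";
          };
        };
        # Only a virtual host is declared; services.nginx.enable is not set
        # here, so nginx itself has to be enabled by the host configuration.
        # With useHostTls = false (the default) the virtual host is plain HTTP.
        services.nginx = lib.mkIf cfg.useNginx {
          virtualHosts.${cfg.host} = {
            forceSSL = cfg.useHostTls;
            enableACME = cfg.useHostTls;
            locations."/" = {
              proxyPass = "http://127.0.0.1:${toString cfg.port}";
            };
          };
        };
        # Dedicated redis instance for the service. It runs as the same account
        # as the web service and no password is configured in this module, so
        # anything that can reach the port can read and write the data.
        # NOTE(review): confirm the instance is not bound beyond loopback.
        services.redis.servers.${pname} = {
          enable = true;
          user = username;
          port = cfg.redisPort;
          settings = {
            notify-keyspace-events = "KEA";
          };
        };
      };
  };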
});
}