{
  config,
  lib,
  pkgs,
  ...
}:

{

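  # Rendered as "Whether to enable the bikemap.zaphyra.eu website ...".
  options.zpha.websites."bikemap.zaphyra.eu".enable = lib.mkEnableOption "the bikemap.zaphyra.eu website (GPX tiles rebuilt from the biketracks gitolite repository and served by nginx)";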

  config = lib.mkIf config.zpha.websites."bikemap.zaphyra.eu".enable (
    let
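      # Runs as root through the sudo rule below and is called from the
      # gitolite post-receive hook.  It deliberately takes no arguments and
      # reads nothing from its caller.
      deployScript = pkgs.writeShellScript "deployBikemap" ''
        set -eu
        # `start` blocks until the oneshot unit has finished and exits
        # non-zero when the unit failed, so that is the exit status the hook
        # sees.
        systemctl start deployBikemap
        # Informational only: a finished oneshot is "inactive", so `status`
        # itself exits non-zero after a successful run.  --no-pager makes sure
        # a caller-supplied $PAGER is never executed by this root-running
        # script.
        systemctl --no-pager status deployBikemap || true
      '';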

    in
    {
      # This module builds on the gitolite wrapper (its group, data dir and
      # post-receive hook), so refuse to evaluate without it.
      assertions = [
        {
          assertion = config.common.services.gitolite.enable;
          message = "The option 'common.services.gitolite.enable' must be enabled in order to use this module.";
        }
      ];

      # Publish bikemap.zaphyra.eu as a CNAME pointing at this host's FQDN
      # (trailing dot: absolute name).
      dns.zones."zaphyra.eu".subdomains."bikemap".CNAME = [ "${config.networking.fqdn}." ];

      # Keep the generated site across reboots via the persist module.
      # 0755 because the directory doubles as the nginx document root and
      # nginx runs as a different user.
      common.configure.persist.system.dirs = [
        {
          directory = "/var/lib/bikemap";
          mode = "0755";
          user = "bikemap";
          group = config.common.services.gitolite.group;
        }
      ];

      # Dedicated unprivileged account the deploy unit runs as.  It is put in
      # the gitolite group (presumably so the bare repository is readable) and
      # its home is the nginx document root, hence the world-readable mode.
      users.users."bikemap" = {
        isSystemUser = true;
        group = config.common.services.gitolite.group;
        home = "/var/lib/bikemap";
        createHome = true;
        homeMode = "755";
      };

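      # Let the gitolite user start the deploy unit without a password.
      #
      # No "SETENV" here: with SETENV sudo lets the caller inject arbitrary
      # variables (`sudo VAR=value cmd`), and such variables are exempt from
      # env_delete/env_check -- a compromised git user could pass e.g.
      # LD_PRELOAD into a script that runs as root.  The script needs nothing
      # from the caller's environment.
      #
      # The trailing "" in sudoers syntax restricts the rule to an invocation
      # with no arguments (a bare path would allow any arguments); the script
      # ignores arguments anyway, so this is belt and braces.
      security.sudo.extraRules = [
        {
          users = [ "git" ];
          commands = [
            {
              command = "${deployScript} \"\"";
              options = [ "NOPASSWD" ];
            }
          ];
        }
      ];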

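      systemd.services.deployBikemap = {
        description = "Rebuild the bikemap tiles from the biketracks repository";

        # Clone the bare repo into a scratch directory, render tiles from the
        # GPX files, then replace the contents of the nginx document root
        # ($STATE_DIRECTORY, i.e. /var/lib/bikemap) with the new output.
        script = ''
          # strict mode
          set -euo pipefail
          IFS=$'\n\t'

          # systemd exports STATE_DIRECTORY because StateDirectory= is set in
          # serviceConfig; it is the document root, so use it instead of
          # relying on ~ expansion.
          DEST="$STATE_DIRECTORY"

          TMP_DIR=$(mktemp -d)
          # Single-quoted on purpose: the previous "{ rm -rf "$TMP_DIR"; }"
          # left the path unquoted in the middle and only worked because
          # mktemp paths contain no whitespace.
          trap 'rm -rf "$TMP_DIR"' SIGINT SIGTERM ERR EXIT

          REPO="${config.common.services.gitolite.dataDir}/repositories/biketracks.git"

          # The bare repo is owned by the gitolite user, so git's
          # dubious-ownership check has to be waived for it.  Pass it as
          # command-line config (command scope counts as protected config)
          # rather than `git config --global --add`: that wrote a
          # ~/.gitconfig into the nginx document root, where nginx would serve
          # it unless dotfiles are denied, and appended a duplicate entry on
          # every run.
          ${pkgs.git}/bin/git -c safe.directory="$REPO" clone "$REPO" "$TMP_DIR/tracks"

          mkdir "$TMP_DIR/tiles"
          ${pkgs.zpha.generateTilesFromGPX}/bin/generateTilesFromGPX "$TMP_DIR/tracks" "$TMP_DIR/tiles"

          # Only reached when the tile build succeeded (set -e), so a broken
          # build never wipes the currently served site.
          rm -rf "$DEST"/*

          ln -sf ${pkgs.zpha.gpx-map}/index.html "$DEST/index.html"
          ln -sf ${pkgs.zpha.gpx-map}/bundle.js  "$DEST/bundle.js"
          mv "$TMP_DIR/tiles" "$DEST/tiles"
          echo "{\"lastUpdated\":\"$(date +"%Y-%m-%d %H:%M")\"}" > "$DEST/lastUpdated.json"
        '';

        serviceConfig = {
          Type = "oneshot";

          User = "bikemap";
          Group = config.common.services.gitolite.group;

          # "~" is the service user's home, which is also the StateDirectory.
          WorkingDirectory = "~";
          StateDirectory = "bikemap";
          StateDirectoryMode = "755";

          # Sandboxing: the job only needs the bare repo (read) and
          # /var/lib/bikemap (write); no network, devices or kernel knobs.
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;

          RestrictAddressFamilies = "none";
          RestrictNamespaces = true;
          RestrictRealtime = true;

          ProtectSystem = "full";
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;

          DevicePolicy = "closed";
          LockPersonality = true;
        };
      };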

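      # gitolite post-receive hook, running as the git user: trigger the deploy
      # only for pushes to the biketracks repository.  Written as if/fi rather
      # than `[ ... ] && ...` so pushes to other repositories do not end the
      # hook with the failed test's non-zero status.
      common.services.gitolite.commonHooks.post-receive = ''
        #deploy bikemap
        if [ "$GL_REPO" = "biketracks" ]; then
          sudo ${deployScript}
        fi
      '';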

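      services.nginx.virtualHosts."bikemap.zaphyra.eu" = {
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;
        # The document root is the bikemap user's home directory.  Anything
        # that lands there (e.g. a stray ~/.gitconfig) would be served by
        # nginx, so refuse all dotfiles explicitly.
        root = "/var/lib/bikemap/";
        locations."~ /\\." = {
          extraConfig = "return 404;";
        };
      };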
    }
  );

}