clerie/vcp-bula-nixfiles
1
0
Fork 0
Code Releases Activity
e8d4a82581
vcp-bula-nixfiles/hosts/nerd/nerd.nix
Ember 'n0emis' Keske 9795ed55b8
nerd: only allow export from services-net
2022-07-20 23:58:11 +02:00

100 lines
2.3 KiB
Nix
Raw Blame History

{ config, pkgs, lib, ... }:
{
sops.secrets.nerd_secret = {
owner = "nerd";
restartUnits = [ "nerd.service" ];
};
systemd.services.nerd = let
nerdCfg = pkgs.writeText "nerd.cfg" ''
[django]
secret = !!DJANGO_SECRET!!
allowed_hosts = nerd.bula22.de
debug = False
language_code = de-de
time_zone = Europe/Berlin
csrf_trusted_origins = https://nerd.bula22.de
[database]
engine = postgresql_psycopg2
name = nerd
user =
password =
host = /run/postgresql
port =
'';
in {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
NERD_CONFIG_FILE = "/etc/nerd/nerd.cfg";
PYTHONPATH = "${pkgs.python3.pkgs.nerd.pythonPath}:${pkgs.python3.pkgs.nerd}/${pkgs.python3.sitePackages}:${pkgs.python3Packages.psycopg2}/${pkgs.python3.sitePackages}";
};
preStart = ''
export DJANGO_SECRET=$(cat ${config.sops.secrets.nerd_secret.path})
${pkgs.gnused}/bin/sed -e "s/!!DJANGO_SECRET!!/$DJANGO_SECRET/g" ${nerdCfg} > /etc/nerd/nerd.cfg
${pkgs.python3.pkgs.nerd}/bin/nerd migrate
'';
serviceConfig = {
User = "nerd";
Group = "nerd";
ConfigurationDirectory = "nerd";
ExecStart = ''
${pkgs.python3Packages.gunicorn}/bin/gunicorn \
--bind 0.0.0.0:10510 \
--access-logfile - \
nerd.wsgi
'';
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "nerd" ];
ensureUsers = [
{
name = "nerd";
ensurePermissions = {
"DATABASE nerd" = "ALL PRIVILEGES";
};
}
];
};
users.users.nerd = {
isSystemUser = true;
group = "nerd";
};
users.groups.nerd = {};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.enable = lib.mkForce false;
services.caddy = {
enable = true;
virtualHosts."nerd.bula22.de" = {
extraConfig = ''
@disallow_export {
not remote_ip 10.42.10.0/24 2a01:4f8:1c0c:8221::/64
path /export.json*
}
route {
file_server /static/*
respond @disallow_export 403 {
close
}
reverse_proxy * http://127.0.0.1:10510
}
root * ${pkgs.python3.pkgs.nerd}/var/lib/nerd/
'';
};
};
}
View Git Blame Copy Permalink