sam/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

add semitamaps webserver container

Browse source
This commit is contained in:
Sam 2025-02-08 14:15:45 +00:00
parent cfc8454540
commit 2d6b274b8a
1 changed files with 47 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
hosts/common/optional/nixos-containers/semitamaps.nix
View file

@ -1,6 +1,7 @@
{ {
pkgs, pkgs,
lib, lib,
configVars,
... ...
}: let }: let
containerName = "semitamaps"; containerName = "semitamaps";
@ -8,6 +9,9 @@
hostAddress = configVars.networking.addresses.semitamaps.hostAddress; hostAddress = configVars.networking.addresses.semitamaps.hostAddress;
localAddress = configVars.networking.addresses.semitamaps.localAddress; localAddress = configVars.networking.addresses.semitamaps.localAddress;
in { in {
systemd.tmpfiles.rules = [
"d /var/run/sockets 0770 root root -"
];
networking = { networking = {
nat = { nat = {
@ -30,19 +34,29 @@ in {
hostAddress = hostAddress; hostAddress = hostAddress;
localAddress = localAddress; localAddress = localAddress;
nixpkgs = pkgs.path; nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
"/var/run/sockets" = {
hostPath = "/var/run/sockets";
isReadOnly = false;
};
};
config = { config = {
pkgs, pkgs,
lib, lib,
... ...
}: { }: {
networking = { networking = {
firewall = { firewall = {
enable = true; enable = true;
rejectPackets = true; rejectPackets = true;
allowedTCPPorts = [ allowedTCPPorts = [
80 443 80
443
]; ];
}; };
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
@ -63,6 +77,37 @@ in {
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
}; };
systemd.services.semitamaps-api = {
wantedBy = ["multi-user.target"];
after = ["network.target"];
description = "Deploys and serves semitamaps api";
environment = {
};
serviceConfig = {
ExecStartPre = pkgs.writeShellScript "semitamaps-api-prestart" ''
set -e
GITCMD="${pkgs.openssh}/bin/ssh -i /etc/ssh/ssh_host_ed25519_key"
if [ ! -d "/srv/semitamaps" ]; then
export GIT_SSH_COMMAND=$GITCMD
${pkgs.git}/bin/git clone git@git.bitlab21.com:sam/semitamaps.com.git /srv/semitamaps
mkdir /srv/semitamaps/.venv
fi
cd /srv/semitamaps
${pkgs.poetry}/bin/poetry install
'';
ExecStart = pkgs.writeShellScript "semitamaps-api-start" ''
cd /srv/semitamaps
.venv/bin/python .venv/bin/uvicorn --workers 4 --uds /var/run/sockets/baseddata.sock backend.app:app
'';
Restart = "on-failure";
};
};
programs.ssh.knownHosts = {
"git.bitlab21.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
};
users.users = { users.users = {
root = { root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key); openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);