From e494baf4c5f4b5043f6c47a136e0ad685c81144b Mon Sep 17 00:00:00 2001
From: Marc Coquand <marc@mccd.space>
Date: Wed, 24 Jan 2024 15:02:36 -0600
Subject: Move over Ann to SQLite

---
 configuration.nix | 43 +++++++++++++++++++++++++++----------------
 flake.lock        |  8 ++++----
 2 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 2784c41..fe96a43 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -12,42 +12,53 @@ in {
   networking.nat.externalInterface = "eth0";
 
   containers.ann = {
-    # Drop privileges
-    extraFlags = [ "-U" ];
     autoStart = true;
     hostAddress = "192.168.100.2";
     localAddress = "192.168.100.11";
     privateNetwork = true;
 
+    ephemeral = true;
+
+    bindMounts = {
+      "/srv/ann" = {
+        hostPath = "/mnt/ann/";
+        isReadOnly = false;
+      };
+    };
+
     config = { config, pkgs, ... }: {
+     systemd.tmpfiles.rules = [ "d /srv/ann 700 ann ann -" ];
+      users.users.ann = {
+        isSystemUser = true;
+        home = "/srv/ann";
+        group =  "ann";
+        extraGroups = [ "wheel" ];
+      };
+      users.groups.ann = {};
+     
+
       systemd.services.ann = {
           enable = true;
           description = "Ann";
+          environment = {
+            ANN_DB_URL = "sqlite3:/srv/ann/ann.db";
+            ANN_INTERFACE = "0.0.0.0";
+          };
           script = ''
-      export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable" 
-      export ANN_INTERFACE="0.0.0.0"
+            echo "Running migrations"
             ${inputs.ann.apps.${pkgs.system}."migrate-up".program} 
+            echo "Migrations complete, starting server"
             exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
              '';
           serviceConfig = {
             Restart = "on-failure";
             RestartSec = 1;
+            User = "ann";
+            group = "ann";
           };
           wantedBy = [ "multi-user.target" ];
       };
       networking.firewall.allowedTCPPorts = [ 80 443 8080];
-      services.postgresql = {
-        enable = true;
-        ensureDatabases = [ "ann" ];
-        settings = {
-          listen_addresses = pkgs.lib.mkForce "*";
-        };
-        authentication = pkgs.lib.mkOverride 10 ''
-          #type database  DBuser                        auth-method
-          local all       all     trust
-          host    all             all             ::1/128                 trust
-        '';
-      };
       system.stateVersion = "24.05";
     };
   };
diff --git a/flake.lock b/flake.lock
index b167652..7d33814 100644
--- a/flake.lock
+++ b/flake.lock
@@ -11,11 +11,11 @@
         "opam-nix": "opam-nix"
       },
       "locked": {
-        "lastModified": 1706107436,
-        "narHash": "sha256-RrM8IusMvn0qJCC2voMluNLZETq6XgkMqgLt6208Uek=",
+        "lastModified": 1706146151,
+        "narHash": "sha256-4t/WvcnIAQG6s1ybD+TXfDc9J0Av8IEOYlwGw9P4xZ4=",
         "ref": "refs/heads/main",
-        "rev": "fb61ff1ee5e13575286fb3c89adb5b2a1d3b83a4",
-        "revCount": 50,
+        "rev": "e057e39ccf1f0b73b5bb94f685db85e0c1f6f2b4",
+        "revCount": 56,
         "type": "git",
         "url": "https://git.sr.ht/~marcc/ann_bloop"
       },
-- 
cgit v1.2.3