From fcb6220fca2eff1ef9bf05f2fa45b5350dad00af Mon Sep 17 00:00:00 2001
From: Marc Coquand
Date: Mon, 22 Jan 2024 14:36:28 -0600
Subject: Use systemd containers for ann
---
 configuration.nix | 81 ++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 47 insertions(+), 34 deletions(-)
(limited to 'configuration.nix')
diff --git a/configuration.nix b/configuration.nix
index dc3e7e6..f782e9c 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,19 +4,49 @@
 ./networking.nix # generated at runtime by nixos-infect
 ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
- systemd.services.ann = {
- enable = true;
- description = "Ann";
- script = ''
- export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
- ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
- exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
- '';
- serviceConfig = {
- Restart = "on-failure";
- RestartSec = 1;
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [ "ve-*" ];
+ networking.nat.externalInterface = "eth0";
+
+ containers.ann = {
+ # Drop privileges
+ extraFlags = [ "-U" ];
+ autoStart = true;
+ hostAddress = "192.168.100.2";
+ localAddress = "192.168.100.11";
+ privateNetwork = true;
+
+ config = { config, pkgs, ... }: {
+ systemd.services.ann = {
+ enable = true;
+ description = "Ann";
+ script = ''
+ export POSTGRESQL_URL="postgres://postgres@localhost:5432/ann?sslmode=disable"
+ export ANN_INTERFACE="0.0.0.0"
+ ${inputs.ann.apps.${pkgs.system}."migrate-up".program}
+ exec ${inputs.ann.apps.${pkgs.system}.ann.default.program}
+ '';
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 1;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 8080];
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "ann" ];
+ settings = {
+ listen_addresses = pkgs.lib.mkForce "*";
+ };
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ host all all ::1/128 trust
+ '';
 };
- wantedBy = [ "multi-user.target" ];
+ system.stateVersion = "24.05";
+ };
 };
 services.freshrss = {
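Review bot: `listen_addresses = pkgs.lib.mkForce "*"` inside `containers.ann` binds PostgreSQL on every interface of the container, including the veth toward the host, while the only client on the new side is the ann service connecting to `localhost:5432` and the overriding pg_hba entries admit only `local` sockets and `::1/128`. The container firewall line just above it (80, 443, 8080) is then the only thing keeping 5432 off the `ve-*` link; `listen_addresses = pkgs.lib.mkForce "localhost";` keeps ann working and removes that single point of reliance. The `local all all trust` rule is carried over from the host config, but it still grants database superuser to any process inside the container, so a comment above the `authentication` override stating that this is acceptable only while ann is the sole workload in the container would help the next reader.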
@@ -34,20 +64,6 @@
 "10 * * * * www-data ${pkgs.php}/bin/php -f ${pkgs.freshrss}/app/actualize_script.php > /tmp/FreshRSS.log 2>&1"
 ];
 };
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "ann" ];
- settings = {
- listen_addresses = pkgs.lib.mkForce "*";
- };
- authentication = pkgs.lib.mkOverride 10 ''
- #type database DBuser auth-method
- local all all trust
- host all all ::1/128 trust
- '';
- };
-
 services.nginx = {
 enable = true;
@@ -68,18 +84,15 @@
 addSSL = true;
 locations."~" = {
- proxyPass = "http://localhost:8080";
+ proxyPass = "http://192.168.100.11:8080";
 proxyWebsockets = true; # needed if you need to use WebSocket
- extraConfig =
- # required when the target is also TLS server with multiple hosts
- "proxy_ssl_server_name on;" +
- # required when the server wants to use HTTP Authentication
- "proxy_pass_header Authorization;"
- ;
 };
 };
 };
- networking.firewall.allowedTCPPorts = [ 80 443];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8080];
+ system.stateVersion = "24.05";
+
 security.acme = {
 acceptTerms = true;
 defaults.email = "marcc@mccd.space";
-- cgit v1.2.3
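Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 8080];` on the host opens 8080 on `eth0` even though the ann service now runs in the container and nginx reaches it over the `ve-*` link at `192.168.100.11:8080`, which needs no inbound rule on the external interface; unless something else on the host listens on 8080, `networking.firewall.allowedTCPPorts = [ 80 443 ];` is the intended set. The proxy target also repeats the container's `localAddress` from the first hunk as a literal; `proxyPass = "http://${config.containers.ann.localAddress}:8080";` keeps the two from drifting, assuming `config` is bound in this module's argument set (its header is outside the diff). The enclosing `services.nginx` block starts before this hunk.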