authorsternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2020-09-18 00:52:02 +0200
committersternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2020-09-18 16:43:41 +0200
commita613abae33169f67b6e853e39d338b4edee8fe72 (patch)
tree0fd8b8c9d14f6c3b70128ce232af1573bef3a861
parenta832c706c3ff73de7dce7ed3b6e9fce853ca097a (diff)
feat(nixos): draft nixos service for server side
-rw-r--r--default.nix5
-rw-r--r--nixos/flipdot-gschichtler.nix71
-rw-r--r--nixos/overlay.nix7
3 files changed, 83 insertions, 0 deletions
diff --git a/default.nix b/default.nix
index 67fb767..7e1d280 100644
--- a/default.nix
+++ b/default.nix
@@ -105,6 +105,11 @@ rec {
       dontStrip = true;
     };
 
+  overlay = callPackage ./nixos/overlay.nix {
+    inherit bahnhofshalle;
+    warteraum = warteraum-static;
+  };
+
   pythonShell =
     let
       pythonEnv = python3.withPackages (p: with p; [
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix
new file mode 100644
index 0000000..2ed61f3
--- /dev/null
+++ b/nixos/flipdot-gschichtler.nix
@@ -0,0 +1,71 @@
+{ config, lib, pkgs, flipdot-gschichtler, ... }:
+
+with lib;
+
+let
+  cfg = config.services.flipdot-gschichtler;
+  fg  = flipdot-gschichtler;
+
+in {
+  options = {
+    services.flipdot-gschichtler = {
+      enable = mkEnableOption "flipdot-gschichtler";
+
+      virtualHost = mkOption {
+        type = types.str;
+        default = "localhost";
+        description = ''
+          Virtual Host for nginx to use for serving
+          warteraum and bahnhofshalle.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.warteraum = {
+      description = "Warteraum REST API http server of flipdot-gschichtler";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${fg.warteraum-static}/bin/warteraum";
+        InAccessibleDirectories = "/";
+        # SystemCallFilter = "@default @basic-io @io-event @network-io fcntl @signal";
+        SystemCallFilter = "@system-service ~@mount";
+        SystemCallArchitectures = "native";
+        CapabilityBoundingSet = "";
+
+        NoNewPrivileges = true;
+        RestrictRealtime = true;
+        LockPersonality = true;
+
+        DynamicUser = true;
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        ProtectKernelLogs = true;
+        MemoryDenyWriteExecute = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+      };
+    };
+
+    services.nginx.virtualHosts."${cfg.virtualHost}" = {
+      enableACME = true;
+      forceSSL = true;
+      root = fg.bahnhofshalle;
+      extraConfig = ''
+        location /api {
+          proxy_pass http://127.0.0.1:9000/api;
+        }
+      '';
+    };
+  };
+}
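Review bot: `InAccessibleDirectories = "/";` in the serviceConfig of `systemd.services.warteraum` is not a systemd directive (the real key is `InaccessiblePaths=`, with `InaccessibleDirectories=` as its legacy spelling, and unit keys are case-sensitive), so systemd will log an unknown-key warning and ignore it; the unit only starts because the line has no effect, since the intended `InaccessiblePaths=/` would also hide the Nix store that `ExecStart` points into. I would drop the line and rely on the `ProtectSystem = "strict"` / `ProtectHome` / `PrivateDevices` set that follows, and add a comment such as `# filesystem isolation is provided by ProtectSystem=strict below; InaccessiblePaths=/ would also hide /nix/store` so the omission is deliberate. Separately, `enableACME = true` on the nginx vhost cannot succeed with the option's default `virtualHost = "localhost"`, so either the default should be removed so the user must set a real name, or the description should say that a publicly resolvable host name is required for ACME. The nginx `proxy_pass http://127.0.0.1:9000/api` presumes warteraum listens on 9000, but nothing in the unit sets that port, so a comment stating that the binary's default bind address is relied on would help the next reader.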
diff --git a/nixos/overlay.nix b/nixos/overlay.nix
new file mode 100644
index 0000000..f4438a8
--- /dev/null
+++ b/nixos/overlay.nix
@@ -0,0 +1,7 @@
+{ warteraum, bahnhofshalle }:
+
+self: super:
+
+{
+  inherit warteraum bahnhofshalle;
+}