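{ pkgs, config, ... }:

# Runs a Tang server (network-bound key provider used by Clevis/LUKS clients)
# inside an ephemeral NixOS container and publishes it through the host's
# nginx as a TLS-terminating reverse proxy.
let
  # Path inside the container that holds the tangd key database.
  containerStateDir = "/data";

  # Host directory bind-mounted over containerStateDir so the keys survive
  # container restarts (the container root filesystem itself is ephemeral).
  hostStateDir = "/opt/tangd";

  # Public name of the nginx virtual host.  It is empty here, which yields
  # virtualHosts."" and is not a usable vhost; set it before deploying.
  domain = "";

  # Address the container is reached at from the host; nginx proxies to it.
  serviceAddress = "10.10.42.12";

  # TCP port the tangd socket listens on inside the container.  The original
  # file referenced this name without defining it, which is an unbound
  # variable error at evaluation time.  7500 is a constructed sample value;
  # pick the port that suits the deployment.
  servicePort = 7500;
in
{
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    # ACME issuance also needs security.acme.acceptTerms and a contact
    # address, configured outside this file.
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${serviceAddress}:${toString servicePort}";
    };
  };

  containers."tang" = {
    autoStart = true;
    # Root filesystem is thrown away on every start; only the bind mount
    # below carries state across restarts.
    ephemeral = true;

    bindMounts."${containerStateDir}" = {
      hostPath = hostStateDir;
      # tangd must be able to write: it creates its keys in the db directory
      # on first start and rotation writes new ones.
      isReadOnly = false;
    };

    config = { config, pkgs, ... }: {
      # No privateNetwork/localAddress is set, so the container presumably
      # shares the host's network namespace; a firewall inside it would then
      # manage the same rule set as the host's.  Exposure of servicePort is
      # therefore governed by the host firewall -- confirm it opens only the
      # ports the host intends.
      networking.firewall.enable = false;

      # Dedicated unprivileged identity for tangd.
      users.groups."_tang" = { };

      users.users."_tang" = {
        group = "_tang";
        isSystemUser = true;
      };

      # jose is useful for inspecting and rotating the key database by hand.
      # A package (not its interpolated store path string) is the expected
      # element type of environment.systemPackages.
      environment.systemPackages = [ pkgs.jose ];

      # Template unit: the socket below spawns one instance per connection
      # (Accept = true), with the connection on stdin/stdout as tangd expects.
      systemd.services."tangd@" = {
        enable = true;
        serviceConfig = {
          # Runs as User=_tang (no "+" prefix), so the bind-mounted directory
          # must already be writable by _tang for this to succeed -- TODO
          # confirm host-side ownership of hostStateDir.
          ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${containerStateDir}/tang-db";
          ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
          StandardInput = "socket";
          StandardOutput = "socket";
          StandardError = "journal";
          User = "_tang";
          Group = "_tang";
        };
      };

      systemd.sockets."tangd" = {
        enable = true;
        listenStreams = [ "${toString servicePort}" ];
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          # One tangd@ instance per accepted connection.
          Accept = true;
        };
      };

      system.stateVersion = "22.11";
    };
  };
}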