stuebinm 9d187d212a initial work towards nixos 23.11
Note: this updates all postgres instances, since postgresql_11 no longer
2023-12-02 22:05:46 +01:00


{ config, lib, pkgs, evalConfig, ... }:
tracktrain-config = ''
dbstring: "dbname=tracktrain"
gtfs: /persist/gtfs.zip
assets: ${pkgs.tracktrain}/assets
port: 4000
enable: true
url: https://login.infra4future.de
clientname: tracktrain
# clientsecret defined in env file
sops.secrets = {
"tracktrain/env" = {};
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "";
proxyWebsockets = true;
# note: this shadows the /metrics endpoint of tracktrain
# in case you remove this, please consider putting something
# else here to keep it from being publicly scrapable
locations."/metrics/" = {
proxyPass = "";
proxyWebsockets = true;
extraConfig = ''
rewrite ^/metrics/(.*) /$1 break;
containers.tracktrain = {
privateNetwork = true;
hostAddress = "";
localAddress = "";
autoStart = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/tracktrain";
isReadOnly = false;
"/secrets".hostPath = "/run/secrets/tracktrain";
path = evalConfig ({ config, lib, pkgs, ... }: {
system.stateVersion = "21.11";
users.users.tracktrain = {
group = "tracktrain";
isSystemUser = true;
users.groups.tracktrain = {};
systemd.services.tracktrain = {
enable = true;
description = "tracks trains, hopefully";
wantedBy = [ "multi-user.target" ];
requires = [ "network.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
EnvironmentFile = "/secrets/env";
User = "tracktrain";
Group = "tracktrain";
path = [ pkgs.wget ];
script = ''
mkdir -p /persist/tracktrain
cd /persist/tracktrain
ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip" || sleep 4; wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip"
${pkgs.tracktrain}/bin/tracktrain +RTS -T
services.postgresql = {
enable = true;
ensureDatabases = [ "tracktrain" ];
ensureUsers = [ {
name = "tracktrain";
ensureDBOwnership = true;
} ];
authentication = ''
local all all trust
host all all trust
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [ {
job_name = "tracktrain";
static_configs = [{
targets = [ "" ];
} ];
services.grafana = {
enable = true;
settings.server = {
serve_from_sub_path = true;
domain = "tracktrain.ilztalbahn.eu";
root_url = "https://%(domain)s/metrics/";
http_port = 2342;
http_addr = "";
settings."auth.generic_oauth" = {
name = "uffd";
enabled = true;
allow_sign_up = true;
empty_scopes = true;
client_id = "ilztalbahn-grafana";
client_secret = "\${GRAFANA_CLIENT_SECRET}";
auth_url = "https://login.infra4future.de/oauth2/authorize";
token_url = "https://login.infra4future.de/oauth2/token";
api_url = "https://login.infra4future.de/oauth2/userinfo";
# disables the default login screen. comment out if for some
# reason you do need it
settings.auth.oauth_auto_login = true;
settings.users.auto_assign_org_role = "Admin";
provision = {
enable = true;
datasources.settings.datasources = [ {
url = "http://localhost:9001";
type = "prometheus";
name = "prometheus";
} ];
systemd.services.grafana.serviceConfig.EnvironmentFile =