stuebinm
f654b33a56
this started with emily pointing out to me that it's possible to generate IP addresses for containers in Nix (hence no need to worry about ever having collisions, as we had before), but then I thought, hey, while I'm at it, I can also write a little container module so we have a little less repetition in our configs in general (and a more reasonable place for our custom evalConfig than just keeping it around in flake.nix). See the option descriptions in modules/containers.nix for further details. Apart from giving all containers a new IP address (and also shiny new IPv6 addresses), this should be a no-op for the actual built system.
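# NixOS host module for the "tracktrain" deployment.  An nginx vhost on the
# host proxies into a `hacc.containers.tracktrain` container that runs
# tracktrain itself, PostgreSQL, Prometheus and Grafana.  The only secret
# (the env file with client secrets) is managed by sops and made available
# inside the container through `bindSecrets`.
{ config, lib, pkgs, ... }:

let
  # Application config for tracktrain.  It is written to the Nix store and
  # symlinked to /persist/tracktrain/config.yaml by the service script below,
  # so it must not contain secrets: the OAuth client secret comes from the
  # env file instead.
  tracktrain-config = ''
    dbstring: "dbname=tracktrain"
    gtfs: /persist/gtfs.zip
    assets: ${pkgs.tracktrain}/assets

    warp:
      port: 4000

    login:
      enable: true
      url: https://login.infra4future.de
      clientname: tracktrain
      # clientsecret defined in env file
  '';
in
{
  sops.secrets = {
    "tracktrain/env" = {};
  };

  services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
    enableACME = true;
    forceSSL = true;
    # The container's address is generated by the containers module, so the
    # upstream is referenced through `config` rather than hard-coded.
    locations."/" = {
      proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
      proxyWebsockets = true;
    };
    # note: this shadows the /metrics endpoint of tracktrain
    # in case you remove this, please consider putting something
    # else here to keep it from being publicly scrapable
    locations."/metrics/" = {
      proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
      proxyWebsockets = true;
      extraConfig = ''
        rewrite ^/metrics/(.*) /$1 break;
      '';
    };
  };

  hacc.containers.tracktrain = {
    bindSecrets = true;

    # Inner `config`/`lib`/`pkgs` belong to the container's own module
    # evaluation and intentionally shadow the host-side ones above.
    config = { config, lib, pkgs, ... }: {
      system.stateVersion = "21.11";

      users.users.tracktrain = {
        group = "tracktrain";
        isSystemUser = true;
      };
      users.groups.tracktrain = {};

      systemd.services.tracktrain = {
        enable = true;

        description = "tracks trains, hopefully";
        wantedBy = [ "multi-user.target" ];
        # The start-up script downloads the GTFS feed, so wait for the
        # network to be usable, not merely configured.
        requires = [ "network-online.target" ];
        after = [ "network-online.target" ];
        serviceConfig = {
          Type = "simple";
          # /secrets is provided by `bindSecrets` above.
          EnvironmentFile = "/secrets/env";
          User = "tracktrain";
          Group = "tracktrain";
        };
        path = [ pkgs.wget ];
        script = ''
          mkdir -p /persist/tracktrain
          cd /persist/tracktrain
          ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
          # Retry the download once after a short pause.  The braces matter:
          # without them the second wget ran unconditionally, downloading the
          # feed twice on every start.
          # NOTE(review): the config above points at /persist/gtfs.zip, while
          # this download lands in the cwd (/persist/tracktrain) and wget
          # saves repeat downloads as gtfs.zip.1, .2, ... -- confirm which
          # file tracktrain actually reads.
          wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip" || { sleep 4; wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip"; }
          # +RTS -T enables GHC runtime statistics, which back the metrics
          # that Prometheus scrapes below.
          ${pkgs.tracktrain}/bin/tracktrain +RTS -T
        '';
      };

      services.postgresql = {
        enable = true;

        package = pkgs.postgresql_15;
        ensureDatabases = [ "tracktrain" ];
        ensureUsers = [ {
          name = "tracktrain";
          ensureDBOwnership = true;
        } ];
        # Only reachable inside the container.  `trust` nevertheless lets any
        # OS user in the container (e.g. the grafana user) connect as any
        # database role; `peer` on the unix socket would still let tracktrain
        # (OS user == DB role) connect while closing that gap.
        authentication = ''
          local all all trust
          host all all 127.0.0.1/32 trust
        '';
      };

      services.prometheus = {
        enable = true;
        # Not proxied by nginx; only Grafana inside the container talks to it.
        port = 9001;
        scrapeConfigs = [ {
          job_name = "tracktrain";
          static_configs = [{
            # 0.0.0.0 used as a *connect* address resolves to loopback on
            # Linux; 127.0.0.1:4000 would state the intent more explicitly.
            targets = [ "0.0.0.0:4000" ];
          }];
        } ];
      };

      services.grafana = {
        enable = true;
        settings.server = {
          # Served under /metrics/ of the public vhost, see the nginx
          # location above.
          serve_from_sub_path = true;
          domain = "tracktrain.ilztalbahn.eu";
          root_url = "https://%(domain)s/metrics/";
          http_port = 2342;
          # Must be reachable from the host on the container address.
          http_addr = "0.0.0.0";
        };

        # Every account that can authenticate at the IdP is signed up and,
        # through auto_assign_org_role below, becomes an org Admin: access
        # control is delegated entirely to login.infra4future.de.
        settings."auth.generic_oauth" = {
          name = "uffd";
          enabled = true;
          allow_sign_up = true;
          empty_scopes = true;
          client_id = "ilztalbahn-grafana";
          # Expanded by Grafana from its EnvironmentFile (set below); the
          # backslash keeps Nix from interpolating it at build time.
          client_secret = "\${GRAFANA_CLIENT_SECRET}";
          auth_url = "https://login.infra4future.de/oauth2/authorize";
          token_url = "https://login.infra4future.de/oauth2/token";
          api_url = "https://login.infra4future.de/oauth2/userinfo";
        };
        # disables the default login screen. comment out if for some
        # reason you do need it
        settings.auth.oauth_auto_login = true;
        settings.users.auto_assign_org_role = "Admin";

        provision = {
          enable = true;
          datasources.settings.datasources = [ {
            url = "http://localhost:9001";
            type = "prometheus";
            name = "prometheus";
          } ];
        };
      };

      # Grafana shares the same env file as tracktrain so that
      # GRAFANA_CLIENT_SECRET above can be resolved.
      systemd.services.grafana.serviceConfig.EnvironmentFile =
        "/secrets/env";
      hacc.bindToPersist = [ "/var/lib/grafana" ];
    };
  };

}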