tlaternet-server/configuration/services/webserver.nix

{
  config,
  pkgs,
  ...
}: {
  users = {
    extraUsers.webserver = {
      uid = config.ids.uids.webserver;
      group = config.users.extraGroups.webserver.name;
      isSystemUser = true;
      description = "tlater.net web server user";
    };
    extraGroups.webserver = {gid = config.ids.gids.webserver;};
  };

  virtualisation.oci-containers.containers.webserver = {
    image = "tlaternet/webserver";

    imageFile = pkgs.dockerTools.buildImage {
      name = "tlaternet/webserver";
      tag = "latest";
      contents = pkgs.tlaternet-webserver.webserver;

      config = let
        uid = toString config.users.extraUsers.webserver.uid;
        gid = toString config.users.extraGroups.webserver.gid;
      in {
        Cmd = ["tlaternet-webserver"];
        Volumes = {"/srv/mail" = {};};
        Env = [
          "ROCKET_PORT=3002"
          "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
        ];
        ExposedPorts = {"3002" = {};};
        User = "${uid}:${gid}";
      };
    };

    ports = ["3002:3002"];
    volumes = ["tlaternet-mail:/srv/mail"];
    extraOptions = [
      "--hostname=tlater.net"
      # Rocket 0.4 doesn't support SIGTERM anyway, so SIGKILL is the cleanest exit possible.
      "--stop-signal=SIGKILL"
    ];
  };
}
Add webserver service 2021-04-12 01:44:10 +01:00			`{`
treewide: Reformat project with alejandra 2022-10-10 13:03:08 +01:00			`config,`
			`pkgs,`
			`...`
			`}: {`
Fix service uid/gids 2021-12-26 19:00:59 +00:00			`users = {`
			`extraUsers.webserver = {`
			`uid = config.ids.uids.webserver;`
			`group = config.users.extraGroups.webserver.name;`
			`isSystemUser = true;`
			`description = "tlater.net web server user";`
			`};`
treewide: Reformat project with alejandra 2022-10-10 13:03:08 +01:00			`extraGroups.webserver = {gid = config.ids.gids.webserver;};`
Set limited permissions for the webserver container 2021-04-19 00:39:33 +01:00			`};`

Add webserver service 2021-04-12 01:44:10 +01:00			`virtualisation.oci-containers.containers.webserver = {`
			`image = "tlaternet/webserver";`

			`imageFile = pkgs.dockerTools.buildImage {`
			`name = "tlaternet/webserver";`
			`tag = "latest";`
			`contents = pkgs.tlaternet-webserver.webserver;`

Set limited permissions for the webserver container 2021-04-19 00:39:33 +01:00			`config = let`
Fix service uid/gids 2021-12-26 19:00:59 +00:00			`uid = toString config.users.extraUsers.webserver.uid;`
			`gid = toString config.users.extraGroups.webserver.gid;`
Set limited permissions for the webserver container 2021-04-19 00:39:33 +01:00			`in {`
treewide: Reformat project with alejandra 2022-10-10 13:03:08 +01:00			`Cmd = ["tlaternet-webserver"];`
			`Volumes = {"/srv/mail" = {};};`
Add webserver service 2021-04-12 01:44:10 +01:00			`Env = [`
Set limited permissions for the webserver container 2021-04-19 00:39:33 +01:00			`"ROCKET_PORT=3002"`
Add webserver service 2021-04-12 01:44:10 +01:00			`"ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"`
			`];`
treewide: Reformat project with alejandra 2022-10-10 13:03:08 +01:00			`ExposedPorts = {"3002" = {};};`
Set limited permissions for the webserver container 2021-04-19 00:39:33 +01:00			`User = "${uid}:${gid}";`
Add webserver service 2021-04-12 01:44:10 +01:00			`};`
			`};`

treewide: Reformat project with alejandra 2022-10-10 13:03:08 +01:00			`ports = ["3002:3002"];`
			`volumes = ["tlaternet-mail:/srv/mail"];`
webserver: Use SIGKILL instead of SIGTERM 2021-05-17 00:18:51 +01:00			`extraOptions = [`
			`"--hostname=tlater.net"`
			`# Rocket 0.4 doesn't support SIGTERM anyway, so SIGKILL is the cleanest exit possible.`
			`"--stop-signal=SIGKILL"`
			`];`
Add webserver service 2021-04-12 01:44:10 +01:00			`};`
			`}`