# NixOS module for the "bridge" nightly backend: one systemd service sitting
# behind an nginx virtual host, with a local PostgreSQL database.
{ config, lib, pkgs, ... }:
let
  cfg = config.orbekk.bridge;
  aliases = import ../data/aliases.nix;
  portStr = toString cfg.port;
  dbName = "bridge_nightly";
  svcUser = "bridge_nightly";
in
{
  options.orbekk.bridge = {
    enable = lib.mkEnableOption "Enable bridge service";
    port = lib.mkOption {
      type = lib.types.port;
      # Default comes from the shared alias table so the port is defined once.
      default = aliases.services.bridge_nightly.port;
      description = "bridge local port";
    };
  };

  config = lib.mkIf cfg.enable {
    # Age-encrypted environment file; decrypted at activation and handed to the
    # service through EnvironmentFile= below.
    age.secrets.bridge-nightly.file = ./. + "/../secrets/bridge-nightly.age";

    systemd.services.bridge-nightly = {
      description = "Bridge Nightly backend";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      environment = {
        BIND_ADDRESS = "[::]:${portStr}";
        RUST_BACKTRACE = "1";
        AUTHENTICATOR = "oauth";
        OPENID_ISSUER_URL = "https://auth.orbekk.com/realms/test";
        OPENID_CLIENT_ID = "test-client";
        # NOTE(review): everything in `environment` is rendered into the unit
        # file in the world-readable Nix store, so this literal must stay a
        # placeholder, never a real credential.  systemd applies
        # EnvironmentFile= entries on top of Environment=, so the age-managed
        # file above can supply the real value -- confirm it actually defines
        # OPENID_CLIENT_SECRET before relying on this being overridden.
        OPENID_CLIENT_SECRET = "secret";
        APP_URL = "https://bridge.orbekk.com";
        # No host component: connects over the local socket as the service user.
        DATABASE_URL = "postgres:///${dbName}";
        RUST_LOG = "info";
      };
      serviceConfig = {
        User = svcUser;
        Group = svcUser;
        EnvironmentFile = config.age.secrets.bridge-nightly.path;
        ExecStart = "/opt/bridge-nightly/profile/bin/server";
      };
    };

    services.nginx.virtualHosts."bridge.orbekk.com" = {
      enableACME = true;
      forceSSL = true;
      root = "/opt/bridge-nightly/profile";
      # Only /api reaches the backend; everything else is served from `root`.
      locations."/api" = {
        proxyPass = "http://localhost:${portStr}";
      };
      extraConfig = ''
        # Single-page application setup.
        # First attempt to serve request as file, then
        # as directory, then fall back to redirecting to index.html
        try_files $uri $uri/ $uri.html /index.html;
      '';
    };

    services.postgresql = {
      enable = true;
      enableTCPIP = true;
      # pg_hba entries: password (md5) auth for the two listed IPv6 prefixes.
      # NOTE(review): md5 is PostgreSQL's legacy password method; scram-sha-256
      # is the current default where server and clients support it.
      authentication = ''
        host all all 2001:470:8e2e:1000::/64 md5
        host all all 2001:470:8e2e:100::/64 md5
      '';
      ensureDatabases = [ dbName ];
      ensureUsers = [
        {
          name = svcUser;
          ensurePermissions."DATABASE ${dbName}" = "ALL PRIVILEGES";
        }
      ];
    };
  };
}