53 lines
1.4 KiB
Nix
53 lines
1.4 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
let
|
|
autodeploy = pkgs.buildGoModule {
|
|
name = "autodeploy";
|
|
src = ./autodeploy;
|
|
vendorHash = "sha256-H8Wa1GoXjU8mkaE0ofdA1mO+rNo3l4s0nxTVih9LuWs=";
|
|
};
|
|
|
|
in {
|
|
virtualisation.podman.enable = true;
|
|
virtualisation.oci-containers.backend = "podman";
|
|
virtualisation.oci-containers.containers = {
|
|
site = {
|
|
image = "git.orga.cebula.camp/infra/site@sha256:a0868ed94fdaa00fe70f9bf1f8f77a91634c91cb633232257831b290fe3d1660";
|
|
ports = [ "10.88.0.1:9001:3000" ];
|
|
};
|
|
};
|
|
services.nginx.virtualHosts."cebula.camp" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://10.88.0.1:9001/";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
systemd.timers.site-autodeploy = {
|
|
wantedBy = [ "timers.target" ];
|
|
timerConfig = {
|
|
OnBootSec = "5m";
|
|
OnUnitActiveSec = "5m";
|
|
Unit = "site-autodeploy.service";
|
|
};
|
|
};
|
|
systemd.services.site-autodeploy = {
|
|
path = [ pkgs.podman ];
|
|
script = ''
|
|
set -eu
|
|
${autodeploy}/bin/autodeploy \
|
|
-local_checkout /root/site-ci \
|
|
-trigger "systemctl restart podman-site"
|
|
'';
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
# TODO: run as an unprivileged user:
|
|
# 1. figure out why rootless podman is broken, probaby something with
|
|
# subuid/subgid maps with LDAP.
|
|
# 2. let the unprivileged user sudo into a systemctl unit restart
|
|
User = "root";
|
|
};
|
|
};
|
|
}
|