ooklaserver: Cleanup
This commit is contained in:
parent
66bfeade06
commit
e56c756223
1 changed files with 25 additions and 21 deletions
|
@ -3,13 +3,15 @@ let
|
|||
cfg = config.kyouma.ooklaserver;
|
||||
in {
|
||||
options = {
|
||||
kyouma.ooklaserver = with lib; {
|
||||
enable = mkEnableOption "ookla speedtest server";
|
||||
package = mkPackageOption pkgs "ooklaserver" {};
|
||||
kyouma.ooklaserver = let
|
||||
inherit (lib) mkOption types;
|
||||
in {
|
||||
enable = lib.mkEnableOption "ookla speedtest server";
|
||||
package = lib.mkPackageOption pkgs "ooklaserver" {};
|
||||
domain = mkOption {
|
||||
description = "Domain to use.";
|
||||
default = null;
|
||||
type = types.str;
|
||||
type = with types; nullOr nonEmptyStr;
|
||||
};
|
||||
openFirewall = mkOption {
|
||||
description = "Whether to open the firewall for the specified ports.";
|
||||
|
@ -51,20 +53,19 @@ in {
|
|||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
users.users.ooklaserver = {
|
||||
description = "OoklaServer User";
|
||||
group = "ooklaserver";
|
||||
createHome = false;
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.ooklaserver = {};
|
||||
security.acme.certs.${cfg.domain} = {
|
||||
group = "ooklaserver";
|
||||
reloadServices = [ "ooklaserver.service" ];
|
||||
webroot = "/var/lib/acme/acme-challenge";
|
||||
};
|
||||
|
||||
kyouma.ooklaserver.settings = with lib; {
|
||||
networking.firewall = lib.mkIf cfg.openFirewall {
|
||||
allowedUDPPorts = cfg.udpPorts;
|
||||
allowedTCPPorts = cfg.tcpPorts;
|
||||
};
|
||||
|
||||
kyouma.ooklaserver.settings = let
|
||||
inherit (lib) mkDefault;
|
||||
in {
|
||||
OoklaServer = {
|
||||
inherit (cfg) tcpPorts udpPorts;
|
||||
enableAutoUpdate = false;
|
||||
|
@ -89,8 +90,8 @@ in {
|
|||
http.maxHeadersSize = mkDefault 65536;
|
||||
};
|
||||
openSSL.server = {
|
||||
certificateFile = "${config.security.acme.certs.${cfg.domain}.directory}/cert.pem";
|
||||
privateKeyFile = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
|
||||
certificateFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/cert.pem";
|
||||
privateKeyFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/key.pem";
|
||||
minimumTLSProtocol = mkDefault "1.2";
|
||||
};
|
||||
logging.loggers.app = {
|
||||
|
@ -102,10 +103,7 @@ in {
|
|||
level = mkDefault "information";
|
||||
};
|
||||
};
|
||||
networking.firewall = lib.mkIf cfg.openFirewall {
|
||||
allowedUDPPorts = cfg.udpPorts;
|
||||
allowedTCPPorts = cfg.tcpPorts;
|
||||
};
|
||||
|
||||
systemd.services.ooklaserver = let
|
||||
configFile = let
|
||||
anyToString = arg: if (lib.isBool arg) then
|
||||
|
@ -113,8 +111,8 @@ in {
|
|||
else if (lib.isList arg) then
|
||||
lib.concatStringsSep "," (map (val: toString val) arg)
|
||||
else toString arg;
|
||||
|
||||
in with lib; lib.pipe cfg.settings [
|
||||
in
|
||||
with lib; lib.pipe cfg.settings [
|
||||
(mapAttrsRecursive (path: val: "${concatStringsSep "." path} = ${anyToString val}"))
|
||||
(collect isString)
|
||||
(concatLines)
|
||||
|
@ -132,9 +130,15 @@ in {
|
|||
serviceConfig = {
|
||||
Type = "simple";
|
||||
Restart = "always";
|
||||
|
||||
User = "ooklaserver";
|
||||
Group = "ooklaserver";
|
||||
DynamicUser = true;
|
||||
|
||||
LoadCredential = [
|
||||
"cert.pem:${config.security.acme.certs.${cfg.domain}.directory}/cert.pem"
|
||||
"key.pem:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
|
||||
];
|
||||
ExecStart = "${packageWithCfg}/bin/OoklaServer";
|
||||
WorkingDirectory = packageWithCfg;
|
||||
SyslogIdentifier = "ooklaserver";
|
||||
|
|
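Review bot: With `domain` now typed `type = with types; nullOr nonEmptyStr;` but still at `default = null;` in the first hunk, enabling the module without setting a domain no longer fails the type check, yet `security.acme.certs.${cfg.domain}` (unchanged context in the second hunk) silently drops the certificate definition for a null key and the new `"cert.pem:${config.security.acme.certs.${cfg.domain}.directory}/cert.pem"` LoadCredential entries in the last hunk then fail evaluation with a null-coercion error rather than a readable message. A guard inside `config = lib.mkIf cfg.enable { ... }` would state the requirement directly: `assertions = [ { assertion = cfg.domain != null; message = "kyouma.ooklaserver.domain must be set when kyouma.ooklaserver.enable is true"; } ];`. The `with lib; lib.pipe cfg.settings [` line in the fourth hunk also keeps the `with lib` that the rest of this cleanup replaced with `inherit (lib)`, so the `lib.` prefix there is redundant. The last hunk's `+130,15` header accounts for two more added lines than are shown, so the tail of `serviceConfig` is not visible here.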