From b6f809a92b8f4b5cca1d3cddc9480a0dc0275210 Mon Sep 17 00:00:00 2001
From: traxys
Date: Sat, 29 Jul 2023 10:25:22 +0200
Subject: [PATCH] Add all settings
---
 nixos/default.nix | 114 ++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 99 insertions(+), 15 deletions(-)
diff --git a/nixos/default.nix b/nixos/default.nix
index 051bbdf..e282776 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -2,6 +2,7 @@ self: {
 pkgs,
 lib,
 config,
+ options,
 ...
 }:
 with lib; {
@@ -13,9 +14,68 @@ with lib; {
 default = self.packages.${config.nixpkgs.system}.server;
 };
 
- apiPort = mkOption {
- type = types.port;
- default = 8085;
+ settings = {
+ jwtSecret = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ The JWT secret to be used by the application. Should be passed through environmentFile,
+ with REGALADE_JWT_SECRET.
+ '';
+ };
+
+ host = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "The listen address";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 8085;
+ };
+
+ apiAllowed = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "The CORS Access-Control-Allow-Origin value";
+ };
+
+ databaseUrl = mkOption {
+ type = types.str;
+ default = "postgres://${config.services.regalade.user}/regalade?host=/var/run/postgresql";
+ };
+
+ sqlxLogging = mkEnableOption "logging of all SQL operations";
+
+ oidc = {
+ enable = mkEnableOption "authentication using an OIDC provider";
+
+ url = mkOption {
+ type = types.str;
+ description = "The base URL of the provider (directory where the .well-known is)";
+ };
+
+ id = mkOption {
+ type = types.str;
+ description = "Client ID";
+ };
+
+ secret = mkOption {
+ type = types.nullOr types.str;
+ description = "The environment variable REGALADE_OIDC__SECRET should be preferred";
+ };
+
+ scopes = mkOption {
+ type = types.listOf types.str;
+ default = ["openid" "profile" "email"];
+ };
+
+ domain = mkOption {
+ type = types.str;
+ description = "URL at which to redirect, where the application is deployed";
+ };
+ };
 };
 
 user = mkOption {
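Review bot: `oidc.secret` is declared `types.nullOr types.str` with no `default`, so a deployment that follows its own description and supplies the secret through REGALADE_OIDC__SECRET instead will fail evaluation with an "option used but not defined" error as soon as `oidc.enable` is true and the environment mapping in the later hunk reads it; add `default = null;` the way `jwtSecret` already does. `port` and `databaseUrl` carry no `description`, and the `jwtSecret` text refers to `environmentFile`, which is not declared in this hunk — if that option lives elsewhere in the module, a `description` on `oidc.secret` pointing at the same mechanism would keep the two secrets documented consistently. The `settings` attrset starts and ends inside the hunk, but the enclosing options attrset does not.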
@@ -74,20 +134,44 @@ with lib; {
 PrivateMounts = true;
 };
 
- environment = {
- REGALADE_DATABASE_URL = "postgres://${cfg.user}/regalade?host=/var/run/postgresql";
- };
+ environment =
+ {
+ REGALADE_DATABASE_URL = cfg.settings.databaseUrl;
+ REGALADE_JWT_SECRET = cfg.settings.jwtSecret;
+ REGALADE_HOST = cfg.settings.host;
+ REGALADE_PORT = toString cfg.settings.port;
+ REGALADE_API_ALLOWED = cfg.settings.apiAllowed;
+ REGALADE_SQLX_LOGGING =
+ if cfg.settings.sqlxLogging
+ then "true"
+ else "false";
+ }
+ // (
+ if cfg.settings.oidc.enable
+ then let
+ inherit (cfg.settings) oidc;
+ in {
+ REGALADE_OIDC__URL = oidc.url;
+ REGALADE_OIDC__ID = oidc.id;
+ REGALADE_OIDC__SECRET = oidc.secret;
+ REGALADE_OIDC__DOMAIN = oidc.domain;
+ REGALADE_OIDC__SCOPES = lib.strings.concatStringsSep "," oidc.scopes;
+ }
+ else {}
+ );
 };
 
- services.postgresql = {
- ensureUsers = [
- {
- name = cfg.user;
- ensurePermissions = {"DATABASE \"regalade\"" = "ALL PRIVILEGES";};
- }
- ];
- ensureDatabases = ["regalade"];
- };
+ services.postgresql =
+ mkIf (cfg.settings.databaseUrl == options.services.regalade.settings.databaseUrl.default)
+ {
+ ensureUsers = [
+ {
+ name = cfg.user;
+ ensurePermissions = {"DATABASE \"regalade\"" = "ALL PRIVILEGES";};
+ }
+ ];
+ ensureDatabases = ["regalade"];
+ };
 
 users = mkIf (cfg.user == "regalade") {
 users.regalade = {
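Review bot: `REGALADE_JWT_SECRET = cfg.settings.jwtSecret;` and `REGALADE_OIDC__SECRET = oidc.secret;` copy any value given to those options into the unit's `Environment=` lines, and — assuming this is the `systemd.services` block that the `PrivateMounts = true;` context suggests — that unit file is generated into the world-readable Nix store; the option descriptions recommend the environment-file route, but the module neither warns about nor blocks the inline one. A `warnings = optional (cfg.settings.jwtSecret != null || cfg.settings.oidc.secret != null) "services.regalade: jwtSecret/oidc.secret given in the NixOS configuration end up in the Nix store; prefer the environment file";` next to `services.postgresql` would make the trade-off visible at evaluation time without changing behaviour. As a style point, `if cfg.settings.sqlxLogging then "true" else "false"` is `boolToString cfg.settings.sqlxLogging` and `lib.strings.concatStringsSep` is plain `concatStringsSep` under the `with lib;` already in scope. The enclosing config attrset starts and ends outside the hunk.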