diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index 8185637..b89fdc7 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -80,6 +80,7 @@ in lohr = { enable = true; + port = 8083; }; miniflux = { diff --git a/secrets/default.nix b/secrets/default.nix index 2120a11..0f21d45 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -14,6 +14,7 @@ with lib; transmission-password = lib.fileContents ./transmission.secret; nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret; nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret; + lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret; wireguard = pkgs.callPackage ./wireguard.nix { }; }; diff --git a/secrets/lohr-shared-secret.secret b/secrets/lohr-shared-secret.secret new file mode 100644 index 0000000..a05809e Binary files /dev/null and b/secrets/lohr-shared-secret.secret differ diff --git a/services/lohr.nix b/services/lohr.nix index fcc05c3..957babf 100644 --- a/services/lohr.nix +++ b/services/lohr.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -6,6 +6,12 @@ let cfg = config.my.services.lohr; my = config.my; domain = config.networking.domain; + secrets = config.my.secrets; + lohrPkg = + let + flake = builtins.getFlake "github:alarsyo/lohr?rev=bc32f8a565faa2055c1bbfa8c2353ce4738208b2"; + in + flake.defaultPackage."x86_64-linux"; # FIXME: use correct system in { options.my.services.lohr = { @@ -17,19 +23,51 @@ in example = "/var/lib/lohr"; description = "Home for the lohr service, where data will be stored"; }; + + port = mkOption { + type = types.port; + default = 8080; + example = 8080; + description = "Internal port for Lohr daemon"; + }; }; config = mkIf cfg.enable { + systemd.services.lohr = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Environment = [ + "ROCKET_PORT=${toString cfg.port}" + "ROCKET_LOG_LEVEL=normal" + "LOHR_HOME=${cfg.home}" + "'LOHR_SECRET=${secrets.lohr-shared-secret}'" + ]; + ExecStart = "${lohrPkg}/bin/lohr"; + StateDirectory = "lohr"; + WorkingDirectory = "/var/lib/lohr"; + User = "lohr"; + Group = "lohr"; + }; + path = with pkgs; [ + git + ]; + }; + + users.users.lohr = { + isSystemUser = true; + home = cfg.home; + createHome = true; + group = "lohr"; + }; + users.groups.lohr = { }; + services.nginx.virtualHosts = { "lohr.${domain}" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = let - laptopClientNum = my.secrets.wireguard.peers.laptop.clientNum; - in - "http://10.0.0.${toString laptopClientNum}:8000"; + proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; };