Luke Granger-Brown
79ae0d7fef
We need to use openssl-legacy-provider to fix an issue with OpenSSL 3.x, because Webpack (or Nuxt?) need to use deprecated hashes.
204 lines
5.8 KiB
Nix
204 lines
5.8 KiB
Nix
{ depot, pkgs, lib, config, ... }:
|
|
|
|
let
|
|
inherit (depot.nix.pkgs) baserow;
|
|
|
|
environment = {
|
|
DJANGO_SETTINGS_MODULE = "baserow.config.settings.base";
|
|
PUBLIC_WEB_FRONTEND_URL = "https://baserow.lukegb.com";
|
|
PUBLIC_BACKEND_URL = "https://api.baserow.lukegb.com";
|
|
PRIVATE_BACKEND_URL = "http://localhost:28100";
|
|
MEDIA_URL = "https://baserow-media.zxcvbnm.ninja/";
|
|
MJML_SERVER_HOST = "localhost";
|
|
MEDIA_ROOT = "/var/lib/baserow/media";
|
|
|
|
SECRET_KEY = "zKBu7MIzBki5S3rResh5Vj0kG7Fl0b27OUYCDJvRxe7fWJUcAHL1cR70hZuqECnszFVwSgxv1ZHBaHv6";
|
|
|
|
DATABASE_HOST = "";
|
|
DATABASE_PASSWORD = "";
|
|
REDIS_HOST = "localhost";
|
|
EMAIL_SMTP = "yesplease";
|
|
FROM_EMAIL = "no-reply@baserow.lukegb.com";
|
|
};
|
|
baserow-util = pkgs.stdenv.mkDerivation {
|
|
name = "baserow-util";
|
|
dontUnpack = true;
|
|
dontBuild = true;
|
|
nativeBuildInputs = with pkgs; [ makeWrapper ];
|
|
baserow = baserow.backend;
|
|
installPhase = ''
|
|
install -d -m 0755 $out/bin
|
|
makeWrapper $baserow/bin/baserow $out/bin/baserow \
|
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: val: "--set-default '${name}' '${val}' \\") environment)}
|
|
'';
|
|
};
|
|
in
|
|
{
|
|
environment.systemPackages = [ baserow-util ];
|
|
|
|
users.groups.baserow = {};
|
|
users.users.baserow = {
|
|
group = "baserow";
|
|
isSystemUser = true;
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d /var/lib/baserow 0755 baserow baserow -"
|
|
"d /var/lib/baserow/media 0750 baserow baserow -"
|
|
];
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureUsers = [{
|
|
name = "baserow";
|
|
ensurePermissions = {
|
|
"DATABASE baserow" = "ALL PRIVILEGES";
|
|
};
|
|
}];
|
|
ensureDatabases = [ "baserow" ];
|
|
};
|
|
services.redis.servers."".enable = true;
|
|
|
|
systemd.services.baserow-frontend = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
environment = environment // {
|
|
NODE_OPTIONS = "--openssl-legacy-provider";
|
|
};
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${baserow.web-frontend}/bin/baserow-web-frontend --hostname 127.0.0.1 --port 28102";
|
|
User = "baserow";
|
|
Group = "baserow";
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
Restart = "on-failure";
|
|
};
|
|
};
|
|
systemd.services.baserow-backend = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
inherit environment;
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${baserow.backend}/bin/baserow-gunicorn -w 5 -b 127.0.0.1:28100 --log-level=debug";
|
|
User = "baserow";
|
|
Group = "baserow";
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
Restart = "on-failure";
|
|
};
|
|
};
|
|
systemd.services.baserow-worker-celery = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
inherit environment;
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${baserow.backend}/bin/baserow-celery worker -l INFO -Q celery";
|
|
User = "baserow";
|
|
Group = "baserow";
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
Restart = "on-failure";
|
|
};
|
|
};
|
|
systemd.services.baserow-worker-export = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
inherit environment;
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${baserow.backend}/bin/baserow-celery worker -l INFO -Q export";
|
|
User = "baserow";
|
|
Group = "baserow";
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
Restart = "on-failure";
|
|
};
|
|
};
|
|
systemd.services.baserow-worker-beat = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
inherit environment;
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${baserow.backend}/bin/baserow-celery beat -l INFO -S redbeat.RedBeatScheduler";
|
|
User = "baserow";
|
|
Group = "baserow";
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
Restart = "on-failure";
|
|
};
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ "baserow" ];
|
|
services.nginx.recommendedProxySettings = true;
|
|
services.nginx.recommendedTlsSettings = true;
|
|
services.nginx.virtualHosts = {
|
|
"baserow.lukegb.com" = {
|
|
forceSSL = true;
|
|
extraConfig = ''
|
|
proxy_read_timeout 1800s;
|
|
client_max_body_size 0;
|
|
chunked_transfer_encoding on;
|
|
'';
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:28102";
|
|
};
|
|
};
|
|
"api.baserow.lukegb.com" = {
|
|
forceSSL = true;
|
|
extraConfig = ''
|
|
proxy_read_timeout 1800s;
|
|
client_max_body_size 0;
|
|
chunked_transfer_encoding on;
|
|
'';
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:28100";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
"baserow-media.zxcvbnm.ninja" = {
|
|
forceSSL = true;
|
|
root = "/var/lib/baserow/media";
|
|
locations."/user_files" = {
|
|
root = "/var/lib/baserow/media";
|
|
extraConfig = ''
|
|
add_header Content-disposition "attachment; filename=$1";
|
|
'';
|
|
};
|
|
locations."/export_files" = {
|
|
root = "/var/lib/baserow/media";
|
|
extraConfig = ''
|
|
add_header Content-disposition "attachment; filename=$1";
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
my.vault.acmeCertificates = {
|
|
"baserow.lukegb.com" = {
|
|
hostnames = [ "baserow.lukegb.com" "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
|
|
nginxVirtualHosts = [ "baserow.lukegb.com" "api.baserow.lukegb.com" "baserow-media.zxcvbnm.ninja" ];
|
|
};
|
|
};
|
|
|
|
services.postfix = {
|
|
enable = true;
|
|
domain = "baserow.lukegb.com";
|
|
hostname = "baserow.lukegb.com";
|
|
extraConfig = ''
|
|
milter_protocol = 2
|
|
milter_default_action = accept
|
|
smtpd_milters = ${config.services.opendkim.socket}
|
|
non_smtpd_milters = ${config.services.opendkim.socket}
|
|
'';
|
|
};
|
|
users.users.postfix.extraGroups = [ "opendkim" ];
|
|
services.opendkim = {
|
|
enable = true;
|
|
domains = "csl:baserow.lukegb.com";
|
|
selector = "totoro";
|
|
};
|
|
systemd.services.opendkim.serviceConfig.UMask = lib.mkForce "0007";
|
|
}
|