diff --git a/machine/empyrean/default.nix b/machine/empyrean/default.nix index 1848445..2c56414 100644 --- a/machine/empyrean/default.nix +++ b/machine/empyrean/default.nix @@ -12,7 +12,6 @@ #./redstring.nix ./catacomb.nix ./gitea.nix - ./inquisitor.nix ]; beatific.hostName = "empyrean"; @@ -94,7 +93,7 @@ }; services.intake = { - listen = { addr = "10.22.20.1"; port = 5234; }; + listen = { addr = "10.22.20.1"; }; users.tvb.enable = true; users.tvb.extraPackages = [ pkgs.intakeSources pkgs.openssh ]; }; @@ -105,7 +104,6 @@ 80 # http 443 # https 655 # tinc - 5234# intake ]; allowedUDPPorts = [ 655 # tinc diff --git a/machine/empyrean/inquisitor.nix b/machine/empyrean/inquisitor.nix deleted file mode 100644 index 9f5648b..0000000 --- a/machine/empyrean/inquisitor.nix +++ /dev/null @@ -1,138 +0,0 @@ -{pkgs, ...}: - -let - # Import the inquisitor package and build it - inquisitorSource = pkgs.fetchFromGitHub { - owner = "Jaculabilis"; - repo = "Inquisitor"; - rev = "addcb4f1a56c878b58f2e1c38dfd485761b31306"; - sha256 = "0jjl92nf1y40acdly1kls0mppcadvmgbfr6qwczxni1f1zphw3as"; - }; - inquisitor = pkgs.callPackage inquisitorSource { inherit pkgs; }; - - # Define the inquisitor data directory - inquisiDir = "/var/lib/inquisitor"; - - # Define an scp helper for executing in cron jobs - scp-helper = pkgs.writeShellScriptBin "scp-helper" '' - ${pkgs.openssh}/bin/scp -i ${inquisiDir}/inquisitor.key -oStrictHostKeyChecking=no "$@" - ''; - - # Define the inquisitor service user - inquisitorUser = { - name = "inquisitor"; - group = "inquisitor"; - description = "Inquisitor service user"; - isSystemUser = true; - shell = pkgs.bashInteractive; - packages = [ inquisitor pkgs.cron ]; - }; - - # Create the inquisitor config file in the nix store, pointing to /var/lib/ - inquisitorConfig = pkgs.writeTextFile { - name = "inquisitor.conf"; - text = '' - DataPath = ${inquisiDir}/data/ - SourcePath = ${inquisiDir}/sources/ - CachePath = ${inquisiDir}/cache/ - Verbose = false - LogFile = ${inquisiDir}/inquisitor.log - ''; - }; - - # Create a setup script to ensure the service directory state - inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" '' - # Ensure the service directory and the default source directory - ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/ - ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/ - ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/ - if [ ! -f ${inquisiDir}/data/inquisitor/state ]; then - ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state - fi - - # Ensure the service owns the folders - chown -R ${inquisitorUser.name} ${inquisiDir} - - # Ensure the scp helper is present - if [ -f ${inquisiDir}/scp-helper ]; then - rm ${inquisiDir}/scp-helper - fi - ln -s -t ${inquisiDir} ${scp-helper}/bin/scp-helper - ''; - - # Create a run script for the server - inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" '' - cd ${inquisiDir} - ${inquisitor}/bin/gunicorn \ - --bind=localhost:24133 \ - --workers=4 \ - --timeout 120 \ - --log-level debug \ - "inquisitor.app:wsgi()" - ''; - - # Create a wrapper to execute the cli as the service user - inquisitorWrapper = pkgs.writeShellScriptBin "inq" '' - sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@" - ''; -in -{ - users.users.inquisitor = inquisitorUser; - users.groups.inquisitor = {}; - - # Link the config in /etc to avoid envvar shenanigans - environment.etc."inquisitor.conf".source = "${inquisitorConfig}"; - - # Give all users the inq wrapper - environment.systemPackages = [ inquisitorWrapper ]; - - # Allow the sudo in the cli wrapper without password - security.sudo.extraRules = [{ - commands = [{ - command = "${inquisitor}/bin/inquisitor"; - options = [ "NOPASSWD" ]; - }]; - runAs = "${inquisitorUser.name}"; - groups = [ "users" ]; - }]; - - # Run the setup script on activation - system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh"; - - # Set up the inquisitor service - systemd.services.inquisitor = - { - description = "Inquisitor server"; - script = "${inquisitorRun}/bin/inquisitor-run.sh"; - serviceConfig = { - User = "${inquisitorUser.name}"; - Type = "simple"; - }; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - enable = true; - }; - - # Set up nginx to reverse proxy from the beatific url to the inq server - services.nginx.enable = true; - services.nginx.virtualHosts.inquisitorHost = { - listen = [ { addr = "10.22.20.1"; port = 80; } ]; - locations."/".extraConfig = '' - access_log /var/log/nginx/access.inquisitor.log; - proxy_buffering off; - proxy_pass http://localhost:24133/; - ''; - }; - - # Allow nginx through the firewall - networking.firewall = { - allowedTCPPorts = [ - 80 # http - 443 # https - ]; - }; - - # Enable cron, but don't set up any system cron jobs - # Inquisitor updates will be managed manually - services.cron.enable = true; -}