
@jezen
Created January 23, 2020 21:02
The underscores in the filenames stand for slashes (directory separators); GitHub doesn't allow slashes in gist filenames.
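# Shared network definition: the package inputs plus the `defaults` module that
# is applied to every machine in the network.
#
# Argument:
#   secrets - attribute set providing PGPASS, AWS_ACCESS_KEY_ID,
#             AWS_SECRET_ACCESS_KEY and ROLLBAR_API_KEY (all used below).
#
# Result: `input` (pkgs, app, frontend bundles, grafanaPort) and `network`.
{ secrets }:
rec {
  input = rec {
    pkgs = import ../nixpkgs.nix {
      config = import ../pkgconfig.nix { compiler = "ghc865"; };
      localSystem.system = "x86_64-linux";
    };
    app = import ../../default.nix { inherit pkgs; };
    market-list = import ../../frontend/market-list/default.nix { inherit pkgs; };
    chat = import ../../frontend/chat/default.nix { inherit pkgs; };
    grafanaPort = 4000;
  };

  network = with input; {
    network.description = "app";

    defaults = {
      environment.systemPackages = [ app pkgs.influxdb ];

      imports = [
        ../services/firewall.nix
        ../services/collectd.nix
        ../services/influxdb.nix
        ../services/openssh.nix
        ../services/postgresql.nix
      ];

      services = {
        ejabberd = {
          enable = true;
          configFile = "/etc/ejabberd.yml";
        };
        redis.enable = true;
        timesyncd.enable = true;
      };

      # The 0600 mode only protects the copy under /etc: the content passed via
      # `text` is also written to the Nix store, which is world-readable.
      # NOTE(review): if ejabberd.yml carries credentials (ejabberd is built
      # withPgsql in pkgconfig.nix), deliver it outside the store instead.
      environment.etc."ejabberd.yml" = {
        user = "ejabberd";
        mode = "0600";
        text = builtins.readFile ../services/ejabberd/ejabberd.yml;
      };

      # Secrets for the app are delivered as a key file rather than through
      # `systemd.services.app.environment`: everything in `environment` is
      # rendered into the unit file in the world-readable Nix store.
      # `deployment.keys` is a NixOps option (this file is assumed to be a
      # NixOps network, as `network.description`/`defaults` suggest); the text
      # is sent to the machine out of band and placed at /run/keys/app-env.
      # Caveats:
      #   * /run/keys does not survive a reboot; the keys must be sent again
      #     before the app can start.
      #   * systemd parses this file as KEY=VALUE lines, so values containing
      #     quotes, backslashes or newlines need escaping.
      deployment.keys."app-env" = {
        text = ''
          PGPASS=${secrets.PGPASS}
          AWS_ACCESS_KEY_ID=${secrets.AWS_ACCESS_KEY_ID}
          AWS_SECRET_ACCESS_KEY=${secrets.AWS_SECRET_ACCESS_KEY}
          ROLLBAR_API_KEY=${secrets.ROLLBAR_API_KEY}
        '';
        permissions = "0600";
      };

      # No User= is set, so unless another module overrides it the service
      # runs as root. NOTE(review): consider a dedicated unprivileged user.
      systemd.services.app = {
        description = "app Webserver";
        requires = [ "postgresql.service" ];
        # NixOps creates "<name>-key.service" for each key; wait for it so the
        # EnvironmentFile exists before ExecStart runs.
        wants = [ "app-env-key.service" ];
        wantedBy = [ "multi-user.target" "nginx.service" ];
        after = [
          "network.target"
          "local-fs.target"
          "postgresql.service"
          "app-env-key.service"
        ];
        serviceConfig = {
          ExecStart = "${app}/bin/app";
          # No leading "-": a missing key file makes the start fail instead of
          # running the app without credentials.
          EnvironmentFile = "/run/keys/app-env";
        };
        # Copies the frontend bundles out of the store into /static/app on
        # every start; files from earlier deployments are not removed.
        preStart = ''
          mkdir -p /static/app/{market-list,chat}
          cp -r ${market-list}/assets/* /static/app/market-list
          cp -r ${chat}/assets/* /static/app/chat
        '';
        # Non-secret settings only; secret values come from EnvironmentFile.
        environment = {
          STATIC_DIR = ''/static/'';
          PORT = "3000";
          PGUSER = "app";
          PGHOST = "127.0.0.1";
          PGDATABASE = "app";
          AWS_REGION = "eu-west-2";
          MIGRATION_DIR =
            "${app}/share/x86_64-linux-ghc-8.6.5/app-0.0.0/config/migration";
        };
      };
    };
  };
}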
# Network entry point: merges the shared network (description + defaults) with
# the two machine definitions, `staging` and `production`.
let
  # NOTE(review): secrets.nix is read from the working tree; confirm it is
  # kept out of version control.
  secrets = import ./secrets.nix;
  shared = import ./ops/shared.nix { inherit secrets; };
in
shared.network // (with shared.input; {

  # Staging host: same stack as production, with HTTP basic auth in front.
  staging = { ... }:
    let
      domain = "staging.app.com";
    in {
      networking.hostName = "app_staging";

      services = {
        nginx = import ./services/nginx.nix {
          inherit pkgs app domain grafanaPort;
          # NOTE(review): the password file lives in /tmp, which is
          # world-writable and subject to cleanup; nothing on this page shows
          # how it is provisioned. A root-owned path outside /tmp, readable
          # only by the nginx user, would be safer - confirm.
          extra = ''
            auth_basic "app Staging Server";
            auth_basic_user_file /tmp/htpasswd;
          '';
        };
        grafana = import ./services/grafana.nix {
          inherit pkgs domain;
          useHttps = true;
          port = grafanaPort;
        };
      };

      # Merged with the environment set on the app unit in ops/shared.nix.
      systemd.services.app.environment = {
        YESOD_ENV = "staging";
        APPROOT = "https://${domain}";
        S3_DOCS_URL =
          "https://s3-eu-west-2.amazonaws.com/app-userdocs-staging";
      };

      security.acme.certs = { "${domain}".email = "all@app.com"; };
    };

  # Production host: no extra nginx directives are passed (extra = "").
  production = { ... }:
    let
      domain = "app.com";
    in {
      networking.hostName = "app_production";

      services = {
        nginx = import ./services/nginx.nix {
          inherit pkgs app domain grafanaPort;
          extra = "";
        };
        grafana = import ./services/grafana.nix {
          inherit pkgs domain;
          port = grafanaPort;
          useHttps = true;
        };
      };

      # Merged with the environment set on the app unit in ops/shared.nix.
      systemd.services.app.environment = {
        YESOD_ENV = "production";
        APPROOT = "https://${domain}";
        S3_DOCS_URL =
          "https://s3-eu-west-2.amazonaws.com/app-userdocs-production";
      };

      security.acme.certs = { "${domain}".email = "all@app.com"; };
    };
})
# nixpkgs `config` for the project.
#
# Argument:
#   compiler - attribute name of the Haskell package set to override
#              (ops/shared.nix passes "ghc865").
#
# Most Haskell packages below are replaced by local ./<name>.nix expressions,
# so the versions in use are whatever those files pin.
{ compiler }:
{
  packageOverrides = pkgs:
    let
      hlib = pkgs.haskell.lib;
    in {
      nginx = pkgs.nginx.override {
        modules = [ pkgs.nginxModules.moreheaders ];
      };

      ejabberd = pkgs.ejabberd.override { withPgsql = true; };

      haskell = pkgs.haskell // {
        packages = pkgs.haskell.packages // {
          "${compiler}" = pkgs.haskell.packages."${compiler}".override {
            overrides = self: super:
              let
                call = self.callPackage;
                # Shared dependencies that several overrides receive explicitly.
                unliftio = call ./unliftio.nix { };
                typed-process = call ./typed-process.nix { };
              in rec {
                classy-prelude = call ./classy-prelude.nix { inherit unliftio; };
                # dontHaddock: skip building the API documentation.
                classy-prelude-yesod = hlib.dontHaddock super.classy-prelude-yesod;
                conduit-extra = call ./conduit-extra.nix { inherit typed-process; };
                haskell-xmpp = call ./haskell-xmpp.nix { };
                zxcvbn-hs = call ./zxcvbn-hs.nix { };
                yesod-auth-simple = call ./yesod-auth-simple.nix {
                  inherit zxcvbn-hs;
                };
                wai-extra = call ./wai-extra.nix { };
                yesod-form = call ./yesod-form.nix { };
                yesod-auth = call ./yesod-auth.nix {
                  nonce = call ./nonce.nix { inherit unliftio; };
                };
                yesod-core = call ./yesod-core.nix {
                  rio = call ./rio.nix { inherit typed-process unliftio; };
                };
                yesod-test = call ./yesod-test.nix { };
                yesod-persistent = call ./yesod-persistent.nix { };
                # dontCheck: the package's test suite is not run.
                ghc-exactprint = hlib.dontCheck super.ghc-exactprint;
                yesod-paginator = call ./yesod-paginator.nix { };
                network = call ./network.nix { };
                postgresql-simple = call ./postgresql-simple.nix { };
                postgresql-simple-migration =
                  call ./postgresql-simple-migration.nix {
                    inherit postgresql-simple;
                  };
                persistent-test = call ./persistent-test.nix {
                  inherit persistent-template;
                };
                persistent = call ./persistent.nix { };
                persistent-qq = call ./persistent-qq.nix { inherit persistent; };
                persistent-postgresql = call ./persistent-postgresql.nix {
                  inherit persistent postgresql-simple;
                };
                persistent-template = call ./persistent-template.nix {
                  inherit persistent;
                };
                persistent-sqlite = call ./persistent-sqlite.nix { };
                esqueleto = call ./esqueleto.nix {
                  inherit unliftio;
                  persistent-mysql = call ./persistent-mysql.nix {
                    inherit persistent persistent-test;
                  };
                };
                safe-money = call ./safe-money.nix { };
                safe-money-aeson = call ./safe-money-aeson.nix { };
                # Locally patched session backend.
                # NOTE(review): this sits on the session-handling path; re-check
                # the patch whenever the upstream package is updated.
                serversession-backend-redis =
                  hlib.appendPatch super.serversession-backend-redis
                    ./patches/serversession-backend-redis.patch;
                serversession-frontend-yesod =
                  call ./serversession-frontend-yesod.nix { };
                mime-mail = call ./mime-mail.nix { };
                cryptonite = call ./cryptonite.nix { };
                fakedata = call ./fakedata.nix { };
              };
          };
        };
      };
    };

  # The three flags below apply to every package evaluated with this config,
  # not only the ones named in the comments.
  # NOTE(review): nixpkgs also accepts `allowUnfreePredicate` for a per-package
  # allow-list; consider narrowing these once the listed blockers are gone.
  # TODO: amazonka is broken in nixos-19.09
  allowBroken = true;
  allowUnsupportedSystem = true; # currently for ejabberd on darwin
  allowUnfree = true;
}