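{ config, pkgs, mysecrets, syndicationd, ... }:
# NixOS module: runs the syndicationd `synd-api` server as a dedicated,
# sandboxed system user. TLS material and third-party credentials are
# decrypted by agenix at activation time, so nothing secret lands in the
# world-readable Nix store or in the unit's ExecStart line.
let
  inherit (pkgs) lib;
  syndPkg = syndicationd.packages."${pkgs.system}".synd-api;
  syndUser = "synd";
  syndGroup = syndUser;
  # Single source of truth for the listen port; the firewall rule and the
  # `--port` flag below must agree.
  syndPort = 5959;
  # All agenix secrets for this service share ownership and mode, so declare
  # them through one helper instead of repeating the attrset per secret.
  syndSecret = name: {
    file = "${mysecrets}/${name}";
    mode = "0440";
    owner = syndUser;
    group = syndGroup;
  };
in {
  config = {
    # Dedicated unprivileged system user/group; the service never runs as root.
    users = {
      groups.${syndGroup} = { name = syndGroup; };
      users.${syndUser} = {
        name = syndUser;
        isSystemUser = true;
        group = syndGroup;
      };
    };

    # TLS certificate/private key plus credential files that are loaded into
    # the unit environment via EnvironmentFile (never baked into ExecStart).
    age.secrets = {
      syndicationd_certificate = syndSecret "syndicationd_certificate.pem.age";
      syndicationd_private_key = syndSecret "syndicationd_private_key.pem.age";
      syndicationd_grafanacloud = syndSecret "grafanacloud.age";
      # KVSD credentials. The encrypted file is in systemd EnvironmentFile
      # format and must define `KVSD_USERNAME=...` and `KVSD_PASSWORD=...`.
      # Previously both values were hard-coded into the ExecStart string,
      # which made them readable by every local user from /nix/store and
      # from `systemctl show synd-api`.
      syndicationd_kvsd = syndSecret "syndicationd_kvsd.age";
    };

    # Expose the TLS listener.
    networking.firewall.allowedTCPPorts = [ syndPort ];

    systemd.services.synd-api = {
      description = "Syndicationd api";
      wantedBy = [ "multi-user.target" ];
      # Telemetry goes to the local OTLP collector; order after it, but use
      # `wants` (not `requires`) so a collector outage does not take the API down.
      wants = [ "opentelemetry-collector.service" ];
      after = [ "opentelemetry-collector.service" ];
      environment = {
        SYND_LOG = "INFO";
        OTEL_EXPORTER_OTLP_ENDPOINT = "http://localhost:4317";
        OTEL_RESOURCE_ATTRIBUTES =
          "service.namespace=syndicationd,deployment.environment=production";
      };
      serviceConfig = let
        cert = config.age.secrets.syndicationd_certificate.path;
        key = config.age.secrets.syndicationd_private_key.path;
        # `\${VAR}` in a Nix string yields a literal `${VAR}` in the generated
        # unit file, which systemd substitutes from Environment/EnvironmentFile
        # at exec time. The KVSD credentials therefore never reach the Nix
        # store. Caveat: after expansion they are still part of the process
        # argv (/proc/<pid>/cmdline) for the lifetime of the process; if
        # synd-api accepts the password from a file or environment variable
        # directly, switch to that together with systemd `LoadCredential`.
        # EnvironmentFile has no `-` prefix, so a missing secret file fails the
        # unit instead of silently starting with empty credentials.
        args = lib.concatStringsSep " " [
          "--addr 0.0.0.0"
          "--port ${toString syndPort}"
          "--timeout 30s"
          "--body-limit-bytes 2048"
          "--concurrency-limit 100"
          "--kvsd-host 192.168.10.151"
          "--kvsd-port 7379"
          "--kvsd-username \${KVSD_USERNAME}"
          "--kvsd-password \${KVSD_PASSWORD}"
          "--tls-cert ${cert}"
          "--tls-key ${key}"
          "--show-code-location=false"
          "--show-target=true"
          "--trace-sampler-ratio=1"
        ];
      in {
        ExecStart = "${syndPkg}/bin/synd-api ${args}";
        EnvironmentFile = with config.age.secrets; [
          syndicationd_grafanacloud.path
          syndicationd_kvsd.path
        ];

        # user: a static user so the agenix-owned secret files stay readable
        # across restarts (DynamicUser would allocate a fresh UID each start).
        DynamicUser = false;
        User = syndUser;
        Group = syndGroup;

        # exec: back off between restarts so a persistent failure does not
        # immediately trip systemd's start-rate limit.
        Restart = "always";
        RestartSec = "5s";
        WorkingDirectory = "/var/lib/synd-api";
        StateDirectory = "synd-api";

        # security: keep the original knobs and add the standard systemd
        # sandboxing a plain TCP service tolerates. AF_UNIX stays allowed
        # because glibc NSS on NixOS resolves names (e.g. "localhost") through
        # nscd's unix socket. SystemCallFilter / MemoryDenyWriteExecute are
        # deliberately left out until verified against the synd-api binary.
        RemoveIPC = true;
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        UMask = "0077";
      };
    };
  };
}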