From 05948d31c27f4a3b8e08c96604089ce9464b496e Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Tue, 23 Sep 2025 08:10:26 +0000 Subject: [PATCH 1/4] Updated secrets --- secrets/derek-bot.age | Bin 1124 -> 1124 bytes system/server/derek-bot.nix | 27 ++++++++++++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) 
diff --git a/secrets/derek-bot.age b/secrets/derek-bot.age index f45ac469bf36dc83ed10f2a869114b6d3da43dfb..6d1a80cad3d3d70f97eafbbcfb4b28f8d91b08a4 100644 GIT binary patch delta 1038 zcmaFD@q}Z7PJKyoQc=01zo$X2uUSP>gnm$Ng@0~Zai&>tfT>HQlVxh5X-=X^q=$QE zIag#Pa9&nXa)gI=u6JpAVwHAc zdS;NDbB<9umwSjuT4|P-cDZ4(c~GENW`tv5MS)>~Q=o6LZ&;AIky(&ER6NDoRWOKqk@x-A`85O z%rkP6Q`~&rlJ(t!(sD}+qOzh2Qq0n#{L4%xpJf!U_YDm)3Cwnm$o11VD#&njPV{$j zPIcA}E4DPRDDd|-$}@9L4Yn*ZcP=;K(#{FX&9_Vr4vh4#GB!vF%L?#uH1G*Xt}HP% zEqC`yEi5T;On3G$Fmp;rkAbkjN;88%1&^v^H>dm(e{TbmT#uZvf|PnUztXZ`-$+xh zR5PD2|A3q%^WemCvs5$JNG_Lx5+mnGLl5^v6EAN^?aJi*FeBfbqL3(WbIYKr;vA#2 z@PeE?m*Vn>axPt6T?GrX0(TE1?GpVWKYf#Y_cVX^2>tA^A_Hx&fC?k80Jr3%lq4@7 z*H9l56E4$jPHQut>))xDQ+v1jTiN=BRn-<-u3Y#f_vy`3#@Vbk7dHqjS#tgB8advc zFMD_M>aS2UvpUbrShFhLJh3A)IHWv8E$u6q@RWBbdo|KvQvg?(v?3c&4nVy_n z8F{hz?FXig@a`AW&fmE1K1UVbdE$f@bS+R+5| zr+a_>tbX$7Qfxir>g+%A)pr(5kNhp+UY{6M@mFS{^l=?M(H!56YB2}nHg|ZnS8mZ< zUbFkEq0)tqp=nOy*PMm)gzt8vh=&Lwl$`j@Z2bKj^(=I|5&B?0!`)xP(7 zzp(SIZLHZP{5?A_Y4a`7%SSTT&DnP<`1_|jr+V)3PvO*h*LV8FGPmMQb{yG9w5qwz O6qbEsO+7a!xe)+lQI@L! delta 1038 zcmaFD@q}Z7PJODSSE^xZRjMnIXiOIlS{mcNV1 z#E;_P=IMcMsX1u|zLi0l6@~>)#(sgJmhReN&cPW$PHv&zIr`~lUS>(|K?dnuhULjs zMt)}gF6FMC7A0OTnb|2`mii%K=H+F6zCn>$xnXHpF3F|tIZ4Tr;~B-n1KcWuE7CJl z%tH-~oI^?jj0}B^eS$rMjkLpkz00yA%u3w6^Rz4S{WC4NLIcxNTp~Ry^2{vqOicN=%9hk8*TOwY1Dmi*Sla zDl)Gs$}aH=&I>THFgA+{2yyo?ORX~D3ds*BOU}(J&WcJ*uS_c{GA+~hbG7sgO!INe zaCJ$|EcK6YwJ^4fN=l7HkAbkjN;88%1(OH^eX|I612>Pdl+q%zaK&52tifOa0QSY{QUjUvu}Iitvi6Z0|6a(lpa7rwFGU?ex&9 zfZV8%K(5VE&vKS{mbcbF_c+EsFTFXeb%o~USL+PamVEs`OP*=AHlBOP2ujEZ1vsu?ZjQ(UC|Tv&f?$a9J0RR+#Y31 zo8KO0y#lflKMuvK#H>l#H1DWOtfi#%Ouh1;tP{GMw6A;r&NuKD3BKCKSYM*8s&D1^ zady;W(H-@Qzivn6er^}E$=|n$<(brRj@~0npDA^-GW1#UIErsBe7xCy(a%ta>sm{2GeoJ8oP-pyIap2ytkM=XIW@e)a9w( zQg=C-COi^pJ*LN2b=l^s61%p;|v!gcjPw&^? 
L$$I`w Date: Tue, 30 Sep 2025 18:48:03 +0200 Subject: [PATCH 2/4] Started on implementing derek's site --- hosts/lapserv/hardware-configuration.nix | 48 +++++++------- secrets/default.nix | 4 ++ secrets/derek-site.age | Bin 0 -> 995 bytes secrets/secrets.nix | 1 + system/server/default.nix | 1 + system/server/derek-site.nix | 77 +++++++++++++++++++++++ system/server/lib/extractWebOptions.nix | 4 +- 7 files changed, 112 insertions(+), 23 deletions(-) create mode 100644 secrets/derek-site.age create mode 100644 system/server/derek-site.nix diff --git a/hosts/lapserv/hardware-configuration.nix b/hosts/lapserv/hardware-configuration.nix index 282444c..5692d9f 100644 --- a/hosts/lapserv/hardware-configuration.nix +++ b/hosts/lapserv/hardware-configuration.nix @@ -1,17 +1,23 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + boot = { + initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "sd_mod"]; + initrd.kernelModules = []; + kernelModules = ["kvm-intel"]; + extraModulePackages = []; + }; # fileSystems."/" = # { device = "/dev/disk/by-uuid/33b7e681-d92a-40db-a172-b797591a1e2e"; 
@@ -24,20 +30,20 @@ # options = [ "fmask=0022" "dmask=0022" ]; # }; - fileSystems."/" = - { device = "/dev/disk/by-uuid/2ce4b2b1-0083-43b2-bd8d-0e8cd21b1ef6"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/2ce4b2b1-0083-43b2-bd8d-0e8cd21b1ef6"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/AE71-FD70"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/AE71-FD70"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/f5af06e8-e285-4565-abc3-fdd0ddde4736"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-uuid/f5af06e8-e285-4565-abc3-fdd0ddde4736";} + ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/secrets/default.nix b/secrets/default.nix index c1cafa6..ebb6d1c 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -22,6 +22,10 @@ in { file = ./derek-bot.age; owner = "derek-bot"; }; + derek-site = isEnabled "derek-site" { + file = ./derek-bot.age; + owner = "derek-site"; + }; # matrix-registration = isEnabled "matrix" { # file = ./matrix-registration.age; # owner = abstrServiceUser "matrix-continuwuity"; 
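Review bot: The new `derek-site` entry in secrets/default.nix sets `file = ./derek-bot.age;`, so the `derek-site` user would be handed the decrypted derek-bot secret, while the newly added `secrets/derek-site.age` is not used by any secret definition shown here. This looks like a copy-paste slip, and it crosses the secret boundary between the two services; the line should read `file = ./derek-site.age;`. The same hunk appears again in PATCH 4/4 and needs the same correction there.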
diff --git a/secrets/derek-site.age b/secrets/derek-site.age new file mode 100644 index 0000000000000000000000000000000000000000..bab4b4e3d1afd3708a965883cfc91512b76e8c85 GIT binary patch literal 995 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT453Gs|cT^~f$SHO< z$|@-ga7xcBGph{BD=Diia7^+@$uuy{it_d>2`SKbPPA}xb>&J8bW3wFO|2^M&@Xff zD|N3hG|3G&2rG68F>xzREp*PvsdRR9$@Px#u|T)YH!a9K%u&I@EUF|T+&Hw*-y_Mw zC&D?{xirPoG$hl{!pkCDyG-B9SwF|ntjaUW#gi*2Lf;}HFvKV~ATzZr*sr7@%S78T zC(y^)BDo|eqom9z(lpt;&?v~jH4xo4?c}nckaPtjegAMv7c>1_eJ9_D^73F;7n4+@ z%=FBxtODnd3jJJ1L(hO@!_p!**K#hGQtiA@Uw@a3qRfcGvMfViU&Bi0>_X#|44DlaM5&rUTmtH=lo zO3pUXuSn)9D=AB_D$a}yjL7it$PL!cHH*x4ED9-b^~*9a@N!KL^)N{@&h|@mPAW#X zEiACo%pg!9-O@Osw9v)ZUB93t)v_SBEYQ(6CE2{PP~XL^JUGqNvm{Nwve+>*G1P!7 zHNV&^+sG}*ve?yEJ3ZAj&#Wpe)x03j#NX3WKhVV~H#FQg&&SonHP3`gS65fTBgrMK z#5px0sNA%;sG!I@H9RA-s9fJ8G|D(Qved%EJF%iNKQXK{J1U=x+3kywUuNVK$L{v> zb&r^sneWs2M#Q{#L9ke`kJjZt(+fUUsHQg6dGE-i($3U37&SZ zeyuOhp7VAeu{B$LHiz$4Rm$ttC#UrFSuUH_G;huO-kzXCI>#5QUbfAXYA!kRAT7=E z|K0;XqV|5^V$r?bU&3YkjrslFihq(P&ZyJ|_m=MOoVVV)W{c}WCizn~6FGI}E8jg3 z{bc&Q2XB`Cd6~-d^vUlFsjO$)6??kfrm`@FZHajvn$6&z;rH#W80*^1H_d_uRcmz0 zAUp MnqQ+7PE-p503K#-QUCw| literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 66e90da..1fd8855 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -16,6 +16,7 @@ in { "password.age".publicKeys = keys; "jsw-bot.age".publicKeys = keys; "derek-bot.age".publicKeys = keys; + "derek-site.age".publicKeys = keys; "matrix-registration.age".publicKeys = keys; "mail-admin.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys; diff --git a/system/server/default.nix b/system/server/default.nix index 920d92c..06ef7b9 100644 --- a/system/server/default.nix +++ b/system/server/default.nix @@ -7,6 +7,7 @@ in { ./jsw-bot.nix ./caddy.nix ./derek-bot.nix + ./derek-site.nix ./forgejo.nix ./immich.nix ./index diff --git a/system/server/derek-site.nix b/system/server/derek-site.nix new file mode 100644 index 0000000..97f6d43 
--- /dev/null +++ b/system/server/derek-site.nix @@ -0,0 +1,77 @@ +{ + config, + pkgs, + lib, + ... +}: let + name = "derek-site"; + cfg = config.niksos.server.${name}.enable; + + userGroup = name; + gitRepo = "https://github.com/Definitely-Not-A-Dolphin/Geen-Dolfijn"; + + inherit (lib) getExe mkEnableOption mkIf; + bash = getExe pkgs.bash; + + varLib = "/var/lib/"; + mainDir = "${varLib}${userGroup}"; + programDir = "${mainDir}/program"; + denoDir = "${mainDir}/deno"; + + path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.deno pkgs.git]); + run = pkgs.writeShellScriptBin "geen-dolfijn" '' + cd "${programDir}" + export $(grep -v '^#' "${config.age.secrets.${userGroup}.path}" | xargs) + + deno run preview + ''; +in { + options.niksos.server.${name}.enable = mkEnableOption name; + + config = mkIf cfg { + systemd.services.${userGroup} = { + enable = true; + after = ["network.target"]; + wantedBy = ["default.target"]; + description = userGroup; + + environment = { + "DENO_DIR" = denoDir; + "PATH" = lib.mkForce path; + }; + + preStart = '' + export PATH=${path} + + cd "${mainDir}" + chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo + + if [ ! -d "${programDir}" ]; then + git clone "${gitRepo}" "${programDir}" + fi + chmod -R 750 ${mainDir}/* || echo + + cd "${programDir}" + git fetch + git reset --hard origin/HEAD + + DENO_DIR=${denoDir} deno i + ''; + + serviceConfig = { + StateDirectory = userGroup; + ExecStart = getExe run; + User = userGroup; + Group = userGroup; + Restart = "always"; + RuntimeMaxSec = 1 * 60 * 60; # 1h * 60min * 60s + }; + }; + + users.groups.${userGroup} = {}; + users.users.${userGroup} = { + group = userGroup; + isSystemUser = true; + }; + }; +} diff --git a/system/server/lib/extractWebOptions.nix b/system/server/lib/extractWebOptions.nix index 805fea1..cf84dd2 100644 --- a/system/server/lib/extractWebOptions.nix +++ b/system/server/lib/extractWebOptions.nix 
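Review bot: In derek-site.nix, `preStart` runs `git fetch` and `git reset --hard origin/HEAD` against the GitHub repository and then `deno i`, and the unit is restarted at least hourly (`RuntimeMaxSec`), so whatever is on the remote's default branch at that moment is executed on the server with the decrypted secret in its environment. Pinning the checkout to a reviewed commit, e.g. `git reset --hard <pinned-commit>` (placeholder), or building the site from a hash-pinned source in Nix, would make each update an explicit decision. The wrapper's `export $(grep -v '^#' "…" | xargs)` is unquoted, so secret values are subject to word splitting and globbing; assuming the file holds plain `KEY=value` lines, `EnvironmentFile = config.age.secrets.${userGroup}.path;` in `serviceConfig` lets systemd load it without a shell. The `|| echo` after `chown` and `chmod` hides failures, and `bash` is bound but never used. The same file is added again in PATCH 4/4.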
@@ -11,8 +11,8 @@ then "" else "${cfg.subDomain}."; in - cfg // - { + cfg + // { domain = "${subDomain}${baseDomain}"; inherit baseDomain subDomain; } From a0638fdff32b8013ed72155693edfd87fadd66bb Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Tue, 30 Sep 2025 16:49:52 +0000 Subject: [PATCH 3/4] Updated permissions --- system/server/derek-bot.nix | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/system/server/derek-bot.nix b/system/server/derek-bot.nix index 4372258..c27a30f 100644 --- a/system/server/derek-bot.nix +++ b/system/server/derek-bot.nix @@ -80,13 +80,18 @@ in { home = "/home/${userGroup}"; }; security.polkit.extraConfig = '' - polkit.addRule(function(action, subject) { - if (action.id == "org.freedesktop.systemd1.manage-units" && - action.lookup("unit") == "${userGroup}.service" && - subject.user == "${userGroup}") { - return polkit.Result.YES; - } - }); + polkit.addRule(function(action, subject) { + polkit.log("Rule triggered. Action: " + action.id + " Unit: " + action.lookup("unit") + " User: " + subject.user); + + // For journalctl access + if ((action.id == "org.freedesktop.systemd1.manage-units" || + action.id == "org.freedesktop.systemd1.unit-journal") && + action.lookup("unit") == "${userGroup}.service" && + subject.user == "${userGroup}") { + polkit.log("ALLOWING access for " + subject.user); + return polkit.Result.YES; + } + }); polkit.addRule(function(action, subject) { if ( subject.user == "${userGroup}" && From 876c9ee88de2761b2a3606b8ab4ecfaa131e0b81 Mon Sep 17 00:00:00 2001 
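Review bot: The first `polkit.log(...)` call in derek-bot.nix sits above the `if`, so it runs for every polkit authorization request on the host and writes the action id and user name of unrelated users to the log. It reads like debugging output and should be removed or moved inside the matching branch. I could not confirm that `org.freedesktop.systemd1.unit-journal` is an action systemd registers (listing the registered actions with `pkaction` on the host would settle it), and `action.lookup("unit")` is populated for `manage-units` requests, so the added alternative may never match. If journal reading is the goal, that is normally governed by journal file permissions rather than polkit. The second `polkit.addRule` continues past the end of the hunk.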
From: Jurn Wubben Date: Tue, 30 Sep 2025 18:48:03 +0200 Subject: [PATCH 4/4] Started on implementing derek's site --- hosts/lapserv/hardware-configuration.nix | 48 +++++++------- secrets/default.nix | 4 ++ secrets/derek-site.age | Bin 0 -> 995 bytes secrets/secrets.nix | 1 + system/server/default.nix | 1 + system/server/derek-site.nix | 77 +++++++++++++++++++++++ system/server/lib/extractWebOptions.nix | 4 +- 7 files changed, 112 insertions(+), 23 deletions(-) create mode 100644 secrets/derek-site.age create mode 100644 system/server/derek-site.nix diff --git a/hosts/lapserv/hardware-configuration.nix b/hosts/lapserv/hardware-configuration.nix index 282444c..5692d9f 100644 --- a/hosts/lapserv/hardware-configuration.nix +++ b/hosts/lapserv/hardware-configuration.nix @@ -1,17 +1,23 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + config, + lib, + pkgs, + modulesPath, + ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; + boot = { + initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "sd_mod"]; + initrd.kernelModules = []; + kernelModules = ["kvm-intel"]; + extraModulePackages = []; + }; # fileSystems."/" = # { device = "/dev/disk/by-uuid/33b7e681-d92a-40db-a172-b797591a1e2e"; 
@@ -24,20 +30,20 @@ # options = [ "fmask=0022" "dmask=0022" ]; # }; - fileSystems."/" = - { device = "/dev/disk/by-uuid/2ce4b2b1-0083-43b2-bd8d-0e8cd21b1ef6"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/2ce4b2b1-0083-43b2-bd8d-0e8cd21b1ef6"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/AE71-FD70"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/AE71-FD70"; + fsType = "vfat"; + options = ["fmask=0022" "dmask=0022"]; + }; - swapDevices = - [ { device = "/dev/disk/by-uuid/f5af06e8-e285-4565-abc3-fdd0ddde4736"; } - ]; + swapDevices = [ + {device = "/dev/disk/by-uuid/f5af06e8-e285-4565-abc3-fdd0ddde4736";} + ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/secrets/default.nix b/secrets/default.nix index c1cafa6..ebb6d1c 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -22,6 +22,10 @@ in { file = ./derek-bot.age; owner = "derek-bot"; }; + derek-site = isEnabled "derek-site" { + file = ./derek-bot.age; + owner = "derek-site"; + }; # matrix-registration = isEnabled "matrix" { # file = ./matrix-registration.age; # owner = abstrServiceUser "matrix-continuwuity"; 
diff --git a/secrets/derek-site.age b/secrets/derek-site.age new file mode 100644 index 0000000000000000000000000000000000000000..bab4b4e3d1afd3708a965883cfc91512b76e8c85 GIT binary patch literal 995 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT453Gs|cT^~f$SHO< z$|@-ga7xcBGph{BD=Diia7^+@$uuy{it_d>2`SKbPPA}xb>&J8bW3wFO|2^M&@Xff zD|N3hG|3G&2rG68F>xzREp*PvsdRR9$@Px#u|T)YH!a9K%u&I@EUF|T+&Hw*-y_Mw zC&D?{xirPoG$hl{!pkCDyG-B9SwF|ntjaUW#gi*2Lf;}HFvKV~ATzZr*sr7@%S78T zC(y^)BDo|eqom9z(lpt;&?v~jH4xo4?c}nckaPtjegAMv7c>1_eJ9_D^73F;7n4+@ z%=FBxtODnd3jJJ1L(hO@!_p!**K#hGQtiA@Uw@a3qRfcGvMfViU&Bi0>_X#|44DlaM5&rUTmtH=lo zO3pUXuSn)9D=AB_D$a}yjL7it$PL!cHH*x4ED9-b^~*9a@N!KL^)N{@&h|@mPAW#X zEiACo%pg!9-O@Osw9v)ZUB93t)v_SBEYQ(6CE2{PP~XL^JUGqNvm{Nwve+>*G1P!7 zHNV&^+sG}*ve?yEJ3ZAj&#Wpe)x03j#NX3WKhVV~H#FQg&&SonHP3`gS65fTBgrMK z#5px0sNA%;sG!I@H9RA-s9fJ8G|D(Qved%EJF%iNKQXK{J1U=x+3kywUuNVK$L{v> zb&r^sneWs2M#Q{#L9ke`kJjZt(+fUUsHQg6dGE-i($3U37&SZ zeyuOhp7VAeu{B$LHiz$4Rm$ttC#UrFSuUH_G;huO-kzXCI>#5QUbfAXYA!kRAT7=E z|K0;XqV|5^V$r?bU&3YkjrslFihq(P&ZyJ|_m=MOoVVV)W{c}WCizn~6FGI}E8jg3 z{bc&Q2XB`Cd6~-d^vUlFsjO$)6??kfrm`@FZHajvn$6&z;rH#W80*^1H_d_uRcmz0 zAUp MnqQ+7PE-p503K#-QUCw| literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 66e90da..1fd8855 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -16,6 +16,7 @@ in { "password.age".publicKeys = keys; "jsw-bot.age".publicKeys = keys; "derek-bot.age".publicKeys = keys; + "derek-site.age".publicKeys = keys; "matrix-registration.age".publicKeys = keys; "mail-admin.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys; diff --git a/system/server/default.nix b/system/server/default.nix index 920d92c..06ef7b9 100644 --- a/system/server/default.nix +++ b/system/server/default.nix @@ -7,6 +7,7 @@ in { ./jsw-bot.nix ./caddy.nix ./derek-bot.nix + ./derek-site.nix ./forgejo.nix ./immich.nix ./index diff --git a/system/server/derek-site.nix b/system/server/derek-site.nix new file mode 100644 index 0000000..97f6d43 
--- /dev/null +++ b/system/server/derek-site.nix @@ -0,0 +1,77 @@ +{ + config, + pkgs, + lib, + ... +}: let + name = "derek-site"; + cfg = config.niksos.server.${name}.enable; + + userGroup = name; + gitRepo = "https://github.com/Definitely-Not-A-Dolphin/Geen-Dolfijn"; + + inherit (lib) getExe mkEnableOption mkIf; + bash = getExe pkgs.bash; + + varLib = "/var/lib/"; + mainDir = "${varLib}${userGroup}"; + programDir = "${mainDir}/program"; + denoDir = "${mainDir}/deno"; + + path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.deno pkgs.git]); + run = pkgs.writeShellScriptBin "geen-dolfijn" '' + cd "${programDir}" + export $(grep -v '^#' "${config.age.secrets.${userGroup}.path}" | xargs) + + deno run preview + ''; +in { + options.niksos.server.${name}.enable = mkEnableOption name; + + config = mkIf cfg { + systemd.services.${userGroup} = { + enable = true; + after = ["network.target"]; + wantedBy = ["default.target"]; + description = userGroup; + + environment = { + "DENO_DIR" = denoDir; + "PATH" = lib.mkForce path; + }; + + preStart = '' + export PATH=${path} + + cd "${mainDir}" + chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo + + if [ ! -d "${programDir}" ]; then + git clone "${gitRepo}" "${programDir}" + fi + chmod -R 750 ${mainDir}/* || echo + + cd "${programDir}" + git fetch + git reset --hard origin/HEAD + + DENO_DIR=${denoDir} deno i + ''; + + serviceConfig = { + StateDirectory = userGroup; + ExecStart = getExe run; + User = userGroup; + Group = userGroup; + Restart = "always"; + RuntimeMaxSec = 1 * 60 * 60; # 1h * 60min * 60s + }; + }; + + users.groups.${userGroup} = {}; + users.users.${userGroup} = { + group = userGroup; + isSystemUser = true; + }; + }; +} diff --git a/system/server/lib/extractWebOptions.nix b/system/server/lib/extractWebOptions.nix index 805fea1..cf84dd2 100644 --- a/system/server/lib/extractWebOptions.nix +++ b/system/server/lib/extractWebOptions.nix 
@@ -11,8 +11,8 @@ then "" else "${cfg.subDomain}."; in - cfg // - { + cfg + // { domain = "${subDomain}${baseDomain}"; inherit baseDomain subDomain; }