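{ config, pkgs, ... }:

let
  # Privilege boundary: this is the only command the `git` user may run via
  # sudo. It does nothing but kick the oneshot unit and report its status, so
  # a push hook can trigger a rebuild without ever holding root itself.
  deployScript = pkgs.writeShellScript "deploy" ''
    systemctl start deploy-bikemap
    systemctl status deploy-bikemap
  '';
in
{
  # Publish bikemap.ctu.cx as an alias of this host's FQDN.
  dns.zones."ctu.cx".subdomains.bikemap.CNAME = [ "${config.networking.fqdn}." ];

  # Dedicated system user; membership in `git` is what lets it read the
  # gitolite repository during the clone below.
  users.users."bikemap" = {
    home = "/var/lib/bikemap";
    group = "git";
    isSystemUser = true;
  };

  # Let the gitolite post-receive hook start the deploy without a password.
  # NOTE(review): `SETENV` lets the caller carry its environment through
  # sudo; deployScript only calls systemctl and does not need it, so this
  # option can likely be dropped — confirm nothing relies on it.
  security.sudo.extraRules = [{
    users = [ "git" ];
    commands = [
      {
        command = "${deployScript}";
        options = [ "SETENV" "NOPASSWD" ];
      }
    ];
  }];

  # Oneshot unit that rebuilds the static map site from the biketracks repo.
  # Runs unprivileged as bikemap:git with a hardened sandbox; only its home
  # directory (the nginx document root) is written.
  systemd.services.deploy-bikemap = {
    script = ''
      # strict mode
      set -euo pipefail
      IFS=$'\n\t'

      # Scratch directory for the clone and the generated tiles; always
      # removed on exit, including after an error (ERR) or a signal.
      # Single-quoted so "$TMP_DIR" is expanded when the trap fires, not when
      # it is installed, and stays safe for paths containing spaces.
      TMP_DIR=$(mktemp -d)
      trap 'rm -rf "$TMP_DIR"' SIGINT SIGTERM ERR EXIT

      # Local clone (no network needed; RestrictAddressFamilies=none below).
      ${pkgs.git}/bin/git clone /var/lib/gitolite/repositories/biketracks.git "$TMP_DIR/tracks"
      mkdir "$TMP_DIR/tiles"
      ${pkgs.generateTilesFromGPX}/bin/generateTilesFromGPX "$TMP_DIR/tracks" "$TMP_DIR/tiles"

      # Tiles are generated before the old site is cleared, so a failure above
      # leaves the previous deployment in place. The glob skips dotfiles, so
      # anything hidden in ~ survives and is still served by nginx.
      rm -rf ~/*
      ln -sf ${pkgs.gpx-map}/index.html ~/index.html
      ln -sf ${pkgs.gpx-map}/bundle.js ~/bundle.js
      mv "$TMP_DIR/tiles" ~/tiles
      # Build timestamp consumed by the frontend.
      echo "{\"lastUpdated\":\"$(date +"%Y-%m-%d %H:%M")\"}" > ~/lastUpdated.json
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "bikemap";
      Group = "git";
      WorkingDirectory = "~";
      # /var/lib/bikemap, world-readable so nginx can serve it.
      StateDirectory = "bikemap";
      StateDirectoryMode = "755";
      # Sandboxing: no privilege escalation, private /tmp and /dev, no
      # sockets of any family, no namespaces, read-only system tree.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      RestrictAddressFamilies = "none";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      ProtectSystem = "full";
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      DevicePolicy = "closed";
      LockPersonality = true;
    };
  };

  services = {
    # Runs for every repository; only pushes to biketracks trigger a deploy.
    # Written as an explicit `if` so the hook exits 0 for other repositories
    # instead of ending on a failed `&&` list.
    gitolite.commonHooks.post-receive = ''
      #deploy bikemap
      if [ "$GL_REPO" == "biketracks" ]; then
        sudo ${deployScript}
      fi
    '';
    nginx = {
      enable = true;
      virtualHosts."bikemap.ctu.cx" = {
        enableACME = true;
        forceSSL = true;
        kTLS = true;
        # Serves the bikemap home directory populated by deploy-bikemap.
        root = "/var/lib/bikemap/";
      };
    };
  };
}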