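{ config, pkgs, ... }:
# bikemap: renders the GPX tracks pushed to the gitolite "biketracks"
# repository into map tiles and serves them with nginx at bikemap.ctu.cx.
#
# Flow: git push -> gitolite post-receive hook (runs as "git")
#       -> sudo deployScript -> systemctl start deploy-bikemap
#       -> unit runs unprivileged as "bikemap" and refreshes /var/lib/bikemap.
let
  # Fixed wrapper that the gitolite hook may run via sudo. It only starts the
  # oneshot unit and then prints its status; all real work happens inside the
  # unit as the unprivileged "bikemap" user, so the sudo grant below covers
  # nothing beyond this store path. `status` is run unconditionally so that a
  # failed deploy is shown to the pusher and the script exits non-zero.
  deployScript = pkgs.writeShellScript "deploy" ''
    systemctl start deploy-bikemap
    systemctl status deploy-bikemap
  '';
in {
  dns.zones."ctu.cx".subdomains.bikemap.CNAME = [ "${config.networking.fqdn}." ];

  users.users."bikemap" = {
    home = "/var/lib/bikemap";
    group = "git";
    isSystemUser = true;
  };

  # Let the "git" user (gitolite hooks) start the deploy without a password.
  # Only the exact store path of deployScript is permitted. SETENV is not
  # granted: the script reads no environment and the hook passes none, so
  # letting the caller override the environment of a sudo'd command would
  # only widen the grant.
  security.sudo.extraRules = [{
    users = [ "git" ];
    commands = [
      { command = "${deployScript}"; options = [ "NOPASSWD" ]; }
    ];
  }];

  systemd.services.deploy-bikemap = {
    script = ''
      # strict mode
      set -euo pipefail
      IFS=$'\n\t'

      TMP_DIR=$(mktemp -d)
      # Single-quoted so "$TMP_DIR" is expanded when the trap fires, not when
      # it is defined; EXIT also fires on failures under `set -e`. PrivateTmp
      # additionally discards the unit's private /tmp when the unit stops.
      trap 'rm -rf "$TMP_DIR"' EXIT

      ${pkgs.git}/bin/git clone /var/lib/gitolite/repositories/biketracks.git "$TMP_DIR/tracks"
      mkdir "$TMP_DIR/tiles"
      ${pkgs.generateTilesFromGPX}/bin/generateTilesFromGPX "$TMP_DIR/tracks" "$TMP_DIR/tiles"

      # Replace the served tree ($HOME is /var/lib/bikemap, the StateDirectory
      # and nginx root). The site is briefly incomplete between rm and mv.
      rm -rf ~/*
      ln -sf ${pkgs.gpx-map}/index.html ~/index.html
      ln -sf ${pkgs.gpx-map}/bundle.js ~/bundle.js
      mv "$TMP_DIR/tiles" ~/tiles
      echo "{\"lastUpdated\":\"$(date +"%Y-%m-%d %H:%M")\"}" > ~/lastUpdated.json
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "bikemap";
      Group = "git";
      # "~" = home directory of User (/var/lib/bikemap).
      WorkingDirectory = "~";
      StateDirectory = "bikemap";
      # World-readable so nginx (a different user) can serve the tree.
      StateDirectoryMode = "755";
      # Sandboxing: the job only needs local files (git clone from a local
      # path, the nix store, its own state directory); no network, no devices.
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      RestrictAddressFamilies = "none";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      ProtectSystem = "full";
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      DevicePolicy = "closed";
      LockPersonality = true;
    };
  };

  services = {
    # Deploy on every push to the "biketracks" repository only. An `if` is
    # used instead of `[ ... ] && ...` so the hook's exit status stays 0 for
    # pushes to every other repository.
    gitolite.commonHooks.post-receive = ''
      #deploy bikemap
      if [ "$GL_REPO" = "biketracks" ]; then
        sudo ${deployScript}
      fi
    '';

    nginx = {
      enable = true;
      virtualHosts."bikemap.ctu.cx" = {
        enableACME = true;
        forceSSL = true;
        kTLS = true;
        # Serves the tree written by deploy-bikemap; index.html and bundle.js
        # are symlinks into the nix store.
        root = "/var/lib/bikemap/";
      };
    };
  };
}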