services.bonfire: init

pkgs/by-name/bonfire/update.nix

@@ -47,6 +47,7 @@ in
                 --option sandbox relaxed \
                 --no-link --print-out-paths \
                 --repair \
+                --refresh \
                 -f . \
                 bonfire.${FLAVOUR}.passthru.update.package
         )

profiles/nixos/nginx/reverse-proxy.nix

@@ -0,0 +1,89 @@
+{
+  service,
+  location ? "/",
+  proxyPass ? "http://unix:/run/${service}/socket",
+  recommendedProxySettings ? true,
+  proxyWebsockets ? false,
+  group ? service,
+  virtualHost ? { },
+}:
+
+{
+  lib,
+  config,
+  options,
+  modulesPath,
+  ...
+}:
+
+let
+  cfg = config.services.${service};
+in
+{
+  # Explanation: https://nixos.org/manual/nixos/unstable/#modular-services
+  _class = "nixos";
+
+  options = {
+    services.${service} = {
+      nginx = {
+        enable = lib.mkEnableOption "an Nginx reverse-proxy to ${service}";
+        virtualHost = lib.mkOption {
+          description = ''
+            With this option, you can customize an nginx virtual host which already has sensible defaults for `${service}`.
+            Set to `{}` if you do not need any customization to the virtual host.
+            If enabled, then by default, the {option}`serverName` is
+            `${service}.''${config.networking.domain}`,
+            TLS is active, and certificates are acquired via ACME.
+            If this is set to null (the default), no nginx virtual host will be configured.
+          '';
+          default = { };
+          example = lib.literalExpression ''
+            {
+              enableACME = false;
+              useACMEHost = config.networking.domain;
+            }
+          '';
+          type = lib.types.submodule (
+            lib.recursiveUpdate
+              (import (modulesPath + "/services/web-servers/nginx/vhost-options.nix") {
+                inherit config lib;
+              })
+              {
+                options.serverName = {
+                  default = "${service}.${config.networking.domain}";
+                  defaultText = "${service}.\${config.networking.domain}";
+                };
+              }
+          );
+        };
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.nginx.enable {
+      services.nginx = {
+        enable = true;
+        virtualHosts.${cfg.nginx.virtualHost.serverName} = lib.mkMerge [
+          virtualHost
+          cfg.nginx.virtualHost
+          {
+            forceSSL = lib.mkDefault true;
+            enableACME = lib.mkDefault true;
+            locations.${location} = {
+              proxyPass = lib.mkDefault proxyPass;
+              recommendedProxySettings = lib.mkDefault recommendedProxySettings;
+              proxyWebsockets = lib.mkDefault proxyWebsockets;
+            };
+          }
+        ];
+      };
+    })
+    (lib.optionalAttrs (options ? systemd) {
+      systemd.services.nginx.serviceConfig.SupplementaryGroups = [
+        group
+      ];
+    })
+  ];
+
+}

projects/Bonfire/default.nix

@@ -0,0 +1,68 @@
+{
+  lib,
+  pkgs,
+  sources,
+  ...
+}@args:
+
+{
+  metadata = {
+    summary = "Open-source framework for building federated digital spaces where people can gather, interact, and form communities online";
+    subgrants = {
+      Commons = [ ];
+      Core = [ ];
+      Entrust = [
+        "Bonfire-FederatedGroups"
+        "Bonfire-Framework"
+      ];
+      Review = [
+        "Bonfire"
+      ];
+    };
+    links = {
+      homepage = {
+        text = "Home page";
+        url = "https://bonfirenetworks.org";
+      };
+      repo = {
+        text = "Source code (only the top-level repository)";
+        url = "https://github.com/bonfire-networks/bonfire-app";
+      };
+      docs = {
+        text = "Documentation";
+        url = "https://docs.bonfirenetworks.org/readme.html";
+      };
+    };
+  };
+
+  nixos.modules.services = {
+    bonfire = {
+      name = "service name";
+      module = ./services/bonfire/module.nix;
+      examples."Enable bonfire" = {
+        module = ./services/bonfire/examples/basic.nix;
+        description = ''
+          Usage instructions
+
+          1. Run `nix -L run -f . hydrated-projects.Bonfire.nixos.tests.basic.driverInteractive`
+          2. Open your browser to <http://localhost:4000/signup>
+          3. Create an account.
+        '';
+        tests.basic.module = import ./services/bonfire/tests/basic.nix args;
+      };
+    };
+  };
+
+  nixos.demo.vm = {
+    module = ./services/bonfire/examples/basic.nix;
+    module-demo = ./demo/module-demo.nix;
+    usage-instructions = [
+      {
+        instruction = ''
+          Wait until the service finishes its setup, then visit [http://127.0.0.1:18000](http://127.0.0.1:18000) in your browser
+        '';
+      }
+    ];
+    tests.demo.module = null;
+  };
+}

projects/Bonfire/demo/module-demo.nix

@@ -0,0 +1,26 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.services.bonfire;
+  servicePort = 18000;
+in
+{
+  config = lib.mkIf cfg.enable {
+    programs.bash.interactiveShellInit = ''
+      echo "Bonfire is starting. Please wait ..."
+      until systemctl show bonfire.service | grep -q ActiveState=active; do sleep 1; done
+      echo "Bonfire is ready at http://localhost:${toString servicePort}"
+    '';
+
+    virtualisation.forwardPorts = [
+      {
+        from = "host";
+        host.port = servicePort;
+        guest.port = 80;
+      }
+    ];
+  };
+}

projects/Bonfire/services/bonfire/examples/basic.nix

@@ -0,0 +1,53 @@
+{
+  pkgs,
+  ...
+}:
+{
+  networking.domain = "localdomain";
+
+  services.bonfire = {
+    enable = true;
+
+    settings = {
+      HOSTNAME = "localhost";
+      PUBLIC_PORT = 80;
+    };
+
+    postgresql.enable = true;
+    meilisearch.enable = true;
+
+    nginx = {
+      enable = true;
+      virtualHost = {
+        serverAliases = [
+          "localhost"
+          "localhost.localdomain"
+        ];
+        forceSSL = false;
+        enableACME = false;
+      };
+    };
+  };
+
+  # WARN: !! Don't use this in production !!
+  # Instead, put the secrets directly in the systemd credentials store (`/etc/credstore/`, `/run/credstore/`, ...)
+  # For more information on this topic, see: <https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB>
+  environment.etc = {
+    # openssl rand -hex 128
+    "credstore/bonfire.ENCRYPTION_SALT".text =
+      "fde9939363a25b2696a7cfd738afcb19f82e2212bca4124d2c70102f3809974c618aeaa279e4daa062b53e07e7d14b4297409a582389a94bac247de13da116d76d6644174d21ad3814ddd7269696997447b8c8fb5f75aa757a8f32148708bb38bf0d66f1dd4a206e9ab3b3818f79dc48303c9375fa68210dbd8567f3a5bcf4f2";
+    # openssl rand -hex 25
+    "credstore/bonfire.POSTGRES_PASSWORD".text = "ced4a928ed2305630f7865a160b26bc6ab690c445529340fcf";
+    # openssl rand -hex 40
+    "credstore/bonfire.RELEASE_COOKIE".text =
+      "1255749c5082f5c64d6984231a02095f6273875363008a0a6ed2c413bbd7ed66249eeebf8abbae3d";
+    # openssl rand -hex 128
+    "credstore/bonfire.SECRET_KEY_BASE".text =
+      "0da76ae83b6e2170d3d501ac000dfe96adc820d16cbf54567188f206c9322dcfaf5fac1c5fc6ab742249ff28b69e7b06addc69e02e49290319bb3cc8df0aff920e1f812cf6906ac4711425a7bb7af2f5cf78e03039c8812f04eb2f1ce1ef31a1ff81bc6d4de06ec524171310f6c7fb2ac832f387725842667870081311386b82";
+    # openssl rand -hex 128
+    "credstore/bonfire.SIGNING_SALT".text =
+      "3278f788f120031c3d2b8dc480fce1dba38b6ce3f16de17df443e24c66a689d75e52516beec260a3f3bf53e8637c7e66591126e25a526dd25e3e26383124656eb9ad94441c31f278852a55cfe8083e8a0fef6b061fa8c34cbe26169a3dd43854c719c2ad269449fe9172193b031b5f76c16813fb7ec0a195289b6eb5ccfaa1ca";
+  };
+
+  services.meilisearch.masterKeyFile = pkgs.writeText "meilisearch.masterKeyFile" "675b2c63f569d0bb3f872517b903fa9ea3ddce19d5766c80a8";
+}