From 07851e821f6b2c86f351e3713d971d010ca52434 Mon Sep 17 00:00:00 2001 From: Sumner Evans Date: Sun, 29 Dec 2024 21:36:28 -0700 Subject: [PATCH] mineshspc: update Signed-off-by: Sumner Evans --- flake.lock | 40 ++++-------- flake.nix | 5 +- nixos/hosts/mineshspc/default.nix | 102 ++++++++++++++++++++++++------ 3 files changed, 99 insertions(+), 48 deletions(-) diff --git a/flake.lock b/flake.lock index 2b4de80..1f9086a 100644 --- a/flake.lock +++ b/flake.lock @@ -5,15 +5,17 @@ "flake-compat": "flake-compat", "flake-utils": "flake-utils", "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs", + "nixpkgs": [ + "nixpkgs" + ], "stable": "stable" }, "locked": { - "lastModified": 1731527002, - "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", + "lastModified": 1734897875, + "narHash": "sha256-LLpiqfOGBippRax9F33kSJ/Imt8gJXb6o0JwSBiNHCk=", "owner": "zhaofengli", "repo": "colmena", - "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", + "rev": "a6b51f5feae9bfb145daa37fd0220595acb7871e", "type": "github" }, "original": { @@ -104,11 +106,11 @@ ] }, "locked": { - "lastModified": 1715787935, - "narHash": "sha256-pAnGGrugMsrX9stncOhVXxpRwMHx2RuwPYJcZOx6RsM=", + "lastModified": 1735531368, + "narHash": "sha256-oNRZR+atmT01nEolJAlhnjQfQa8aqKzSIURzGwn9buc=", "owner": "ColoradoSchoolOfMines", "repo": "mineshspc.com", - "rev": "70ead8be5edd6cd9da2d594cf62e8f37622c661f", + "rev": "3cba70b616bb93bee018f0f649007caf6d4093b8", "type": "github" }, "original": { 
@@ -140,27 +142,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730785428, - "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1731319897, - "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", + "lastModified": 1735291276, + "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc460ec76cbff0e66e269457d7b728432263166c", + "rev": "634fd46801442d760e09493a794c4f15db2d0cbb", "type": "github" }, "original": { @@ -176,7 +162,7 @@ "flake-utils": "flake-utils_2", "meetbot": "meetbot", "mineshspc": "mineshspc", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" } }, "stable": { diff --git a/flake.nix b/flake.nix index a106550..7277b69 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,10 @@ { description = "Nevarro Infrastructure NixOS deployments"; inputs = { - colmena.url = "github:zhaofengli/colmena"; + colmena = { + url = "github:zhaofengli/colmena"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; flake-utils.url = "github:numtide/flake-utils"; mineshspc = { diff --git a/nixos/hosts/mineshspc/default.nix b/nixos/hosts/mineshspc/default.nix index 5ae59fa..2e15f1c 100644 --- a/nixos/hosts/mineshspc/default.nix +++ b/nixos/hosts/mineshspc/default.nix @@ -1,5 +1,5 @@ { pkgs, ... }: -let dataDir = "/var/lib/mineshspc"; +let minesHSPCDataDir = "/var/lib/mineshspc"; in { imports = [ ./hardware-configuration.nix ]; 
@@ -37,25 +37,87 @@ in { }; }; - systemd.services."mineshspc.com" = { - description = "Mines HSPC Website service"; - requires = [ "network-online.target" "mineshspc_env-key.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - WorkingDirectory = dataDir; - User = "mineshspc"; - Group = "mineshspc"; - ExecStart = "${pkgs.mineshspc}/bin/mineshspc"; - Restart = "on-failure"; - EnvironmentFile = "/run/keys/mineshspc_env"; - }; - environment = { - MINESHSPC_DOMAIN = "https://mineshspc.com"; - MINESHSPC_HOSTED_BY_HTML = '' + systemd.services = let + yamlFormat = pkgs.formats.yaml { }; + siteConfig = { + database = { + type = "sqlite3"; + uri = "${minesHSPCDataDir}/mineshspc.db?_txlock=immediate"; + }; + sendgrid_api_key = "$MINESHSPC_SENDGRID_API_KEY"; + healthcheck_url = "$MINESHSPC_HEALTHCHECK_URL"; + hosted_by_html = '' Hosting provided by Nevarro LLC. - Check the site status. + Check the site status. + ''; + domain = "https://mineshspc.com"; + + jwt_secret_key = "$MINESHSPC_JWT_SECRET_KEY"; + + recaptcha = { + site_key = "$MINESHSPC_RECAPTCHA_SITE_KEY"; + secret_key = "$MINESHSPC_RECAPTCHA_SECRET_KEY"; + }; + + logging = { + min_level = "debug"; + writers = [{ + type = "stdout"; + format = "pretty-colored"; + }]; + }; + }; + unsubstituted = + yamlFormat.generate "mineshspc.com.unsubstituted.config" siteConfig; + in { + "mineshspc.com.config" = { + description = "Mines HSPC website config generation service"; + path = [ pkgs.yq pkgs.envsubst ]; + serviceConfig = { + Type = "oneshot"; + + User = "mineshspc"; + Group = "mineshspc"; + + SystemCallFilter = [ "@system-service" ]; + + ProtectSystem = "strict"; + ProtectHome = true; + + ReadWritePaths = minesHSPCDataDir; + StateDirectory = minesHSPCDataDir; + EnvironmentFile = "/run/keys/mineshspc_env"; + }; + script = '' + envsubst \ + -o '${minesHSPCDataDir}/config.yaml' \ + -i '${unsubstituted}' ''; - # MINESHSPC_REGISTRATION_ENABLED = "1"; + restartTriggers = [ unsubstituted ]; + }; + "mineshspc.com" = 
{ + description = "Mines HSPC Website service"; + requires = [ + "network-online.target" + "mineshspc_env-key.service" + "mineshspc.com.config.service" + ]; + after = [ + "network-online.target" + "mineshspc_env-key.service" + "mineshspc.com.config.service" + ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + WorkingDirectory = minesHSPCDataDir; + User = "mineshspc"; + Group = "mineshspc"; + ExecStart = + "${pkgs.mineshspc}/bin/mineshspc -config ${minesHSPCDataDir}/config.yaml"; + Restart = "on-failure"; + EnvironmentFile = "/run/keys/mineshspc_env"; + }; + restartTriggers = [ unsubstituted ]; }; }; @@ -63,7 +125,7 @@ in { users.mineshspc = { group = "mineshspc"; isSystemUser = true; - home = dataDir; + home = minesHSPCDataDir; createHome = true; }; groups.mineshspc = { }; @@ -72,7 +134,7 @@ in { services.backup = { healthcheckId = "e3b7948f-42cd-4571-a400-f77401d7dc56"; healthcheckPruneId = "197d3821-bbf0-4081-b388-8d9dc1c2f11f"; - backups.mineshspc.path = dataDir; + backups.mineshspc.path = minesHSPCDataDir; }; services.healthcheck = {
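Review bot: The rendered `${minesHSPCDataDir}/config.yaml` puts the SendGrid, JWT and reCAPTCHA secrets from `/run/keys/mineshspc_env` onto persistent disk, inside the directory that `backups.mineshspc.path` (last hunk of this file) backs up, and the `mineshspc.com.config` unit sets no umask, so the file mode is whatever the service default gives. I would add `UMask = "0077";` to that unit's `serviceConfig`, and either exclude `config.yaml` from the backup or treat the backup as secret-bearing. The `envsubst` call also replaces any variable missing from the env file with an empty string, so a typo there would silently produce an empty `jwt_secret_key`; if `pkgs.envsubst` is the a8m implementation, adding `-no-unset -no-empty` makes the oneshot fail instead. Separately, `StateDirectory = minesHSPCDataDir;` passes an absolute path where systemd expects a name relative to `/var/lib`, e.g. `StateDirectory = "mineshspc";`.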