added van inventory serves

2026-04-17 13:08:19 -04:00 · 2026-03-08 16:06:09 -04:00
parent b7bce0bcb9
commit 82851eb287
6 changed files with 281 additions and 35 deletions
--- a/systems/brain/services/postgress.nix
+++ b/systems/brain/services/postgress.nix
@@ -11,18 +11,16 @@
    authentication = pkgs.lib.mkOverride 10 ''

      # admins
-      local all  postgres   trust
-      host  all  postgres   127.0.0.1/32    trust
-      host  all  postgres   ::1/128         trust 
-
-      local all  richie   trust
+      local all  richie   peer
      host  all  richie   127.0.0.1/32    trust
      host  all  richie   ::1/128         trust
      host  all  richie   192.168.90.1/24 trust
      host  all  richie   192.168.99.1/24 trust

+      local van_inventory van_inventory peer
+
      #type database DBuser origin-address auth-method
-      local hass     hass     trust
+      local hass     hass     peer

      # ipv4
      host  hass     hass     192.168.90.1/24 trust
@@ -62,6 +60,13 @@
          replication = true;
        };
      }
+      {
+        name = "van_inventory";
+        ensureDBOwnership = true;
+        ensureClauses = {
+          login = true;
+        };
+      }
      {
        name = "hass";
        ensureDBOwnership = true;
--- a/systems/brain/services/van_inventory.nix
+++ b/systems/brain/services/van_inventory.nix
@@ -0,0 +1,46 @@
+{
+  pkgs,
+  inputs,
+  ...
+}:
+{
+  networking.firewall.allowedTCPPorts = [ 8001 ];
+
+  users.users.van_inventory = {
+    isSystemAccount = true;
+    group = "van_inventory";
+  };
+  users.groups.van_inventory = { };
+
+  systemd.services.van_inventory = {
+    description = "Van Inventory API";
+    after = [
+      "network.target"
+      "postgresql.service"
+    ];
+    requires = [ "postgresql.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      PYTHONPATH = "${inputs.self}/";
+      VAN_INVENTORY_DB = "van_inventory";
+      VAN_INVENTORY_USER = "van_inventory";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      User = "van_inventory";
+      Group = "van_inventory";
+      ExecStart = "${pkgs.my_python}/bin/python -m python.van_inventory.main --host 0.0.0.0 --port 8001";
+      Restart = "on-failure";
+      RestartSec = "5s";
+      StandardOutput = "journal";
+      StandardError = "journal";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = "read-only";
+      PrivateTmp = true;
+      ReadOnlyPaths = [ "${inputs.self}" ];
+    };
+  };
+}