configuration-standalone.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ lib, config, pkgs, fetchgit, ... }:
{
  imports = [
    passopolis/service.nix
  ];
  services = {
    passopolis = {
      enable = true;
    };
    postgresql = {
      enable = true;
      authentication = ''
local all all trust
host  all all 127.0.0.1/32 trust
      '';
    };
  };
  users.users.root.initialPassword = "root";
}

pkg.nix

with import <nixpkgs> {}; # bring all of Nixpkgs into scope

antBuild {
  name = "passopolis-unstable-2016-05-07";

  src = fetchgit {
    url = "https://github.com/WeAreWizards/passopolis-server";
    sha256 = "0ywmymbjcfsxv1p1j0l0lw9cb7f79h23ic1c4b5w5nb0k9f4zvfq";
    rev = "b827b3a6176e050deb729009676fad7e86e5393a";
    leaveDotGit = true;
  };

  buildInputs = [ git python ];
  antTargets = [ "jar" ];

  meta = {
    homepage = "https://github.com/WeAreWizards/passopolis-server";
    description = "A well-designed, well-functioning and secure secret manager.";
    license = stdenv.lib.licenses.gpl3;
  };
}

service.nix

{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.services.passopolis;
in {
  ###### interface

  options = {

    services.passopolis = {

      enable = mkEnableOption "Passopolis";

      user = mkOption {
        type = types.str;
        default = "passopolis";
        description = "User account under which passopolis runs.";
      };

      statePath = mkOption {
        type = types.str;
        default = "/var/passopolis";
        description = "The state directory";
      };

      databaseHost = mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = "Database hostname";
      };

      databaseName = mkOption {
        type = types.str;
        default = "passopolis";
        description = "Database name";
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    users.extraUsers.passopolis =
    {
      name = cfg.user;
      description = "Passopolis service user";
    };

    systemd.services.passopolis =
    {
      description = "Passopolis service";
      after = [ "network.target" "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [
        config.services.postgresql.package
      ];
      preStart = ''
      mkdir -p ${cfg.statePath}
      chown ${cfg.user} ${cfg.statePath}
      if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
        if ! test -e "${cfg.statePath}/db-created"; then
          psql postgres -c "CREATE ROLE ${cfg.user} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER"
          ${config.services.postgresql.package}/bin/createdb --owner ${cfg.user} ${cfg.databaseName} || true
          touch "${cfg.statePath}/db-created"
        fi
      fi
      '';

      serviceConfig = {
        PermissionsStartOnly = true; # preStart must be run as root
        Type = "simple";
        ExecStart = "${pkgs.jre}/bin/java -version";
        #ExecStart = "${pkgs.jre}/bin/java -DgenerateSecretsForTest=true -Ddatabase_url=jdbc:postgresql://${cfg.databaseHost}:5432/${cfg.databaseName} -ea -jar ${pkgs.passopolis}/share/java/mitrocore.jar";
        User = cfg.user;
      };
    };
  };
}