Compare commits
No commits in common. "10f8246ac44223aaa8cfd2955d47fc8ea17d51b8" and "dd3a8016d3148681886c9a2bba465d5eab85a0ac" have entirely different histories.
10f8246ac4
...
dd3a8016d3
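--- a/flake.lock
+++ b/flake.lock
@@ -16,21 +16,6 @@
 "type": "github"
 }
 },
-"my-flake": {
-"locked": {
-"lastModified": 1670879933,
-"narHash": "sha256-V45PH0cnFLilx66x4td5qQnWNn/V/6/6b7FQDIHvdyI=",
-"owner": "Jaculabilis",
-"repo": "my-flake",
-"rev": "2b2cd07a6d971b15fc5f65d6d963d0da551a5892",
-"type": "github"
-},
-"original": {
-"owner": "Jaculabilis",
-"repo": "my-flake",
-"type": "github"
-}
-},
 "nixpkgs": {
 "locked": {
 "lastModified": 1669833724,
@@ -50,7 +35,6 @@
 "root": {
 "inputs": {
 "flake-compat": "flake-compat",
-"my-flake": "my-flake",
 "nixpkgs": "nixpkgs"
 }
 }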
28
flake.nix
28
flake.nix
|
@ -1,6 +1,5 @@
|
||||||
{
|
{
|
||||||
inputs = {
|
inputs = {
|
||||||
my-flake.url = "github:Jaculabilis/my-flake";
|
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs?ref=refs/tags/22.11";
|
nixpkgs.url = "github:NixOS/nixpkgs?ref=refs/tags/22.11";
|
||||||
flake-compat = {
|
flake-compat = {
|
||||||
url = "github:edolstra/flake-compat";
|
url = "github:edolstra/flake-compat";
|
||||||
|
@ -8,30 +7,21 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, my-flake, nixpkgs, flake-compat }:
|
outputs = { self, nixpkgs, flake-compat }:
|
||||||
let
|
|
||||||
systems = [ "aarch64-linux" "x86_64-linux" ];
|
|
||||||
each = system:
|
|
||||||
let
|
let
|
||||||
|
system = "x86_64-linux";
|
||||||
pkgs = nixpkgs.legacyPackages.${system};
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
packages.${system}.default = (import nixpkgs {
|
packages.${system}.default =
|
||||||
inherit system;
|
(pkgs.poetry2nix.mkPoetryApplication {
|
||||||
overlays = [ self.overlays.default ];
|
projectDir = ./.;
|
||||||
}).inquisitor;
|
}).dependencyEnv;
|
||||||
|
|
||||||
devShells.${system}.default = pkgs.mkShell {
|
defaultPackage.${system} = self.packages.${system}.default;
|
||||||
|
|
||||||
|
devShell.${system} = pkgs.mkShell {
|
||||||
buildInputs = [ (pkgs.python3.withPackages (p: [p.poetry])) ];
|
buildInputs = [ (pkgs.python3.withPackages (p: [p.poetry])) ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in (my-flake.outputs-for each systems) //
|
|
||||||
{
|
|
||||||
overlays.default = final: prev: {
|
|
||||||
inquisitor = (final.poetry2nix.mkPoetryApplication {
|
|
||||||
projectDir = ./.;
|
|
||||||
}).dependencyEnv;
|
|
||||||
};
|
|
||||||
nixosModules.default = import ./module.nix self;
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
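Review bot: `defaultPackage.${system}` and `devShell.${system}` on the new side are the legacy flake output names, which newer Nix releases flag as deprecated. The package is already exposed as `packages.${system}.default`, so the `defaultPackage` alias can be dropped and the shell written as `devShells.${system}.default = pkgs.mkShell {`. The new `system = "x86_64-linux";` binding also limits every output to one platform, where the old side listed aarch64-linux as well. If that narrowing is intended, a comment next to the binding such as `# only x86_64-linux is built and tested` would record it.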
|
@ -42,8 +42,7 @@ def read_config_file(config_path):
|
||||||
"""
|
"""
|
||||||
# Parse the config file into key-value pairs
|
# Parse the config file into key-value pairs
|
||||||
if not os.path.isfile(config_path):
|
if not os.path.isfile(config_path):
|
||||||
|
raise FileNotFoundError(f'No config file found at {config_path}')
|
||||||
raise FileNotFoundError(f'No config file found at {config_path}, try setting {CONFIG_ENVVAR}')
|
|
||||||
accumulated_configs = {}
|
accumulated_configs = {}
|
||||||
current_key = None
|
current_key = None
|
||||||
with open(config_path, 'r', encoding='utf8') as cfg:
|
with open(config_path, 'r', encoding='utf8') as cfg:
|
||||||
|
|
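Review bot: The `os.path.isfile(config_path)` guard above the changed `raise` reports every failure as "No config file found", including a path that exists but is a directory. It also leaves a gap before the `open` a few lines below, in which the file can be removed or replaced and surface a differently worded error. Opening first and translating the exception gives one failure path: `try: cfg = open(config_path, 'r', encoding='utf8')` followed by `except FileNotFoundError as e: raise FileNotFoundError(f'No config file found at {config_path}') from e`. read_config_file starts before this hunk and continues past it, so the later use of the handle is not visible here.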
154
module.nix
154
module.nix
|
@ -1,154 +0,0 @@
|
||||||
flake: { config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
inherit (lib) mkIf mkOption types;
|
|
||||||
|
|
||||||
cfg = config.services.inquisitor;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options = {
|
|
||||||
services.inquisitor = {
|
|
||||||
enable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = "Enable the Inquisitor aggregator.";
|
|
||||||
};
|
|
||||||
|
|
||||||
listen.addr = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "0.0.0.0";
|
|
||||||
description = "Listen address passed to nginx.";
|
|
||||||
};
|
|
||||||
|
|
||||||
listen.port = mkOption {
|
|
||||||
type = types.port;
|
|
||||||
default = 80;
|
|
||||||
description = "Listen port passed to nginx.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config =
|
|
||||||
let
|
|
||||||
# Get the inquisitor package from the flake.
|
|
||||||
inquisitor = flake.packages.${pkgs.system}.default;
|
|
||||||
|
|
||||||
# Define the inquisitor state directory.
|
|
||||||
stateDir = "/var/lib/inquisitor";
|
|
||||||
|
|
||||||
# Define an scp helper for item callbacks to use.
|
|
||||||
scp-helper = pkgs.writeShellScriptBin "scp-helper" ''
|
|
||||||
${pkgs.openssh}/bin/scp -i ${stateDir}/.ssh/inquisitor.key -oStrictHostKeyChecking=no "$@"
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Define the inquisitor service user.
|
|
||||||
svcUser = {
|
|
||||||
name = "inquisitor";
|
|
||||||
group = "inquisitor";
|
|
||||||
description = "Inquisitor service user";
|
|
||||||
isSystemUser = true;
|
|
||||||
shell = pkgs.bashInteractive;
|
|
||||||
packages = [ inquisitor pkgs.cron ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Create a config file pointing to the state directory.
|
|
||||||
inqConfig = pkgs.writeTextFile {
|
|
||||||
name = "inquisitor.conf";
|
|
||||||
text = ''
|
|
||||||
DataPath = ${stateDir}/data/
|
|
||||||
SourcePath = ${stateDir}/sources/
|
|
||||||
CachePath = ${stateDir}/cache/
|
|
||||||
Verbose = false
|
|
||||||
LogFile = ${stateDir}/inquisitor.log
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
# Create a setup script to ensure the service directory state.
|
|
||||||
inqSetup = pkgs.writeShellScript "inquisitor-setup.sh" ''
|
|
||||||
# Ensure the required directories exist.
|
|
||||||
${pkgs.coreutils}/bin/mkdir -p ${stateDir}/data/inquisitor/
|
|
||||||
${pkgs.coreutils}/bin/mkdir -p ${stateDir}/sources/
|
|
||||||
${pkgs.coreutils}/bin/mkdir -p ${stateDir}/cache/
|
|
||||||
if [ ! -f ${stateDir}/data/inquisitor/state ]; then
|
|
||||||
${pkgs.coreutils}/bin/echo "{}" > ${stateDir}/data/inquisitor/state
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Ensure the service owns the folders.
|
|
||||||
${pkgs.coreutils}/bin/chown -R ${svcUser.name} ${stateDir}
|
|
||||||
|
|
||||||
# Ensure the scp helper is present
|
|
||||||
if [ -f ${stateDir}/scp-helper ]; then
|
|
||||||
${pkgs.coreutils}/bin/rm ${stateDir}/scp-helper
|
|
||||||
fi
|
|
||||||
ln -s -t ${stateDir}/scp-helper ${scp-helper}/bin/scp-helper
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Create a run script for the service.
|
|
||||||
inqRun = pkgs.writeShellScript "inquisitor-run.sh" ''
|
|
||||||
cd ${stateDir}
|
|
||||||
${inquisitor}/bin/gunicorn \
|
|
||||||
--bind=localhost:24133 \
|
|
||||||
--workers=4 \
|
|
||||||
--timeout 120 \
|
|
||||||
--log-level debug \
|
|
||||||
"inquisitor.app:wsgi()"
|
|
||||||
'';
|
|
||||||
|
|
||||||
# Create a wrapper to execute the cli as the service user.
|
|
||||||
# (needed to avoid creating files in the state dir the service can't read)
|
|
||||||
inqWrapper = pkgs.writeShellScriptBin "inq" ''
|
|
||||||
sudo --user=${svcUser.name} ${inquisitor}/bin/inquisitor "$@"
|
|
||||||
'';
|
|
||||||
in mkIf cfg.enable
|
|
||||||
{
|
|
||||||
users.users.inquisitor = svcUser;
|
|
||||||
users.groups.inquisitor = {};
|
|
||||||
|
|
||||||
# Link the config in /etc to avoid envvar shenanigans
|
|
||||||
environment.etc."inquisitor.conf".source = inqConfig;
|
|
||||||
|
|
||||||
# Give all users the wrapper program.
|
|
||||||
environment.systemPackages = [ inqWrapper ];
|
|
||||||
# Allow the sudo in the cli wrapper without password.
|
|
||||||
security.sudo.extraRules = [{
|
|
||||||
commands = [{
|
|
||||||
command = "${inquisitor}/bin/inquisitor";
|
|
||||||
options = [ "NOPASSWD" ];
|
|
||||||
}];
|
|
||||||
runAs = svcUser.name;
|
|
||||||
groups = [ "users" ];
|
|
||||||
}];
|
|
||||||
|
|
||||||
# Run the setup script on activation.
|
|
||||||
system.activationScripts.inquisitorSetup = "${inqSetup}";
|
|
||||||
|
|
||||||
# Set up the inquisitor service.
|
|
||||||
systemd.services.inquisitor = {
|
|
||||||
description = "Inquisitor server";
|
|
||||||
script = "${inqRun}";
|
|
||||||
serviceConfig = {
|
|
||||||
User = svcUser.name;
|
|
||||||
Type = "simple";
|
|
||||||
};
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
after = [ "network.target" ];
|
|
||||||
enable = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
# Set up the nginx reverse proxy to the server.
|
|
||||||
services.nginx.enable = true;
|
|
||||||
services.nginx.virtualHosts.inquisitorHost = {
|
|
||||||
listen = [ cfg.listen ];
|
|
||||||
locations."/".extraConfig = ''
|
|
||||||
access_log /var/log/nginx/access.inquisitor.log;
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_pass http://localhost:24133/;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
networking.firewall.allowedTCPPorts = [ cfg.listen.port ];
|
|
||||||
|
|
||||||
# Enable cron so the service can use it to schedule fetches.
|
|
||||||
services.cron.enable = true;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|