Compare commits

...

8 Commits

5 changed files with 245 additions and 18 deletions

View File

@ -16,6 +16,21 @@
"type": "github" "type": "github"
} }
}, },
"my-flake": {
"locked": {
"lastModified": 1670879933,
"narHash": "sha256-V45PH0cnFLilx66x4td5qQnWNn/V/6/6b7FQDIHvdyI=",
"owner": "Jaculabilis",
"repo": "my-flake",
"rev": "2b2cd07a6d971b15fc5f65d6d963d0da551a5892",
"type": "github"
},
"original": {
"owner": "Jaculabilis",
"repo": "my-flake",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1669833724, "lastModified": 1669833724,
@ -35,6 +50,7 @@
"root": { "root": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"my-flake": "my-flake",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
} }

View File

@ -1,5 +1,6 @@
{ {
inputs = { inputs = {
my-flake.url = "github:Jaculabilis/my-flake";
nixpkgs.url = "github:NixOS/nixpkgs?ref=refs/tags/22.11"; nixpkgs.url = "github:NixOS/nixpkgs?ref=refs/tags/22.11";
flake-compat = { flake-compat = {
url = "github:edolstra/flake-compat"; url = "github:edolstra/flake-compat";
@ -7,21 +8,68 @@
}; };
}; };
outputs = { self, nixpkgs, flake-compat }: outputs = { self, my-flake, nixpkgs, flake-compat }:
let let
system = "x86_64-linux"; systems = [ "aarch64-linux" "x86_64-linux" ];
pkgs = nixpkgs.legacyPackages.${system}; each = system:
in let
{ pkgs = (import nixpkgs {
packages.${system}.default = inherit system;
(pkgs.poetry2nix.mkPoetryApplication { overlays = [ self.overlays.default ];
projectDir = ./.; });
}).dependencyEnv; in {
packages.${system} = {
default = self.packages.${system}.inquisitor;
inquisitor = pkgs.inquisitor;
env = pkgs.inquisitor.dependencyEnv;
};
defaultPackage.${system} = self.packages.${system}.default; devShells.${system} = {
default = self.devShells.${system}.inquisitor;
inquisitor = pkgs.mkShell {
buildInputs = [ (pkgs.python3.withPackages (p: [p.poetry])) ];
shellHook = ''
PS1="(inquisitor) $PS1"
'';
};
sources = pkgs.mkShell {
buildInputs = [ self.packages.${system}.env ];
shellHook = ''
PS1="(sources) $PS1"
'';
};
};
devShell.${system} = pkgs.mkShell { checks.${system}.test-module = let
buildInputs = [ (pkgs.python3.withPackages (p: [p.poetry])) ]; test-lib = import "${nixpkgs}/nixos/lib/testing-python.nix" {
inherit system;
};
in
test-lib.makeTest {
name = "inquisitor-test-module";
nodes = {
host = { ... }: {
imports = [ self.nixosModules.default ];
services.inquisitor.enable = true;
};
};
testScript = ''
start_all()
host.wait_for_unit("multi-user.target")
# Check that the setup script ran
host.succeed("[ -e /var/lib/inquisitor ]")
# Check that the service came up
host.succeed("systemctl is-enabled inquisitor")
host.succeed("systemctl is-active inquisitor")
'';
};
}; };
in (my-flake.outputs-for each systems) // {
overlays.default = final: prev: {
inquisitor = final.poetry2nix.mkPoetryApplication {
projectDir = ./.;
};
};
nixosModules.default = import ./module.nix self;
}; };
} }

View File

@ -236,6 +236,11 @@ def command_help(args):
return 0 return 0
def nocommand(args):
print("command required")
return 0
def main(): def main():
"""CLI entry point""" """CLI entry point"""
# Enable piping # Enable piping
@ -283,8 +288,11 @@ def main():
add_logging_handler(verbose=args.verbose, log_filename=None) add_logging_handler(verbose=args.verbose, log_filename=None)
# Execute command # Execute command
if args.command: try:
sys.exit(commands[args.command](args.args)) command = commands.get(args.command, nocommand)
else: sys.exit(command(args.args))
print("command required") except BrokenPipeError:
sys.exit(0) # See https://docs.python.org/3.10/library/signal.html#note-on-sigpipe
devnull = os.open(os.devnull, os.O_WRONLY)
os.dup2(devnull, sys.stdout.fileno())
sys.exit(1)

View File

@ -42,7 +42,8 @@ def read_config_file(config_path):
""" """
# Parse the config file into key-value pairs # Parse the config file into key-value pairs
if not os.path.isfile(config_path): if not os.path.isfile(config_path):
raise FileNotFoundError(f'No config file found at {config_path}')
raise FileNotFoundError(f'No config file found at {config_path}, try setting {CONFIG_ENVVAR}')
accumulated_configs = {} accumulated_configs = {}
current_key = None current_key = None
with open(config_path, 'r', encoding='utf8') as cfg: with open(config_path, 'r', encoding='utf8') as cfg:

154
module.nix Normal file
View File

@ -0,0 +1,154 @@
flake: { config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkOption types;
cfg = config.services.inquisitor;
in
{
options = {
services.inquisitor = {
enable = mkOption {
type = types.bool;
default = true;
description = "Enable the Inquisitor aggregator.";
};
listen.addr = mkOption {
type = types.str;
default = "0.0.0.0";
description = "Listen address passed to nginx.";
};
listen.port = mkOption {
type = types.port;
default = 80;
description = "Listen port passed to nginx.";
};
};
};
config =
let
# Get the inquisitor package from the flake.
inquisitor = flake.packages.${pkgs.stdenv.hostPlatform.system}.env;
# Define the inquisitor state directory.
stateDir = "/var/lib/inquisitor";
# Define an scp helper for item callbacks to use.
scp-helper = pkgs.writeShellScriptBin "scp-helper" ''
${pkgs.openssh}/bin/scp -i ${stateDir}/.ssh/inquisitor.key -oStrictHostKeyChecking=no "$@"
'';
# Define the inquisitor service user.
svcUser = {
name = "inquisitor";
group = "inquisitor";
description = "Inquisitor service user";
isSystemUser = true;
shell = pkgs.bashInteractive;
packages = [ inquisitor pkgs.cron ];
};
# Create a config file pointing to the state directory.
inqConfig = pkgs.writeTextFile {
name = "inquisitor.conf";
text = ''
DataPath = ${stateDir}/data/
SourcePath = ${stateDir}/sources/
CachePath = ${stateDir}/cache/
Verbose = false
LogFile = ${stateDir}/inquisitor.log
'';
};
# Create a setup script to ensure the service directory state.
inqSetup = pkgs.writeShellScript "inquisitor-setup.sh" ''
# Ensure the required directories exist.
${pkgs.coreutils}/bin/mkdir -p ${stateDir}/data/inquisitor/
${pkgs.coreutils}/bin/mkdir -p ${stateDir}/sources/
${pkgs.coreutils}/bin/mkdir -p ${stateDir}/cache/
if [ ! -f ${stateDir}/data/inquisitor/state ]; then
${pkgs.coreutils}/bin/echo "{}" > ${stateDir}/data/inquisitor/state
fi
# Ensure the service owns the folders.
${pkgs.coreutils}/bin/chown -R ${svcUser.name} ${stateDir}
# Ensure the scp helper is present
if [ -f ${stateDir}/scp-helper ]; then
${pkgs.coreutils}/bin/rm ${stateDir}/scp-helper
fi
ln -s -t ${stateDir} ${scp-helper}/bin/scp-helper
'';
# Create a run script for the service.
inqRun = pkgs.writeShellScript "inquisitor-run.sh" ''
cd ${stateDir}
${inquisitor}/bin/gunicorn \
--bind=localhost:24133 \
--workers=4 \
--timeout 120 \
--log-level debug \
"inquisitor.app:wsgi()"
'';
# Create a wrapper to execute the cli as the service user.
# (needed to avoid creating files in the state dir the service can't read)
inqWrapper = pkgs.writeShellScriptBin "inq" ''
sudo --user=${svcUser.name} ${inquisitor}/bin/inquisitor "$@"
'';
in mkIf cfg.enable
{
users.users.inquisitor = svcUser;
users.groups.inquisitor = {};
# Link the config in /etc to avoid envvar shenanigans
environment.etc."inquisitor.conf".source = inqConfig;
# Give all users the wrapper program.
environment.systemPackages = [ inqWrapper ];
# Allow the sudo in the cli wrapper without password.
security.sudo.extraRules = [{
commands = [{
command = "${inquisitor}/bin/inquisitor";
options = [ "NOPASSWD" ];
}];
runAs = svcUser.name;
groups = [ "users" ];
}];
# Run the setup script on activation.
system.activationScripts.inquisitorSetup = "${inqSetup}";
# Set up the inquisitor service.
systemd.services.inquisitor = {
description = "Inquisitor server";
script = "${inqRun}";
serviceConfig = {
User = svcUser.name;
Type = "simple";
};
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
enable = true;
};
# Set up the nginx reverse proxy to the server.
services.nginx.enable = true;
services.nginx.virtualHosts.inquisitorHost = {
listen = [ cfg.listen ];
locations."/".extraConfig = ''
access_log /var/log/nginx/access.inquisitor.log;
proxy_buffering off;
proxy_pass http://localhost:24133/;
'';
};
networking.firewall.allowedTCPPorts = [ cfg.listen.port ];
# Enable cron so the service can use it to schedule fetches.
services.cron.enable = true;
};
}