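# NixOS module for the Inquisitor service: fetches and builds the package,
# provisions its state under /var/lib/inquisitor, runs the server as a
# dedicated system user behind an nginx reverse proxy, and gives interactive
# users an `inq` wrapper that runs the CLI as that service user.
{pkgs, ...}:
let
  # Import the inquisitor package and build it (pinned by rev + sha256)
  inquisitorSource = pkgs.fetchFromGitHub {
    owner = "Jaculabilis";
    repo = "Inquisitor";
    rev = "a6d961aba948d3a682dbde12dbaa8805eadbbd84";
    sha256 = "10n6c5zvi27f92b7am0rrdizxz0mlp3rw1y1jyd44b57ykk7x6fr";
  };
  inquisitor = pkgs.callPackage inquisitorSource {};
  # Define the inquisitor data directory
  inquisiDir = "/var/lib/inquisitor";
  # Define an scp helper for executing in cron jobs.
  # Host keys are pinned in a known_hosts file inside the data directory
  # (which the service user owns, so ssh can write to it): the first contact
  # with a host records its key and any later mismatch makes the transfer
  # fail instead of silently trusting a different host. To re-key a host,
  # delete its line from /var/lib/inquisitor/known_hosts.
  scp-helper = pkgs.writeShellScriptBin "scp-helper" ''
    ${pkgs.openssh}/bin/scp \
      -i ${inquisiDir}/inquisitor.key \
      -oStrictHostKeyChecking=accept-new \
      -oUserKnownHostsFile=${inquisiDir}/known_hosts \
      "$@"
  '';
  # Define the inquisitor service user
  # NOTE(review): newer NixOS releases require `group` to be set for system
  # users -- confirm against the target release.
  inquisitorUser = {
    name = "inquisitor";
    description = "Inquisitor service user";
    isSystemUser = true;
    shell = pkgs.bashInteractive;
    packages = [ inquisitor pkgs.cron ];
  };
  # Create the inquisitor config file in the nix store, pointing to /var/lib/
  inquisitorConfig = pkgs.writeTextFile {
    name = "inquisitor.conf";
    text = ''
      DataPath = ${inquisiDir}/data/
      SourcePath = ${inquisiDir}/sources/
      CachePath = ${inquisiDir}/cache/
      Verbose = false
      LogFile = ${inquisiDir}/inquisitor.log
    '';
  };
  # Create a setup script to ensure the service directory state.
  # Runs as root at activation time (system.activationScripts below), so every
  # binary is referenced by its store path rather than resolved from PATH.
  inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
    # Ensure the service directory and the default source directory
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
    if [ ! -f ${inquisiDir}/data/inquisitor/state ]; then
      ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
    fi
    # Ensure the service owns the folders
    ${pkgs.coreutils}/bin/chown -R ${inquisitorUser.name} ${inquisiDir}
    # The scp key is provisioned out of band; when present, keep it owner-only
    # readable, since ssh refuses to use a private key readable by others
    if [ -f ${inquisiDir}/inquisitor.key ]; then
      ${pkgs.coreutils}/bin/chmod 600 ${inquisiDir}/inquisitor.key
    fi
    # Ensure the scp helper is present (-f replaces a stale link from an
    # earlier generation, -n keeps ln from descending into an existing link)
    ${pkgs.coreutils}/bin/ln -sfn ${scp-helper}/bin/scp-helper ${inquisiDir}/scp-helper
  '';
  # Create a run script for the server.
  # Bound to loopback only; external traffic reaches it through the nginx
  # proxy configured below.
  inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
    cd ${inquisiDir}
    ${inquisitor}/bin/gunicorn \
      --bind=localhost:24133 \
      --workers=4 \
      --timeout 120 \
      --log-level debug \
      "inquisitor.app:wsgi()"
  '';
  # Create a wrapper to execute the cli as the service user.
  # `sudo` is deliberately resolved from PATH: on NixOS the setuid binary is
  # the wrapper in /run/wrappers/bin, not the one in the nix store.
  inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
    sudo --user=${inquisitorUser.name} ${inquisitor}/bin/inquisitor "$@"
  '';
in
{
  users.users.inquisitor = inquisitorUser;
  # Link the config in /etc to avoid envvar shenanigans
  environment.etc."inquisitor.conf".source = "${inquisitorConfig}";

  # Give all users the inq wrapper
  environment.systemPackages = [ inquisitorWrapper ];
  # Allow the sudo in the cli wrapper without password.
  # Privilege boundary: every member of "users" can run the CLI with the
  # service user's permissions over /var/lib/inquisitor. The rule is pinned
  # to the exact store path of the CLI, so no other command is granted.
  security.sudo.extraRules = [{
    commands = [{
      command = "${inquisitor}/bin/inquisitor";
      options = [ "NOPASSWD" ];
    }];
    runAs = "${inquisitorUser.name}";
    groups = [ "users" ];
  }];
  # Run the setup script on activation
  system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
  # Set up the inquisitor service
  systemd.services.inquisitor =
  {
    description = "Inquisitor server";
    script = "${inquisitorRun}/bin/inquisitor-run.sh";
    serviceConfig = {
      User = "${inquisitorUser.name}";
      Type = "simple";
    };
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    enable = true;
  };
  # Set up nginx to reverse proxy from the beatific url to the inq server.
  # Plain HTTP only: this vhost configures no TLS.
  services.nginx.enable = true;
  services.nginx.virtualHosts.inquisitorHost = {
    listen = [ { addr = "10.7.3.99"; port = 80; } ];
    locations."/".extraConfig = ''
      access_log /var/log/nginx/access.inquisitor.log;
      proxy_buffering off;
      proxy_pass http://localhost:24133/;
    '';
  };
  # Allow nginx through the firewall
  networking.firewall = {
    allowedTCPPorts = [
      80 # http
      443 # https -- no vhost in this file listens here; kept for other modules
    ];
  };
  # Enable cron, but don't set up any system cron jobs
  # Inquisitor updates will be managed manually
  services.cron.enable = true;
}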