Replace inquisitor with intake
This commit is contained in:
parent
f5faefb5e5
commit
820417819f
@ -12,7 +12,6 @@
|
||||
#./redstring.nix
|
||||
./catacomb.nix
|
||||
./gitea.nix
|
||||
./inquisitor.nix
|
||||
];
|
||||
|
||||
beatific.hostName = "empyrean";
|
||||
@ -94,7 +93,7 @@
|
||||
};
|
||||
|
||||
services.intake = {
|
||||
listen = { addr = "10.22.20.1"; port = 5234; };
|
||||
listen = { addr = "10.22.20.1"; };
|
||||
users.tvb.enable = true;
|
||||
users.tvb.extraPackages = [ pkgs.intakeSources pkgs.openssh ];
|
||||
};
|
||||
@ -105,7 +104,6 @@
|
||||
80 # http
|
||||
443 # https
|
||||
655 # tinc
|
||||
5234# intake
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
655 # tinc
|
||||
|
@ -1,138 +0,0 @@
|
||||
{pkgs, ...}:
|
||||
|
||||
let
|
||||
# Import the inquisitor package and build it
|
||||
inquisitorSource = pkgs.fetchFromGitHub {
|
||||
owner = "Jaculabilis";
|
||||
repo = "Inquisitor";
|
||||
rev = "addcb4f1a56c878b58f2e1c38dfd485761b31306";
|
||||
sha256 = "0jjl92nf1y40acdly1kls0mppcadvmgbfr6qwczxni1f1zphw3as";
|
||||
};
|
||||
inquisitor = pkgs.callPackage inquisitorSource { inherit pkgs; };
|
||||
|
||||
# Define the inquisitor data directory
|
||||
inquisiDir = "/var/lib/inquisitor";
|
||||
|
||||
# Define an scp helper for executing in cron jobs
|
||||
scp-helper = pkgs.writeShellScriptBin "scp-helper" ''
|
||||
${pkgs.openssh}/bin/scp -i ${inquisiDir}/inquisitor.key -oStrictHostKeyChecking=no "$@"
|
||||
'';
|
||||
|
||||
# Define the inquisitor service user
|
||||
inquisitorUser = {
|
||||
name = "inquisitor";
|
||||
group = "inquisitor";
|
||||
description = "Inquisitor service user";
|
||||
isSystemUser = true;
|
||||
shell = pkgs.bashInteractive;
|
||||
packages = [ inquisitor pkgs.cron ];
|
||||
};
|
||||
|
||||
# Create the inquisitor config file in the nix store, pointing to /var/lib/
|
||||
inquisitorConfig = pkgs.writeTextFile {
|
||||
name = "inquisitor.conf";
|
||||
text = ''
|
||||
DataPath = ${inquisiDir}/data/
|
||||
SourcePath = ${inquisiDir}/sources/
|
||||
CachePath = ${inquisiDir}/cache/
|
||||
Verbose = false
|
||||
LogFile = ${inquisiDir}/inquisitor.log
|
||||
'';
|
||||
};
|
||||
|
||||
# Create a setup script to ensure the service directory state
|
||||
inquisitorSetup = pkgs.writeShellScriptBin "inquisitor-setup.sh" ''
|
||||
# Ensure the service directory and the default source directory
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
|
||||
${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/
|
||||
if [ ! -f ${inquisiDir}/data/inquisitor/state ]; then
|
||||
${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
|
||||
fi
|
||||
|
||||
# Ensure the service owns the folders
|
||||
chown -R ${inquisitorUser.name} ${inquisiDir}
|
||||
|
||||
# Ensure the scp helper is present
|
||||
if [ -f ${inquisiDir}/scp-helper ]; then
|
||||
rm ${inquisiDir}/scp-helper
|
||||
fi
|
||||
ln -s -t ${inquisiDir} ${scp-helper}/bin/scp-helper
|
||||
'';
|
||||
|
||||
# Create a run script for the server
|
||||
inquisitorRun = pkgs.writeShellScriptBin "inquisitor-run.sh" ''
|
||||
cd ${inquisiDir}
|
||||
${inquisitor}/bin/gunicorn \
|
||||
--bind=localhost:24133 \
|
||||
--workers=4 \
|
||||
--timeout 120 \
|
||||
--log-level debug \
|
||||
"inquisitor.app:wsgi()"
|
||||
'';
|
||||
|
||||
# Create a wrapper to execute the cli as the service user
|
||||
inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
|
||||
sudo --user=inquisitor ${inquisitor}/bin/inquisitor "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
users.users.inquisitor = inquisitorUser;
|
||||
users.groups.inquisitor = {};
|
||||
|
||||
# Link the config in /etc to avoid envvar shenanigans
|
||||
environment.etc."inquisitor.conf".source = "${inquisitorConfig}";
|
||||
|
||||
# Give all users the inq wrapper
|
||||
environment.systemPackages = [ inquisitorWrapper ];
|
||||
|
||||
# Allow the sudo in the cli wrapper without password
|
||||
security.sudo.extraRules = [{
|
||||
commands = [{
|
||||
command = "${inquisitor}/bin/inquisitor";
|
||||
options = [ "NOPASSWD" ];
|
||||
}];
|
||||
runAs = "${inquisitorUser.name}";
|
||||
groups = [ "users" ];
|
||||
}];
|
||||
|
||||
# Run the setup script on activation
|
||||
system.activationScripts.inquisitorSetup = "${inquisitorSetup}/bin/inquisitor-setup.sh";
|
||||
|
||||
# Set up the inquisitor service
|
||||
systemd.services.inquisitor =
|
||||
{
|
||||
description = "Inquisitor server";
|
||||
script = "${inquisitorRun}/bin/inquisitor-run.sh";
|
||||
serviceConfig = {
|
||||
User = "${inquisitorUser.name}";
|
||||
Type = "simple";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
enable = true;
|
||||
};
|
||||
|
||||
# Set up nginx to reverse proxy from the beatific url to the inq server
|
||||
services.nginx.enable = true;
|
||||
services.nginx.virtualHosts.inquisitorHost = {
|
||||
listen = [ { addr = "10.22.20.1"; port = 80; } ];
|
||||
locations."/".extraConfig = ''
|
||||
access_log /var/log/nginx/access.inquisitor.log;
|
||||
proxy_buffering off;
|
||||
proxy_pass http://localhost:24133/;
|
||||
'';
|
||||
};
|
||||
|
||||
# Allow nginx through the firewall
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [
|
||||
80 # http
|
||||
443 # https
|
||||
];
|
||||
};
|
||||
|
||||
# Enable cron, but don't set up any system cron jobs
|
||||
# Inquisitor updates will be managed manually
|
||||
services.cron.enable = true;
|
||||
}
|