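{pkgs, ...}: let
  # Pin the Inquisitor source to an exact commit *and* a content hash so the
  # build is reproducible and a moved tag or tampered upstream cannot swap code.
  inquisitorSource = pkgs.fetchFromGitHub {
    owner = "Jaculabilis";
    repo = "Inquisitor";
    rev = "933596d25c183782a8864e0d8c47bc65a64a791d";
    sha256 = "0haa67lpm8dm8k2inyvfqdvxi1lzvrkb65vgv8nzq51iwlydygx7";
  };
  inquisitor = pkgs.callPackage inquisitorSource {};

  # All mutable service state lives here; it doubles as the service user's home.
  inquisiDir = "/var/lib/inquisitor";

  # Config file lives in the nix store: world-readable, so it must never hold
  # secrets. Paths point at ${inquisiDir} rather than the read-only store.
  # NOTE(review): LogFile is a file directly under /var/log, which the
  # unprivileged service user normally cannot create -- confirm the file is
  # pre-created and owned by `inquisitor`, or that the app tolerates a failed
  # open, otherwise logging (or startup) silently breaks.
  inquisitorConfig = pkgs.writeTextFile {
    name = "inquisitor.conf";
    text = ''
      DataPath = ${inquisiDir}/data/
      SourcePath = ${inquisiDir}/sources/
      CachePath = ${inquisiDir}/cache/
      Verbose = false
      LogFile = /var/log/inquisitor.log
    '';
  };

  # Startup script for the server: prepares state directories, then execs
  # gunicorn so systemd tracks the server itself as the main process.
  inquisitorRun = pkgs.writeShellScriptBin "run.sh" ''
    # Fail fast: never start the server against a half-initialised state dir.
    set -euo pipefail

    # Ensure inquisitor directories and inquisitor source folder exist
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/data/inquisitor/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/sources/
    ${pkgs.coreutils}/bin/mkdir -p ${inquisiDir}/cache/

    # Seed an empty state file on first start only; never clobber existing state
    if [ ! -f ${inquisiDir}/data/inquisitor/state ]; then
      ${pkgs.coreutils}/bin/echo "{}" > ${inquisiDir}/data/inquisitor/state
    fi

    # Run inquisitor. Bound to loopback only: nginx below is the sole external
    # entry point, so the app port is never reachable from the network.
    cd ${inquisiDir}
    exec ${inquisitor}/bin/gunicorn \
      --bind=localhost:24133 \
      --workers=4 \
      --env INQUISITOR_CONFIG=${inquisitorConfig} \
      --log-level debug \
      "inquisitor.app:wsgi()"
  '';

  # CLI wrapper installed for every user. It runs as the *invoking* user, not
  # as the service account: what it can read or write under ${inquisiDir} is
  # governed entirely by that directory's ownership and mode.
  inquisitorWrapper = pkgs.writeShellScriptBin "inq" ''
    INQUISITOR_CONFIG=${inquisitorConfig} exec ${inquisitor}/bin/inquisitor "$@"
  '';
in {
  # Dedicated user *and* group for the service. `isSystemUser` requires an
  # explicit `group` on current NixOS (evaluation fails without one), and a
  # private group keeps the state directory from being shared with `nogroup`.
  users.groups.inquisitor = {};
  users.users.inquisitor = {
    description = "Inquisitor service user";
    isSystemUser = true;
    group = "inquisitor";
    home = inquisiDir;
    createHome = true;
    # An interactive shell is kept so an admin can `sudo -u inquisitor` to
    # manage its crontab by hand. NOTE(review): if that is not needed, point
    # this at a nologin shell to shrink the account's attack surface.
    shell = pkgs.bashInteractive;
    packages = [ inquisitor pkgs.cron ];
  };

  # Give all users the inq wrapper
  environment.systemPackages = [ inquisitorWrapper ];

  # Set up the inquisitor service
  systemd.services.inquisitor = {
    description = "Inquisitor server";
    script = "${inquisitorRun}/bin/run.sh";
    serviceConfig = {
      User = "inquisitor";
      Group = "inquisitor";
      Type = "simple";
      # Come back up after a crash; a wedged worker should not stay down.
      Restart = "on-failure";
      # Basic sandboxing. The service only writes under ${inquisiDir} and
      # /var/log, so the rest of the system can be read-only to it and it
      # never needs to gain privileges.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
      ProtectSystem = "full";
    };
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    enable = true;
  };

  # Reverse proxy from the internal address to the loopback-bound app server.
  # Plain HTTP only: no TLS vhost is defined here.
  services.nginx.enable = true;
  services.nginx.virtualHosts.inquisitorHost = {
    listen = [ { addr = "10.7.3.99"; port = 80; } ];
    locations."/".extraConfig = ''
      access_log /var/log/nginx/access.inquisitor.log;
      proxy_buffering off;
      proxy_pass http://localhost:24133/;
    '';
  };

  # Allow nginx through the firewall
  networking.firewall = {
    allowedTCPPorts = [
      80  # http
      # NOTE(review): nothing listens on 443 in this module; keep the port
      # closed until a TLS vhost exists, or add one so traffic is encrypted.
      443 # https
    ];
  };

  # Enable cron, but don't set up any system cron jobs
  # Inquisitor updates will be managed manually
  services.cron.enable = true;
}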