diff options
Diffstat (limited to 'nixpkgs/nixos/modules/services/development')
17 files changed, 2727 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/development/athens.md b/nixpkgs/nixos/modules/services/development/athens.md new file mode 100644 index 000000000000..77663db509d5 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/athens.md @@ -0,0 +1,52 @@ +# Athens {#module-athens} + +*Source:* {file}`modules/services/development/athens.nix` + +*Upstream documentation:* <https://docs.gomods.io/> + +[Athens](https://github.com/gomods/athens) +is a Go module datastore and proxy + +The main goal of Athens is providing a Go proxy (`$GOPROXY`) in regions without access to `https://proxy.golang.org` or to +improve the speed of Go module downloads for CI/CD systems. + +## Configuring {#module-services-development-athens-configuring} + +A complete list of options for the Athens module may be found +[here](#opt-services.athens.enable). + +## Basic usage for a caching proxy configuration {#opt-services-development-athens-caching-proxy} + +A very basic configuration for Athens that acts as a caching and forwarding HTTP proxy is: +``` +{ + services.athens = { + enable = true; + }; +} +``` + +If you want to prevent Athens from writing to disk, you can instead configure it to cache modules only in memory: + +``` +{ + services.athens = { + enable = true; + storageType = "memory"; + }; +} +``` + +To use the local proxy in Go builds, you can set the proxy as environment variable: + +``` +{ + environment.variables = { + GOPROXY = "http://localhost:3000" + }; +} +``` + +It is currently not possible to use the local proxy for builds done by the Nix daemon. This might be enabled +by experimental features, specifically [`configurable-impure-env`](https://nixos.org/manual/nix/unstable/contributing/experimental-features#xp-feature-configurable-impure-env), +in upcoming Nix versions. diff --git a/nixpkgs/nixos/modules/services/development/athens.nix b/nixpkgs/nixos/modules/services/development/athens.nix new file mode 100644 index 000000000000..34f8964a3bd5 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/athens.nix @@ -0,0 +1,936 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.athens; + + athensConfig = flip recursiveUpdate cfg.extraConfig ( + { + GoBinary = "${cfg.goBinary}/bin/go"; + GoEnv = cfg.goEnv; + GoBinaryEnvVars = lib.mapAttrsToList (k: v: "${k}=${v}") cfg.goBinaryEnvVars; + GoGetWorkers = cfg.goGetWorkers; + GoGetDir = cfg.goGetDir; + ProtocolWorkers = cfg.protocolWorkers; + LogLevel = cfg.logLevel; + CloudRuntime = cfg.cloudRuntime; + EnablePprof = cfg.enablePprof; + PprofPort = ":${toString cfg.pprofPort}"; + FilterFile = cfg.filterFile; + RobotsFile = cfg.robotsFile; + Timeout = cfg.timeout; + StorageType = cfg.storageType; + TLSCertFile = cfg.tlsCertFile; + TLSKeyFile = cfg.tlsKeyFile; + Port = ":${toString cfg.port}"; + UnixSocket = cfg.unixSocket; + GlobalEndpoint = cfg.globalEndpoint; + BasicAuthUser = cfg.basicAuthUser; + BasicAuthPass = cfg.basicAuthPass; + ForceSSL = cfg.forceSSL; + ValidatorHook = cfg.validatorHook; + PathPrefix = cfg.pathPrefix; + NETRCPath = cfg.netrcPath; + GithubToken = cfg.githubToken; + HGRCPath = cfg.hgrcPath; + TraceExporter = cfg.traceExporter; + StatsExporter = cfg.statsExporter; + SumDBs = cfg.sumDBs; + NoSumPatterns = cfg.noSumPatterns; + DownloadMode = cfg.downloadMode; + NetworkMode = cfg.networkMode; + DownloadURL = cfg.downloadURL; + SingleFlightType = cfg.singleFlightType; + IndexType = cfg.indexType; + ShutdownTimeout = cfg.shutdownTimeout; + SingleFlight = { + Etcd = { + Endpoints = builtins.concatStringsSep "," cfg.singleFlight.etcd.endpoints; + }; + Redis = { + Endpoint = cfg.singleFlight.redis.endpoint; + Password = cfg.singleFlight.redis.password; + LockConfig = { + TTL = cfg.singleFlight.redis.lockConfig.ttl; + Timeout = cfg.singleFlight.redis.lockConfig.timeout; + MaxRetries = cfg.singleFlight.redis.lockConfig.maxRetries; + }; + }; + RedisSentinel = { + Endpoints = cfg.singleFlight.redisSentinel.endpoints; + MasterName = cfg.singleFlight.redisSentinel.masterName; + SentinelPassword = cfg.singleFlight.redisSentinel.sentinelPassword; + LockConfig = { + TTL = cfg.singleFlight.redisSentinel.lockConfig.ttl; + Timeout = cfg.singleFlight.redisSentinel.lockConfig.timeout; + MaxRetries = cfg.singleFlight.redisSentinel.lockConfig.maxRetries; + }; + }; + }; + Storage = { + CDN = { + Endpoint = cfg.storage.cdn.endpoint; + }; + Disk = { + RootPath = cfg.storage.disk.rootPath; + }; + GCP = { + ProjectID = cfg.storage.gcp.projectID; + Bucket = cfg.storage.gcp.bucket; + JSONKey = cfg.storage.gcp.jsonKey; + }; + Minio = { + Endpoint = cfg.storage.minio.endpoint; + Key = cfg.storage.minio.key; + Secret = cfg.storage.minio.secret; + EnableSSL = cfg.storage.minio.enableSSL; + Bucket = cfg.storage.minio.bucket; + region = cfg.storage.minio.region; + }; + Mongo = { + URL = cfg.storage.mongo.url; + DefaultDBName = cfg.storage.mongo.defaultDBName; + CertPath = cfg.storage.mongo.certPath; + Insecure = cfg.storage.mongo.insecure; + }; + S3 = { + Region = cfg.storage.s3.region; + Key = cfg.storage.s3.key; + Secret = cfg.storage.s3.secret; + Token = cfg.storage.s3.token; + Bucket = cfg.storage.s3.bucket; + ForcePathStyle = cfg.storage.s3.forcePathStyle; + UseDefaultConfiguration = cfg.storage.s3.useDefaultConfiguration; + CredentialsEndpoint = cfg.storage.s3.credentialsEndpoint; + AwsContainerCredentialsRelativeURI = cfg.storage.s3.awsContainerCredentialsRelativeURI; + Endpoint = cfg.storage.s3.endpoint; + }; + AzureBlob = { + AccountName = cfg.storage.azureblob.accountName; + AccountKey = cfg.storage.azureblob.accountKey; + ContainerName = cfg.storage.azureblob.containerName; + }; + External = { + URL = cfg.storage.external.url; + }; + }; + Index = { + MySQL = { + Protocol = cfg.index.mysql.protocol; + Host = cfg.index.mysql.host; + Port = cfg.index.mysql.port; + User = cfg.index.mysql.user; + Password = cfg.index.mysql.password; + Database = cfg.index.mysql.database; + Params = { + parseTime = cfg.index.mysql.params.parseTime; + timeout = cfg.index.mysql.params.timeout; + }; + }; + Postgres = { + Host = cfg.index.postgres.host; + Port = cfg.index.postgres.port; + User = cfg.index.postgres.user; + Password = cfg.index.postgres.password; + Database = cfg.index.postgres.database; + Params = { + connect_timeout = cfg.index.postgres.params.connect_timeout; + sslmode = cfg.index.postgres.params.sslmode; + }; + }; + }; + } + ); + + configFile = pkgs.runCommandLocal "config.toml" { } '' + ${pkgs.buildPackages.jq}/bin/jq 'del(..|nulls)' \ + < ${pkgs.writeText "config.json" (builtins.toJSON athensConfig)} | \ + ${pkgs.buildPackages.remarshal}/bin/remarshal -if json -of toml \ + > $out + ''; +in +{ + meta = { + maintainers = pkgs.athens.meta.maintainers; + doc = ./athens.md; + }; + + options.services.athens = { + enable = mkEnableOption (lib.mdDoc "Go module datastore and proxy"); + + package = mkOption { + default = pkgs.athens; + defaultText = literalExpression "pkgs.athens"; + example = "pkgs.athens"; + description = lib.mdDoc "Which athens derivation to use"; + type = types.package; + }; + + goBinary = mkOption { + type = types.package; + default = pkgs.go; + defaultText = literalExpression "pkgs.go"; + example = "pkgs.go_1_21"; + description = lib.mdDoc '' + The Go package used by Athens at runtime. + + Athens primarily runs two Go commands: + 1. `go mod download -json <module>@<version>` + 2. `go list -m -json <module>@latest` + ''; + }; + + goEnv = mkOption { + type = types.enum [ "development" "production" ]; + description = lib.mdDoc "Specifies the type of environment to run. One of 'development' or 'production'."; + default = "development"; + example = "production"; + }; + + goBinaryEnvVars = mkOption { + type = types.attrs; + description = lib.mdDoc "Environment variables to pass to the Go binary."; + example = '' + { "GOPROXY" = "direct", "GODEBUG" = "true" } + ''; + default = { }; + }; + + goGetWorkers = mkOption { + type = types.int; + description = lib.mdDoc "Number of workers concurrently downloading modules."; + default = 10; + example = 32; + }; + + goGetDir = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc '' + Temporary directory that Athens will use to + fetch modules from VCS prior to persisting + them to a storage backend. + + If the value is empty, Athens will use the + default OS temp directory. + ''; + default = null; + example = "/tmp/athens"; + }; + + protocolWorkers = mkOption { + type = types.int; + description = lib.mdDoc "Number of workers concurrently serving protocol paths."; + default = 30; + }; + + logLevel = mkOption { + type = types.nullOr (types.enum [ "panic" "fatal" "error" "warning" "info" "debug" "trace" ]); + description = lib.mdDoc '' + Log level for Athens. + Supports all logrus log levels (https://github.com/Sirupsen/logrus#level-logging)". + ''; + default = "warning"; + example = "debug"; + }; + + cloudRuntime = mkOption { + type = types.enum [ "GCP" "none" ]; + description = lib.mdDoc '' + Specifies the Cloud Provider on which the Proxy/registry is running. + ''; + default = "none"; + example = "GCP"; + }; + + enablePprof = mkOption { + type = types.bool; + description = lib.mdDoc "Enable pprof endpoints."; + default = false; + }; + + pprofPort = mkOption { + type = types.port; + description = lib.mdDoc "Port number for pprof endpoints."; + default = 3301; + example = 443; + }; + + filterFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc ''Filename for the include exclude filter.''; + default = null; + example = literalExpression '' + pkgs.writeText "filterFile" ''' + - github.com/azure + + github.com/azure/azure-sdk-for-go + D golang.org/x/tools + ''' + ''; + }; + + robotsFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc ''Provides /robots.txt for net crawlers.''; + default = null; + example = literalExpression ''pkgs.writeText "robots.txt" "# my custom robots.txt ..."''; + }; + + timeout = mkOption { + type = types.int; + description = lib.mdDoc "Timeout for external network calls in seconds."; + default = 300; + example = 3; + }; + + storageType = mkOption { + type = types.enum [ "memory" "disk" "mongo" "gcp" "minio" "s3" "azureblob" "external" ]; + description = lib.mdDoc "Specifies the type of storage backend to use."; + default = "disk"; + }; + + tlsCertFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc "Path to the TLS certificate file."; + default = null; + example = "/etc/ssl/certs/athens.crt"; + }; + + tlsKeyFile = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc "Path to the TLS key file."; + default = null; + example = "/etc/ssl/certs/athens.key"; + }; + + port = mkOption { + type = types.port; + default = 3000; + description = lib.mdDoc '' + Port number Athens listens on. + ''; + example = 443; + }; + + unixSocket = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc '' + Path to the unix socket file. + If set, Athens will listen on the unix socket instead of TCP socket. + ''; + default = null; + example = "/run/athens.sock"; + }; + + globalEndpoint = mkOption { + type = types.str; + description = lib.mdDoc '' + Endpoint for a package registry in case of a proxy cache miss. + ''; + default = ""; + example = "http://upstream-athens.example.com:3000"; + }; + + basicAuthUser = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + Username for basic auth. + ''; + default = null; + example = "user"; + }; + + basicAuthPass = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + Password for basic auth. Warning: this is stored in plain text in the config file. + ''; + default = null; + example = "swordfish"; + }; + + forceSSL = mkOption { + type = types.bool; + description = lib.mdDoc '' + Force SSL redirects for incoming requests. + ''; + default = false; + }; + + validatorHook = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + Endpoint to validate modules against. + + Not used if empty. + ''; + default = null; + example = "https://validation.example.com"; + }; + + pathPrefix = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + Sets basepath for all routes. + ''; + default = null; + example = "/athens"; + }; + + netrcPath = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc '' + Path to the .netrc file. + ''; + default = null; + example = "/home/user/.netrc"; + }; + + githubToken = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + Creates .netrc file with the given token to be used for GitHub. + Warning: this is stored in plain text in the config file. + ''; + default = null; + example = "ghp_1234567890"; + }; + + hgrcPath = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc '' + Path to the .hgrc file. + ''; + default = null; + example = "/home/user/.hgrc"; + }; + + traceExporter = mkOption { + type = types.nullOr (types.enum [ "jaeger" "datadog" ]); + description = lib.mdDoc '' + Trace exporter to use. + ''; + default = null; + }; + + traceExporterURL = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc '' + URL endpoint that traces will be sent to. + ''; + default = null; + example = "http://localhost:14268"; + }; + + statsExporter = mkOption { + type = types.nullOr (types.enum [ "prometheus" ]); + description = lib.mdDoc "Stats exporter to use."; + default = null; + }; + + sumDBs = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + List of fully qualified URLs that Athens will proxy + that the go command can use a checksum verifier. + ''; + default = [ "https://sum.golang.org" ]; + }; + + noSumPatterns = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + List of patterns that Athens sum db proxy will return a 403 for. + ''; + default = [ ]; + example = [ "github.com/mycompany/*" ]; + }; + + downloadMode = mkOption { + type = types.oneOf [ (types.enum [ "sync" "async" "redirect" "async_redirect" "none" ]) (types.strMatching "^file:.*$|^custom:.*$") ]; + description = lib.mdDoc '' + Defines how Athens behaves when a module@version + is not found in storage. There are 7 options: + 1. "sync": download the module synchronously and + return the results to the client. + 2. "async": return 404, but asynchronously store the module + in the storage backend. + 3. "redirect": return a 301 redirect status to the client + with the base URL as the DownloadRedirectURL from below. + 4. "async_redirect": same as option number 3 but it will + asynchronously store the module to the backend. + 5. "none": return 404 if a module is not found and do nothing. + 6. "file:<path>": will point to an HCL file that specifies + any of the 5 options above based on different import paths. + 7. "custom:<base64-encoded-hcl>" is the same as option 6 + but the file is fully encoded in the option. This is + useful for using an environment variable in serverless + deployments. + ''; + default = "async_redirect"; + }; + + networkMode = mkOption { + type = types.enum [ "strict" "offline" "fallback" ]; + description = lib.mdDoc '' + Configures how Athens will return the results + of the /list endpoint as it can be assembled from both its own + storage and the upstream VCS. + + Note, that for better error messaging, this would also affect how other + endpoints behave. + + Modes: + 1. strict: merge VCS versions with storage versions, but fail if either of them fails. + 2. offline: only get storage versions, never reach out to VCS. + 3. fallback: only return storage versions, if VCS fails. Note this means that you may + see inconsistent results since fallback mode does a best effort of giving you what's + available at the time of requesting versions. + ''; + default = "strict"; + }; + + downloadURL = mkOption { + type = types.str; + description = lib.mdDoc "URL used if DownloadMode is set to redirect."; + default = "https://proxy.golang.org"; + }; + + singleFlightType = mkOption { + type = types.enum [ "memory" "etcd" "redis" "redis-sentinel" "gcp" "azureblob" ]; + description = lib.mdDoc '' + Determines what mechanism Athens uses to manage concurrency flowing into the Athens backend. + ''; + default = "memory"; + }; + + indexType = mkOption { + type = types.enum [ "none" "memory" "mysql" "postgres" ]; + description = lib.mdDoc '' + Type of index backend Athens will use. + ''; + default = "none"; + }; + + shutdownTimeout = mkOption { + type = types.int; + description = lib.mdDoc '' + Number of seconds to wait for the server to shutdown gracefully. + ''; + default = 60; + example = 1; + }; + + singleFlight = { + etcd = { + endpoints = mkOption { + type = types.listOf types.str; + description = lib.mdDoc "URLs that determine all distributed etcd servers."; + default = [ ]; + example = [ "localhost:2379" ]; + }; + }; + redis = { + endpoint = mkOption { + type = types.str; + description = lib.mdDoc "URL of the redis server."; + default = ""; + example = "localhost:6379"; + }; + password = mkOption { + type = types.str; + description = lib.mdDoc "Password for the redis server. Warning: this is stored in plain text in the config file."; + default = ""; + example = "swordfish"; + }; + + lockConfig = { + ttl = mkOption { + type = types.int; + description = lib.mdDoc "TTL for the lock in seconds."; + default = 900; + example = 1; + }; + timeout = mkOption { + type = types.int; + description = lib.mdDoc "Timeout for the lock in seconds."; + default = 15; + example = 1; + }; + maxRetries = mkOption { + type = types.int; + description = lib.mdDoc "Maximum number of retries for the lock."; + default = 10; + example = 1; + }; + }; + }; + + redisSentinel = { + endpoints = mkOption { + type = types.listOf types.str; + description = lib.mdDoc "URLs that determine all distributed redis servers."; + default = [ ]; + example = [ "localhost:26379" ]; + }; + masterName = mkOption { + type = types.str; + description = lib.mdDoc "Name of the sentinel master server."; + default = ""; + example = "redis-1"; + }; + sentinelPassword = mkOption { + type = types.str; + description = lib.mdDoc "Password for the sentinel server. Warning: this is stored in plain text in the config file."; + default = ""; + example = "swordfish"; + }; + + lockConfig = { + ttl = mkOption { + type = types.int; + description = lib.mdDoc "TTL for the lock in seconds."; + default = 900; + example = 1; + }; + timeout = mkOption { + type = types.int; + description = lib.mdDoc "Timeout for the lock in seconds."; + default = 15; + example = 1; + }; + maxRetries = mkOption { + type = types.int; + description = lib.mdDoc "Maximum number of retries for the lock."; + default = 10; + example = 1; + }; + }; + }; + }; + + storage = { + cdn = { + endpoint = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "hostname of the CDN server."; + example = "cdn.example.com"; + default = null; + }; + }; + + disk = { + rootPath = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc "Athens disk root folder."; + default = "/var/lib/athens"; + }; + }; + + gcp = { + projectID = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "GCP project ID."; + example = "my-project"; + default = null; + }; + bucket = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "GCP backend storage bucket."; + example = "my-bucket"; + default = null; + }; + jsonKey = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Base64 encoded GCP service account key. Warning: this is stored in plain text in the config file."; + default = null; + }; + }; + + minio = { + endpoint = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Endpoint of the minio storage backend."; + example = "minio.example.com:9001"; + default = null; + }; + key = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Access key id for the minio storage backend."; + example = "minio"; + default = null; + }; + secret = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Secret key for the minio storage backend. Warning: this is stored in plain text in the config file."; + example = "minio123"; + default = null; + }; + enableSSL = mkOption { + type = types.bool; + description = lib.mdDoc "Enable SSL for the minio storage backend."; + default = false; + }; + bucket = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Bucket name for the minio storage backend."; + example = "gomods"; + default = null; + }; + region = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Region for the minio storage backend."; + example = "us-east-1"; + default = null; + }; + }; + + mongo = { + url = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "URL of the mongo database."; + example = "mongodb://localhost:27017"; + default = null; + }; + defaultDBName = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Name of the mongo database."; + example = "athens"; + default = null; + }; + certPath = mkOption { + type = types.nullOr types.path; + description = lib.mdDoc "Path to the certificate file for the mongo database."; + example = "/etc/ssl/mongo.pem"; + default = null; + }; + insecure = mkOption { + type = types.bool; + description = lib.mdDoc "Allow insecure connections to the mongo database."; + default = false; + }; + }; + + s3 = { + region = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Region of the S3 storage backend."; + example = "eu-west-3"; + default = null; + }; + key = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Access key id for the S3 storage backend."; + example = "minio"; + default = null; + }; + secret = mkOption { + type = types.str; + description = lib.mdDoc "Secret key for the S3 storage backend. Warning: this is stored in plain text in the config file."; + default = ""; + }; + token = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Token for the S3 storage backend. Warning: this is stored in plain text in the config file."; + default = null; + }; + bucket = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Bucket name for the S3 storage backend."; + example = "gomods"; + default = null; + }; + forcePathStyle = mkOption { + type = types.bool; + description = lib.mdDoc "Force path style for the S3 storage backend."; + default = false; + }; + useDefaultConfiguration = mkOption { + type = types.bool; + description = lib.mdDoc "Use default configuration for the S3 storage backend."; + default = false; + }; + credentialsEndpoint = mkOption { + type = types.str; + description = lib.mdDoc "Credentials endpoint for the S3 storage backend."; + default = ""; + }; + awsContainerCredentialsRelativeURI = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Container relative url (used by fargate)."; + default = null; + }; + endpoint = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Endpoint for the S3 storage backend."; + default = null; + }; + }; + + azureblob = { + accountName = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Account name for the Azure Blob storage backend."; + default = null; + }; + accountKey = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Account key for the Azure Blob storage backend. Warning: this is stored in plain text in the config file."; + default = null; + }; + containerName = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Container name for the Azure Blob storage backend."; + default = null; + }; + }; + + external = { + url = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "URL of the backend storage layer."; + example = "https://athens.example.com"; + default = null; + }; + }; + }; + + index = { + mysql = { + protocol = mkOption { + type = types.str; + description = lib.mdDoc "Protocol for the MySQL database."; + default = "tcp"; + }; + host = mkOption { + type = types.str; + description = lib.mdDoc "Host for the MySQL database."; + default = "localhost"; + }; + port = mkOption { + type = types.int; + description = lib.mdDoc "Port for the MySQL database."; + default = 3306; + }; + user = mkOption { + type = types.str; + description = lib.mdDoc "User for the MySQL database."; + default = "root"; + }; + password = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Password for the MySQL database. Warning: this is stored in plain text in the config file."; + default = null; + }; + database = mkOption { + type = types.str; + description = lib.mdDoc "Database name for the MySQL database."; + default = "athens"; + }; + params = { + parseTime = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Parse time for the MySQL database."; + default = "true"; + }; + timeout = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Timeout for the MySQL database."; + default = "30s"; + }; + }; + }; + + postgres = { + host = mkOption { + type = types.str; + description = lib.mdDoc "Host for the Postgres database."; + default = "localhost"; + }; + port = mkOption { + type = types.int; + description = lib.mdDoc "Port for the Postgres database."; + default = 5432; + }; + user = mkOption { + type = types.str; + description = lib.mdDoc "User for the Postgres database."; + default = "postgres"; + }; + password = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Password for the Postgres database. Warning: this is stored in plain text in the config file."; + default = null; + }; + database = mkOption { + type = types.str; + description = lib.mdDoc "Database name for the Postgres database."; + default = "athens"; + }; + params = { + connect_timeout = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "Connect timeout for the Postgres database."; + default = "30s"; + }; + sslmode = mkOption { + type = types.nullOr types.str; + description = lib.mdDoc "SSL mode for the Postgres database."; + default = "disable"; + }; + }; + }; + }; + + extraConfig = mkOption { + type = types.attrs; + description = lib.mdDoc '' + Extra configuration options for the athens config file. + ''; + default = { }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.athens = { + description = "Athens Go module proxy"; + documentation = [ "https://docs.gomods.io" ]; + + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + + serviceConfig = { + Restart = "on-abnormal"; + Nice = 5; + ExecStart = ''${cfg.package}/bin/athens -config_file=${configFile}''; + + KillMode = "mixed"; + KillSignal = "SIGINT"; + TimeoutStopSec = cfg.shutdownTimeout; + + LimitNOFILE = 1048576; + LimitNPROC = 512; + + DynamicUser = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHome = "read-only"; + ProtectSystem = "full"; + + ReadWritePaths = mkIf (cfg.storage.disk.rootPath != null && (! hasPrefix "/var/lib/" cfg.storage.disk.rootPath)) [ cfg.storage.disk.rootPath ]; + StateDirectory = mkIf (hasPrefix "/var/lib/" cfg.storage.disk.rootPath) [ (removePrefix "/var/lib/" cfg.storage.disk.rootPath) ]; + + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + NoNewPrivileges = true; + }; + }; + + networking.firewall = { + allowedTCPPorts = optionals (cfg.unixSocket == null) [ cfg.port ] + ++ optionals cfg.enablePprof [ cfg.pprofPort ]; + }; + }; + +} diff --git a/nixpkgs/nixos/modules/services/development/blackfire.md b/nixpkgs/nixos/modules/services/development/blackfire.md new file mode 100644 index 000000000000..e2e7e4780c79 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/blackfire.md @@ -0,0 +1,39 @@ +# Blackfire profiler {#module-services-blackfire} + +*Source:* {file}`modules/services/development/blackfire.nix` + +*Upstream documentation:* <https://blackfire.io/docs/introduction> + +[Blackfire](https://blackfire.io) is a proprietary tool for profiling applications. There are several languages supported by the product but currently only PHP support is packaged in Nixpkgs. The back-end consists of a module that is loaded into the language runtime (called *probe*) and a service (*agent*) that the probe connects to and that sends the profiles to the server. + +To use it, you will need to enable the agent and the probe on your server. The exact method will depend on the way you use PHP but here is an example of NixOS configuration for PHP-FPM: +``` +let + php = pkgs.php.withExtensions ({ enabled, all }: enabled ++ (with all; [ + blackfire + ])); +in { + # Enable the probe extension for PHP-FPM. + services.phpfpm = { + phpPackage = php; + }; + + # Enable and configure the agent. + services.blackfire-agent = { + enable = true; + settings = { + # You will need to get credentials at https://blackfire.io/my/settings/credentials + # You can also use other options described in https://blackfire.io/docs/up-and-running/configuration/agent + server-id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"; + server-token = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; + }; + }; + + # Make the agent run on start-up. + # (WantedBy= from the upstream unit not respected: https://github.com/NixOS/nixpkgs/issues/81138) + # Alternately, you can start it manually with `systemctl start blackfire-agent`. + systemd.services.blackfire-agent.wantedBy = [ "phpfpm-foo.service" ]; +} +``` + +On your developer machine, you will also want to install [the client](https://blackfire.io/docs/up-and-running/installation#install-a-profiling-client) (see `blackfire` package) or the browser extension to actually trigger the profiling. diff --git a/nixpkgs/nixos/modules/services/development/blackfire.nix b/nixpkgs/nixos/modules/services/development/blackfire.nix new file mode 100644 index 000000000000..3c98d7a281c6 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/blackfire.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.blackfire-agent; + + agentConfigFile = lib.generators.toINI {} { + blackfire = cfg.settings; + }; + + agentSock = "blackfire/agent.sock"; +in { + meta = { + maintainers = pkgs.blackfire.meta.maintainers; + doc = ./blackfire.md; + }; + + options = { + services.blackfire-agent = { + enable = lib.mkEnableOption (lib.mdDoc "Blackfire profiler agent"); + settings = lib.mkOption { + description = lib.mdDoc '' + See https://blackfire.io/docs/up-and-running/configuration/agent + ''; + type = lib.types.submodule { + freeformType = with lib.types; attrsOf str; + + options = { + server-id = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc '' + Sets the server id used to authenticate with Blackfire + + You can find your personal server-id at https://blackfire.io/my/settings/credentials + ''; + }; + + server-token = lib.mkOption { + type = lib.types.str; + description = lib.mdDoc '' + Sets the server token used to authenticate with Blackfire + + You can find your personal server-token at https://blackfire.io/my/settings/credentials + ''; + }; + }; + }; + }; + }; + }; + + config = lib.mkIf cfg.enable { + environment.etc."blackfire/agent".text = agentConfigFile; + + services.blackfire-agent.settings.socket = "unix:///run/${agentSock}"; + + systemd.packages = [ + pkgs.blackfire + ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/development/bloop.nix b/nixpkgs/nixos/modules/services/development/bloop.nix new file mode 100644 index 000000000000..27da76a74432 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/bloop.nix @@ -0,0 +1,54 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.bloop; + +in { + + options.services.bloop = { + extraOptions = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ + "-J-Xmx2G" + "-J-XX:MaxInlineLevel=20" + "-J-XX:+UseParallelGC" + ]; + description = lib.mdDoc '' + Specifies additional command line argument to pass to bloop + java process. + ''; + }; + + install = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to install a user service for the Bloop server. + + The service must be manually started for each user with + "systemctl --user start bloop". + ''; + }; + }; + + config = mkIf (cfg.install) { + systemd.user.services.bloop = { + description = "Bloop Scala build server"; + + environment = { + PATH = mkForce "${makeBinPath [ config.programs.java.package ]}"; + }; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.bloop}/bin/bloop server"; + Restart = "always"; + }; + }; + + environment.systemPackages = [ pkgs.bloop ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/development/distccd.nix b/nixpkgs/nixos/modules/services/development/distccd.nix new file mode 100644 index 000000000000..c33bf436bffb --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/distccd.nix @@ -0,0 +1,148 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.distccd; +in +{ + options = { + services.distccd = { + enable = mkEnableOption (lib.mdDoc "distccd"); + + allowedClients = mkOption { + type = types.listOf types.str; + default = [ "127.0.0.1" ]; + example = [ "127.0.0.1" "192.168.0.0/24" "10.0.0.0/24" ]; + description = lib.mdDoc '' + Client IPs which are allowed to connect to distccd in CIDR notation. + + Anyone who can connect to the distccd server can run arbitrary + commands on that system as the distcc user, therefore you should use + this judiciously. + ''; + }; + + jobTimeout = mkOption { + type = types.nullOr types.int; + default = null; + description = lib.mdDoc '' + Maximum duration, in seconds, of a single compilation request. + ''; + }; + + logLevel = mkOption { + type = types.nullOr (types.enum [ "critical" "error" "warning" "notice" "info" "debug" ]); + default = "warning"; + description = lib.mdDoc '' + Set the minimum severity of error that will be included in the log + file. Useful if you only want to see error messages rather than an + entry for each connection. + ''; + }; + + maxJobs = mkOption { + type = types.nullOr types.int; + default = null; + description = lib.mdDoc '' + Maximum number of tasks distccd should execute at any time. + ''; + }; + + + nice = mkOption { + type = types.nullOr types.int; + default = null; + description = lib.mdDoc '' + Niceness of the compilation tasks. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Opens the specified TCP port for distcc. + ''; + }; + + package = mkPackageOption pkgs "distcc" { }; + + port = mkOption { + type = types.port; + default = 3632; + description = lib.mdDoc '' + The TCP port which distccd will listen on. + ''; + }; + + stats = { + enable = mkEnableOption (lib.mdDoc "statistics reporting via HTTP server"); + port = mkOption { + type = types.port; + default = 3633; + description = lib.mdDoc '' + The TCP port which the distccd statistics HTTP server will listen + on. + ''; + }; + }; + + zeroconf = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to register via mDNS/DNS-SD + ''; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ] + ++ optionals cfg.stats.enable [ cfg.stats.port ]; + }; + + systemd.services.distccd = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + description = "Distributed C, C++ and Objective-C compiler"; + documentation = [ "man:distccd(1)" ]; + + serviceConfig = { + User = "distcc"; + Group = "distcc"; + # FIXME: I'd love to get rid of `--enable-tcp-insecure` here, but I'm + # not sure how I'm supposed to get distccd to "accept" running a binary + # (the compiler) that's outside of /usr/lib. + ExecStart = pkgs.writeShellScript "start-distccd" '' + export PATH="${pkgs.distccMasquerade}/bin" + ${cfg.package}/bin/distccd \ + --no-detach \ + --daemon \ + --enable-tcp-insecure \ + --port ${toString cfg.port} \ + ${optionalString (cfg.jobTimeout != null) "--job-lifetime ${toString cfg.jobTimeout}"} \ + ${optionalString (cfg.logLevel != null) "--log-level ${cfg.logLevel}"} \ + ${optionalString (cfg.maxJobs != null) "--jobs ${toString cfg.maxJobs}"} \ + ${optionalString (cfg.nice != null) "--nice ${toString cfg.nice}"} \ + ${optionalString cfg.stats.enable "--stats"} \ + ${optionalString cfg.stats.enable "--stats-port ${toString cfg.stats.port}"} \ + ${optionalString cfg.zeroconf "--zeroconf"} \ + ${concatMapStrings (c: "--allow ${c} ") cfg.allowedClients} + ''; + }; + }; + + users = { + groups.distcc.gid = config.ids.gids.distcc; + users.distcc = { + description = "distccd user"; + group = "distcc"; + uid = config.ids.uids.distcc; + }; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/development/gemstash.nix b/nixpkgs/nixos/modules/services/development/gemstash.nix new file mode 100644 index 000000000000..eb7ccb98bde8 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/gemstash.nix @@ -0,0 +1,103 @@ +{ lib, pkgs, config, ... }: +with lib; + +let + settingsFormat = pkgs.formats.yaml { }; + + # gemstash uses a yaml config where the keys are ruby symbols, + # which means they start with ':'. This would be annoying to use + # on the nix side, so we rewrite plain names instead. + prefixColon = s: listToAttrs (map + (attrName: { + name = ":${attrName}"; + value = + if isAttrs s.${attrName} + then prefixColon s."${attrName}" + else s."${attrName}"; + }) + (attrNames s)); + + # parse the port number out of the tcp://ip:port bind setting string + parseBindPort = bind: strings.toInt (last (strings.splitString ":" bind)); + + cfg = config.services.gemstash; +in +{ + options.services.gemstash = { + enable = mkEnableOption (lib.mdDoc "gemstash service"); + + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to open the firewall for the port in {option}`services.gemstash.bind`. + ''; + }; + + settings = mkOption { + default = {}; + description = lib.mdDoc '' + Configuration for Gemstash. The details can be found at in + [gemstash documentation](https://github.com/rubygems/gemstash/blob/master/man/gemstash-configuration.5.md). + Each key set here is automatically prefixed with ":" to match the gemstash expectations. + ''; + type = types.submodule { + freeformType = settingsFormat.type; + options = { + base_path = mkOption { + type = types.path; + default = "/var/lib/gemstash"; + description = lib.mdDoc "Path to store the gem files and the sqlite database. If left unchanged, the directory will be created."; + }; + bind = mkOption { + type = types.str; + default = "tcp://0.0.0.0:9292"; + description = lib.mdDoc "Host and port combination for the server to listen on."; + }; + db_adapter = mkOption { + type = types.nullOr (types.enum [ "sqlite3" "postgres" "mysql" "mysql2" ]); + default = null; + description = lib.mdDoc "Which database type to use. For choices other than sqlite3, the dbUrl has to be specified as well."; + }; + db_url = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc "The database to connect to when using postgres, mysql, or mysql2."; + }; + }; + }; + }; + }; + + config = + mkIf cfg.enable { + users = { + users.gemstash = { + group = "gemstash"; + isSystemUser = true; + }; + groups.gemstash = { }; + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ (parseBindPort cfg.settings.bind) ]; + + systemd.services.gemstash = { + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + serviceConfig = mkMerge [ + { + ExecStart = "${pkgs.gemstash}/bin/gemstash start --no-daemonize --config-file ${settingsFormat.generate "gemstash.yaml" (prefixColon cfg.settings)}"; + NoNewPrivileges = true; + User = "gemstash"; + Group = "gemstash"; + PrivateTmp = true; + RestrictSUIDSGID = true; + LockPersonality = true; + } + (mkIf (cfg.settings.base_path == "/var/lib/gemstash") { + StateDirectory = "gemstash"; + }) + ]; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/development/hoogle.nix b/nixpkgs/nixos/modules/services/development/hoogle.nix new file mode 100644 index 000000000000..88dd01fd8aab --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/hoogle.nix @@ -0,0 +1,81 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.hoogle; + + hoogleEnv = pkgs.buildEnv { + name = "hoogle"; + paths = [ (cfg.haskellPackages.ghcWithHoogle cfg.packages) ]; + }; + +in { + + options.services.hoogle = { + enable = mkEnableOption (lib.mdDoc "Haskell documentation server"); + + port = mkOption { + type = types.port; + default = 8080; + description = lib.mdDoc '' + Port number Hoogle will be listening to. + ''; + }; + + packages = mkOption { + type = types.functionTo (types.listOf types.package); + default = hp: []; + defaultText = literalExpression "hp: []"; + example = literalExpression "hp: with hp; [ text lens ]"; + description = lib.mdDoc '' + The Haskell packages to generate documentation for. + + The option value is a function that takes the package set specified in + the {var}`haskellPackages` option as its sole parameter and + returns a list of packages. + ''; + }; + + haskellPackages = mkOption { + description = lib.mdDoc "Which haskell package set to use."; + type = types.attrs; + default = pkgs.haskellPackages; + defaultText = literalExpression "pkgs.haskellPackages"; + }; + + home = mkOption { + type = types.str; + description = lib.mdDoc "Url for hoogle logo"; + default = "https://hoogle.haskell.org"; + }; + + host = mkOption { + type = types.str; + description = lib.mdDoc "Set the host to bind on."; + default = "127.0.0.1"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.hoogle = { + description = "Haskell documentation server"; + + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "always"; + ExecStart = ''${hoogleEnv}/bin/hoogle server --local --port ${toString cfg.port} --home ${cfg.home} --host ${cfg.host}''; + + DynamicUser = true; + + ProtectHome = true; + + RuntimeDirectory = "hoogle"; + WorkingDirectory = "%t/hoogle"; + }; + }; + }; + +} diff --git a/nixpkgs/nixos/modules/services/development/jupyter/default.nix b/nixpkgs/nixos/modules/services/development/jupyter/default.nix new file mode 100644 index 000000000000..da8c7547fdd7 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/jupyter/default.nix @@ -0,0 +1,199 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.jupyter; + + package = cfg.package; + + kernels = (pkgs.jupyter-kernel.create { + definitions = if cfg.kernels != null + then cfg.kernels + else pkgs.jupyter-kernel.default; + }); + + notebookConfig = pkgs.writeText "jupyter_config.py" '' + ${cfg.notebookConfig} + + c.NotebookApp.password = ${cfg.password} + ''; + +in { + meta.maintainers = with maintainers; [ aborsu ]; + + options.services.jupyter = { + enable = mkEnableOption (lib.mdDoc "Jupyter development server"); + + ip = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc '' + IP address Jupyter will be listening on. + ''; + }; + + # NOTE: We don't use top-level jupyter because we don't + # want to pass in JUPYTER_PATH but use .environment instead, + # saving a rebuild. + package = mkPackageOption pkgs [ "python3" "pkgs" "notebook" ] { }; + + command = mkOption { + type = types.str; + default = "jupyter-notebook"; + example = "jupyter-lab"; + description = lib.mdDoc '' + Which command the service runs. Note that not all jupyter packages + have all commands, e.g. jupyter-lab isn't present in the default package. + ''; + }; + + port = mkOption { + type = types.port; + default = 8888; + description = lib.mdDoc '' + Port number Jupyter will be listening on. + ''; + }; + + notebookDir = mkOption { + type = types.str; + default = "~/"; + description = lib.mdDoc '' + Root directory for notebooks. + ''; + }; + + user = mkOption { + type = types.str; + default = "jupyter"; + description = lib.mdDoc '' + Name of the user used to run the jupyter service. + For security reason, jupyter should really not be run as root. + If not set (jupyter), the service will create a jupyter user with appropriate settings. + ''; + example = "aborsu"; + }; + + group = mkOption { + type = types.str; + default = "jupyter"; + description = lib.mdDoc '' + Name of the group used to run the jupyter service. + Use this if you want to create a group of users that are able to view the notebook directory's content. + ''; + example = "users"; + }; + + password = mkOption { + type = types.str; + description = lib.mdDoc '' + Password to use with notebook. + Can be generated using: + In [1]: from notebook.auth import passwd + In [2]: passwd('test') + Out[2]: 'sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba' + NOTE: you need to keep the single quote inside the nix string. + Or you can use a python oneliner: + "open('/path/secret_file', 'r', encoding='utf8').read().strip()" + It will be interpreted at the end of the notebookConfig. + ''; + example = "'sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba'"; + }; + + notebookConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Raw jupyter config. + ''; + }; + + kernels = mkOption { + type = types.nullOr (types.attrsOf(types.submodule (import ./kernel-options.nix { + inherit lib pkgs; + }))); + + default = null; + example = literalExpression '' + { + python3 = let + env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ + ipykernel + pandas + scikit-learn + ])); + in { + displayName = "Python 3 for machine learning"; + argv = [ + "''${env.interpreter}" + "-m" + "ipykernel_launcher" + "-f" + "{connection_file}" + ]; + language = "python"; + logo32 = "''${env.sitePackages}/ipykernel/resources/logo-32x32.png"; + logo64 = "''${env.sitePackages}/ipykernel/resources/logo-64x64.png"; + extraPaths = { + "cool.txt" = pkgs.writeText "cool" "cool content"; + }; + }; + } + ''; + description = lib.mdDoc '' + Declarative kernel config. + + Kernels can be declared in any language that supports and has the required + dependencies to communicate with a jupyter server. + In python's case, it means that ipykernel package must always be included in + the list of packages of the targeted environment. + ''; + }; + }; + + config = mkMerge [ + (mkIf cfg.enable { + systemd.services.jupyter = { + description = "Jupyter development server"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + # TODO: Patch notebook so we can explicitly pass in a shell + path = [ pkgs.bash ]; # needed for sh in cell magic to work + + environment = { + JUPYTER_PATH = toString kernels; + }; + + serviceConfig = { + Restart = "always"; + ExecStart = ''${package}/bin/${cfg.command} \ + --no-browser \ + --ip=${cfg.ip} \ + --port=${toString cfg.port} --port-retries 0 \ + --notebook-dir=${cfg.notebookDir} \ + --NotebookApp.config_file=${notebookConfig} + ''; + User = cfg.user; + Group = cfg.group; + WorkingDirectory = "~"; + }; + }; + }) + (mkIf (cfg.enable && (cfg.group == "jupyter")) { + users.groups.jupyter = {}; + }) + (mkIf (cfg.enable && (cfg.user == "jupyter")) { + users.extraUsers.jupyter = { + extraGroups = [ cfg.group ]; + home = "/var/lib/jupyter"; + createHome = true; + isSystemUser = true; + useDefaultShell = true; # needed so that the user can start a terminal. + }; + }) + ]; +} diff --git a/nixpkgs/nixos/modules/services/development/jupyter/kernel-options.nix b/nixpkgs/nixos/modules/services/development/jupyter/kernel-options.nix new file mode 100644 index 000000000000..6e406152de47 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/jupyter/kernel-options.nix @@ -0,0 +1,80 @@ +# Options that can be used for creating a jupyter kernel. +{ lib, pkgs }: + +with lib; + +{ + freeformType = (pkgs.formats.json { }).type; + + options = { + + displayName = mkOption { + type = types.str; + default = ""; + example = literalExpression '' + "Python 3" + "Python 3 for Data Science" + ''; + description = lib.mdDoc '' + Name that will be shown to the user. + ''; + }; + + argv = mkOption { + type = types.listOf types.str; + example = [ + "{customEnv.interpreter}" + "-m" + "ipykernel_launcher" + "-f" + "{connection_file}" + ]; + description = lib.mdDoc '' + Command and arguments to start the kernel. + ''; + }; + + language = mkOption { + type = types.str; + example = "python"; + description = lib.mdDoc '' + Language of the environment. Typically the name of the binary. + ''; + }; + + env = mkOption { + type = types.attrsOf types.str; + default = { }; + example = { OMP_NUM_THREADS = "1"; }; + description = lib.mdDoc '' + Environment variables to set for the kernel. + ''; + }; + + logo32 = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression ''"''${env.sitePackages}/ipykernel/resources/logo-32x32.png"''; + description = lib.mdDoc '' + Path to 32x32 logo png. + ''; + }; + logo64 = mkOption { + type = types.nullOr types.path; + default = null; + example = literalExpression ''"''${env.sitePackages}/ipykernel/resources/logo-64x64.png"''; + description = lib.mdDoc '' + Path to 64x64 logo png. + ''; + }; + + extraPaths = mkOption { + type = types.attrsOf types.path; + default = { }; + example = literalExpression ''"{ examples = ''${env.sitePack}/IRkernel/kernelspec/kernel.js"; }''; + description = lib.mdDoc '' + Extra paths to link in kernel directory + ''; + }; + }; +} diff --git a/nixpkgs/nixos/modules/services/development/jupyterhub/default.nix b/nixpkgs/nixos/modules/services/development/jupyterhub/default.nix new file mode 100644 index 000000000000..cebc35a50476 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/jupyterhub/default.nix @@ -0,0 +1,202 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.jupyterhub; + + kernels = (pkgs.jupyter-kernel.create { + definitions = if cfg.kernels != null + then cfg.kernels + else pkgs.jupyter-kernel.default; + }); + + jupyterhubConfig = pkgs.writeText "jupyterhub_config.py" '' + c.JupyterHub.bind_url = "http://${cfg.host}:${toString cfg.port}" + + c.JupyterHub.authenticator_class = "${cfg.authentication}" + c.JupyterHub.spawner_class = "${cfg.spawner}" + + c.SystemdSpawner.default_url = '/lab' + c.SystemdSpawner.cmd = "${cfg.jupyterlabEnv}/bin/jupyterhub-singleuser" + c.SystemdSpawner.environment = { + 'JUPYTER_PATH': '${kernels}' + } + + ${cfg.extraConfig} + ''; +in { + meta.maintainers = with maintainers; [ costrouc ]; + + options.services.jupyterhub = { + enable = mkEnableOption (lib.mdDoc "Jupyterhub development server"); + + authentication = mkOption { + type = types.str; + default = "jupyterhub.auth.PAMAuthenticator"; + description = lib.mdDoc '' + Jupyterhub authentication to use + + There are many authenticators available including: oauth, pam, + ldap, kerberos, etc. + ''; + }; + + spawner = mkOption { + type = types.str; + default = "systemdspawner.SystemdSpawner"; + description = lib.mdDoc '' + Jupyterhub spawner to use + + There are many spawners available including: local process, + systemd, docker, kubernetes, yarn, batch, etc. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + description = lib.mdDoc '' + Extra contents appended to the jupyterhub configuration + + Jupyterhub configuration is a normal python file using + Traitlets. https://jupyterhub.readthedocs.io/en/stable/getting-started/config-basics.html. The + base configuration of this module was designed to have sane + defaults for configuration but you can override anything since + this is a python file. + ''; + example = '' + c.SystemdSpawner.mem_limit = '8G' + c.SystemdSpawner.cpu_limit = 2.0 + ''; + }; + + jupyterhubEnv = mkOption { + type = types.package; + default = pkgs.python3.withPackages (p: with p; [ + jupyterhub + jupyterhub-systemdspawner + ]); + defaultText = literalExpression '' + pkgs.python3.withPackages (p: with p; [ + jupyterhub + jupyterhub-systemdspawner + ]) + ''; + description = lib.mdDoc '' + Python environment to run jupyterhub + + Customizing will affect the packages available in the hub and + proxy. This will allow packages to be available for the + extraConfig that you may need. This will not normally need to + be changed. + ''; + }; + + jupyterlabEnv = mkOption { + type = types.package; + default = pkgs.python3.withPackages (p: with p; [ + jupyterhub + jupyterlab + ]); + defaultText = literalExpression '' + pkgs.python3.withPackages (p: with p; [ + jupyterhub + jupyterlab + ]) + ''; + description = lib.mdDoc '' + Python environment to run jupyterlab + + Customizing will affect the packages available in the + jupyterlab server and the default kernel provided. This is the + way to customize the jupyterlab extensions and jupyter + notebook extensions. This will not normally need to + be changed. + ''; + }; + + kernels = mkOption { + type = types.nullOr (types.attrsOf(types.submodule (import ../jupyter/kernel-options.nix { + inherit lib pkgs; + }))); + + default = null; + example = literalExpression '' + { + python3 = let + env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ + ipykernel + pandas + scikit-learn + ])); + in { + displayName = "Python 3 for machine learning"; + argv = [ + "''${env.interpreter}" + "-m" + "ipykernel_launcher" + "-f" + "{connection_file}" + ]; + language = "python"; + logo32 = "''${env}/''${env.sitePackages}/ipykernel/resources/logo-32x32.png"; + logo64 = "''${env}/''${env.sitePackages}/ipykernel/resources/logo-64x64.png"; + }; + } + ''; + description = lib.mdDoc '' + Declarative kernel config + + Kernels can be declared in any language that supports and has + the required dependencies to communicate with a jupyter server. + In python's case, it means that ipykernel package must always be + included in the list of packages of the targeted environment. + ''; + }; + + port = mkOption { + type = types.port; + default = 8000; + description = lib.mdDoc '' + Port number Jupyterhub will be listening on + ''; + }; + + host = mkOption { + type = types.str; + default = "0.0.0.0"; + description = lib.mdDoc '' + Bind IP JupyterHub will be listening on + ''; + }; + + stateDirectory = mkOption { + type = types.str; + default = "jupyterhub"; + description = lib.mdDoc '' + Directory for jupyterhub state (token + database) + ''; + }; + }; + + config = mkMerge [ + (mkIf cfg.enable { + systemd.services.jupyterhub = { + description = "Jupyterhub development server"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Restart = "always"; + ExecStart = "${cfg.jupyterhubEnv}/bin/jupyterhub --config ${jupyterhubConfig}"; + User = "root"; + StateDirectory = cfg.stateDirectory; + WorkingDirectory = "/var/lib/${cfg.stateDirectory}"; + }; + }; + }) + ]; +} diff --git a/nixpkgs/nixos/modules/services/development/livebook.md b/nixpkgs/nixos/modules/services/development/livebook.md new file mode 100644 index 000000000000..5012e977a4f7 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/livebook.md @@ -0,0 +1,50 @@ +# Livebook {#module-services-livebook} + +[Livebook](https://livebook.dev/) is a web application for writing +interactive and collaborative code notebooks. + +## Basic Usage {#module-services-livebook-basic-usage} + +Enabling the `livebook` service creates a user +[`systemd`](https://www.freedesktop.org/wiki/Software/systemd/) unit +which runs the server. + +``` +{ ... }: + +{ + services.livebook = { + enableUserService = true; + port = 20123; + # See note below about security + environmentFile = pkgs.writeText "livebook.env" '' + LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + ''; + }; +} +``` + +::: {.note} + +The Livebook server has the ability to run any command as the user it +is running under, so securing access to it with a password is highly +recommended. + +Putting the password in the Nix configuration like above is an easy +way to get started but it is not recommended in the real world because +the `livebook.env` file will be added to the world-readable Nix store. +A better approach would be to put the password in some secure +user-readable location and set `environmentFile = /home/user/secure/livebook.env`. + +::: + +### Extra dependencies {#module-services-livebook-extra-dependencies} + +By default, the Livebook service is run with minimum dependencies, but +some features require additional packages. For example, the machine +learning Kinos require `gcc` and `gnumake`. To add these, use +`extraPackages`: + +``` +services.livebook.extraPackages = with pkgs; [ gcc gnumake ]; +``` diff --git a/nixpkgs/nixos/modules/services/development/livebook.nix b/nixpkgs/nixos/modules/services/development/livebook.nix new file mode 100644 index 000000000000..75729ff28efa --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/livebook.nix @@ -0,0 +1,101 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.services.livebook; +in +{ + options.services.livebook = { + # Since livebook doesn't have a granular permission system (a user + # either has access to all the data or none at all), the decision + # was made to run this as a user service. If that changes in the + # future, this can be changed to a system service. + enableUserService = mkEnableOption "a user service for Livebook"; + + package = mkPackageOption pkgs "livebook" { }; + + environmentFile = mkOption { + type = types.path; + description = lib.mdDoc '' + Environment file as defined in {manpage}`systemd.exec(5)` passed to the service. + + This must contain at least `LIVEBOOK_PASSWORD` or + `LIVEBOOK_TOKEN_ENABLED=false`. See `livebook server --help` + for other options.''; + }; + + erlang_node_short_name = mkOption { + type = with types; nullOr str; + default = null; + example = "livebook"; + description = "A short name for the distributed node."; + }; + + erlang_node_name = mkOption { + type = with types; nullOr str; + default = null; + example = "livebook@127.0.0.1"; + description = "The name for the app distributed node."; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = "The port to start the web application on."; + }; + + address = mkOption { + type = types.str; + default = "127.0.0.1"; + description = lib.mdDoc '' + The address to start the web application on. Must be a valid IPv4 or + IPv6 address. + ''; + }; + + options = mkOption { + type = with types; attrsOf str; + default = { }; + description = lib.mdDoc '' + Additional options to pass as command-line arguments to the server. + ''; + example = literalExpression '' + { + cookie = "a value shared by all nodes in this cluster"; + } + ''; + }; + + extraPackages = mkOption { + type = with types; listOf package; + default = [ ]; + description = lib.mdDoc '' + Extra packages to make available to the Livebook service. + ''; + example = literalExpression "with pkgs; [ gcc gnumake ]"; + }; + }; + + config = mkIf cfg.enableUserService { + systemd.user.services.livebook = { + serviceConfig = { + Restart = "always"; + EnvironmentFile = cfg.environmentFile; + ExecStart = + let + args = lib.cli.toGNUCommandLineShell { } ({ + inherit (cfg) port; + ip = cfg.address; + name = cfg.erlang_node_name; + sname = cfg.erlang_node_short_name; + } // cfg.options); + in + "${cfg.package}/bin/livebook server ${args}"; + }; + path = [ pkgs.bash ] ++ cfg.extraPackages; + wantedBy = [ "default.target" ]; + }; + }; + + meta.doc = ./livebook.md; +} diff --git a/nixpkgs/nixos/modules/services/development/lorri.nix b/nixpkgs/nixos/modules/services/development/lorri.nix new file mode 100644 index 000000000000..74f56f5890fc --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/lorri.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.services.lorri; + socketPath = "lorri/daemon.socket"; +in { + options = { + services.lorri = { + enable = lib.mkOption { + default = false; + type = lib.types.bool; + description = lib.mdDoc '' + Enables the daemon for `lorri`, a nix-shell replacement for project + development. The socket-activated daemon starts on the first request + issued by the `lorri` command. + ''; + }; + package = lib.mkOption { + default = pkgs.lorri; + type = lib.types.package; + description = lib.mdDoc '' + The lorri package to use. + ''; + defaultText = lib.literalExpression "pkgs.lorri"; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.user.sockets.lorri = { + description = "Socket for Lorri Daemon"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = "%t/${socketPath}"; + RuntimeDirectory = "lorri"; + }; + }; + + systemd.user.services.lorri = { + description = "Lorri Daemon"; + requires = [ "lorri.socket" ]; + after = [ "lorri.socket" ]; + path = with pkgs; [ config.nix.package git gnutar gzip ]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/lorri daemon"; + PrivateTmp = true; + ProtectSystem = "strict"; + ProtectHome = "read-only"; + Restart = "on-failure"; + }; + }; + + environment.systemPackages = [ cfg.package pkgs.direnv ]; + }; +} diff --git a/nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix b/nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix new file mode 100644 index 000000000000..daf85153d339 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix @@ -0,0 +1,105 @@ +{ pkgs, lib, config, ... }: +let + cfg = config.services.nixseparatedebuginfod; + url = "127.0.0.1:${toString cfg.port}"; +in +{ + options = { + services.nixseparatedebuginfod = { + enable = lib.mkEnableOption "separatedebuginfod, a debuginfod server providing source and debuginfo for nix packages"; + port = lib.mkOption { + description = "port to listen"; + default = 1949; + type = lib.types.port; + }; + nixPackage = lib.mkOption { + type = lib.types.package; + default = pkgs.nix; + defaultText = lib.literalExpression "pkgs.nix"; + description = '' + The version of nix that nixseparatedebuginfod should use as client for the nix daemon. It is strongly advised to use nix version >= 2.18, otherwise some debug info may go missing. + ''; + }; + allowOldNix = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Do not fail evaluation when {option}`services.nixseparatedebuginfod.nixPackage` is older than nix 2.18. + ''; + }; + }; + }; + config = lib.mkIf cfg.enable { + assertions = [ { + assertion = cfg.allowOldNix || (lib.versionAtLeast cfg.nixPackage.version "2.18"); + message = "nixseparatedebuginfod works better when `services.nixseparatedebuginfod.nixPackage` is set to nix >= 2.18 (instead of ${cfg.nixPackage.name}). Set `services.nixseparatedebuginfod.allowOldNix` to bypass."; + } ]; + + systemd.services.nixseparatedebuginfod = { + wantedBy = [ "multi-user.target" ]; + wants = [ "nix-daemon.service" ]; + after = [ "nix-daemon.service" ]; + path = [ cfg.nixPackage ]; + serviceConfig = { + ExecStart = [ "${pkgs.nixseparatedebuginfod}/bin/nixseparatedebuginfod -l ${url}" ]; + Restart = "on-failure"; + CacheDirectory = "nixseparatedebuginfod"; + # nix does not like DynamicUsers in allowed-users + User = "nixseparatedebuginfod"; + Group = "nixseparatedebuginfod"; + + # hardening + # Filesystem stuff + ProtectSystem = "strict"; # Prevent writing to most of / + ProtectHome = true; # Prevent accessing /home and /root + PrivateTmp = true; # Give an own directory under /tmp + PrivateDevices = true; # Deny access to most of /dev + ProtectKernelTunables = true; # Protect some parts of /sys + ProtectControlGroups = true; # Remount cgroups read-only + RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files + PrivateMounts = true; # Give an own mount namespace + RemoveIPC = true; + UMask = "0077"; + + # Capabilities + CapabilityBoundingSet = ""; # Allow no capabilities at all + NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options. + + # Kernel stuff + ProtectKernelModules = true; # Prevent loading of kernel modules + SystemCallArchitectures = "native"; # Usually no need to disable this + ProtectKernelLogs = true; # Prevent access to kernel logs + ProtectClock = true; # Prevent setting the RTC + + # Networking + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; + + # Misc + LockPersonality = true; # Prevent change of the personality + ProtectHostname = true; # Give an own UTS namespace + RestrictRealtime = true; # Prevent switching to RT scheduling + MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python + RestrictNamespaces = true; + }; + }; + + users.users.nixseparatedebuginfod = { + isSystemUser = true; + group = "nixseparatedebuginfod"; + }; + + users.groups.nixseparatedebuginfod = { }; + + nix.settings.extra-allowed-users = [ "nixseparatedebuginfod" ]; + + environment.variables.DEBUGINFOD_URLS = "http://${url}"; + + environment.systemPackages = [ + # valgrind support requires debuginfod-find on PATH + (lib.getBin pkgs.elfutils) + ]; + + environment.etc."gdb/gdbinit.d/nixseparatedebuginfod.gdb".text = "set debuginfod enabled on"; + + }; +} diff --git a/nixpkgs/nixos/modules/services/development/rstudio-server/default.nix b/nixpkgs/nixos/modules/services/development/rstudio-server/default.nix new file mode 100644 index 000000000000..fc3756edf0ab --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/rstudio-server/default.nix @@ -0,0 +1,101 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.services.rstudio-server; + + rserver-conf = builtins.toFile "rserver.conf" '' + server-working-dir=${cfg.serverWorkingDir} + www-address=${cfg.listenAddr} + ${cfg.rserverExtraConfig} + ''; + + rsession-conf = builtins.toFile "rsession.conf" '' + ${cfg.rsessionExtraConfig} + ''; + +in +{ + meta.maintainers = with maintainers; [ jbedo cfhammill ]; + + options.services.rstudio-server = { + enable = mkEnableOption (lib.mdDoc "RStudio server"); + + serverWorkingDir = mkOption { + type = types.str; + default = "/var/lib/rstudio-server"; + description = lib.mdDoc '' + Default working directory for server (server-working-dir in rserver.conf). + ''; + }; + + listenAddr = mkOption { + type = types.str; + default = "127.0.0.1"; + description = lib.mdDoc '' + Address to listen on (www-address in rserver.conf). + ''; + }; + + package = mkPackageOption pkgs "rstudio-server" { + example = "rstudioServerWrapper.override { packages = [ pkgs.rPackages.ggplot2 ]; }"; + }; + + rserverExtraConfig = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc '' + Extra contents for rserver.conf. + ''; + }; + + rsessionExtraConfig = mkOption { + type = types.str; + default = ""; + description = lib.mdDoc '' + Extra contents for resssion.conf. + ''; + }; + + }; + + config = mkIf cfg.enable + { + systemd.services.rstudio-server = { + description = "Rstudio server"; + + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ rserver-conf rsession-conf ]; + + serviceConfig = { + Restart = "on-failure"; + Type = "forking"; + ExecStart = "${cfg.package}/bin/rserver"; + StateDirectory = "rstudio-server"; + RuntimeDirectory = "rstudio-server"; + }; + }; + + environment.etc = { + "rstudio/rserver.conf".source = rserver-conf; + "rstudio/rsession.conf".source = rsession-conf; + "pam.d/rstudio".source = "/etc/pam.d/login"; + }; + environment.systemPackages = [ cfg.package ]; + + users = { + users.rstudio-server = { + uid = config.ids.uids.rstudio-server; + description = "rstudio-server"; + group = "rstudio-server"; + }; + groups.rstudio-server = { + gid = config.ids.gids.rstudio-server; + }; + }; + + }; +} diff --git a/nixpkgs/nixos/modules/services/development/zammad.nix b/nixpkgs/nixos/modules/services/development/zammad.nix new file mode 100644 index 000000000000..c084d6541ad3 --- /dev/null +++ b/nixpkgs/nixos/modules/services/development/zammad.nix @@ -0,0 +1,361 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.zammad; + settingsFormat = pkgs.formats.yaml { }; + filterNull = filterAttrs (_: v: v != null); + serviceConfig = { + Type = "simple"; + Restart = "always"; + + User = "zammad"; + Group = "zammad"; + PrivateTmp = true; + StateDirectory = "zammad"; + WorkingDirectory = cfg.dataDir; + }; + environment = { + RAILS_ENV = "production"; + NODE_ENV = "production"; + RAILS_SERVE_STATIC_FILES = "true"; + RAILS_LOG_TO_STDOUT = "true"; + REDIS_URL = "redis://${cfg.redis.host}:${toString cfg.redis.port}"; + }; + databaseConfig = settingsFormat.generate "database.yml" cfg.database.settings; +in +{ + + options = { + services.zammad = { + enable = mkEnableOption (lib.mdDoc "Zammad, a web-based, open source user support/ticketing solution"); + + package = mkPackageOption pkgs "zammad" { }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/zammad"; + description = lib.mdDoc '' + Path to a folder that will contain Zammad working directory. + ''; + }; + + host = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "192.168.23.42"; + description = lib.mdDoc "Host address."; + }; + + openPorts = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Whether to open firewall ports for Zammad"; + }; + + port = mkOption { + type = types.port; + default = 3000; + description = lib.mdDoc "Web service port."; + }; + + websocketPort = mkOption { + type = types.port; + default = 6042; + description = lib.mdDoc "Websocket service port."; + }; + + redis = { + createLocally = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Whether to create a local redis automatically."; + }; + + name = mkOption { + type = types.str; + default = "zammad"; + description = lib.mdDoc '' + Name of the redis server. Only used if `createLocally` is set to true. + ''; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = lib.mdDoc '' + Redis server address. + ''; + }; + + port = mkOption { + type = types.port; + default = 6379; + description = lib.mdDoc "Port of the redis server."; + }; + }; + + database = { + type = mkOption { + type = types.enum [ "PostgreSQL" "MySQL" ]; + default = "PostgreSQL"; + example = "MySQL"; + description = lib.mdDoc "Database engine to use."; + }; + + host = mkOption { + type = types.nullOr types.str; + default = { + PostgreSQL = "/run/postgresql"; + MySQL = "localhost"; + }.${cfg.database.type}; + defaultText = literalExpression '' + { + PostgreSQL = "/run/postgresql"; + MySQL = "localhost"; + }.''${config.services.zammad.database.type}; + ''; + description = lib.mdDoc '' + Database host address. + ''; + }; + + port = mkOption { + type = types.nullOr types.port; + default = null; + description = lib.mdDoc "Database port. Use `null` for default port."; + }; + + name = mkOption { + type = types.str; + default = "zammad"; + description = lib.mdDoc '' + Database name. + ''; + }; + + user = mkOption { + type = types.nullOr types.str; + default = "zammad"; + description = lib.mdDoc "Database user."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/zammad-dbpassword"; + description = lib.mdDoc '' + A file containing the password for {option}`services.zammad.database.user`. + ''; + }; + + createLocally = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Whether to create a local database automatically."; + }; + + settings = mkOption { + type = settingsFormat.type; + default = { }; + example = literalExpression '' + { + } + ''; + description = lib.mdDoc '' + The {file}`database.yml` configuration file as key value set. + See \<TODO\> + for list of configuration parameters. + ''; + }; + }; + + secretKeyBaseFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/secret_key_base"; + description = lib.mdDoc '' + The path to a file containing the + `secret_key_base` secret. + + Zammad uses `secret_key_base` to encrypt + the cookie store, which contains session data, and to digest + user auth tokens. + + Needs to be a 64 byte long string of hexadecimal + characters. You can generate one by running + + ``` + openssl rand -hex 64 >/path/to/secret_key_base_file + ``` + + This should be a string, not a nix path, since nix paths are + copied into the world-readable nix store. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + + services.zammad.database.settings = { + production = mapAttrs (_: v: mkDefault v) (filterNull { + adapter = { + PostgreSQL = "postgresql"; + MySQL = "mysql2"; + }.${cfg.database.type}; + database = cfg.database.name; + pool = 50; + timeout = 5000; + encoding = "utf8"; + username = cfg.database.user; + host = cfg.database.host; + port = cfg.database.port; + }); + }; + + networking.firewall.allowedTCPPorts = mkIf cfg.openPorts [ + config.services.zammad.port + config.services.zammad.websocketPort + ]; + + users.users.zammad = { + isSystemUser = true; + home = cfg.dataDir; + group = "zammad"; + }; + + users.groups.zammad = { }; + + assertions = [ + { + assertion = cfg.database.createLocally -> cfg.database.user == "zammad" && cfg.database.name == "zammad"; + message = "services.zammad.database.user must be set to \"zammad\" if services.zammad.database.createLocally is set to true"; + } + { + assertion = cfg.database.createLocally -> cfg.database.passwordFile == null; + message = "a password cannot be specified if services.zammad.database.createLocally is set to true"; + } + { + assertion = cfg.redis.createLocally -> cfg.redis.host == "localhost"; + message = "the redis host must be localhost if services.zammad.redis.createLocally is set to true"; + } + ]; + + services.mysql = optionalAttrs (cfg.database.createLocally && cfg.database.type == "MySQL") { + enable = true; + package = mkDefault pkgs.mariadb; + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { + name = cfg.database.user; + ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; }; + } + ]; + }; + + services.postgresql = optionalAttrs (cfg.database.createLocally && cfg.database.type == "PostgreSQL") { + enable = true; + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { + name = cfg.database.user; + ensureDBOwnership = true; + } + ]; + }; + + services.redis = optionalAttrs cfg.redis.createLocally { + servers."${cfg.redis.name}" = { + enable = true; + port = cfg.redis.port; + }; + }; + + systemd.services.zammad-web = { + inherit environment; + serviceConfig = serviceConfig // { + # loading all the gems takes time + TimeoutStartSec = 1200; + }; + after = [ + "network.target" + "postgresql.service" + ] ++ optionals cfg.redis.createLocally [ + "redis-${cfg.redis.name}.service" + ]; + requires = [ + "postgresql.service" + ]; + description = "Zammad web"; + wantedBy = [ "multi-user.target" ]; + preStart = '' + # Blindly copy the whole project here. + chmod -R +w . + rm -rf ./public/assets/ + rm -rf ./tmp/* + rm -rf ./log/* + cp -r --no-preserve=owner ${cfg.package}/* . + chmod -R +w . + # config file + cp ${databaseConfig} ./config/database.yml + chmod -R +w . + ${optionalString (cfg.database.passwordFile != null) '' + { + echo -n " password: " + cat ${cfg.database.passwordFile} + } >> ./config/database.yml + ''} + ${optionalString (cfg.secretKeyBaseFile != null) '' + { + echo "production: " + echo -n " secret_key_base: " + cat ${cfg.secretKeyBaseFile} + } > ./config/secrets.yml + ''} + + if [ `${config.services.postgresql.package}/bin/psql \ + --host ${cfg.database.host} \ + ${optionalString + (cfg.database.port != null) + "--port ${toString cfg.database.port}"} \ + --username ${cfg.database.user} \ + --dbname ${cfg.database.name} \ + --command "SELECT COUNT(*) FROM pg_class c \ + JOIN pg_namespace s ON s.oid = c.relnamespace \ + WHERE s.nspname NOT IN ('pg_catalog', 'pg_toast', 'information_schema') \ + AND s.nspname NOT LIKE 'pg_temp%';" | sed -n 3p` -eq 0 ]; then + echo "Initialize database" + ./bin/rake --no-system db:migrate + ./bin/rake --no-system db:seed + else + echo "Migrate database" + ./bin/rake --no-system db:migrate + fi + echo "Done" + ''; + script = "./script/rails server -b ${cfg.host} -p ${toString cfg.port}"; + }; + + systemd.services.zammad-websocket = { + inherit serviceConfig environment; + after = [ "zammad-web.service" ]; + requires = [ "zammad-web.service" ]; + description = "Zammad websocket"; + wantedBy = [ "multi-user.target" ]; + script = "./script/websocket-server.rb -b ${cfg.host} -p ${toString cfg.websocketPort} start"; + }; + + systemd.services.zammad-worker = { + inherit serviceConfig environment; + after = [ "zammad-web.service" ]; + requires = [ "zammad-web.service" ]; + description = "Zammad background worker"; + wantedBy = [ "multi-user.target" ]; + script = "./script/background-worker.rb start"; + }; + }; + + meta.maintainers = with lib.maintainers; [ taeer netali ]; +} |