Commit 087c83f4 authored by Tomas Antonio Lopez's avatar Tomas Antonio Lopez Committed by Anderson Torres

nixos/sourcehut: reformat expressions using nixpkgs-fmt

parent e3521620
+320 −288
@@ -19,11 +19,14 @@ let
  cfg = config.services.sourcehut;
  configIni = configIniOfService srv;
  srvCfg = cfg.${srv};
  baseService = serviceName: { allowStripe ? false }: extraService: let
  baseService = serviceName: { allowStripe ? false }: extraService:
    let
      runDir = "/run/sourcehut/${serviceName}";
      rootDir = "/run/sourcehut/chroots/${serviceName}";
    in
    mkMerge [ extraService {
    mkMerge [
      extraService
      {
        after = [ "network.target" ] ++
          optional cfg.postgresql.enable "postgresql.service" ++
          optional cfg.redis.enable "redis-sourcehut-${srvsrht}.service";
@@ -69,13 +72,15 @@ let
          # Hence this one is run as root (the +) with RootDirectoryStartOnly=
          # to reach credentials wherever they are.
          # Note that each systemd service gets its own ${runDir}/config.ini file.
      ExecStartPre = mkBefore [("+"+pkgs.writeShellScript "${serviceName}-credentials" ''
          ExecStartPre = mkBefore [
            ("+" + pkgs.writeShellScript "${serviceName}-credentials" ''
              set -x
              # Replace values beginning with a '<' by the content of the file whose name is after.
              gawk '{ if (match($0,/^([^=]+=)<(.+)/,m)) { getline f < m[2]; print m[1] f } else print $0 }' ${configIni} |
              ${optionalString (!allowStripe) "gawk '!/^stripe-secret-key=/' |"}
              install -o ${srvCfg.user} -g root -m 400 /dev/stdin ${runDir}/config.ini
      '')];
            '')
          ];
          # The following options are only for optimizing:
          # systemd-analyze security
          AmbientCapabilities = "";
@@ -108,12 +113,18 @@ let
          #SocketBindDeny = "any";
          SystemCallFilter = [
            "@system-service"
        "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@timer"
        "@chown" "@setuid"
            "~@aio"
            "~@keyring"
            "~@memlock"
            "~@privileged"
            "~@timer"
            "@chown"
            "@setuid"
          ];
          SystemCallArchitectures = "native";
        };
  } ];
      }
    ];
in
{
  options.services.sourcehut.${srv} = {
@@ -192,7 +203,9 @@ in
    };
  };

  config = lib.mkIf (cfg.enable && srvCfg.enable) (mkMerge [ extraConfig {
  config = lib.mkIf (cfg.enable && srvCfg.enable) (mkMerge [
    extraConfig
    {
      users = {
        users = {
          "${srvCfg.user}" = {
@@ -203,11 +216,15 @@ in
        };
        groups = {
          "${srvCfg.group}" = { };
      } // optionalAttrs (cfg.postgresql.enable
        && hasSuffix "0" (postgresql.settings.unix_socket_permissions or "")) {
        } // optionalAttrs
          (cfg.postgresql.enable
            && hasSuffix "0" (postgresql.settings.unix_socket_permissions or ""))
          {
            "postgres".members = [ srvCfg.user ];
      } // optionalAttrs (cfg.redis.enable
        && hasSuffix "0" (redis.settings.unixsocketperm or "")) {
          } // optionalAttrs
          (cfg.redis.enable
            && hasSuffix "0" (redis.settings.unixsocketperm or ""))
          {
            "redis-sourcehut-${srvsrht}".members = [ srvCfg.user ];
          };
      };
@@ -239,7 +256,8 @@ in
              add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
            '';
          };
      } cfg.nginx.virtualHost ];
        }
          cfg.nginx.virtualHost];
      };

      services.postgresql = mkIf cfg.postgresql.enable {
@@ -247,7 +265,8 @@ in
          local ${srvCfg.postgresql.database} ${srvCfg.user} trust
        '';
        ensureDatabases = [ srvCfg.postgresql.database ];
      ensureUsers = map (name: {
        ensureUsers = map
          (name: {
            inherit name;
            # We don't use it because we have a special default database name with dots.
            # TODO(for maintainers of sourcehut): migrate away from custom preStart script.
@@ -298,10 +317,12 @@ in
                StateDirectoryMode = "2750";
                ExecStart = "${cfg.python}/bin/gunicorn ${srvsrht}.app:app --name ${srvsrht} --bind ${cfg.listenAddress}:${toString srvCfg.port} " + concatStringsSep " " srvCfg.gunicorn.extraArgs;
              };
          preStart = let
              preStart =
                let
                  version = pkgs.sourcehut.${srvsrht}.version;
                  stateDir = "/var/lib/sourcehut/${srvsrht}";
            in mkBefore ''
                in
                mkBefore ''
                  set -x
                  # Use the /run/sourcehut/${srvsrht}/config.ini
                  # installed by a previous ExecStartPre= in baseService
@@ -330,7 +351,9 @@ in
                    touch ${stateDir}/webhook
                  fi
                '';
        } mainService ]);
            }
            mainService
          ]);
        }

        (mkIf webhooks {
@@ -354,7 +377,8 @@ in
            };
        })

      (mapAttrs (timerName: timer: (baseService timerName {} (mkMerge [
        (mapAttrs
          (timerName: timer: (baseService timerName { } (mkMerge [
            {
              description = "sourcehut ${timerName} service";
              after = [ "network.target" "${srvsrht}.service" ];
@@ -364,9 +388,11 @@ in
              };
            }
            (timer.service or { })
      ]))) extraTimers)
          ])))
          extraTimers)

      (mapAttrs (serviceName: extraService: baseService serviceName {} (mkMerge [
        (mapAttrs
          (serviceName: extraService: baseService serviceName { } (mkMerge [
            {
              description = "sourcehut ${serviceName} service";
              # So that extraServices have the PostgreSQL database initialized.
@@ -379,17 +405,20 @@ in
              };
            }
            extraService
      ])) extraServices)
          ]))
          extraServices)

        # Work around 'pq: permission denied for schema public' with postgres v15.
        # See https://github.com/NixOS/nixpkgs/issues/216989
        # Workaround taken from nixos/forgejo: https://github.com/NixOS/nixpkgs/pull/262741
        # TODO(to maintainers of sourcehut): please migrate away from this workaround
        # by migrating away from database name defaults with dots.
      (lib.mkIf (
        (lib.mkIf
          (
            cfg.postgresql.enable
            && lib.strings.versionAtLeast config.services.postgresql.package.version "15.0"
        ) {
          )
          {
            postgresql.postStart = (lib.mkAfter ''
              $PSQL -tAc 'ALTER DATABASE "${srvCfg.postgresql.database}" OWNER TO "${srvCfg.user}";'
            '');
@@ -397,11 +426,14 @@ in
        )
      ];

    systemd.timers = mapAttrs (timerName: timer:
      systemd.timers = mapAttrs
        (timerName: timer:
          {
            description = "sourcehut timer for ${timerName}";
            wantedBy = [ "timers.target" ];
            inherit (timer) timerConfig;
      }) extraTimers;
  } ]);
          })
        extraTimers;
    }
  ]);
}