| blob | 1c903d280378efd85a7248e71ea45b825614de40 |
1 { config, pkgs, lib, ... }:
3 with lib;
4 let
5 cfg = config.services.tandoor-recipes;
6 pkg = cfg.package;
8 # SECRET_KEY through an env file
9 env = {
10 GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}";
11 DEBUG = "0";
12 DEBUG_TOOLBAR = "0";
13 MEDIA_ROOT = "/var/lib/tandoor-recipes";
14 } // optionalAttrs (config.time.timeZone != null) {
15 TZ = config.time.timeZone;
16 } // (
17 lib.mapAttrs (_: toString) cfg.extraConfig
18 );
20 manage = pkgs.writeShellScript "manage" ''
21 set -o allexport # Export the following env vars
22 ${lib.toShellVars env}
23 eval "$(${config.systemd.package}/bin/systemctl show -pUID,GID,MainPID tandoor-recipes.service)"
24 exec ${pkgs.util-linux}/bin/nsenter \
25 -t $MainPID -m -S $UID -G $GID --wdns=${env.MEDIA_ROOT} \
26 ${pkg}/bin/tandoor-recipes "$@"
27 '';
28 in
29 {
30 meta.maintainers = with maintainers; [ ambroisie ];
32 options.services.tandoor-recipes = {
33 enable = mkOption {
34 type = lib.types.bool;
35 default = false;
36 description = ''
37 Enable Tandoor Recipes.
39 When started, the Tandoor Recipes database is automatically created if
40 it doesn't exist and updated if the package has changed. Both tasks are
41 achieved by running a Django migration.
43 A script to manage the instance (by wrapping Django's manage.py) is linked to
44 `/var/lib/tandoor-recipes/tandoor-recipes-manage`.
45 '';
46 };
48 address = mkOption {
49 type = types.str;
50 default = "localhost";
51 description = "Web interface address.";
52 };
54 port = mkOption {
55 type = types.port;
56 default = 8080;
57 description = "Web interface port.";
58 };
60 extraConfig = mkOption {
61 type = types.attrs;
62 default = { };
63 description = ''
64 Extra tandoor recipes config options.
66 See [the example dot-env file](https://raw.githubusercontent.com/vabene1111/recipes/master/.env.template)
67 for available options.
68 '';
69 example = {
70 ENABLE_SIGNUP = "1";
71 };
72 };
74 package = mkPackageOption pkgs "tandoor-recipes" { };
75 };
77 config = mkIf cfg.enable {
78 systemd.services.tandoor-recipes = {
79 description = "Tandoor Recipes server";
81 serviceConfig = {
82 ExecStart = ''
83 ${pkg.python.pkgs.gunicorn}/bin/gunicorn recipes.wsgi
84 '';
85 Restart = "on-failure";
87 User = "tandoor_recipes";
88 Group = "tandoor_recipes";
89 DynamicUser = true;
90 StateDirectory = "tandoor-recipes";
91 WorkingDirectory = env.MEDIA_ROOT;
92 RuntimeDirectory = "tandoor-recipes";
94 BindReadOnlyPaths = [
95 "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
96 builtins.storeDir
97 "-/etc/resolv.conf"
98 "-/etc/nsswitch.conf"
99 "-/etc/hosts"
100 "-/etc/localtime"
101 "-/run/postgresql"
102 ];
103 CapabilityBoundingSet = "";
104 LockPersonality = true;
105 MemoryDenyWriteExecute = true;
106 PrivateDevices = true;
107 PrivateUsers = true;
108 ProtectClock = true;
109 ProtectControlGroups = true;
110 ProtectHome = true;
111 ProtectHostname = true;
112 ProtectKernelLogs = true;
113 ProtectKernelModules = true;
114 ProtectKernelTunables = true;
115 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
116 RestrictNamespaces = true;
117 RestrictRealtime = true;
118 SystemCallArchitectures = "native";
119 # gunicorn needs setuid
120 SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ];
121 UMask = "0066";
122 } // lib.optionalAttrs (cfg.port < 1024) {
123 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
124 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
125 };
127 wantedBy = [ "multi-user.target" ];
129 preStart = ''
130 ln -sf ${manage} tandoor-recipes-manage
132 # Let django migrate the DB as needed
133 ${pkg}/bin/tandoor-recipes migrate
134 '';
136 environment = env // {
137 PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/tandoor-recipes";
138 };
139 };
140 };
141 }