| blob | 70d07629493b632497fefe75390c9ccff0718473 |
1 { config, lib, pkgs, ... }:
3 with lib;
4 let
5 gunicorn = pkgs.python3Packages.gunicorn;
6 bepasty = pkgs.bepasty;
7 gevent = pkgs.python3Packages.gevent;
8 python = pkgs.python3Packages.python;
9 cfg = config.services.bepasty;
10 user = "bepasty";
11 group = "bepasty";
12 default_home = "/var/lib/bepasty";
13 in
14 {
15 options.services.bepasty = {
16 enable = mkEnableOption (lib.mdDoc "Bepasty servers");
18 servers = mkOption {
19 default = {};
20 description = lib.mdDoc ''
21 configure a number of bepasty servers which will be started with
22 gunicorn.
23 '';
24 type = with types ; attrsOf (submodule ({ config, ... } : {
26 options = {
28 bind = mkOption {
29 type = types.str;
30 description = lib.mdDoc ''
31 Bind address to be used for this server.
32 '';
33 example = "0.0.0.0:8000";
34 default = "127.0.0.1:8000";
35 };
37 dataDir = mkOption {
38 type = types.str;
39 description = lib.mdDoc ''
40 Path to the directory where the pastes will be saved to
41 '';
42 default = default_home+"/data";
43 };
45 defaultPermissions = mkOption {
46 type = types.str;
47 description = lib.mdDoc ''
48 default permissions for all unauthenticated accesses.
49 '';
50 example = "read,create,delete";
51 default = "read";
52 };
54 extraConfig = mkOption {
55 type = types.lines;
56 description = lib.mdDoc ''
57 Extra configuration for bepasty server to be appended on the
58 configuration.
59 see https://bepasty-server.readthedocs.org/en/latest/quickstart.html#configuring-bepasty
60 for all options.
61 '';
62 default = "";
63 example = ''
64 PERMISSIONS = {
65 'myadminsecret': 'admin,list,create,read,delete',
66 }
67 MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
68 '';
69 };
71 secretKey = mkOption {
72 type = types.str;
73 description = lib.mdDoc ''
74 server secret for safe session cookies, must be set.
76 Warning: this secret is stored in the WORLD-READABLE Nix store!
78 It's recommended to use {option}`secretKeyFile`
79 which takes precedence over {option}`secretKey`.
80 '';
81 default = "";
82 };
84 secretKeyFile = mkOption {
85 type = types.nullOr types.str;
86 default = null;
87 description = lib.mdDoc ''
88 A file that contains the server secret for safe session cookies, must be set.
90 {option}`secretKeyFile` takes precedence over {option}`secretKey`.
92 Warning: when {option}`secretKey` is non-empty {option}`secretKeyFile`
93 defaults to a file in the WORLD-READABLE Nix store containing that secret.
94 '';
95 };
97 workDir = mkOption {
98 type = types.str;
99 description = lib.mdDoc ''
100 Path to the working directory (used for config and pidfile).
101 Defaults to the users home directory.
102 '';
103 default = default_home;
104 };
106 };
107 config = {
108 secretKeyFile = mkDefault (
109 if config.secretKey != ""
110 then toString (pkgs.writeTextFile {
111 name = "bepasty-secret-key";
112 text = config.secretKey;
113 })
114 else null
115 );
116 };
117 }));
118 };
119 };
121 config = mkIf cfg.enable {
123 environment.systemPackages = [ bepasty ];
125 # creates gunicorn systemd service for each configured server
126 systemd.services = mapAttrs' (name: server:
127 nameValuePair ("bepasty-server-${name}-gunicorn")
128 ({
129 description = "Bepasty Server ${name}";
130 wantedBy = [ "multi-user.target" ];
131 after = [ "network.target" ];
132 restartIfChanged = true;
134 environment = let
135 penv = python.buildEnv.override {
136 extraLibs = [ bepasty gevent ];
137 };
138 in {
139 BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
140 PYTHONPATH= "${penv}/${python.sitePackages}/";
141 };
143 serviceConfig = {
144 Type = "simple";
145 PrivateTmp = true;
146 ExecStartPre = assert server.secretKeyFile != null; pkgs.writeScript "bepasty-server.${name}-init" ''
147 #!/bin/sh
148 mkdir -p "${server.workDir}"
149 mkdir -p "${server.dataDir}"
150 chown ${user}:${group} "${server.workDir}" "${server.dataDir}"
151 cat > ${server.workDir}/bepasty-${name}.conf <<EOF
152 SITENAME="${name}"
153 STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
154 SECRET_KEY="$(cat "${server.secretKeyFile}")"
155 DEFAULT_PERMISSIONS="${server.defaultPermissions}"
156 ${server.extraConfig}
157 EOF
158 '';
159 ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
160 -u ${user} \
161 -g ${group} \
162 --workers 3 --log-level=info \
163 --bind=${server.bind} \
164 --pid ${server.workDir}/gunicorn-${name}.pid \
165 -k gevent
166 '';
167 };
168 })
169 ) cfg.servers;
171 users.users.${user} =
172 { uid = config.ids.uids.bepasty;
173 group = group;
174 home = default_home;
175 };
177 users.groups.${group}.gid = config.ids.gids.bepasty;
178 };
179 }