nixos/modules/services/misc/blenderfarm.nix

   1 {
   2   config,
   3   lib,
   4   pkgs,
   5   ...
   6 }:
   7 let
   8   cfg = config.services.blendfarm;
   9   json = pkgs.formats.json { };
  10   configFile = json.generate "ServerSettings" (defaultConfig // cfg.serverConfig);
  11   defaultConfig = {
  12     Port = 15000;
  13     BroadcastPort = 16342;
  14     BypassScriptUpdate = false;
  15     BasicSecurityPassword = null;
  16   };
  17 in
  18 {
  19   meta.maintainers = with lib.maintainers; [ gador ];
  20
  21   options.services.blendfarm = with lib.types; {
  22     enable = lib.mkEnableOption "Blendfarm, a render farm management software for Blender";
  23     package = lib.mkPackageOption pkgs "blendfarm" { };
  24     openFirewall = lib.mkEnableOption "allowing blendfarm network access through the firewall";
  25
  26     user = lib.mkOption {
  27       description = "User under which blendfarm runs.";
  28       default = "blendfarm";
  29       type = str;
  30     };
  31
  32     group = lib.mkOption {
  33       description = "Group under which blendfarm runs.";
  34       default = "blendfarm";
  35       type = str;
  36     };
  37
  38     basicSecurityPasswordFile = lib.mkOption {
  39       description = ''
  40         Path to the password file the client needs to connect to the server.
  41               The password must not contain a forward slash.'';
  42       default = null;
  43       type = nullOr str;
  44     };
  45
  46     blenderPackage = lib.mkPackageOption pkgs "blender" { };
  47
  48     serverConfig = lib.mkOption {
  49       description = "Server configuration";
  50       default = defaultConfig;
  51       type = submodule {
  52         freeformType = attrsOf anything;
  53         options = {
  54           Port = lib.mkOption {
  55             description = "Default port blendfarm server listens on.";
  56             default = 15000;
  57             type = types.port;
  58           };
  59           BroadcastPort = lib.mkOption {
  60             description = "Default port blendfarm server advertises itself on.";
  61             default = 16342;
  62             type = types.port;
  63           };
  64
  65           BypassScriptUpdate = lib.mkOption {
  66             description = "Prevents blendfarm from replacing the .py self-generated scripts.";
  67             default = false;
  68             type = bool;
  69           };
  70         };
  71       };
  72     };
  73   };
  74
  75   config = lib.mkIf cfg.enable {
  76     environment.systemPackages = [ cfg.package ];
  77     networking.firewall = lib.optionalAttrs (cfg.openFirewall) {
  78       allowedTCPPorts = [ cfg.serverConfig.Port ];
  79       allowedUDPPorts = [ cfg.serverConfig.BroadcastPort ];
  80     };
  81
  82     systemd.services.blendfarm-server = {
  83       wantedBy = [ "multi-user.target" ];
  84       after = [ "network-online.target" ];
  85       wants = [ "network-online.target" ];
  86       description = "blendfarm server";
  87       path = [ cfg.blenderPackage ];
  88       preStart =
  89         ''
  90           rm -f ServerSettings
  91           install -m640 ${configFile} ServerSettings
  92           if [ ! -d "BlenderData/nix-blender-linux64" ]; then
  93             mkdir -p BlenderData/nix-blender-linux64
  94             echo "nix-blender" > VersionCustom
  95           fi
  96           rm -f BlenderData/nix-blender-linux64/blender
  97           ln -s ${lib.getExe cfg.blenderPackage} BlenderData/nix-blender-linux64/blender
  98         ''
  99         + lib.optionalString (cfg.basicSecurityPasswordFile != null) ''
 100           BLENDFARM_PASSWORD=$(${pkgs.systemd}/bin/systemd-creds cat BLENDFARM_PASS_FILE)
 101           sed -i "s/null/\"$BLENDFARM_PASSWORD\"/g" ServerSettings
 102         '';
 103       serviceConfig = {
 104         ExecStart = "${cfg.package}/bin/LogicReinc.BlendFarm.Server";
 105         DynamicUser = true;
 106         LogsDirectory = "blendfarm";
 107         StateDirectory = "blendfarm";
 108         WorkingDirectory = "/var/lib/blendfarm";
 109         User = cfg.user;
 110         Group = cfg.group;
 111         StateDirectoryMode = "0755";
 112         LoadCredential = lib.optional (
 113           cfg.basicSecurityPasswordFile != null
 114         ) "BLENDFARM_PASS_FILE:${cfg.basicSecurityPasswordFile}";
 115         ReadWritePaths = "";
 116         CapabilityBoundingSet = "";
 117         RestrictAddressFamilies = [
 118           "AF_UNIX"
 119           "AF_INET"
 120           "AF_INET6"
 121         ];
 122         RestrictNamespaces = true;
 123         PrivateDevices = true;
 124         PrivateUsers = true;
 125         ProtectClock = true;
 126         ProtectControlGroups = true;
 127         ProtectHome = true;
 128         ProtectKernelLogs = true;
 129         ProtectKernelModules = true;
 130         ProtectKernelTunables = true;
 131         SystemCallArchitectures = "native";
 132         SystemCallFilter = [
 133           "@system-service"
 134           "~@privileged"
 135           "@chown"
 136         ];
 137         RestrictRealtime = true;
 138         LockPersonality = true;
 139         UMask = "0066";
 140         ProtectHostname = true;
 141       };
 142     };
 143
 144     users.users.blendfarm = {
 145       isSystemUser = true;
 146       group = "blendfarm";
 147     };
 148     users.groups.blendfarm = { };
 149   };
 150 }