| blob | 76e85a91317c23420e0e60fe926a0443dc08952c |
1 { config, lib, pkgs, ... }:
2 let
3 gunicorn = pkgs.python3Packages.gunicorn;
4 bepasty = pkgs.bepasty;
5 gevent = pkgs.python3Packages.gevent;
6 python = pkgs.python3Packages.python;
7 cfg = config.services.bepasty;
8 user = "bepasty";
9 group = "bepasty";
10 default_home = "/var/lib/bepasty";
11 in
12 {
13 options.services.bepasty = {
14 enable = lib.mkEnableOption "bepasty, a binary pastebin server";
16 servers = lib.mkOption {
17 default = {};
18 description = ''
19 configure a number of bepasty servers which will be started with
20 gunicorn.
21 '';
22 type = with lib.types ; attrsOf (submodule ({ config, ... } : {
24 options = {
26 bind = lib.mkOption {
27 type = lib.types.str;
28 description = ''
29 Bind address to be used for this server.
30 '';
31 example = "0.0.0.0:8000";
32 default = "127.0.0.1:8000";
33 };
35 dataDir = lib.mkOption {
36 type = lib.types.str;
37 description = ''
38 Path to the directory where the pastes will be saved to
39 '';
40 default = default_home+"/data";
41 };
43 defaultPermissions = lib.mkOption {
44 type = lib.types.str;
45 description = ''
46 default permissions for all unauthenticated accesses.
47 '';
48 example = "read,create,delete";
49 default = "read";
50 };
52 extraConfig = lib.mkOption {
53 type = lib.types.lines;
54 description = ''
55 Extra configuration for bepasty server to be appended on the
56 configuration.
57 see https://bepasty-server.readthedocs.org/en/latest/quickstart.html#configuring-bepasty
58 for all options.
59 '';
60 default = "";
61 example = ''
62 PERMISSIONS = {
63 'myadminsecret': 'admin,list,create,read,delete',
64 }
65 MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
66 '';
67 };
69 secretKey = lib.mkOption {
70 type = lib.types.str;
71 description = ''
72 server secret for safe session cookies, must be set.
74 Warning: this secret is stored in the WORLD-READABLE Nix store!
76 It's recommended to use {option}`secretKeyFile`
77 which takes precedence over {option}`secretKey`.
78 '';
79 default = "";
80 };
82 secretKeyFile = lib.mkOption {
83 type = lib.types.nullOr lib.types.str;
84 default = null;
85 description = ''
86 A file that contains the server secret for safe session cookies, must be set.
88 {option}`secretKeyFile` takes precedence over {option}`secretKey`.
90 Warning: when {option}`secretKey` is non-empty {option}`secretKeyFile`
91 defaults to a file in the WORLD-READABLE Nix store containing that secret.
92 '';
93 };
95 workDir = lib.mkOption {
96 type = lib.types.str;
97 description = ''
98 Path to the working directory (used for config and pidfile).
99 Defaults to the users home directory.
100 '';
101 default = default_home;
102 };
104 };
105 config = {
106 secretKeyFile = lib.mkDefault (
107 if config.secretKey != ""
108 then toString (pkgs.writeTextFile {
109 name = "bepasty-secret-key";
110 text = config.secretKey;
111 })
112 else null
113 );
114 };
115 }));
116 };
117 };
119 config = lib.mkIf cfg.enable {
121 environment.systemPackages = [ bepasty ];
123 # creates gunicorn systemd service for each configured server
124 systemd.services = lib.mapAttrs' (name: server:
125 lib.nameValuePair ("bepasty-server-${name}-gunicorn")
126 ({
127 description = "Bepasty Server ${name}";
128 wantedBy = [ "multi-user.target" ];
129 after = [ "network.target" ];
130 restartIfChanged = true;
132 environment = let
133 penv = python.buildEnv.override {
134 extraLibs = [ bepasty gevent ];
135 };
136 in {
137 BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
138 PYTHONPATH= "${penv}/${python.sitePackages}/";
139 };
141 serviceConfig = {
142 Type = "simple";
143 PrivateTmp = true;
144 ExecStartPre = assert server.secretKeyFile != null; pkgs.writeScript "bepasty-server.${name}-init" ''
145 #!/bin/sh
146 mkdir -p "${server.workDir}"
147 mkdir -p "${server.dataDir}"
148 chown ${user}:${group} "${server.workDir}" "${server.dataDir}"
149 cat > ${server.workDir}/bepasty-${name}.conf <<EOF
150 SITENAME="${name}"
151 STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
152 SECRET_KEY="$(cat "${server.secretKeyFile}")"
153 DEFAULT_PERMISSIONS="${server.defaultPermissions}"
154 ${server.extraConfig}
155 EOF
156 '';
157 ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
158 -u ${user} \
159 -g ${group} \
160 --workers 3 --log-level=info \
161 --bind=${server.bind} \
162 --pid ${server.workDir}/gunicorn-${name}.pid \
163 -k gevent
164 '';
165 };
166 })
167 ) cfg.servers;
169 users.users.${user} =
170 { uid = config.ids.uids.bepasty;
171 group = group;
172 home = default_home;
173 };
175 users.groups.${group}.gid = config.ids.gids.bepasty;
176 };
177 }