-
-
Notifications
You must be signed in to change notification settings - Fork 14.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
6ad8520
commit 352e7ab
Showing
2 changed files
with
134 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| { | ||
| config, | ||
| lib, | ||
| pkgs, | ||
| ... | ||
| }: | ||
| let | ||
| cfg = config.services.fastapi-dls; | ||
| stateDir = "/var/lib/fastapi-dls"; | ||
| dls_privkey = "${stateDir}/instance.private.pem"; | ||
| dls_pubkey = "${stateDir}/instance.public.pem"; | ||
| https_privkey = "${stateDir}/webserver.key"; | ||
| https_cert = "${stateDir}/webserver.crt"; | ||
| in | ||
| { | ||
| ##### interface | ||
| options = { | ||
| services.fastapi-dls = { | ||
| enable = lib.mkEnableOption "fastapi-dls"; | ||
|
|
||
| package = lib.mkOption { | ||
| type = lib.types.package; | ||
| default = pkgs.fastapi-dls; | ||
| defaultText = lib.literalExpression "pkgs.fastapi-dls"; | ||
| description = "Which package to use for the fastapi-dls daemon."; | ||
| }; | ||
|
|
||
| listenAddress = lib.mkOption { | ||
| type = lib.types.str; | ||
| default = "127.0.0.1"; | ||
| description = "The IP address on which `fastapi-dls` listens."; | ||
| }; | ||
|
|
||
| listenPort = lib.mkOption { | ||
| type = lib.types.port; | ||
| default = 443; | ||
| description = "The port on which `fastapi-dls` listens."; | ||
| }; | ||
|
|
||
| dlsAddress = lib.mkOption { | ||
| type = lib.types.str; | ||
| default = cfg.listenAddress; | ||
| defaultText = lib.literalExpression "services.fastapi-dls.listenAddress"; | ||
| description = '' | ||
| The HTTPS domain name that DLS clients should connect to. | ||
| Useful when you put `fastapi-dls` behind a reverse proxy. | ||
| ''; | ||
| }; | ||
|
|
||
| dlsPort = lib.mkOption { | ||
| type = lib.types.port; | ||
| default = cfg.listenPort; | ||
| defaultText = lib.literalExpression "services.fastapi-dls.listenPort"; | ||
| description = "The port that DLS clients should connect to."; | ||
| }; | ||
|
|
||
| openFirewall = lib.mkEnableOption "opening the firewall for `fastapi-dls`"; | ||
| }; | ||
| }; | ||
|
|
||
| ##### implementation | ||
| config = | ||
| let | ||
| envFile = pkgs.writeText "fastapi-dls.env" '' | ||
| # Toggle debug mode | ||
| #DEBUG=false | ||
| # Where the client can find the DLS server | ||
| DLS_URL=${cfg.dlsAddress} | ||
| DLS_PORT=${builtins.toString cfg.dlsPort} | ||
| # CORS configuration | ||
| ## comma separated list without spaces | ||
| #CORS_ORIGINS="https://${cfg.dlsAddress}:${builtins.toString cfg.dlsPort}" | ||
| # Lease expiration in days | ||
| LEASE_EXPIRE_DAYS=90 | ||
| LEASE_RENEWAL_PERIOD=0.2 | ||
| # Database location | ||
| ## https://docs.sqlalchemy.org/en/14/core/engines.html | ||
| DATABASE=sqlite:///${stateDir}/db.sqlite | ||
| # UUIDs for identifying the instance | ||
| #SITE_KEY_XID="00000000-0000-0000-0000-000000000000" | ||
| #INSTANCE_REF="10000000-0000-0000-0000-000000000001" | ||
| #ALLOTMENT_REF="20000000-0000-0000-0000-000000000001" | ||
| # Site-wide signing keys | ||
| INSTANCE_KEY_RSA=${dls_privkey} | ||
| INSTANCE_KEY_PUB=${dls_pubkey} | ||
| ''; | ||
| in | ||
| lib.mkIf cfg.enable { | ||
| networking.firewall = lib.mkIf cfg.openFirewall { | ||
| allowedTCPPorts = [ cfg.listenPort ]; | ||
| }; | ||
|
|
||
| systemd.services.fastapi-dls = { | ||
| description = "fastapi-dls daemon"; | ||
| wantedBy = [ "multi-user.target" ]; | ||
| wants = [ "network-online.target" ]; | ||
| after = [ "network-online.target" ]; | ||
| preStart = '' | ||
| if [ ! -f "${dls_privkey}" ]; then | ||
| ${pkgs.openssl}/bin/openssl genrsa -out "${dls_privkey}" 2048 | ||
| fi | ||
| if [ ! -f "${dls_pubkey}" ]; then | ||
| ${pkgs.openssl}/bin/openssl rsa -in "${dls_privkey}" -outform PEM -pubout -out "${dls_pubkey}" | ||
| fi | ||
| if [ ! -f "${https_privkey}" ] || [ ! -f "${https_cert}" ]; then | ||
| ${pkgs.openssl}/bin/openssl req -x509 -nodes \ | ||
| -days 3650 -newkey rsa:2048 -subj "/CN=fastapi-dls" \ | ||
| -keyout "${https_privkey}" -out "${https_cert}" | ||
| fi | ||
| ''; | ||
| script = '' | ||
| ${lib.getExe cfg.package} \ | ||
| --env-file ${envFile} \ | ||
| --host ${cfg.listenAddress} \ | ||
| --port ${builtins.toString cfg.listenPort} \ | ||
| --ssl-keyfile ${https_privkey} \ | ||
| --ssl-certfile ${https_cert} | ||
| ''; | ||
| serviceConfig = { | ||
| DynamicUser = true; | ||
| StateDirectory = builtins.baseNameOf stateDir; | ||
| }; | ||
| }; | ||
| }; | ||
|
|
||
| meta.maintainers = with lib.maintainers; [ makisekurisu ]; | ||
| } |