nixos/tandoor-recipes: init module
This commit is contained in:
parent
6a1359e4a2
commit
d8b1d34806
4 changed files with 154 additions and 0 deletions
|
@ -194,6 +194,13 @@
|
|||
<link linkend="opt-services.komga.enable">services.komga</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://tandoor.dev">Tandoor Recipes</link>,
|
||||
a self-hosted multi-tenant recipe collection. Available as
|
||||
<link xlink:href="options.html#opt-services.tandoor-recipes.enable">services.tandoor-recipes</link>.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
<link xlink:href="https://hbase.apache.org/">HBase
|
||||
|
|
|
@ -72,6 +72,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- [Komga](https://komga.org/), a free and open source comics/mangas media server. Available as [services.komga](#opt-services.komga.enable).
|
||||
|
||||
- [Tandoor Recipes](https://tandoor.dev), a self-hosted multi-tenant recipe collection. Available as [services.tandoor-recipes](options.html#opt-services.tandoor-recipes.enable).
|
||||
|
||||
- [HBase cluster](https://hbase.apache.org/), a distributed, scalable, big data store. Available as [services.hadoop.hbase](options.html#opt-services.hadoop.hbase.enable).
|
||||
|
||||
- [Sachet](https://github.com/messagebird/sachet/), an SMS alerting tool for the Prometheus Alertmanager. Available as [services.prometheus.sachet](#opt-services.prometheus.sachet.enable).
|
||||
|
|
|
@ -653,6 +653,7 @@
|
|||
./services/misc/svnserve.nix
|
||||
./services/misc/synergy.nix
|
||||
./services/misc/sysprof.nix
|
||||
./services/misc/tandoor-recipes.nix
|
||||
./services/misc/taskserver
|
||||
./services/misc/tiddlywiki.nix
|
||||
./services/misc/tp-auto-kbbl.nix
|
||||
|
|
144
nixos/modules/services/misc/tandoor-recipes.nix
Normal file
144
nixos/modules/services/misc/tandoor-recipes.nix
Normal file
|
@ -0,0 +1,144 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.services.tandoor-recipes;
|
||||
pkg = cfg.package;
|
||||
|
||||
# SECRET_KEY through an env file
|
||||
env = {
|
||||
GUNICORN_CMD_ARGS = "--bind=${cfg.address}:${toString cfg.port}";
|
||||
DEBUG = "0";
|
||||
MEDIA_ROOT = "/var/lib/tandoor-recipes";
|
||||
} // optionalAttrs (config.time.timeZone != null) {
|
||||
TIMEZONE = config.time.timeZone;
|
||||
} // (
|
||||
lib.mapAttrs (_: toString) cfg.extraConfig
|
||||
);
|
||||
|
||||
manage =
|
||||
let
|
||||
setupEnv = lib.concatStringsSep "\n" (mapAttrsToList (name: val: "export ${name}=\"${val}\"") env);
|
||||
in
|
||||
pkgs.writeShellScript "manage" ''
|
||||
${setupEnv}
|
||||
exec ${pkg}/bin/tandoor-recipes "$@"
|
||||
'';
|
||||
in
|
||||
{
|
||||
meta.maintainers = with maintainers; [ ambroisie ];
|
||||
|
||||
options.services.tandoor-recipes = {
|
||||
enable = mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = lib.mdDoc ''
|
||||
Enable Tandoor Recipes.
|
||||
|
||||
When started, the Tandoor Recipes database is automatically created if
|
||||
it doesn't exist and updated if the package has changed. Both tasks are
|
||||
achieved by running a Django migration.
|
||||
|
||||
A script to manage the instance (by wrapping Django's manage.py) is linked to
|
||||
`/var/lib/tandoor-recipes/tandoor-recipes-manage`.
|
||||
'';
|
||||
};
|
||||
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
default = "localhost";
|
||||
description = lib.mdDoc "Web interface address.";
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 8080;
|
||||
description = lib.mdDoc "Web interface port.";
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.attrs;
|
||||
default = { };
|
||||
description = lib.mdDoc ''
|
||||
Extra tandoor recipes config options.
|
||||
|
||||
See [the example dot-env file](https://raw.githubusercontent.com/vabene1111/recipes/master/.env.template)
|
||||
for available options.
|
||||
'';
|
||||
example = {
|
||||
ENABLE_SIGNUP = "1";
|
||||
};
|
||||
};
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.tandoor-recipes;
|
||||
defaultText = literalExpression "pkgs.tandoor-recipes";
|
||||
description = lib.mdDoc "The Tandoor Recipes package to use.";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.tandoor-recipes = {
|
||||
description = "Tandoor Recipes server";
|
||||
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${pkg.python.pkgs.gunicorn}/bin/gunicorn recipes.wsgi
|
||||
'';
|
||||
Restart = "on-failure";
|
||||
|
||||
User = "tandoor_recipes";
|
||||
DynamicUser = true;
|
||||
StateDirectory = "tandoor-recipes";
|
||||
WorkingDirectory = "/var/lib/tandoor-recipes";
|
||||
RuntimeDirectory = "tandoor-recipes";
|
||||
|
||||
BindReadOnlyPaths = [
|
||||
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
|
||||
builtins.storeDir
|
||||
"-/etc/resolv.conf"
|
||||
"-/etc/nsswitch.conf"
|
||||
"-/etc/hosts"
|
||||
"-/etc/localtime"
|
||||
"-/run/postgresql"
|
||||
];
|
||||
CapabilityBoundingSet = "";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
SystemCallArchitectures = "native";
|
||||
# gunicorn needs setuid
|
||||
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ];
|
||||
UMask = "0066";
|
||||
} // lib.optionalAttrs (cfg.port < 1024) {
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
||||
};
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
preStart = ''
|
||||
ln -sf ${manage} tandoor-recipes-manage
|
||||
|
||||
# Let django migrate the DB as needed
|
||||
${pkg}/bin/tandoor-recipes migrate
|
||||
'';
|
||||
|
||||
environment = env // {
|
||||
PYTHONPATH = "${pkg.python.pkgs.makePythonPath pkg.propagatedBuildInputs}:${pkg}/lib/tandoor-recipes";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in a new issue