services/archivebox: refactor and remove persistent option

This commit is contained in:
Gabriel Arazas 2023-10-27 13:23:37 +08:00
parent 29ddcaf501
commit 52871b4fa3
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -38,10 +38,59 @@ let
defaultText = "weekly";
example = "*-*-01/2";
};
persistent = lib.mkEnableOption "service persistence for this job";
};
};
mkJobService = name: value:
let
pkgSet = [ pkgs.archivebox ] ++ (lib.optionals cfg.withDependencies
(with pkgs; [ chromium nodejs_latest wget curl youtube-dl ]));
in
lib.nameValuePair
(jobUnitName name)
{
description =
"Archivebox archive group '${name}' for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
path = with pkgs; [ ripgrep coreutils ] ++ pkgSet ++ [ config.programs.git.package ];
preStart = ''
mkdir -p ${lib.escapeShellArg cfg.archivePath}
'';
script = ''
echo "${lib.concatStringsSep "\n" value.urls}" \
| archivebox add ${lib.concatStringsSep " " value.extraArgs}
'';
serviceConfig = {
LockPersonality = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
WorkingDirectory = cfg.archivePath;
};
};
mkTimerUnit = name: value:
lib.nameValuePair (jobUnitName name) {
description =
"Archivebox download job '${name}'";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
timerConfig = {
Persistent = true;
OnCalendar = value.startAt;
RandomizedDelaySec = 120;
};
wantedBy = [ "timers.target" ];
};
in
{
options.services.archivebox = {
@ -97,93 +146,38 @@ in
};
};
config =
let
pkgSet = [ pkgs.archivebox ] ++ (lib.optionals cfg.withDependencies
(with pkgs; [ chromium nodejs_latest wget curl youtube-dl ]));
in
lib.mkIf cfg.enable {
systemd.services = lib.mkMerge [
(lib.mapAttrs'
(name: value:
lib.nameValuePair (jobUnitName name) {
description =
"Archivebox archive group '${name}' for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
path = with pkgs;
[ ripgrep coreutils ] ++ pkgSet ++ [ config.programs.git.package ];
preStart = ''
mkdir -p ${lib.escapeShellArg cfg.archivePath}
'';
script = ''
echo "${lib.concatStringsSep "\n" value.urls}" \
| archivebox add ${lib.concatStringsSep " " value.extraArgs}
'';
serviceConfig = {
LockPersonality = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
WorkingDirectory = cfg.archivePath;
};
})
cfg.jobs)
config = lib.mkIf cfg.enable (lib.mkMerge [
{
systemd.services = lib.mapAttrs' mkJobService cfg.jobs;
systemd.timers = lib.mapAttrs' mkTimerUnit cfg.jobs;
}
(lib.mkIf cfg.webserver.enable {
archivebox-server = {
description = "Archivebox server for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
wantedBy = [ "graphical-session.target" ];
preStart = ''
mkdir -p ${lib.escapeShellArg cfg.archivePath}
'';
serviceConfig = {
ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${
toString cfg.webserver.port
}";
Restart = "on-failure";
LockPersonality = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
WorkingDirectory = cfg.archivePath;
};
};
})
];
systemd.timers = lib.mapAttrs'
(name: value:
lib.nameValuePair (jobUnitName name) {
description =
"Archivebox archive group '${name}' for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
timerConfig = {
Persistent = value.persistent;
OnCalendar = value.startAt;
RandomizedDelaySec = 120;
};
wantedBy = [ "timers.target" ];
})
cfg.jobs;
};
(lib.mkIf cfg.webserver.enable {
systemd.services.archivebox-server = {
description = "Archivebox server for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
wantedBy = [ "graphical-session.target" ];
serviceConfig = {
ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${
toString cfg.webserver.port
}";
Restart = "on-failure";
LockPersonality = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
WorkingDirectory = cfg.archivePath;
};
};
})
]);
}
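Review bot: The rebuilt webserver unit (`systemd.services.archivebox-server` in the second hunk) no longer carries the `preStart` that created the archive directory, while `WorkingDirectory = cfg.archivePath` is kept; if the server is enabled and starts before any job has run, systemd cannot enter the working directory and the unit fails to start. Restoring the dropped lines inside the new unit, `preStart = '' mkdir -p ${lib.escapeShellArg cfg.archivePath} '';`, keeps it self-sufficient the way `mkJobService` already is. Separately, `mkJobService` interpolates `value.urls` and `value.extraArgs` into the shell script unquoted, so a URL containing `"` or `$(` alters the command instead of being archived; `printf '%s\n' ${lib.escapeShellArgs value.urls} | archivebox add ${lib.escapeShellArgs value.extraArgs}` would pass them through verbatim. That quoting issue is carried over from the removed code rather than introduced here, so it may be intended as a follow-up.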