diff --git a/modules/nixos/services/archivebox.nix b/modules/nixos/services/archivebox.nix
index d00622ca..a2bafb2e 100644
--- a/modules/nixos/services/archivebox.nix
+++ b/modules/nixos/services/archivebox.nix
@@ -38,10 +38,59 @@ let
       defaultText = "weekly";
       example = "*-*-01/2";
     };
-
-    persistent = lib.mkEnableOption "service persistence for this job";
   };
 };
+
+  mkJobService = name: value:
+    let
+      pkgSet = [ pkgs.archivebox ] ++ (lib.optionals cfg.withDependencies
+        (with pkgs; [ chromium nodejs_latest wget curl youtube-dl ]));
+    in
+    lib.nameValuePair
+      (jobUnitName name)
+      {
+        description =
+          "Archivebox archive group '${name}' for ${cfg.archivePath}";
+        after = [ "network.target" ];
+        documentation = [ "https://docs.archivebox.io/" ];
+        path = with pkgs; [ ripgrep coreutils ] ++ pkgSet ++ [ config.programs.git.package ];
+        preStart = ''
+          mkdir -p ${lib.escapeShellArg cfg.archivePath}
+        '';
+        script = ''
+          echo "${lib.concatStringsSep "\n" value.urls}" \
+            | archivebox add ${lib.concatStringsSep " " value.extraArgs}
+        '';
+        serviceConfig = {
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          PrivateDevices = true;
+          ProtectControlGroups = true;
+          ProtectClock = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          SystemCallFilter = "@system-service";
+          SystemCallErrorNumber = "EPERM";
+          WorkingDirectory = cfg.archivePath;
+        };
+      };
+
+  mkTimerUnit = name: value:
+    lib.nameValuePair (jobUnitName name) {
+      description =
+        "Archivebox download job '${name}'";
+      after = [ "network.target" ];
+      documentation = [ "https://docs.archivebox.io/" ];
+      timerConfig = {
+        Persistent = true;
+        OnCalendar = value.startAt;
+        RandomizedDelaySec = 120;
+      };
+      wantedBy = [ "timers.target" ];
+    };
 in
 {
   options.services.archivebox = {
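Review bot: In mkJobService the `script` splices `value.urls` into a double-quoted shell string and `value.extraArgs` unquoted, so a URL containing `$`, a backtick, `"` or `\`, or an extra argument containing whitespace, is interpreted by the shell rather than passed to `archivebox add` verbatim; this is carried over from the old code but is now the code under review. Quoting both lists with the helper the hunk already uses for `archivePath` fixes it without changing the interface: `printf '%s\n' ${lib.escapeShellArgs value.urls} \` / `| archivebox add ${lib.escapeShellArgs value.extraArgs}`. Separately, nothing in the new `serviceConfig` sets `User` or `DynamicUser`, so as far as this hunk shows the job units run as root with the hardening options applied to a root process; if that is intended it deserves a one-line comment above `serviceConfig`, otherwise `DynamicUser = true` plus `ReadWritePaths = [ cfg.archivePath ]` would be the usual shape. The enclosing `let` binding list starts before this hunk.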
@@ -97,93 +146,38 @@ in
     };
   };
 
-  config =
-    let
-      pkgSet = [ pkgs.archivebox ] ++ (lib.optionals cfg.withDependencies
-        (with pkgs; [ chromium nodejs_latest wget curl youtube-dl ]));
-    in
-    lib.mkIf cfg.enable {
-      systemd.services = lib.mkMerge [
-        (lib.mapAttrs'
-          (name: value:
-            lib.nameValuePair (jobUnitName name) {
-              description =
-                "Archivebox archive group '${name}' for ${cfg.archivePath}";
-              after = [ "network.target" ];
-              documentation = [ "https://docs.archivebox.io/" ];
-              path = with pkgs;
-                [ ripgrep coreutils ] ++ pkgSet ++ [ config.programs.git.package ];
-              preStart = ''
-                mkdir -p ${lib.escapeShellArg cfg.archivePath}
-              '';
-              script = ''
-                echo "${lib.concatStringsSep "\n" value.urls}" \
-                  | archivebox add ${lib.concatStringsSep " " value.extraArgs}
-              '';
-              serviceConfig = {
-                LockPersonality = true;
-                NoNewPrivileges = true;
-                PrivateTmp = true;
-                PrivateUsers = true;
-                PrivateDevices = true;
-                ProtectControlGroups = true;
-                ProtectClock = true;
-                ProtectKernelLogs = true;
-                ProtectKernelModules = true;
-                ProtectKernelTunables = true;
-                SystemCallFilter = "@system-service";
-                SystemCallErrorNumber = "EPERM";
-                WorkingDirectory = cfg.archivePath;
-              };
-            })
-          cfg.jobs)
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      systemd.services = lib.mapAttrs' mkJobService cfg.jobs;
+      systemd.timers = lib.mapAttrs' mkTimerUnit cfg.jobs;
+    }
 
-        (lib.mkIf cfg.webserver.enable {
-          archivebox-server = {
-            description = "Archivebox server for ${cfg.archivePath}";
-            after = [ "network.target" ];
-            documentation = [ "https://docs.archivebox.io/" ];
-            wantedBy = [ "graphical-session.target" ];
-            preStart = ''
-              mkdir -p ${lib.escapeShellArg cfg.archivePath}
-            '';
-            serviceConfig = {
-              ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${
-                toString cfg.webserver.port
-              }";
-              Restart = "on-failure";
-              LockPersonality = true;
-              NoNewPrivileges = true;
-              PrivateTmp = true;
-              PrivateUsers = true;
-              PrivateDevices = true;
-              ProtectControlGroups = true;
-              ProtectClock = true;
-              ProtectKernelLogs = true;
-              ProtectKernelModules = true;
-              ProtectKernelTunables = true;
-              SystemCallFilter = "@system-service";
-              SystemCallErrorNumber = "EPERM";
-              WorkingDirectory = cfg.archivePath;
-            };
-          };
-        })
-      ];
-
-      systemd.timers = lib.mapAttrs'
-        (name: value:
-          lib.nameValuePair (jobUnitName name) {
-            description =
-              "Archivebox archive group '${name}' for ${cfg.archivePath}";
-            after = [ "network.target" ];
-            documentation = [ "https://docs.archivebox.io/" ];
-            timerConfig = {
-              Persistent = value.persistent;
-              OnCalendar = value.startAt;
-              RandomizedDelaySec = 120;
-            };
-            wantedBy = [ "timers.target" ];
-          })
-        cfg.jobs;
-    };
+    (lib.mkIf cfg.webserver.enable {
+      systemd.services.archivebox-server = {
+        description = "Archivebox server for ${cfg.archivePath}";
+        after = [ "network.target" ];
+        documentation = [ "https://docs.archivebox.io/" ];
+        wantedBy = [ "graphical-session.target" ];
+        serviceConfig = {
+          ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${
+            toString cfg.webserver.port
+          }";
+          Restart = "on-failure";
+          LockPersonality = true;
+          NoNewPrivileges = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          PrivateDevices = true;
+          ProtectControlGroups = true;
+          ProtectClock = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          SystemCallFilter = "@system-service";
+          SystemCallErrorNumber = "EPERM";
+          WorkingDirectory = cfg.archivePath;
+        };
+      };
+    })
+  ]);
 }
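Review bot: The rebuilt `archivebox-server` unit keeps `WorkingDirectory = cfg.archivePath` but no longer carries the `preStart` that the removed version used to create that directory, while the job units in mkJobService still create it; with `webserver.enable` set and no job having run yet (or `jobs` empty), the directory may not exist and systemd will refuse to start the service at the chdir step. Unless the drop is intentional, restore it inside the new attribute set: `preStart = ''` / `mkdir -p ${lib.escapeShellArg cfg.archivePath}` / `'';`. The new `ExecStart` keeps the listener on `localhost:` with the configured port, which is the right default for a server that, as far as the hunk shows, runs as root without `User`/`DynamicUser`; if a non-loopback bind is ever added, that ownership choice should be revisited first.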