services/archivebox: refactor and remove persistent option

This commit is contained in:
Gabriel Arazas 2023-10-27 13:23:37 +08:00
parent 29ddcaf501
commit 52871b4fa3
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -38,10 +38,59 @@ let
defaultText = "weekly"; defaultText = "weekly";
example = "*-*-01/2"; example = "*-*-01/2";
}; };
persistent = lib.mkEnableOption "service persistence for this job";
}; };
}; };
mkJobService = name: value:
let
pkgSet = [ pkgs.archivebox ] ++ (lib.optionals cfg.withDependencies
(with pkgs; [ chromium nodejs_latest wget curl youtube-dl ]));
in
lib.nameValuePair
(jobUnitName name)
{
description =
"Archivebox archive group '${name}' for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
path = with pkgs; [ ripgrep coreutils ] ++ pkgSet ++ [ config.programs.git.package ];
preStart = ''
mkdir -p ${lib.escapeShellArg cfg.archivePath}
'';
script = ''
echo "${lib.concatStringsSep "\n" value.urls}" \
| archivebox add ${lib.concatStringsSep " " value.extraArgs}
'';
serviceConfig = {
LockPersonality = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
WorkingDirectory = cfg.archivePath;
};
};
mkTimerUnit = name: value:
lib.nameValuePair (jobUnitName name) {
description =
"Archivebox download job '${name}'";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
timerConfig = {
Persistent = true;
OnCalendar = value.startAt;
RandomizedDelaySec = 120;
};
wantedBy = [ "timers.target" ];
};
in in
{ {
options.services.archivebox = { options.services.archivebox = {
@ -97,93 +146,38 @@ in
}; };
}; };
config = config = lib.mkIf cfg.enable (lib.mkMerge [
let {
pkgSet = [ pkgs.archivebox ] ++ (lib.optionals cfg.withDependencies systemd.services = lib.mapAttrs' mkJobService cfg.jobs;
(with pkgs; [ chromium nodejs_latest wget curl youtube-dl ])); systemd.timers = lib.mapAttrs' mkTimerUnit cfg.jobs;
in }
lib.mkIf cfg.enable {
systemd.services = lib.mkMerge [
(lib.mapAttrs'
(name: value:
lib.nameValuePair (jobUnitName name) {
description =
"Archivebox archive group '${name}' for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
path = with pkgs;
[ ripgrep coreutils ] ++ pkgSet ++ [ config.programs.git.package ];
preStart = ''
mkdir -p ${lib.escapeShellArg cfg.archivePath}
'';
script = ''
echo "${lib.concatStringsSep "\n" value.urls}" \
| archivebox add ${lib.concatStringsSep " " value.extraArgs}
'';
serviceConfig = {
LockPersonality = true;
NoNewPrivileges = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateDevices = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
SystemCallFilter = "@system-service";
SystemCallErrorNumber = "EPERM";
WorkingDirectory = cfg.archivePath;
};
})
cfg.jobs)
(lib.mkIf cfg.webserver.enable { (lib.mkIf cfg.webserver.enable {
archivebox-server = { systemd.services.archivebox-server = {
description = "Archivebox server for ${cfg.archivePath}"; description = "Archivebox server for ${cfg.archivePath}";
after = [ "network.target" ]; after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ]; documentation = [ "https://docs.archivebox.io/" ];
wantedBy = [ "graphical-session.target" ]; wantedBy = [ "graphical-session.target" ];
preStart = '' serviceConfig = {
mkdir -p ${lib.escapeShellArg cfg.archivePath} ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${
''; toString cfg.webserver.port
serviceConfig = { }";
ExecStart = "${pkgs.archivebox}/bin/archivebox server localhost:${ Restart = "on-failure";
toString cfg.webserver.port LockPersonality = true;
}"; NoNewPrivileges = true;
Restart = "on-failure"; PrivateTmp = true;
LockPersonality = true; PrivateUsers = true;
NoNewPrivileges = true; PrivateDevices = true;
PrivateTmp = true; ProtectControlGroups = true;
PrivateUsers = true; ProtectClock = true;
PrivateDevices = true; ProtectKernelLogs = true;
ProtectControlGroups = true; ProtectKernelModules = true;
ProtectClock = true; ProtectKernelTunables = true;
ProtectKernelLogs = true; SystemCallFilter = "@system-service";
ProtectKernelModules = true; SystemCallErrorNumber = "EPERM";
ProtectKernelTunables = true; WorkingDirectory = cfg.archivePath;
SystemCallFilter = "@system-service"; };
SystemCallErrorNumber = "EPERM"; };
WorkingDirectory = cfg.archivePath; })
}; ]);
};
})
];
systemd.timers = lib.mapAttrs'
(name: value:
lib.nameValuePair (jobUnitName name) {
description =
"Archivebox archive group '${name}' for ${cfg.archivePath}";
after = [ "network.target" ];
documentation = [ "https://docs.archivebox.io/" ];
timerConfig = {
Persistent = value.persistent;
OnCalendar = value.startAt;
RandomizedDelaySec = 120;
};
wantedBy = [ "timers.target" ];
})
cfg.jobs;
};
} }
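Review bot: The `script` body of the new `mkJobService` helper (first hunk) splices `value.urls` and `value.extraArgs` into bash unescaped, while the `preStart` right above it does escape `cfg.archivePath` with `lib.escapeShellArg`; a URL or extra argument containing a double quote, backtick or `$(...)` is therefore interpreted by the shell rather than passed to `archivebox add`. Quoting each element fixes both lines: `printf '%s\n' ${lib.escapeShellArgs value.urls} \` and `| archivebox add ${lib.escapeShellArgs value.extraArgs}`. Separately, the refactored `archivebox-server` unit in the second hunk appears to have lost the old `preStart` that created `cfg.archivePath`, so with `WorkingDirectory = cfg.archivePath` the server would fail to start on a host where no job has run yet; if that drop was not intended, keep the `mkdir -p ${lib.escapeShellArg cfg.archivePath}` preStart there as well. The `in`/`{` lines that close the `let` block begin before the first hunk.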