Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2405.section.md7
-rw-r--r--nixos/modules/services/development/livebook.md24
-rw-r--r--nixos/modules/services/development/livebook.nix100
-rw-r--r--nixos/tests/livebook-service.nix10
4 files changed, 78 insertions, 63 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 27dd9a3d8cb29..c034abf281741 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -202,6 +202,13 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
   - `nomad_1_4` has been removed, as it is now unsupported upstream.
 
+- The `livebook` package is now built as a `mix release` instead of an `escript`.
+  This means that configuration now has to be done using [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) instead of command line arguments.
+  This has the further implication that the `livebook` service configuration has changed:
+
+  - The `erlang_node_short_name`, `erlang_node_name`, `port` and `options` configuration parameters are gone, and have been replaced with an `environment` parameter.
+    Use the appropriate [environment variables](https://hexdocs.pm/livebook/readme.html#environment-variables) inside `environment` to configure the service instead.
+
 ## Other Notable Changes {#sec-release-24.05-notable-changes}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
diff --git a/nixos/modules/services/development/livebook.md b/nixos/modules/services/development/livebook.md
index 5012e977a4f7f..5315f2c2755a0 100644
--- a/nixos/modules/services/development/livebook.md
+++ b/nixos/modules/services/development/livebook.md
@@ -15,11 +15,12 @@ which runs the server.
 {
   services.livebook = {
     enableUserService = true;
-    port = 20123;
+    environment = {
+      LIVEBOOK_PORT = 20123;
+      LIVEBOOK_PASSWORD = "mypassword";
+    };
     # See note below about security
-    environmentFile = pkgs.writeText "livebook.env" ''
-      LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-    '';
+    environmentFile = "/var/lib/livebook.env";
   };
 }
 ```
@@ -30,14 +31,19 @@ The Livebook server has the ability to run any command as the user it
 is running under, so securing access to it with a password is highly
 recommended.
 
-Putting the password in the Nix configuration like above is an easy
-way to get started but it is not recommended in the real world because
-the `livebook.env` file will be added to the world-readable Nix store.
-A better approach would be to put the password in some secure
-user-readable location and set `environmentFile = /home/user/secure/livebook.env`.
+Putting the password in the Nix configuration like above is an easy way to get
+started but it is not recommended in the real world because the resulting
+environment variables can be read by unprivileged users.  A better approach
+would be to put the password in some secure user-readable location and set
+`environmentFile = /home/user/secure/livebook.env`.
 
 :::
 
+The [Livebook
+documentation](https://hexdocs.pm/livebook/readme.html#environment-variables)
+lists all the applicable environment variables. It is recommended to at least
+set `LIVEBOOK_PASSWORD` or `LIVEBOOK_TOKEN_ENABLED=false`.
+
 ### Extra dependencies {#module-services-livebook-extra-dependencies}
 
 By default, the Livebook service is run with minimum dependencies, but
diff --git a/nixos/modules/services/development/livebook.nix b/nixos/modules/services/development/livebook.nix
index 75729ff28efaf..30ab7ae3f1286 100644
--- a/nixos/modules/services/development/livebook.nix
+++ b/nixos/modules/services/development/livebook.nix
@@ -14,58 +14,64 @@ in
 
     package = mkPackageOption pkgs "livebook" { };
 
-    environmentFile = mkOption {
-      type = types.path;
+    environment = mkOption {
+      type = with types; attrsOf (nullOr (oneOf [ bool int str ]));
+      default = { };
       description = lib.mdDoc ''
-        Environment file as defined in {manpage}`systemd.exec(5)` passed to the service.
+        Environment variables to set.
 
-        This must contain at least `LIVEBOOK_PASSWORD` or
-        `LIVEBOOK_TOKEN_ENABLED=false`.  See `livebook server --help`
-        for other options.'';
-    };
+        Livebook is configured through the use of environment variables. The
+        available configuration options can be found in the [Livebook
+        documentation](https://hexdocs.pm/livebook/readme.html#environment-variables).
 
-    erlang_node_short_name = mkOption {
-      type = with types; nullOr str;
-      default = null;
-      example = "livebook";
-      description = "A short name for the distributed node.";
-    };
+        Note that all environment variables set through this configuration
+        parameter will be readable by anyone with access to the host
+        machine. Therefore, sensitive information like {env}`LIVEBOOK_PASSWORD`
+        or {env}`LIVEBOOK_COOKIE` should never be set using this configuration
+        option, but should instead use
+        [](#opt-services.livebook.environmentFile). See the documentation for
+        that option for more information.
 
-    erlang_node_name = mkOption {
-      type = with types; nullOr str;
-      default = null;
-      example = "livebook@127.0.0.1";
-      description = "The name for the app distributed node.";
-    };
-
-    port = mkOption {
-      type = types.port;
-      default = 8080;
-      description = "The port to start the web application on.";
-    };
-
-    address = mkOption {
-      type = types.str;
-      default = "127.0.0.1";
-      description = lib.mdDoc ''
-        The address to start the web application on.  Must be a valid IPv4 or
-        IPv6 address.
+        Any environment variables specified in the
+        [](#opt-services.livebook.environmentFile) will supersede environment
+        variables specified in this option.
       '';
-    };
 
-    options = mkOption {
-      type = with types; attrsOf str;
-      default = { };
-      description = lib.mdDoc ''
-        Additional options to pass as command-line arguments to the server.
-      '';
       example = literalExpression ''
         {
-          cookie = "a value shared by all nodes in this cluster";
+          LIVEBOOK_PORT = 8080;
         }
       '';
     };
 
+    environmentFile = mkOption {
+      type = with types; nullOr types.path;
+      default = null;
+      description = lib.mdDoc ''
+        Additional dnvironment file as defined in {manpage}`systemd.exec(5)`.
+
+        Secrets like {env}`LIVEBOOK_PASSWORD` (which is used to specify the
+        password needed to access the livebook site) or {env}`LIVEBOOK_COOKIE`
+        (which is used to specify the
+        [cookie](https://www.erlang.org/doc/reference_manual/distributed.html#security)
+        used to connect to the running Elixir system) may be passed to the
+        service without making them readable to everyone with access to
+        systemctl by using this configuration parameter.
+
+        Note that this file needs to be available on the host on which
+        `livebook` is running.
+
+        For security purposes, this file should contain at least
+        {env}`LIVEBOOK_PASSWORD` or {env}`LIVEBOOK_TOKEN_ENABLED=false`.
+
+        See the [Livebook
+        documentation](https://hexdocs.pm/livebook/readme.html#environment-variables)
+        and the [](#opt-services.livebook.environment) configuration parameter
+        for further options.
+      '';
+      example = "/var/lib/livebook.env";
+    };
+
     extraPackages = mkOption {
       type = with types; listOf package;
       default = [ ];
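Review bot: The new `environmentFile` description says that "for security purposes" the file should contain `LIVEBOOK_PASSWORD` or `LIVEBOOK_TOKEN_ENABLED=false`, but as documented upstream the second setting switches token authentication off, so following it leaves the server without authentication rather than securing it. I would reword that paragraph to recommend setting `LIVEBOOK_PASSWORD` here, and to say that `LIVEBOOK_TOKEN_ENABLED=false` disables authentication and only suits a trusted, loopback-only setup. The `livebook.md` example in this same commit sets `LIVEBOOK_PASSWORD` through `environment`, which the `environment` description in this hunk says should never be done, so the two should be brought into agreement. Smaller points in the same option: `dnvironment` is a typo for `environment`, and `nullOr types.path` can be `nullOr path` under `with types;`. The options block this hunk edits begins and ends outside the hunk.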
@@ -81,17 +87,11 @@ in
       serviceConfig = {
         Restart = "always";
         EnvironmentFile = cfg.environmentFile;
-        ExecStart =
-          let
-            args = lib.cli.toGNUCommandLineShell { } ({
-              inherit (cfg) port;
-              ip = cfg.address;
-              name = cfg.erlang_node_name;
-              sname = cfg.erlang_node_short_name;
-            } // cfg.options);
-          in
-            "${cfg.package}/bin/livebook server ${args}";
+        ExecStart = "${cfg.package}/bin/livebook start";
       };
+      environment = mapAttrs (name: value:
+        if isBool value then boolToString value else toString value)
+        cfg.environment;
       path = [ pkgs.bash ] ++ cfg.extraPackages;
       wantedBy = [ "default.target" ];
     };
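Review bot: A `null` entry in `cfg.environment` is exported as an empty variable instead of being left unset, because the `mapAttrs` added at the end of this hunk applies `toString value` to every non-bool and `toString null` evaluates to `""`, even though the option type admits `nullOr`. Filtering before mapping keeps `null` meaning "do not set": pass `(filterAttrs (_: v: v != null) cfg.environment)` as the last argument, assuming `filterAttrs` is in scope like the other `lib` functions used here. Separately, `EnvironmentFile = cfg.environmentFile;` now receives `null` by default, and the test in this commit always sets the file, so that path is not exercised. It is worth confirming the unit generator tolerates it, or guarding with `mkIf (cfg.environmentFile != null) cfg.environmentFile`. The service definition starts outside the hunk.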
diff --git a/nixos/tests/livebook-service.nix b/nixos/tests/livebook-service.nix
index 56b4eb932f343..f428412e16448 100644
--- a/nixos/tests/livebook-service.nix
+++ b/nixos/tests/livebook-service.nix
@@ -9,13 +9,15 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
 
       services.livebook = {
         enableUserService = true;
-        port = 20123;
+        environment = {
+          LIVEBOOK_PORT = 20123;
+          LIVEBOOK_COOKIE = "chocolate chip";
+          LIVEBOOK_TOKEN_ENABLED = true;
+
+        };
         environmentFile = pkgs.writeText "livebook.env" ''
           LIVEBOOK_PASSWORD = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
         '';
-        options = {
-          cookie = "chocolate chip";
-        };
       };
     };
   };
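Review bot: The test sets `LIVEBOOK_COOKIE` through `environment`, which is the pattern the module's own option description says secrets should never use, so the only in-tree usage example models the discouraged setup. Moving the cookie into the `environmentFile` text next to `LIVEBOOK_PASSWORD` would keep the test aligned with the documented guidance, or a comment such as `# test-only value; real deployments put the cookie in environmentFile` would at least mark it as intentional. The blank line before the closing `};` of the `environment` attrset is stray and can be dropped.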