{
  pkgs,
  lib,
  config,
  ...
}:
with lib;
let
  # Short alias for this module's option values.
  cfg = config.services.devpi-server;

  # File name of the secret copy placed in the service's runtime directory.
  secretsFileName = "devpi-secret-file";

  # Directory name handed to both StateDirectory= and RuntimeDirectory=.
  stateDirName = "devpi";

  # Runtime (/run) location that receives the 0600 copy of the secret.
  runtimeDir = "/run/" + stateDirName;
  # Persistent location that devpi-init populates with the package index.
  serverDir = "/var/lib/" + stateDirName;
in
{
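  options.services.devpi-server = {
    enable = mkEnableOption "Devpi Server";

    package = mkPackageOption pkgs "devpi-server" { };

    primaryUrl = mkOption {
      type = types.str;
      description = ''
        URL of the primary node.
        Required when `replica` is enabled; not read otherwise.
      '';
    };

    replica = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Run this node as a replica of the node at `primaryUrl`.
        Requires both `secretFile` and `primaryUrl` to be set.
      '';
    };

    secretFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to the shared secret file used for primary/replica
        synchronization. Required for every node in a primary/replica
        setup.

        At each start the file is copied into the service's runtime
        directory with mode 0600, so the dynamically allocated service
        user must be able to read the source file. Give the path as a
        string (for example `"/etc/devpi/secret"`) rather than as a
        path literal: a path literal is copied into the world-readable
        Nix store.
      '';
    };

    host = mkOption {
      type = types.str;
      default = "localhost";
      description = ''
        Domain name or IP address to listen on.
      '';
    };

    port = mkOption {
      type = types.port;
      default = 3141;
      description = "The port on which Devpi Server will listen.";
    };

    openFirewall = mkEnableOption "opening the configured port in the firewall for Devpi Server";
  };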

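  config = lib.mkIf cfg.enable {

    # The option docs state that a replica needs the shared secret; enforce it
    # at evaluation time instead of failing at the first sync attempt.
    assertions = [
      {
        assertion = cfg.replica -> cfg.secretFile != null;
        message = "services.devpi-server.replica requires services.devpi-server.secretFile to be set.";
      }
    ];

    systemd.services.devpi-server = {
      enable = true;
      description = "devpi PyPI-compatible server";
      documentation = [ "https://devpi.net/docs/devpi/devpi/stable/+d/index.html" ];
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      preStart =
        let
          secretPath = "${runtimeDir}/${secretsFileName}";
          # Extra arguments for devpi-init on a replica; empty string otherwise.
          initRoleArgs = lib.escapeShellArgs (
            lib.optionals cfg.replica [
              "--role=replica"
              "--master-url=${cfg.primaryUrl}"
            ]
          );
        in
        ''
          ${
            # Only handle the secret when one is configured: interpolating a
            # null secretFile would abort evaluation of the whole module even
            # though ExecStart already treats the option as optional.
            # Since at least devpi-server 6.10.0, devpi requires the secrets
            # file to have 0600 permissions; `install -m` sets that mode as
            # part of the copy rather than in a separate chmod step.
            lib.optionalString (cfg.secretFile != null) ''
              install -m 0600 "${cfg.secretFile}" "${secretPath}"
            ''
          }
          if [ -f ${serverDir}/.nodeinfo ]; then
            # already initialized the package index, exit gracefully
            exit 0
          fi
          ${cfg.package}/bin/devpi-init --serverdir ${serverDir} ${initRoleArgs}
        '';

      serviceConfig = {
        Restart = "always";
        ExecStart =
          let
            args =
              [
                "--request-timeout=5"
                "--serverdir=${serverDir}"
                "--host=${cfg.host}"
                "--port=${toString cfg.port}"
              ]
              ++ lib.optionals (cfg.secretFile != null) [
                "--secretfile=${runtimeDir}/${secretsFileName}"
              ]
              ++ (
                if cfg.replica then
                  [
                    "--role=replica"
                    "--master-url=${cfg.primaryUrl}"
                  ]
                else
                  [ "--role=master" ]
              );
          in
          # escapeShellArgs keeps a host or URL containing spaces or quotes as
          # a single argument; systemd parses ExecStart with shell-like quoting.
          "${cfg.package}/bin/devpi-server ${lib.escapeShellArgs args}";
        DynamicUser = true;
        StateDirectory = stateDirName;
        RuntimeDirectory = stateDirName;
        # The runtime directory exists only to hold the 0600 secret copy, so
        # keep the directory itself private to the service user as well.
        RuntimeDirectoryMode = "0700";
        PrivateDevices = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "strict";
      };
    };

    networking.firewall = lib.mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.port ];
    };

    # `lib` has no top-level `cafkafk` attribute, so the bare name does not
    # resolve under `with lib;`; reference the maintainer entry explicitly.
    meta.maintainers = [ lib.maintainers.cafkafk ];
  };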
}