e11sync-backend systemd unit

2024-01-16 15:38:00 +02:00 · 2024-01-16 15:38:00 +02:00 · 8bd66dab15
parent e5d01f23ad
commit 8bd66dab15
3 changed files with 59 additions and 9 deletions
--- a/modules/e11sync/default.nix
+++ b/modules/e11sync/default.nix
@ -6,11 +6,57 @@ e11sync-backend: {
  options.e11sync = with lib.types; {
    enable = lib.mkEnableOption "Enable e11sync";
    secretKeyPath = lib.mkOption {type = path;};
+    migrateOnStart = lib.mkOption {
+      type = bool;
+      default = false;
+    };
+    backendPort = lib.mkOption {
+      type = int;
+      default = 8002;
+    };
  };

-  config = lib.mkIf config.e11sync.enable {
-    environment.systemPackages = [
-      e11sync-backend
-    ];
-  };
+  config = let
+    cfg = config.e11sync;
+    pkg-backend = e11sync-backend.override {
+      inherit (cfg) backendPort;
+      databasePath = "/var/lib/e11sync/db.sqlite3";
+    };
+  in
+    lib.mkIf cfg.enable {
+      environment.systemPackages = [
+        pkg-backend
+      ];
+
+      systemd.services = {
+        e11sync-backend = {
+          description = "e11sync backend";
+          environment = {
+            TZ = "UTC";
+            E11SYNC_SECRET_KEY_PATH = "/run/credentials/secret_key";
+          };
+          wantedBy = ["multi-user.target"];
+          serviceConfig =
+            {
+              Type = "notify";
+              NotifyAccess = "all";
+              Restart = "on-failure";
+              RuntimeDirectory = "e11sync";
+              StateDirectory = "e11sync";
+              WorkingDirectory = "/var/lib/e11sync";
+              LoadCredential = "secret_key:${cfg.secretKeyPath}";
+              ExecStart = "${pkg-backend}/bin/e11sync-backend";
+
+              DynamicUser = true;
+              NoNewPrivileges = true;
+              PrivateDevices = true;
+              ProtectKernelTunables = true;
+              ProtectControlGroups = true;
+            }
+            // lib.mkIf cfg.migrateOnStart {
+              ExecStartPre = "${pkg-backend}/bin/e11sync migrate";
+            };
+        };
+      };
+    };
 }
--- a/pkgs/e11sync-backend.nix
+++ b/pkgs/e11sync-backend.nix
@ -9,7 +9,7 @@
  dart-sass,
  uwsgi,
  backendPort ? 8002,
-  database-path ? null,
+  databasePath ? null,
  geoip-mmdb,
 }: let
  uwsgi-python = uwsgi.override {plugins = ["python3"];};
@ -41,8 +41,8 @@ in
        --add-flags "--http-socket 127.0.0.1:${toString backendPort}" \
        --add-flags "--wsgi-file e11sync/wsgi.py" \
        --add-flags --master \
-        ${lib.optionalString (database-path != null) ''
-        --set E11SYNC_DATABASE_PATH "${database-path}" \
+        ${lib.optionalString (databasePath != null) ''
+        --set E11SYNC_DATABASE_PATH "${databasePath}" \
      ''} \
        --set E11SYNC_DEBUG "" \
        --set E11SYNC_COMPRESS_OFFLINE 1 \
--- a/vm.nix
+++ b/vm.nix
@ -1,5 +1,9 @@
 {pkgs, ...}: {
-  e11sync.enable = true;
+  e11sync = {
+    enable = true;
+    secretKeyPath = "/etc/super";
+    migrateOnStart = true;
+  };

  environment.systemPackages = with pkgs; [
    tmux