{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.uwsgi;
isEmperor = cfg.instance.type == "emperor";
imperialPowers =
[
# spawn other user processes
"CAP_SETUID" "CAP_SETGID"
"CAP_SYS_CHROOT"
# transfer capabilities
"CAP_SETPCAP"
# create other user sockets
"CAP_CHOWN"
];
buildCfg = name: c:
let
plugins =
if any (n: !any (m: m == n) cfg.plugins) (c.plugins or [])
then throw "`plugins` attribute in uWSGI configuration contains plugins not in config.services.uwsgi.plugins"
else c.plugins or cfg.plugins;
hasPython = v: filter (n: n == "python${v}") plugins != [];
hasPython2 = hasPython "2";
hasPython3 = hasPython "3";
python =
if hasPython2 && hasPython3 then
throw "`plugins` attribute in uWSGI configuration shouldn't contain both python2 and python3"
else if hasPython2 then cfg.package.python2
else if hasPython3 then cfg.package.python3
else null;
pythonEnv = python.withPackages (c.pythonPackages or (self: []));
uwsgiCfg = {
uwsgi =
if c.type == "normal"
then {
inherit plugins;
} // removeAttrs c [ "type" "pythonPackages" ]
// optionalAttrs (python != null) {
pyhome = "${pythonEnv}";
env =
# Argh, uwsgi expects list of key-values there instead of a dictionary.
let env' = c.env or [];
getPath =
x: if hasPrefix "PATH=" x
then substring (stringLength "PATH=") (stringLength x) x
else null;
oldPaths = filter (x: x != null) (map getPath env');
in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${pythonEnv}/bin" ];
}
else if isEmperor
then {
emperor = if builtins.typeOf c.vassals != "set" then c.vassals
else pkgs.buildEnv {
name = "vassals";
paths = mapAttrsToList buildCfg c.vassals;
};
} // removeAttrs c [ "type" "vassals" ]
else throw "`type` attribute in uWSGI configuration should be either 'normal' or 'emperor'";
};
in pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg);
in {
options = {
services.uwsgi = {
enable = mkOption {
type = types.bool;
default = false;
description = "Enable uWSGI";
};
runDir = mkOption {
type = types.path;
default = "/run/uwsgi";
description = "Where uWSGI communication sockets can live";
};
package = mkOption {
type = types.package;
internal = true;
};
instance = mkOption {
type = with types; let
valueType = nullOr (oneOf [
bool
int
float
str
(lazyAttrsOf valueType)
(listOf valueType)
(mkOptionType {
name = "function";
description = "function";
check = x: isFunction x;
merge = mergeOneOption;
})
]) // {
description = "Json value or lambda";
emptyValue.value = {};
};
in valueType;
default = {
type = "normal";
};
example = literalExpression ''
{
type = "emperor";
vassals = {
moin = {
type = "normal";
pythonPackages = self: with self; [ moinmoin ];
socket = "''${config.services.uwsgi.runDir}/uwsgi.sock";
};
};
}
'';
description = ''
uWSGI configuration. It awaits an attribute type inside which can be either
normal or emperor.
For normal mode you can specify pythonPackages as a function
from libraries set into a list of libraries. pythonpath will be set accordingly.
For emperor mode, you should use vassals attribute
which should be either a set of names and configurations or a path to a directory.
Other attributes will be used in configuration file as-is. Notice that you can redefine
plugins setting here.
'';
};
plugins = mkOption {
type = types.listOf types.str;
default = [];
description = "Plugins used with uWSGI";
};
user = mkOption {
type = types.str;
default = "uwsgi";
description = "User account under which uWSGI runs.";
};
group = mkOption {
type = types.str;
default = "uwsgi";
description = "Group account under which uWSGI runs.";
};
capabilities = mkOption {
type = types.listOf types.str;
apply = caps: caps ++ optionals isEmperor imperialPowers;
default = [ ];
example = literalExpression ''
[
"CAP_NET_BIND_SERVICE" # bind on ports <1024
"CAP_NET_RAW" # open raw sockets
]
'';
description = ''
Grant capabilities to the uWSGI instance. See the
capabilities(7) for available values.
uWSGI runs as an unprivileged user (even as Emperor) with the minimal
capabilities required. This option can be used to add fine-grained
permissions without running the service as root.
When in Emperor mode, any capability to be inherited by a vassal must
be specified again in the vassal configuration using cap.
See the uWSGI docs
for more information.
'';
};
};
};
config = mkIf cfg.enable {
systemd.tmpfiles.rules = optional (cfg.runDir != "/run/uwsgi") ''
d ${cfg.runDir} 775 ${cfg.user} ${cfg.group}
'';
systemd.services.uwsgi = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "notify";
ExecStart = "${cfg.package}/bin/uwsgi --json ${buildCfg "server" cfg.instance}/server.json";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
NotifyAccess = "main";
KillSignal = "SIGQUIT";
AmbientCapabilities = cfg.capabilities;
CapabilityBoundingSet = cfg.capabilities;
RuntimeDirectory = mkIf (cfg.runDir == "/run/uwsgi") "uwsgi";
};
};
users.users = optionalAttrs (cfg.user == "uwsgi") {
uwsgi = {
group = cfg.group;
uid = config.ids.uids.uwsgi;
};
};
users.groups = optionalAttrs (cfg.group == "uwsgi") {
uwsgi.gid = config.ids.gids.uwsgi;
};
services.uwsgi.package = pkgs.uwsgi.override {
inherit (cfg) plugins;
};
};
}