{
  config,
  lib,
  pkgs,
  ...
}:

with lib;

let
# Shorthand for this module's own option values (services.uwsgi.*).
cfg = config.services.uwsgi;

# Whether the top-level instance is an Emperor, i.e. a supervisor that spawns
# vassal processes.  Used to widen the granted capabilities (see
# `imperialPowers`) and to pick the emperor branch in `buildCfg`.
isEmperor = cfg.instance.type == "emperor";

# Capabilities an Emperor needs in addition to `services.uwsgi.capabilities`.
# They are appended automatically by that option's `apply` whenever
# `isEmperor` holds, and therefore reach both AmbientCapabilities and
# CapabilityBoundingSet of the systemd unit (see `config` below).
#
# These are not small privileges: CAP_SETUID / CAP_SETGID allow switching to
# any uid/gid, so the Emperor process is effectively a trusted supervisor even
# though it is started as `cfg.user`.
imperialPowers = [
  # spawn other user processes
  "CAP_SETUID"
  "CAP_SETGID"
  "CAP_SYS_CHROOT"
  # transfer capabilities
  "CAP_SETPCAP"
  # create other user sockets
  "CAP_CHOWN"
];

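# Render one uWSGI instance configuration `c` (an attribute set in the shape
# of the `services.uwsgi.instance` option) to `<name>.json` and return the
# store directory that contains it.  Called once for the top-level "server"
# instance and recursively for every vassal of an Emperor.
#
# The result is a Nix store path and is therefore world-readable: nothing
# placed in `c` (in particular `env`) can be kept secret this way.
buildCfg =
  name: c:
  let
    # Plugins this instance may use.  The uWSGI binary is built with exactly
    # `cfg.plugins` (see `services.uwsgi.package` in `config`), so a
    # per-instance override has to be a subset of that list.
    plugins' =
      if any (n: !any (m: m == n) cfg.plugins) (c.plugins or [ ]) then
        throw "`plugins` attribute in uWSGI configuration contains plugins not in config.services.uwsgi.plugins"
      else
        c.plugins or cfg.plugins;
    plugins = unique plugins';

    hasPython = v: elem "python${v}" plugins;
    hasPython2 = hasPython "2";
    hasPython3 = hasPython "3";

    # Interpreter matching the selected python plugin, or null when the
    # instance uses neither.
    python =
      if hasPython2 && hasPython3 then
        throw "`plugins` attribute in uWSGI configuration shouldn't contain both python2 and python3"
      else if hasPython2 then
        cfg.package.python2
      else if hasPython3 then
        cfg.package.python3
      else
        null;

    # Only ever forced from inside `optionalAttrs (python != null)` below, so
    # the `.withPackages` access on a null `python` never happens.
    pythonEnv = python.withPackages (c.pythonPackages or (self: [ ]));

    uwsgiCfg = {
      uwsgi =
        if c.type == "normal" then
          {
            inherit plugins;
          }
          # `plugins` is stripped from `c` too: previously a raw `c.plugins`
          # override replaced the validated, de-duplicated list on the `//`
          # merge, so duplicates reached uWSGI.
          // removeAttrs c [
            "type"
            "pythonPackages"
            "plugins"
          ]
          // optionalAttrs (python != null) {
            pyhome = "${pythonEnv}";
            env =
              # Argh, uwsgi expects list of key-values there instead of a dictionary.
              let
                envs = partition (hasPrefix "PATH=") (c.env or [ ]);
                oldPaths = map (x: substring (stringLength "PATH=") (stringLength x) x) envs.right;
                paths = oldPaths ++ [ "${pythonEnv}/bin" ];
              in
              [ "PATH=${concatStringsSep ":" paths}" ] ++ envs.wrong;
          }
        # Decide on this instance's own `type`, not on the top-level
        # `isEmperor`: otherwise any vassal with a misspelt type silently took
        # the emperor branch and the `throw` below was unreachable for vassals.
        else if c.type == "emperor" then
          {
            emperor =
              let
                # Name the problem instead of surfacing a bare
                # "attribute 'vassals' missing" evaluation error.
                vassals = c.vassals or (throw "`vassals` attribute is required in uWSGI emperor configuration");
              in
              # A non-set value is a directory path that uWSGI scans itself.
              if builtins.typeOf vassals != "set" then
                vassals
              else
                pkgs.buildEnv {
                  name = "vassals";
                  paths = mapAttrsToList buildCfg vassals;
                };
          }
          // removeAttrs c [
            "type"
            "vassals"
          ]
        else
          throw "`type` attribute in uWSGI configuration should be either 'normal' or 'emperor'";
    };
  in
  pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg);
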
in
{
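options = {
  services.uwsgi = {

    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable uWSGI";
    };

    # Directory for the uWSGI sockets.  With the default value systemd manages
    # it via RuntimeDirectory; any other path is created by a tmpfiles rule
    # (both in `config` below).
    runDir = mkOption {
      type = types.path;
      default = "/run/uwsgi";
      description = "Where uWSGI communication sockets can live";
    };

    # Not user-settable: `config` derives the build from `plugins` so the
    # binary contains exactly the configured plugins.
    package = mkOption {
      type = types.package;
      internal = true;
    };

    # Free-form instance configuration, rendered to JSON by `buildCfg`.  The
    # rendered file is a Nix store path (world-readable), so this is not a
    # place for secrets such as credentials in `env`.
    instance = mkOption {
      type =
        with types;
        let
          # Recursive JSON-like value type.  Functions are admitted so that
          # `pythonPackages = self: [ ... ]` can be written inline.
          valueType =
            nullOr (oneOf [
              bool
              int
              float
              str
              (lazyAttrsOf valueType)
              (listOf valueType)
              (mkOptionType {
                name = "function";
                description = "function";
                check = x: isFunction x;
                merge = mergeOneOption;
              })
            ])
            // {
              description = "Json value or lambda";
              emptyValue.value = { };
            };
        in
        valueType;
      default = {
        type = "normal";
      };
      example = literalExpression ''
        {
          type = "emperor";
          vassals = {
            moin = {
              type = "normal";
              pythonPackages = self: with self; [ moinmoin ];
              socket = "''${config.services.uwsgi.runDir}/uwsgi.sock";
            };
          };
        }
      '';
      # `buildCfg` sets uWSGI's `pyhome` (and prepends the environment's bin
      # directory to PATH); the text used to say `pythonpath`, which is a
      # different uWSGI option.
      description = ''
        uWSGI configuration. It awaits an attribute `type` inside which can be either
        `normal` or `emperor`.

        For `normal` mode you can specify `pythonPackages` as a function
        from libraries set into a list of libraries. `pyhome` will be set accordingly.

        For `emperor` mode, you should use `vassals` attribute
        which should be either a set of names and configurations or a path to a directory.

        Other attributes will be used in configuration file as-is. Notice that you can redefine
        `plugins` setting here.
      '';
    };

    # Plugins compiled into the uWSGI build; instance-level `plugins`
    # overrides must be a subset of this list (enforced by `buildCfg`).
    plugins = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = "Plugins used with uWSGI";
    };

    user = mkOption {
      type = types.str;
      default = "uwsgi";
      description = "User account under which uWSGI runs.";
    };

    group = mkOption {
      type = types.str;
      default = "uwsgi";
      description = "Group account under which uWSGI runs.";
    };

    # The `apply` means the effective value (what the unit's
    # AmbientCapabilities / CapabilityBoundingSet receive) is larger than
    # what the user wrote whenever the top-level instance is an Emperor.
    capabilities = mkOption {
      type = types.listOf types.str;
      apply = caps: caps ++ optionals isEmperor imperialPowers;
      default = [ ];
      example = literalExpression ''
        [
          "CAP_NET_BIND_SERVICE" # bind on ports <1024
          "CAP_NET_RAW" # open raw sockets
        ]
      '';
      description = ''
        Grant capabilities to the uWSGI instance. See the
        `capabilities(7)` for available values.

        ::: {.note}
        uWSGI runs as an unprivileged user (even as Emperor) with the minimal
        capabilities required. This option can be used to add fine-grained
        permissions without running the service as root.

        When in Emperor mode, any capability to be inherited by a vassal must
        be specified again in the vassal configuration using `cap`.
        See the uWSGI [docs](https://uwsgi-docs.readthedocs.io/en/latest/Capabilities.html)
        for more information.
        :::
      '';
    };
  };
};
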
config = mkIf cfg.enable {
  # Only needed for a non-default runDir; the default one is provided by
  # RuntimeDirectory below.  Mode 775 leaves the directory world-readable and
  # traversable, so access control rests on the permissions of the sockets
  # created inside it.
  systemd.tmpfiles.rules = optional (cfg.runDir != "/run/uwsgi") ''
    d ${cfg.runDir} 775 ${cfg.user} ${cfg.group}
  '';

  systemd.services.uwsgi = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Unprivileged account; any extra rights come solely from the
      # capability settings further down.
      User = cfg.user;
      Group = cfg.group;
      Type = "notify";
      # The instance configuration is rendered by `buildCfg` into the Nix
      # store (world-readable) and handed to uWSGI as a JSON file.
      ExecStart = "${cfg.package}/bin/uwsgi --json ${buildCfg "server" cfg.instance}/server.json";
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
      NotifyAccess = "main";
      KillSignal = "SIGQUIT";
      # Both set to the same list: the ambient set is what the process starts
      # with, the bounding set is the ceiling it can never grow beyond.  In
      # Emperor mode `cfg.capabilities` already contains `imperialPowers`
      # through the option's `apply`.
      AmbientCapabilities = cfg.capabilities;
      CapabilityBoundingSet = cfg.capabilities;
      RuntimeDirectory = mkIf (cfg.runDir == "/run/uwsgi") "uwsgi";
    };
  };

  # The dedicated account is only declared when the default names are kept;
  # a custom user/group is expected to be defined elsewhere.
  users.users = optionalAttrs (cfg.user == "uwsgi") {
    uwsgi = {
      group = cfg.group;
      uid = config.ids.uids.uwsgi;
    };
  };

  users.groups = optionalAttrs (cfg.group == "uwsgi") {
    uwsgi.gid = config.ids.gids.uwsgi;
  };

  # Build uWSGI with exactly the configured plugins; `buildCfg` rejects
  # per-instance `plugins` overrides that are not in this list.
  services.uwsgi.package = pkgs.uwsgi.override {
    plugins = unique cfg.plugins;
  };
};

}