# NixOS module for the atticd binary-cache server.
#
# The rendered `settings` TOML is validated at build time and handed to atticd
# at runtime. Runtime secrets are expected to arrive through the `credentials`
# EnvironmentFile so that they stay out of the world-readable Nix store.
{ lib, config, pkgs, ... }:
with lib;
with lib.plusultra;
let
  cfg = config.plusultra.services.attic;

  tomlFormat = pkgs.formats.toml { };

  # cfg.settings rendered to TOML. The result is a store path, i.e. readable by
  # every local user, so nothing secret should be placed in `settings`.
  renderedConfig = tomlFormat.generate "server.toml" cfg.settings;

  # Build-time validation of the rendered config via `atticd --mode check-config`.
  # The two exported variables are fixed placeholder values that only exist so
  # the checker has a token secret and a database URL during the build
  # (presumably both are mandatory for it). They are never seen by the running
  # service, whose environment comes from `credentials` instead.
  checkedConfig = pkgs.runCommand "checked-server.toml" { config = renderedConfig; } ''
    cat $config
    export ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64="dGVzdCBzZWNyZXQ="
    export ATTIC_SERVER_DATABASE_URL="sqlite://:memory:"
    ${cfg.package}/bin/atticd --mode check-config -f "$config"
    cat < $config > $out
  '';

  # Whether atticd talks to a PostgreSQL server running on this very host; in
  # that case the unit has to be ordered after postgresql.service.
  usesLocalPostgres =
    let
      dbUrl = cfg.settings.database.url or "";
      localHostMarkers = [ "localhost" "127.0.0.1" "/run/postgresql" ];
      pointsAtThisHost = any (marker: hasInfix marker dbUrl) localHostMarkers;
    in
    config.services.postgresql.enable
    && hasPrefix "postgresql://" dbUrl
    && pointsAtThisHost;
in
{
  options.plusultra.services.attic = {
    enable = mkEnableOption "Attic";
    package = mkOpt types.package pkgs.attic-server "The attic-server package to use.";
    credentials = mkOpt (types.nullOr types.path) null "The path to an optional EnvironmentFile for the atticd service to use.";
    user = mkOpt types.str "atticd" "The user under which attic runs.";
    group = mkOpt types.str "atticd" "The group under which attic runs.";
    settings = mkOpt tomlFormat.type { } "Settings for the atticd config file.";
  };

  config = mkIf cfg.enable {
    # A credentials file inside the store would be world-readable, which would
    # defeat the point of keeping secrets out of `settings`.
    assertions = [
      {
        assertion = !isStorePath cfg.credentials;
        message = "plusultra.services.attic.credentials CANNOT be in the Nix Store.";
      }
    ];

    # The static account is only provisioned when the default names are kept;
    # a custom user/group is expected to be managed elsewhere.
    users = {
      users = optionalAttrs (cfg.user == "atticd") {
        atticd = {
          group = cfg.group;
          isSystemUser = true;
        };
      };
      groups = optionalAttrs (cfg.group == "atticd") {
        atticd = { };
      };
    };

    plusultra = {
      tools.attic = enabled;
      # Low-priority defaults: an SQLite database and local storage under the
      # unit's StateDirectory, both overridable by the user.
      services.attic.settings = {
        database.url = mkDefault "sqlite:///var/lib/atticd/server.db?mode=rwc";
        storage = mkDefault {
          type = "local";
          path = "/var/lib/atticd/storage";
        };
      };
    };

    systemd.services.atticd = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ]
        ++ optionals usesLocalPostgres [ "postgresql.service" "nss-lookup.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/atticd -f ${checkedConfig}";
        StateDirectory = "atticd";
        User = cfg.user;
        Group = cfg.group;
        # NOTE(review): DynamicUser is combined with the statically created
        # `atticd` account above; systemd reuses an existing static user of the
        # configured name instead of allocating a dynamic one — confirm that is
        # the intended setup.
        DynamicUser = true;
      } // optionalAttrs (cfg.credentials != null) {
        # Runtime secrets (such as ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64) are
        # supplied here rather than through the store-resident config file.
        EnvironmentFile = mkDefault cfg.credentials;
      };
    };
  };
}