{
# Flake description; presumably inherited from the crane template (it is not specific to lakewatch-api).
description = "Build a cargo project";
# Flake inputs. Every flake input that itself takes nixpkgs is pointed at the
# one nixpkgs pinned here, so the lock file carries a single nixpkgs revision.
inputs = {
  nixpkgs = {
    url = "github:NixOS/nixpkgs/nixpkgs-unstable";
  };
  crane = {
    url = "github:ipetkov/crane";
    inputs = {
      nixpkgs.follows = "nixpkgs";
    };
  };
  fenix = {
    url = "github:nix-community/fenix";
    inputs = {
      nixpkgs.follows = "nixpkgs";
      # Pointed at nothing: the rust-analyzer source tree is presumably not
      # needed for the toolchain components used below.
      rust-analyzer-src.follows = "";
    };
  };
  flake-utils = {
    url = "github:numtide/flake-utils";
  };
  # Not a flake: consumed as a plain source tree by the cargo-audit check.
  advisory-db = {
    url = "github:rustsec/advisory-db";
    flake = false;
  };
};
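outputs =
  {
    self,
    nixpkgs,
    crane,
    fenix,
    flake-utils,
    advisory-db,
    ...
  }:
  flake-utils.lib.eachDefaultSystem (
    system:
    let
      pkgs = nixpkgs.legacyPackages.${system};
      inherit (pkgs) lib;
      craneLib = crane.mkLib pkgs;
      # Source filter: keep everything crane keeps for a cargo build, plus
      # `*.sql` migrations and the sqlx offline query cache
      # (`.sqlx/query-*.json`). The dot before `sqlx` is escaped so the
      # regex matches a literal `.` rather than any character.
      sqlFilter = path: _type: null != builtins.match ".*sql$" path;
      sqlxFilter = path: _type: null != builtins.match ".*\\.sqlx/query-.*json$" path;
      sqlxOrCargo =
        path: type: (sqlxFilter path type) || (craneLib.filterCargoSources path type) || (sqlFilter path type);
      src = lib.cleanSourceWith {
        src = ./.;
        filter = sqlxOrCargo;
        name = "source";
      };
      # Common arguments can be set here to avoid repeating them later
      commonArgs = {
        inherit src;
        strictDeps = true;
        nativeBuildInputs = [ pkgs.pkg-config ];
        buildInputs =
          [
            # Add additional build inputs here
            pkgs.openssl
          ]
          ++ lib.optionals pkgs.stdenv.isDarwin [
            # Additional darwin specific inputs can be set here
            pkgs.libiconv
            pkgs.darwin.apple_sdk.frameworks.Security
          ];
      };
      # Toolchain carrying llvm-tools; only used by the coverage package below.
      craneLibLLvmTools = craneLib.overrideToolchain (
        fenix.packages.${system}.complete.withComponents [
          "cargo"
          "llvm-tools"
          "rustc"
        ]
      );
      # Build *just* the cargo dependencies, so we can reuse
      # all of that work (e.g. via cachix) when running in CI
      cargoArtifacts = craneLib.buildDepsOnly commonArgs;
      # Build the actual crate itself, reusing the dependency
      # artifacts from above.
      lakewatch-api = craneLib.buildPackage (
        commonArgs
        // {
          inherit cargoArtifacts;
          # Skip the tests due to deps on Sqlx and a valid DB
          doCheck = false;
          nativeBuildInputs = (commonArgs.nativeBuildInputs or [ ]) ++ [ pkgs.sqlx-cli ];
        }
      );
    in
    {
      checks = {
        # Build the crate as part of `nix flake check` for convenience
        inherit lakewatch-api;
        # Run clippy (and deny all warnings) on the crate source,
        # again, reusing the dependency artifacts from above.
        #
        # Note that this is done as a separate derivation so that
        # we can block the CI if there are issues here, but not
        # prevent downstream consumers from building our crate by itself.
        clippy = craneLib.cargoClippy (
          commonArgs
          // {
            inherit cargoArtifacts;
            cargoClippyExtraArgs = "--all-targets -- --deny warnings";
          }
        );
        doc = craneLib.cargoDoc (commonArgs // { inherit cargoArtifacts; });
        # Check formatting
        fmt = craneLib.cargoFmt { inherit src; };
        # Audit dependencies. `advisory-db` is a locked flake input, so the
        # advisories this check knows about are only as fresh as the last
        # `nix flake update`.
        audit = craneLib.cargoAudit { inherit src advisory-db; };
        # Audit licenses
        deny = craneLib.cargoDeny { inherit src; };
        # Run tests with cargo-nextest
        # Consider setting `doCheck = false` on `lakewatch-api` if you do not want
        # the tests to run twice
        # NOTE(review): `lakewatch-api` already sets `doCheck = false` because the
        # tests need sqlx and a live database; this check presumably runs into the
        # same requirement under `nix flake check` — confirm.
        nextest = craneLib.cargoNextest (
          commonArgs
          // {
            inherit cargoArtifacts;
            partitions = 1;
            partitionType = "count";
          }
        );
      };
      packages =
        {
          default = lakewatch-api;
        }
        // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
          lakewatch-api-llvm-coverage = craneLibLLvmTools.cargoLlvmCov (
            commonArgs // { inherit cargoArtifacts; }
          );
        };
      apps.default = flake-utils.lib.mkApp { drv = lakewatch-api; };
      # Development shell: inherits the inputs of every check above plus the
      # tools used for local iteration.
      devShells.default = craneLib.devShell {
        checks = self.checks.${system};
        PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig";
        nativeBuildInputs = [ pkgs.pkg-config ];
        buildInputs = [
          pkgs.openssl
          pkgs.openssl.dev
        ];
        packages = with pkgs; [
          cargo
          cargo-watch
          sqlx-cli
          bunyan-rs
        ];
      };
    }
  )
  // {
    # NixOS module running the API as a systemd service, optionally with a
    # locally managed PostgreSQL instance.
    nixosModules.default =
      {
        config,
        lib,
        pkgs,
        ...
      }:
      let
        cfg = config.services.lakewatch-api;
      in
      {
        options.services.lakewatch-api = {
          # mkEnableOption prefixes "Whether to enable", so the argument names the
          # thing being enabled rather than forming a full sentence.
          enable = lib.mkEnableOption "the lakewatch-api service";
          host = lib.mkOption {
            type = lib.types.str;
            default = "127.0.0.1";
            description = ''
              The host to pass to lakewatch
            '';
          };
          port = lib.mkOption {
            type = lib.types.port;
            default = 8000;
            description = ''
              The port to run the Lakewatch API on
            '';
          };
          # Wired to `networking.firewall.allowedTCPPorts` in the config below.
          openFirewall = lib.mkOption {
            type = lib.types.bool;
            default = false;
            description = ''
              Whether to expose the Lakewatch app port on the firewall
            '';
          };
          package = lib.mkOption {
            type = lib.types.package;
            default = self.packages.${pkgs.system}.default;
            description = "Package to use for the API, defaults to the package provided in the flake";
          };
          db = lib.mkOption {
            description = ''
              Database settings for the application
            '';
            type = lib.types.submodule {
              options = {
                createService = lib.mkOption {
                  type = lib.types.bool;
                  default = false;
                  description = ''
                    Whether to create a local postgresql service for the API
                  '';
                };
                # Also used as the database role name (see `username` below).
                name = lib.mkOption {
                  type = lib.types.str;
                  default = "lakewatch";
                  description = ''
                    The database name to use
                  '';
                };
                host = lib.mkOption {
                  type = lib.types.str;
                  default = "localhost";
                  description = ''
                    The database host to use
                  '';
                };
                port = lib.mkOption {
                  type = lib.types.port;
                  default = 5432;
                  description = ''
                    The port of the database
                  '';
                };
                # NOTE(review): set this to a string path (e.g. "/run/secrets/<name>"),
                # not a path literal such as `./secret`: a path literal is copied into
                # the world-readable Nix store where it is interpolated below.
                passwordFile = lib.mkOption {
                  type = lib.types.path;
                  description = ''
                    The file to read the database password from for the API
                  '';
                };
              };
            };
          };
        };
        config =
          let
            # The role name equals the database name; `ensureDBOwnership` relies on that.
            username = cfg.db.name;
            # Quote a Nix string as a SQL string literal (single quotes doubled), so
            # a value interpolated into the SQL below cannot end the literal early.
            sqlLiteral = s: "'${lib.replaceStrings [ "'" ] [ "''" ] s}'";
          in
          lib.mkIf cfg.enable {
            # Honour `openFirewall`; the option is a no-op without this.
            networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
            services = lib.mkIf cfg.db.createService {
              postgresql = {
                enable = true;
                ensureDatabases = [ cfg.db.name ];
                ensureUsers = [
                  {
                    name = username;
                    ensureClauses = {
                      login = true;
                      # NOTE(review): CREATEDB is broader than owning `cfg.db.name`;
                      # drop it if the application never creates databases — confirm.
                      createdb = true;
                    };
                    ensureDBOwnership = true;
                  }
                ];
              };
            };
            # Set the role password from `passwordFile` once postgres is up. The
            # heredoc delimiter is quoted, so the shell does not expand the SQL;
            # the role name goes through `%I` and the password through `%L` so
            # neither can alter the statement. `pg_read_file` runs as the
            # postgres superuser, which therefore needs read access to the file.
            systemd.services.postgresql.postStart = lib.mkIf cfg.db.createService ''
              $PSQL -tA << 'EOF'
              DO $$
              DECLARE password TEXT;
              BEGIN
                password := trim(both from replace(pg_read_file('${cfg.db.passwordFile}'), E'\n', '''));
                EXECUTE format('ALTER ROLE %I WITH PASSWORD %L', ${sqlLiteral username}, password);
              END $$;
              EOF
            '';
            systemd.services.lakewatch-api = {
              wantedBy = [ "multi-user.target" ];
              # Order after the network and, when we manage it, after the local
              # postgres (whose postStart above sets the role password).
              after = [ "network.target" ] ++ lib.optional cfg.db.createService "postgresql.service";
              wants = lib.optional cfg.db.createService "postgresql.service";
              environment = {
                APP_API_HOST = "${cfg.host}";
                APP_API_PORT = "${builtins.toString cfg.port}";
                APP_DATABASE_HOST = "${cfg.db.host}";
                APP_DATABASE_PORT = "${builtins.toString cfg.db.port}";
                APP_DATABASE_USERNAME = "${username}";
                APP_DATABASE_NAME = "${cfg.db.name}";
                # NOTE(review): a locally created postgres has no TLS configured by
                # this module; confirm the application accepts that with this set.
                APP_DATABASE_REQUIRE_SSL = "true";
              };
              serviceConfig = {
                DynamicUser = true;
                # systemd hands the secret to the unit; the unprivileged dynamic
                # user never needs read access to `passwordFile` itself.
                LoadCredential = [ "APP_DATABASE_PASSWORD_FILE:${cfg.db.passwordFile}" ];
                # Fail the start (instead of running with an empty password) when
                # the credential cannot be read, and exec the binary so it is the
                # unit's main process and receives systemd's signals directly.
                ExecStart = pkgs.writeScript "scraper" ''
                  #!${pkgs.bash}/bin/bash
                  set -euo pipefail
                  APP_DATABASE_PASSWORD="$(${pkgs.systemd}/bin/systemd-creds cat APP_DATABASE_PASSWORD_FILE)"
                  export APP_DATABASE_PASSWORD
                  exec ${cfg.package}/bin/lakewatch
                '';
                Restart = "on-failure";
                RestartSec = "5s";
              };
            };
          };
      };
  };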
}