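{
  description = "Build a cargo project";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

    crane = {
      url = "github:ipetkov/crane";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    fenix = {
      url = "github:nix-community/fenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.rust-analyzer-src.follows = "";
    };

    flake-utils.url = "github:numtide/flake-utils";

    # RustSec advisory database, consumed by the `audit` check below.
    # Not a flake, so it is fetched as a plain source tree.
    advisory-db = {
      url = "github:rustsec/advisory-db";
      flake = false;
    };
  };

  outputs = { self, nixpkgs, crane, fenix, flake-utils, advisory-db, ... }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        inherit (pkgs) lib;

        craneLib = crane.mkLib pkgs;

        # Source filters. Besides the usual Cargo sources we keep `*.sql`
        # files and the sqlx offline query cache (`.sqlx/query-*.json`) so
        # that sqlx's compile-time checks have what they need inside the
        # build sandbox.
        sqlFilter = path: _type: null != builtins.match ".*sql$" path;
        # `\\.` so the regex engine receives a literal `\.`; a bare `\.` in
        # a Nix string collapses to `.` and matches any character.
        sqlxFilter = path: _type:
          null != builtins.match ".*\\.sqlx/query-.*json$" path;
        sqlxOrCargo = path: type:
          (sqlxFilter path type)
          || (craneLib.filterCargoSources path type)
          || (sqlFilter path type);

        src = lib.cleanSourceWith {
          src = ./.;
          filter = sqlxOrCargo;
          name = "source";
        };

        # Common arguments can be set here to avoid repeating them later.
        commonArgs = {
          inherit src;
          strictDeps = true;

          nativeBuildInputs = [ pkgs.pkg-config ];

          buildInputs = [
            # Add additional build inputs here
            pkgs.openssl
          ] ++ lib.optionals pkgs.stdenv.isDarwin [
            # Additional darwin specific inputs can be set here
            pkgs.libiconv
            pkgs.darwin.apple_sdk.frameworks.Security
          ];
        };

        # Toolchain with llvm-tools, needed only for the coverage package.
        craneLibLLvmTools = craneLib.overrideToolchain (
          fenix.packages.${system}.complete.withComponents [
            "cargo"
            "llvm-tools"
            "rustc"
          ]
        );

        # Build *just* the cargo dependencies, so we can reuse
        # all of that work (e.g. via cachix) when running in CI.
        cargoArtifacts = craneLib.buildDepsOnly commonArgs;

        # Build the actual crate itself, reusing the dependency
        # artifacts from above.
        lakewatch-api = craneLib.buildPackage (commonArgs // {
          inherit cargoArtifacts;
          # Skip the tests: they depend on sqlx and a live database,
          # neither of which is available in the sandbox.
          doCheck = false;
          nativeBuildInputs =
            (commonArgs.nativeBuildInputs or [ ]) ++ [ pkgs.sqlx-cli ];
        });
      in
      {
        checks = {
          # Build the crate as part of `nix flake check` for convenience.
          inherit lakewatch-api;

          # Run clippy (and deny all warnings) on the crate source,
          # again, reusing the dependency artifacts from above.
          #
          # Note that this is done as a separate derivation so that
          # we can block the CI if there are issues here, but not
          # prevent downstream consumers from building our crate by itself.
          clippy = craneLib.cargoClippy (commonArgs // {
            inherit cargoArtifacts;
            cargoClippyExtraArgs = "--all-targets -- --deny warnings";
          });

          doc = craneLib.cargoDoc (commonArgs // { inherit cargoArtifacts; });

          # Check formatting.
          fmt = craneLib.cargoFmt { inherit src; };

          # Audit dependencies against the RustSec advisory database.
          audit = craneLib.cargoAudit { inherit src advisory-db; };

          # Audit licenses / bans / sources via cargo-deny.
          deny = craneLib.cargoDeny { inherit src; };

          # Run tests with cargo-nextest. `lakewatch-api` itself has
          # `doCheck = false`, so this is the only place tests run.
          nextest = craneLib.cargoNextest (commonArgs // {
            inherit cargoArtifacts;
            partitions = 1;
            partitionType = "count";
          });
        };

        packages = {
          default = lakewatch-api;
        } // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
          lakewatch-api-llvm-coverage = craneLibLLvmTools.cargoLlvmCov (
            commonArgs // { inherit cargoArtifacts; }
          );
        };

        # NOTE(review): mkApp defaults to `bin/<pname>`, while the NixOS
        # module below runs `bin/lakewatch`; confirm both refer to the same
        # binary name from Cargo.toml, or set `exePath` here explicitly.
        apps.default = flake-utils.lib.mkApp { drv = lakewatch-api; };

        devShells.default = craneLib.devShell {
          # Inherit inputs from checks.
          checks = self.checks.${system};

          PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig";
          nativeBuildInputs = [ pkgs.pkg-config ];
          buildInputs = [ pkgs.openssl pkgs.openssl.dev ];

          # Extra dev tooling.
          packages = with pkgs; [
            cargo
            cargo-watch
            sqlx-cli
            bunyan-rs
          ];
        };
      }
    ) // {
      # NixOS module running the API as a hardened systemd service, with an
      # optional local PostgreSQL instance.
      nixosModules.default = { config, lib, pkgs, ... }:
        let
          cfg = config.services.lakewatch-api;
        in
        {
          options.services.lakewatch-api = {
            # mkEnableOption prefixes "Whether to enable", so pass only the noun.
            enable = lib.mkEnableOption "the lakewatch-api service";

            host = lib.mkOption {
              type = lib.types.str;
              default = "127.0.0.1";
              description = ''
                The host (bind address) to pass to lakewatch.
              '';
            };

            port = lib.mkOption {
              type = lib.types.port;
              default = 8000;
              description = ''
                The port to run the Lakewatch API on.
              '';
            };

            openFirewall = lib.mkOption {
              type = lib.types.bool;
              default = false;
              description = ''
                Whether to open `port` in the firewall. Only useful when
                `host` is set to a non-loopback address.
              '';
            };

            package = lib.mkOption {
              type = lib.types.package;
              default = self.packages.${pkgs.system}.default;
              description =
                "Package to use for the API, defaults to the package provided in the flake";
            };

            db = lib.mkOption {
              description = ''
                Database settings for the application.
              '';
              type = lib.types.submodule {
                options = {
                  createService = lib.mkOption {
                    type = lib.types.bool;
                    default = false;
                    description = ''
                      Whether to create a local postgresql service for the API.
                      The database and a role of the same name are created, and
                      the role's password is set from `passwordFile`.
                    '';
                  };

                  name = lib.mkOption {
                    type = lib.types.str;
                    default = "lakewatch";
                    description = ''
                      The database name to use. Also used as the role name.
                    '';
                  };

                  host = lib.mkOption {
                    type = lib.types.str;
                    default = "localhost";
                    description = ''
                      The database host to use.
                    '';
                  };

                  port = lib.mkOption {
                    type = lib.types.port;
                    default = 5432;
                    description = ''
                      The port of the database.
                    '';
                  };

                  # A string, not `types.path`: a path literal would be copied
                  # into the world-readable Nix store together with the secret.
                  passwordFile = lib.mkOption {
                    type = lib.types.str;
                    description = ''
                      Absolute path (as a string, outside the Nix store) of a
                      file containing the database password for the API. It is
                      read by the API via systemd credentials and, when
                      `createService` is set, by the postgresql server process.
                    '';
                  };
                };
              };
            };
          };

          config =
            let
              username = cfg.db.name;
            in
            lib.mkIf cfg.enable {
              assertions = [
                {
                  assertion = !(lib.hasPrefix builtins.storeDir cfg.db.passwordFile);
                  message =
                    "services.lakewatch-api.db.passwordFile must not point into the Nix store; the store is world-readable.";
                }
              ];

              # Declared option was previously never consumed.
              networking.firewall.allowedTCPPorts =
                lib.mkIf cfg.openFirewall [ cfg.port ];

              services.postgresql = lib.mkIf cfg.db.createService {
                enable = true;
                ensureDatabases = [ cfg.db.name ];
                ensureUsers = [
                  {
                    name = username;
                    # NOTE(review): `createdb` lets the role create arbitrary
                    # databases; the API's database is already created above
                    # and owned via ensureDBOwnership. Drop it unless the
                    # application actually needs it.
                    ensureClauses = {
                      login = true;
                      createdb = true;
                    };
                    ensureDBOwnership = true;
                  }
                ];
              };

              # Set the role's password from passwordFile. mkAfter orders this
              # after the postgresql module's own ensureUsers block so the
              # role exists. The file is read server-side (pg_read_file runs
              # as the postgres superuser). %I / %L quote the identifier and
              # the literal, so a password containing a quote cannot break
              # out of the statement (the previous `'%s'` form could).
              systemd.services.postgresql.postStart =
                lib.mkIf cfg.db.createService (lib.mkAfter ''
                  $PSQL -tA << 'EOF'
                  DO $$
                  DECLARE
                    password TEXT;
                  BEGIN
                    password := trim(both from replace(pg_read_file('${cfg.db.passwordFile}'), E'\n', '''));
                    EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);
                  END $$;
                  EOF
                '');

              systemd.services.lakewatch-api = {
                wantedBy = [ "multi-user.target" ];
                # Start after the local database when we manage it.
                after = lib.mkIf cfg.db.createService [ "postgresql.service" ];
                requires = lib.mkIf cfg.db.createService [ "postgresql.service" ];

                environment = {
                  APP_API_HOST = "${cfg.host}";
                  APP_API_PORT = "${builtins.toString cfg.port}";
                  APP_DATABASE_HOST = "${cfg.db.host}";
                  APP_DATABASE_PORT = "${builtins.toString cfg.db.port}";
                  APP_DATABASE_USERNAME = "${username}";
                  APP_DATABASE_NAME = "${cfg.db.name}";
                  # NOTE(review): the local postgresql created by
                  # createService has no TLS configured in this module;
                  # confirm what the application does with this flag for a
                  # non-TLS localhost server, or configure
                  # services.postgresql.settings.ssl.
                  APP_DATABASE_REQUIRE_SSL = "true";
                };

                serviceConfig = {
                  # Unprivileged transient user; the password file is handed
                  # to the process through systemd's credentials mechanism
                  # rather than by making it readable to that user.
                  DynamicUser = true;
                  LoadCredential = [
                    "APP_DATABASE_PASSWORD_FILE:${cfg.db.passwordFile}"
                  ];
                  ExecStart = pkgs.writeScript "scraper" ''
                    #!${pkgs.bash}/bin/bash
                    # Fail the unit instead of starting with an empty password
                    # if the credential cannot be read; exec so the API is the
                    # unit's main process and receives systemd's signals directly.
                    set -euo pipefail
                    export APP_DATABASE_PASSWORD="$(${pkgs.systemd}/bin/systemd-creds cat APP_DATABASE_PASSWORD_FILE)"
                    exec ${cfg.package}/bin/lakewatch
                  '';
                  Restart = "on-failure";
                  RestartSec = "5s";
                };
              };
            };
        };
    };
}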