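{
  description = "Build a cargo project";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

    crane = {
      url = "github:ipetkov/crane";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    fenix = {
      url = "github:nix-community/fenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.rust-analyzer-src.follows = "";
    };

    flake-utils.url = "github:numtide/flake-utils";

    # Plain data input (not a flake): only the advisory contents are needed
    # by the `audit` check below.
    advisory-db = {
      url = "github:rustsec/advisory-db";
      flake = false;
    };
  };

  outputs =
    {
      self,
      nixpkgs,
      crane,
      fenix,
      flake-utils,
      advisory-db,
      ...
    }:
    flake-utils.lib.eachDefaultSystem (
      system:
      let
        pkgs = nixpkgs.legacyPackages.${system};

        inherit (pkgs) lib;

        craneLib = crane.mkLib pkgs;

        # Source filters. crane's default filter keeps only Cargo sources, so
        # the SQL migrations and the sqlx offline query metadata
        # (.sqlx/query-*.json) the build needs must be whitelisted explicitly.
        #
        # The doubled backslash matters: in a Nix string "\." is just ".",
        # which would turn the dot into a regex wildcard instead of a literal.
        sqlFilter = path: _type: null != builtins.match ".*\\.sql$" path;
        sqlxFilter = path: _type: null != builtins.match ".*\\.sqlx/query-.*\\.json$" path;
        sqlxOrCargo =
          path: type:
          (sqlxFilter path type) || (craneLib.filterCargoSources path type) || (sqlFilter path type);

        src = lib.cleanSourceWith {
          src = ./.;
          filter = sqlxOrCargo;
          name = "source";
        };

        # Common arguments can be set here to avoid repeating them later
        commonArgs = {
          inherit src;
          strictDeps = true;

          nativeBuildInputs = [ pkgs.pkg-config ];

          buildInputs =
            [
              # Add additional build inputs here
              pkgs.openssl
            ]
            ++ lib.optionals pkgs.stdenv.isDarwin [
              # Additional darwin specific inputs can be set here
              pkgs.libiconv
              pkgs.darwin.apple_sdk.frameworks.Security
            ];
        };

        # Toolchain with llvm-tools; only used by the coverage package below.
        craneLibLLvmTools = craneLib.overrideToolchain (
          fenix.packages.${system}.complete.withComponents [
            "cargo"
            "llvm-tools"
            "rustc"
          ]
        );

        # Build *just* the cargo dependencies, so we can reuse
        # all of that work (e.g. via cachix) when running in CI
        cargoArtifacts = craneLib.buildDepsOnly commonArgs;

        # Build the actual crate itself, reusing the dependency
        # artifacts from above.
        lakewatch-api = craneLib.buildPackage (
          commonArgs
          // {
            inherit cargoArtifacts;
            # Skip the tests due to deps on Sqlx and a valid DB
            doCheck = false;

            # sqlx-cli is needed at build time on top of the common inputs.
            nativeBuildInputs = (commonArgs.nativeBuildInputs or [ ]) ++ [ pkgs.sqlx-cli ];
          }
        );
      in
      {
        checks = {
          # Build the crate as part of `nix flake check` for convenience
          inherit lakewatch-api;

          # Run clippy (and deny all warnings) on the crate source,
          # again, reusing the dependency artifacts from above.
          #
          # Note that this is done as a separate derivation so that
          # we can block the CI if there are issues here, but not
          # prevent downstream consumers from building our crate by itself.
          clippy = craneLib.cargoClippy (
            commonArgs
            // {
              inherit cargoArtifacts;
              cargoClippyExtraArgs = "--all-targets -- --deny warnings";
            }
          );

          doc = craneLib.cargoDoc (commonArgs // { inherit cargoArtifacts; });

          # Check formatting
          fmt = craneLib.cargoFmt { inherit src; };

          # Audit dependencies against the RustSec advisory database
          audit = craneLib.cargoAudit { inherit src advisory-db; };

          # Audit licenses
          deny = craneLib.cargoDeny { inherit src; };

          # Run tests with cargo-nextest.
          # `lakewatch-api` already sets `doCheck = false`, so this is the only
          # place the test suite runs during `nix flake check`.
          # NOTE(review): per the comment on `doCheck` the tests need a live
          # database, so this check likely cannot pass in a sandboxed build — confirm.
          nextest = craneLib.cargoNextest (
            commonArgs
            // {
              inherit cargoArtifacts;
              partitions = 1;
              partitionType = "count";
            }
          );
        };

        packages =
          {
            default = lakewatch-api;
          }
          // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
            lakewatch-api-llvm-coverage = craneLibLLvmTools.cargoLlvmCov (
              commonArgs // { inherit cargoArtifacts; }
            );
          };

        apps.default = flake-utils.lib.mkApp { drv = lakewatch-api; };

        devShells.default = craneLib.devShell {
          # Inherit inputs from checks.
          checks = self.checks.${system};

          PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig";
          nativeBuildInputs = [ pkgs.pkg-config ];
          buildInputs = [
            pkgs.openssl
            pkgs.openssl.dev
          ];

          # Extra tooling for local development.
          packages = with pkgs; [
            cargo
            cargo-watch
            sqlx-cli
            bunyan-rs
          ];
        };
      }
    )
    // {
      # NixOS module running the API as a systemd service, optionally with a
      # locally managed PostgreSQL instance.
      nixosModules.default =
        {
          config,
          lib,
          pkgs,
          ...
        }:
        let
          cfg = config.services.lakewatch-api;
        in
        {
          options.services.lakewatch-api = {
            # mkEnableOption prefixes "Whether to enable", so only the noun phrase goes here.
            enable = lib.mkEnableOption "the lakewatch-api service";

            host = lib.mkOption {
              type = lib.types.str;
              default = "127.0.0.1";
              description = ''
                The host to pass to lakewatch
              '';
            };

            port = lib.mkOption {
              type = lib.types.port;
              default = 8000;
              description = ''
                The port to run the Lakewatch API on
              '';
            };

            openFirewall = lib.mkOption {
              type = lib.types.bool;
              default = false;
              description = ''
                Whether to expose the Lakewatch app port on the firewall
              '';
            };

            package = lib.mkOption {
              type = lib.types.package;
              default = self.packages.${pkgs.system}.default;
              description = "Package to use for the API, defaults to the package provided in the flake";
            };

            db = lib.mkOption {
              description = ''
                Database settings for the application
              '';
              type = lib.types.submodule {
                options = {
                  createService = lib.mkOption {
                    type = lib.types.bool;
                    default = false;
                    description = ''
                      Whether to create a local postgresql service for the API
                    '';
                  };

                  # Also used as the database role / application user name.
                  name = lib.mkOption {
                    type = lib.types.str;
                    default = "lakewatch";
                    description = ''
                      The database name to use
                    '';
                  };

                  host = lib.mkOption {
                    type = lib.types.str;
                    default = "localhost";
                    description = ''
                      The database host to use
                    '';
                  };

                  port = lib.mkOption {
                    type = lib.types.port;
                    default = 5432;
                    description = ''
                      The port of the database
                    '';
                  };

                  passwordFile = lib.mkOption {
                    type = lib.types.path;
                    description = ''
                      The file to read the database password from for the API.

                      Pass this as a string (e.g. "/run/secrets/lakewatch-db-password"),
                      not as a Nix path literal: a path literal is copied into the
                      world-readable Nix store. When `createService` is set the file
                      must also be readable by the postgresql server, which reads it
                      with `pg_read_file` to set the role password.
                    '';
                  };
                };
              };
            };
          };

          config =
            let
              # The database role name doubles as the application user name.
              username = cfg.db.name;
              # Unit dependency on the local database, only when we manage it.
              pgService = lib.optional cfg.db.createService "postgresql.service";
            in
            lib.mkIf cfg.enable {
              services = lib.mkIf cfg.db.createService {
                postgresql = {
                  enable = true;
                  ensureDatabases = [ cfg.db.name ];
                  ensureUsers = [
                    {
                      name = username;
                      ensureClauses = {
                        login = true;
                        createdb = true;
                      };
                      ensureDBOwnership = true;
                    }
                  ];
                };
              };

              # ensureUsers cannot set a password, so it is applied once the server
              # is up, read from `db.passwordFile` on the server side.
              # `%I` / `%L` make format() quote the identifier and the literal, so a
              # password containing quotes neither breaks the statement nor escapes
              # the literal (the previous `'%s'` form did not quote it).
              systemd.services.postgresql.postStart = lib.mkIf cfg.db.createService ''
                $PSQL -tA << 'EOF'
                DO $$
                DECLARE password TEXT;
                BEGIN
                  password := trim(both from replace(pg_read_file('${cfg.db.passwordFile}'), E'\n', '''));
                  EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${username}', password);
                END $$;
                EOF
              '';

              systemd.services.lakewatch-api = {
                wantedBy = [ "multi-user.target" ];
                # Do not start before the local database (when we manage it) is up.
                after = pgService;
                requires = pgService;

                environment = {
                  APP_API_HOST = "${cfg.host}";
                  APP_API_PORT = "${builtins.toString cfg.port}";
                  APP_DATABASE_HOST = "${cfg.db.host}";
                  APP_DATABASE_PORT = "${builtins.toString cfg.db.port}";
                  APP_DATABASE_USERNAME = "${username}";
                  APP_DATABASE_NAME = "${cfg.db.name}";
                  # NOTE(review): nothing here configures TLS on the local postgresql
                  # enabled above; confirm the application accepts that combination
                  # when `createService` is set.
                  APP_DATABASE_REQUIRE_SSL = "true";
                };

                serviceConfig = {
                  # Ephemeral unprivileged user; the password is handed over through
                  # systemd's credential mechanism rather than written into the unit.
                  DynamicUser = true;
                  LoadCredential = [ "APP_DATABASE_PASSWORD_FILE:${cfg.db.passwordFile}" ];
                  ExecStart = pkgs.writeScript "lakewatch-api-start" ''
                    #!${pkgs.bash}/bin/bash
                    set -euo pipefail
                    export APP_DATABASE_PASSWORD="$(${pkgs.systemd}/bin/systemd-creds cat APP_DATABASE_PASSWORD_FILE)"
                    # exec so the binary replaces the shell and receives systemd's signals directly
                    exec ${cfg.package}/bin/lakewatch
                  '';
                  Restart = "on-failure";
                  RestartSec = "5s";
                };
              };

              # Honour `openFirewall`, which was declared but previously had no effect.
              networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
            };
        };
    };
}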