From 42a99b1be2955eb007a199f319b3afa47d6da780 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Mon, 25 Feb 2019 17:08:01 +0300 Subject: nixos/unit: init service unit --- .../modules/services/web-servers/unit/default.nix | 125 +++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 nixos/modules/services/web-servers/unit/default.nix (limited to 'nixos/modules/services/web-servers') diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix new file mode 100644 index 00000000000..a4a9d370d64 --- /dev/null +++ b/nixos/modules/services/web-servers/unit/default.nix @@ -0,0 +1,125 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.unit; + + configFile = pkgs.writeText "unit.json" cfg.config; + +in { + options = { + services.unit = { + enable = mkEnableOption "Unit App Server"; + package = mkOption { + type = types.package; + default = pkgs.unit; + defaultText = "pkgs.unit"; + description = "Unit package to use."; + }; + user = mkOption { + type = types.str; + default = "unit"; + description = "User account under which unit runs."; + }; + group = mkOption { + type = types.str; + default = "unit"; + description = "Group account under which unit runs."; + }; + stateDir = mkOption { + default = "/var/spool/unit"; + description = "Unit data directory."; + }; + logDir = mkOption { + default = "/var/log/unit"; + description = "Unit log directory."; + }; + config = mkOption { + type = types.str; + default = '' + { + "listeners": {}, + "applications": {} + } + ''; + example = literalExample '' + { + "listeners": { + "*:8300": { + "application": "example-php-72" + } + }, + "applications": { + "example-php-72": { + "type": "php 7.2", + "processes": 4, + "user": "nginx", + "group": "nginx", + "root": "/var/www", + "index": "index.php", + "options": { + "file": "/etc/php.d/default.ini", + "admin": { + "max_execution_time": "30", + "max_input_time": "30", + "display_errors": "off", + "display_startup_errors": "off", + "open_basedir": "/dev/urandom:/proc/cpuinfo:/proc/meminfo:/etc/ssl/certs:/var/www", + "disable_functions": "exec,passthru,shell_exec,system" + } + } + } + } + } + ''; + description = "Unit configuration in JSON format. More details here https://unit.nginx.org/configuration"; + }; + }; + }; + + config = mkIf cfg.enable { + + environment.systemPackages = [ cfg.package ]; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -" + "d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -" + ]; + + systemd.services.unit = { + description = "Unit App Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ curl ]; + preStart = '' + test -f '/run/unit/control.unit.sock' || rm -f '/run/unit/control.unit.sock' + ''; + postStart = '' + curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config' + ''; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID"; + ExecStart = '' + ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \ + --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \ + --user ${cfg.user} --group ${cfg.group} + ''; + RuntimeDirectory = "unit"; + RuntimeDirectoryMode = "0750"; + }; + }; + + users.users = optionalAttrs (cfg.user == "unit") (singleton { + name = "unit"; + group = cfg.group; + }); + + users.groups = optionalAttrs (cfg.group == "unit") (singleton { + name = "unit"; + }); + }; +} -- cgit 1.4.1