pykms: nixos module

7 years ago · c640e790d5
parent 62e73a75f1
commit c640e790d5
3 changed files with 93 additions and 0 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -297,6 +297,7 @@
      rslsync = 279;
      minio = 280;
      kanboard = 281;
+      pykms = 282;

      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!

@ -563,6 +564,7 @@
      rslsync = 279;
      minio = 280;
      kanboard = 281;
+      pykms = 282;

      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -333,6 +333,7 @@
  ./services/misc/parsoid.nix
  ./services/misc/phd.nix
  ./services/misc/plex.nix
+  ./services/misc/pykms.nix
  ./services/misc/radarr.nix
  ./services/misc/redmine.nix
  ./services/misc/rippled.nix
--- a/nixos/modules/services/misc/pykms.nix
+++ b/nixos/modules/services/misc/pykms.nix
@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.pykms;
+
+  home = "/var/lib/pykms";
+
+  services = {
+    serviceConfig = {
+      Restart = "on-failure";
+      RestartSec = "10s";
+      StartLimitInterval = "1min";
+      PrivateTmp = true;
+      ProtectSystem = "full";
+      ProtectHome = true;
+    };
+  };
+
+in {
+
+  options = {
+    services.pykms = rec {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the PyKMS service.";
+      };
+
+      listenAddress = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = "The IP address on which to listen.";
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 1688;
+        description = "The port on which to listen.";
+      };
+
+      verbose = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Show verbose output.";
+      };
+
+      openFirewallPort = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether the listening port should be opened automatically.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ];
+
+    systemd.services = {
+      pykms = services // {
+        description = "Python KMS";
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = with pkgs; {
+          User = "pykms";
+          Group = "pykms";
+          ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
+          ExecStart = "${getBin pykms}/bin/server.py ${optionalString cfg.verbose "--verbose"} ${cfg.listenAddress} ${toString cfg.port}";
+          WorkingDirectory = home;
+          MemoryLimit = "64M";
+        };
+      };
+    };
+
+    users = {
+      extraUsers.pykms = {
+        name = "pykms";
+        group = "pykms";
+        home  = home;
+        createHome = true;
+        uid = config.ids.uids.pykms;
+        description = "PyKMS daemon user";
+      };
+
+      extraGroups.pykms = {
+        gid = config.ids.gids.pykms;
+      };
+    };
+  };
+}