From e16a2cf1c873d5cedf2b0932c9e15c0fe4ba51de Mon Sep 17 00:00:00 2001
From: Ivan Bushchik
Date: Tue, 26 Dec 2023 21:16:35 +0300
Subject: [PATCH] nixos-not-a-luxury: add rust service
---
 ru/nixos-not-a-luxury/slides.md | 150 ++++++++++++++++++++++++++++++++
 1 file changed, 150 insertions(+)
diff --git a/ru/nixos-not-a-luxury/slides.md b/ru/nixos-not-a-luxury/slides.md
index b6e22c6..a717556 100644
--- a/ru/nixos-not-a-luxury/slides.md
+++ b/ru/nixos-not-a-luxury/slides.md
@@ -243,6 +243,156 @@ in {
 ---
+## Упаковка сервиса на Rust
+
+```nix[1-17|1-3,5,9|]
+{ pkgs ? import { system = builtins.currentSystem; },
+lib ? pkgs.lib, rustPlatform ? pkgs.rustPlatform,
+fetchCrate ? pkgs.fetchCrate }:
+
+rustPlatform.buildRustPackage rec {
+ pname = "urouter";
+ version = "0.6.0";
+
+ src = fetchCrate {
+ inherit pname version;
+ sha256 = "sha256-KfoZ9NinD6PCL4M3U4sB8GHdbDLeRW7uFeQpGxmzJ90=";
+ };
+
+ cargoSha256 = "sha256-VfoF4hzWf5j2QtXyS/jFYCMfowl47YcAjxs2PV9C6oo=";
+
+ nativeBuildInputs = [ pkgs.pkg-config ];
+}
+```
+
+--
+
+## Создание удобных опций
+
+```nix[|4|9-25|31-47|59-75]
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.my.roles.server.urouter;
+ aliasFormat = pkgs.formats.json { };
+in {
+ options.my.roles.server.urouter = {
+ enable = lib.mkEnableOption "Enable urouter";
+
+ settings = lib.mkOption rec {
+ type = aliasFormat.type;
+ apply = lib.recursiveUpdate default;
+ default = { alias = [ ]; };
+ example = {
+ alias = [
+ {
+ uri = "/";
+ alias = { url = "https://someurl"; };
+ }
+ {
+ uri = "/";
+ alias = { file = "some_file"; };
+ agent = { regex = "^curl/[0-9].[0-9].[0-9]$"; };
+ }
+ ];
+ };
+ description = lib.mdDoc ''
+ alias.json configuration in Nix format.
+ '';
+ };
+
+ dir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/urouter";
+ example = "/home/user/urouter";
+ };
+
+ address = lib.mkOption {
+ type = lib.types.str;
+ default = "0.0.0.0";
+ example = "0200::1";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.ints.u16;
+ default = 8080;
+ example = 80;
+ };
+
+ openFirewall = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = lib.mdDoc "Open TCP port in the firewall";
+ };
+ };
+ config = lib.mkIf (cfg.enable) {
+ networking.firewall.allowedTCPPorts =
+ lib.mkIf cfg.openFirewall [ cfg.port ];
+
+ systemd.services.urouter = {
+ description = "urouter HTTP Service";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${
+ pkgs.callPackage ../../pkgs/urouter.nix { }
+ }/bin/urouter --alias-file-is-set-not-a-list --alias-file ${
+ aliasFormat.generate "alias.json" cfg.settings
+ } --dir ${cfg.dir} --address ${cfg.address} --port ${
+ builtins.toString cfg.port
+ }
+ '';
+ BindReadOnlyPaths = [ cfg.dir ];
+ };
+ };
+ };
+}
+```
+
+--
+
+## Использование
+
+```nix[|3-25|26-34]
+{ config, pkgs, lib, ... }:
+rec {
+ my.server.urouter = {
+ enable = true;
+ settings = {
+ alias = [
+ {
+ uri = "/";
+ alias = { url = "https://ivabus.dev"; };
+ }
+ {
+ uri = "/";
+ alias = { file = "dotfiles"; };
+ agent = { regex = "^curl/[0-9].[0-9].[0-9]$"; };
+ }
+ {
+ uri = "d";
+ alias = { file = "dotfiles"; };
+ }
+ ];
+ };
+ dir = "/var/urouter";
+ port = 8090;
+ address = "127.0.0.1";
+ };
+ my.roles.server.nginx.enable = true;
+ services.nginx.virtualHosts."iva.bz" = {
+ locations."/".proxyPass = "http://${
+ config.my.server.urouter.address}:${config.my.server.urouter.port}";
+ enableACME = true;
+ addSSL = true;
+ http3 = true;
+ serverAliases = [ "www.iva.bz" ];
+ };
+}
+```
+
+---
+
 ## Хранение секретиков
 ```nix[]
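Review bot: The "Использование" slide configures `my.server.urouter` and reads `config.my.server.urouter.*` in the nginx `proxyPass`, but the module on the previous slide declares its options under `options.my.roles.server.urouter` and binds `cfg` to that path, so unless the repository defines `my.server.urouter` elsewhere the example would not reach the module at all and the `proxyPass` interpolation would hit an undefined attribute; the usage should read `my.roles.server.urouter = { … }` and `config.my.roles.server.urouter.…`. In the same `proxyPass` string, `port` is typed `lib.types.ints.u16` and is interpolated without `toString`, which Nix rejects ("cannot coerce an integer to a string"); `${toString config.my.roles.server.urouter.port}` fixes it, consistent with the `builtins.toString cfg.port` already used in `ExecStart`. Since this example only reaches urouter through the nginx reverse proxy, defaulting `address` to `"127.0.0.1"` instead of `"0.0.0.0"` would avoid binding on every interface the moment `openFirewall` is turned on, and the unit carries no sandboxing beyond `BindReadOnlyPaths`, so `DynamicUser = true;` and `ProtectSystem = "strict";` in `serviceConfig` would be worth showing on a slide about "convenient options". `cargoSha256` is the legacy attribute name; current nixpkgs prefers `cargoHash`.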