nixos-not-a-luxury: add rust service

2024-11-10 02:25:21 +03:00 · 2023-12-26 21:16:35 +03:00 · 2023-12-26 21:16:35 +03:00 · e16a2cf1c8
parent 107f8e0d7e
commit e16a2cf1c8
1 changed files with 150 additions and 0 deletions
--- a/ru/nixos-not-a-luxury/slides.md
+++ b/ru/nixos-not-a-luxury/slides.md
@ -243,6 +243,156 @@ in {
 ---
 ## Упаковка сервиса на Rust
 ```nix[1-17|1-3,5,9|]
 { pkgs ? import <nixpkgs> { system = builtins.currentSystem; },
 lib ? pkgs.lib, rustPlatform ? pkgs.rustPlatform,
 fetchCrate ? pkgs.fetchCrate }:
 rustPlatform.buildRustPackage rec {
  pname = "urouter";
  version = "0.6.0";
  src = fetchCrate {
    inherit pname version;
    sha256 = "sha256-KfoZ9NinD6PCL4M3U4sB8GHdbDLeRW7uFeQpGxmzJ90=";
  };
  cargoSha256 = "sha256-VfoF4hzWf5j2QtXyS/jFYCMfowl47YcAjxs2PV9C6oo=";
  nativeBuildInputs = [ pkgs.pkg-config ];
 }
 ```
 --
 ## Создание удобных опций
 ```nix[|4|9-25|31-47|59-75]
 { config, lib, pkgs, ... }:
 let
  cfg = config.my.roles.server.urouter;
  aliasFormat = pkgs.formats.json { };
 in {
  options.my.roles.server.urouter = {
    enable = lib.mkEnableOption "Enable urouter";
    settings = lib.mkOption rec {
      type = aliasFormat.type;
      apply = lib.recursiveUpdate default;
      default = { alias = [ ]; };
      example = {
        alias = [
          {
            uri = "/";
            alias = { url = "https://someurl"; };
          }
          {
            uri = "/";
            alias = { file = "some_file"; };
            agent = { regex = "^curl/[0-9].[0-9].[0-9]$"; };
          }
        ];
      };
      description = lib.mdDoc ''
        alias.json configuration in Nix format.
      '';
    };
    dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/urouter";
      example = "/home/user/urouter";
    };
    address = lib.mkOption {
      type = lib.types.str;
      default = "0.0.0.0";
      example = "0200::1";
    };
    port = lib.mkOption {
      type = lib.types.ints.u16;
      default = 8080;
      example = 80;
    };
    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = lib.mdDoc "Open TCP port in the firewall";
    };
  };
  config = lib.mkIf (cfg.enable) {
    networking.firewall.allowedTCPPorts =
      lib.mkIf cfg.openFirewall [ cfg.port ];
    systemd.services.urouter = {
      description = "urouter HTTP Service";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = ''
          ${
            pkgs.callPackage ../../pkgs/urouter.nix { }
          }/bin/urouter --alias-file-is-set-not-a-list --alias-file ${
            aliasFormat.generate "alias.json" cfg.settings
          } --dir ${cfg.dir} --address ${cfg.address} --port ${
            builtins.toString cfg.port
          }
        '';
        BindReadOnlyPaths = [ cfg.dir ];
      };
    };
  };
 }
 ```
 --
 ## Использование
 ```nix[|3-25|26-34]
 { config, pkgs, lib, ... }:
 rec {
  my.server.urouter = {
    enable = true;
    settings = {
      alias = [
        {
          uri = "/";
          alias = { url = "https://ivabus.dev"; };
        }
        {
          uri = "/";
          alias = { file = "dotfiles"; };
          agent = { regex = "^curl/[0-9].[0-9].[0-9]$"; };
        }
        {
          uri = "d";
          alias = { file = "dotfiles"; };
        }
      ];
    };
    dir = "/var/urouter";
    port = 8090;
    address = "127.0.0.1";
  };
  my.roles.server.nginx.enable = true;
  services.nginx.virtualHosts."iva.bz" = {
    locations."/".proxyPass = "http://${
      config.my.server.urouter.address}:${config.my.server.urouter.port}";
    enableACME = true;
    addSSL = true;
    http3 = true;
    serverAliases = [ "www.iva.bz" ];
  };
 }
 ```
 ---
 ## Хранение секретиков
 ```nix[]