nixpkgs/nixos/modules/services/web-apps/healthchecks.nix
Sanjin Sehic 7f5e8a0113
nixos/healthchecks: enable _FILE variants for all secrets
This change enables _FILE variants for all secrets in Healthchecks
configuration so they can be read from a file and not stored in
/nix/store.

In particular, it adds support for these secrets:
DB_PASSWORD, DISCORD_CLIENT_SECRET, EMAIL_HOST_PASSWORD,
LINENOTIFY_CLIENT_SECRET, MATRIX_ACCESS_TOKEN, PD_APP_ID,
PUSHBULLET_CLIENT_SECRET, PUSHOVER_API_TOKEN, S3_SECRET_KEY, SECRET_KEY,
SLACK_CLIENT_SECRET, TELEGRAM_TOKEN, TRELLO_APP_KEY, and TWILIO_AUTH.
2023-09-02 09:43:19 +01:00

277 lines
9.1 KiB
Nix

{ config, lib, options, pkgs, buildEnv, ... }:
with lib;
let
defaultUser = "healthchecks";
cfg = config.services.healthchecks;
opt = options.services.healthchecks;
pkg = cfg.package;
boolToPython = b: if b then "True" else "False";
environment = {
PYTHONPATH = pkg.pythonPath;
STATIC_ROOT = cfg.dataDir + "/static";
} // cfg.settings;
environmentFile = pkgs.writeText "healthchecks-environment" (lib.generators.toKeyValue { } environment);
healthchecksManageScript = pkgs.writeShellScriptBin "healthchecks-manage" ''
sudo=exec
if [[ "$USER" != "${cfg.user}" ]]; then
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env --preserve-env=PYTHONPATH'
fi
export $(cat ${environmentFile} | xargs)
$sudo ${pkg}/opt/healthchecks/manage.py "$@"
'';
in
{
options.services.healthchecks = {
enable = mkEnableOption (lib.mdDoc "healthchecks") // {
description = lib.mdDoc ''
Enable healthchecks.
It is expected to be run behind a HTTP reverse proxy.
'';
};
package = mkOption {
default = pkgs.healthchecks;
defaultText = literalExpression "pkgs.healthchecks";
type = types.package;
description = lib.mdDoc "healthchecks package to use.";
};
user = mkOption {
default = defaultUser;
type = types.str;
description = lib.mdDoc ''
User account under which healthchecks runs.
::: {.note}
If left as the default value this user will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the healthchecks service starts.
:::
'';
};
group = mkOption {
default = defaultUser;
type = types.str;
description = lib.mdDoc ''
Group account under which healthchecks runs.
::: {.note}
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the healthchecks service starts.
:::
'';
};
listenAddress = mkOption {
type = types.str;
default = "localhost";
description = lib.mdDoc "Address the server will listen on.";
};
port = mkOption {
type = types.port;
default = 8000;
description = lib.mdDoc "Port the server will listen on.";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/healthchecks";
description = lib.mdDoc ''
The directory used to store all data for healthchecks.
::: {.note}
If left as the default value this directory will automatically be created before
the healthchecks server starts, otherwise you are responsible for ensuring the
directory exists with appropriate ownership and permissions.
:::
'';
};
settings = lib.mkOption {
description = lib.mdDoc ''
Environment variables which are read by healthchecks `(local)_settings.py`.
Settings which are explicitly covered in options below, are type-checked and/or transformed
before added to the environment, everything else is passed as a string.
See <https://healthchecks.io/docs/self_hosted_configuration/>
for a full documentation of settings.
We add additional variables to this list inside the packages `local_settings.py.`
- `STATIC_ROOT` to set a state directory for dynamically generated static files.
- `SECRET_KEY_FILE` to read `SECRET_KEY` from a file at runtime and keep it out of
/nix/store.
- `_FILE` variants for several values that hold sensitive information in
[Healthchecks configuration](https://healthchecks.io/docs/self_hosted_configuration/) so
that they also can be read from a file and kept out of /nix/store. To see which values
have support for a `_FILE` variant, run:
- `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'`
- or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled.
'';
type = types.submodule (settings: {
freeformType = types.attrsOf types.str;
options = {
ALLOWED_HOSTS = lib.mkOption {
type = types.listOf types.str;
default = [ "*" ];
description = lib.mdDoc "The host/domain names that this site can serve.";
apply = lib.concatStringsSep ",";
};
SECRET_KEY_FILE = mkOption {
type = types.path;
description = lib.mdDoc "Path to a file containing the secret key.";
};
DEBUG = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable debug mode.";
apply = boolToPython;
};
REGISTRATION_OPEN = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
A boolean that controls whether site visitors can create new accounts.
Set it to false if you are setting up a private Healthchecks instance,
but it needs to be publicly accessible (so, for example, your cloud
services can send pings to it).
If you close new user registration, you can still selectively invite
users to your team account.
'';
apply = boolToPython;
};
DB = mkOption {
type = types.enum [ "sqlite" "postgres" "mysql" ];
default = "sqlite";
description = lib.mdDoc "Database engine to use.";
};
DB_NAME = mkOption {
type = types.str;
default =
if settings.config.DB == "sqlite"
then "${cfg.dataDir}/healthchecks.sqlite"
else "hc";
defaultText = lib.literalExpression ''
if config.${settings.options.DB} == "sqlite"
then "''${config.${opt.dataDir}}/healthchecks.sqlite"
else "hc"
'';
description = lib.mdDoc "Database name.";
};
};
});
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ healthchecksManageScript ];
systemd.targets.healthchecks = {
description = "Target for all Healthchecks services";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "network-online.target" ];
};
systemd.services =
let
commonConfig = {
WorkingDirectory = cfg.dataDir;
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ environmentFile ];
StateDirectory = mkIf (cfg.dataDir == "/var/lib/healthchecks") "healthchecks";
StateDirectoryMode = mkIf (cfg.dataDir == "/var/lib/healthchecks") "0750";
};
in
{
healthchecks-migration = {
description = "Healthchecks migrations";
wantedBy = [ "healthchecks.target" ];
serviceConfig = commonConfig // {
Restart = "on-failure";
Type = "oneshot";
ExecStart = ''
${pkg}/opt/healthchecks/manage.py migrate
'';
};
};
healthchecks = {
description = "Healthchecks WSGI Service";
wantedBy = [ "healthchecks.target" ];
after = [ "healthchecks-migration.service" ];
preStart = ''
${pkg}/opt/healthchecks/manage.py collectstatic --no-input
${pkg}/opt/healthchecks/manage.py remove_stale_contenttypes --no-input
${pkg}/opt/healthchecks/manage.py compress
'';
serviceConfig = commonConfig // {
Restart = "always";
ExecStart = ''
${pkgs.python3Packages.gunicorn}/bin/gunicorn hc.wsgi \
--bind ${cfg.listenAddress}:${toString cfg.port} \
--pythonpath ${pkg}/opt/healthchecks
'';
};
};
healthchecks-sendalerts = {
description = "Healthchecks Alert Service";
wantedBy = [ "healthchecks.target" ];
after = [ "healthchecks.service" ];
serviceConfig = commonConfig // {
Restart = "always";
ExecStart = ''
${pkg}/opt/healthchecks/manage.py sendalerts
'';
};
};
healthchecks-sendreports = {
description = "Healthchecks Reporting Service";
wantedBy = [ "healthchecks.target" ];
after = [ "healthchecks.service" ];
serviceConfig = commonConfig // {
Restart = "always";
ExecStart = ''
${pkg}/opt/healthchecks/manage.py sendreports --loop
'';
};
};
};
users.users = optionalAttrs (cfg.user == defaultUser) {
${defaultUser} =
{
description = "healthchecks service owner";
isSystemUser = true;
group = defaultUser;
};
};
users.groups = optionalAttrs (cfg.user == defaultUser) {
${defaultUser} =
{
members = [ defaultUser ];
};
};
};
}