|
1 | 1 | { hoogle, cores ? 4 }: |
2 | | -{ config, pkgs, ... }: |
| 2 | +{ config, lib, pkgs, ... }: |
3 | 3 |
|
4 | 4 | # The Plan: |
5 | 5 | # Hoogle serves on a uniquely-named UNIX domain socket which we |
|
12 | 12 | let |
13 | 13 | hoogleRun = "/run/hoogle"; |
14 | 14 | nginxConf = "${hoogleRun}/nginx.conf"; |
15 | | - socket = "/run/hoogle/hoogle.sock"; |
| 15 | + socket = inst: "/run/hoogle/hoogle-${inst}.sock"; |
| 16 | + nServers = 12; |
16 | 17 | in |
17 | 18 | { |
18 | 19 | users.users.hoogle = { |
|
35 | 36 | wantedBy = [ "timers.target" ]; |
36 | 37 | }; |
37 | 38 |
|
38 | | - systemd.services."generate-hoogle" = { |
39 | | - script = '' |
40 | | - hoogle generate --database=$DB_DIR/haskell-new.hoo --insecure --download +RTS -N${toString cores} -RTS |
41 | | - mv $DB_DIR/haskell-new.hoo $DB_DIR/haskell.hoo |
42 | | - ''; |
43 | | - path = [ hoogle ]; |
44 | | - after = [ "network.target" ]; |
45 | | - serviceConfig = { |
46 | | - User = "hoogle"; |
47 | | - Group = "hoogle"; |
48 | | - Type = "oneshot"; |
49 | | - TimeoutStartSec = 600; |
50 | | - ExecStartPost = "+systemctl restart hoogle.service"; |
51 | | - BindReadOnlyPaths = [ |
52 | | - # mount the nix store read-only |
53 | | - "/nix/store" |
54 | | - # getAppUserDataDirectory needs getUserEntryForID |
55 | | - "/etc/passwd" |
56 | | - ]; |
57 | | - PrivateNetwork = false; |
58 | | - RuntimeDirectory = "generate-hoogle"; |
59 | | - StateDirectory = [ "hoogle" ]; |
| 39 | + systemd.services = { |
| 40 | + "generate-hoogle" = { |
| 41 | + script = '' |
| 42 | + hoogle generate --database=$DB_DIR/haskell-new.hoo --insecure --download +RTS -N${toString cores} -RTS |
| 43 | + mv $DB_DIR/haskell-new.hoo $DB_DIR/haskell.hoo |
| 44 | + ''; |
| 45 | + path = [ hoogle ]; |
| 46 | + after = [ "network.target" ]; |
| 47 | + serviceConfig = { |
| 48 | + User = "hoogle"; |
| 49 | + Group = "hoogle"; |
| 50 | + Type = "oneshot"; |
| 51 | + TimeoutStartSec = 600; |
| 52 | + ExecStartPost = "+systemctl restart 'hoogle@*'"; |
| 53 | + BindReadOnlyPaths = [ |
| 54 | + # mount the nix store read-only |
| 55 | + "/nix/store" |
| 56 | + # getAppUserDataDirectory needs getUserEntryForID |
| 57 | + "/etc/passwd" |
| 58 | + ]; |
| 59 | + PrivateNetwork = false; |
| 60 | + RuntimeDirectory = "generate-hoogle"; |
| 61 | + StateDirectory = [ "hoogle" ]; |
| 62 | + }; |
| 63 | + environment = { |
| 64 | + DB_DIR = "%S/hoogle"; |
| 65 | + }; |
60 | 66 | }; |
61 | | - environment = { |
62 | | - DB_DIR = "%S/hoogle"; |
63 | | - }; |
64 | | - }; |
65 | 67 |
|
66 | | - systemd.services."hoogle" = { |
67 | | - script = '' |
68 | | - hoogle serve \ |
69 | | - --database=$DB_DIR/haskell.hoo \ |
70 | | - --scope=set:stackage \ |
71 | | - --socket=${socket} \ |
72 | | - --links \ |
73 | | - +RTS -T -N${toString cores} -RTS; |
74 | | - ''; |
75 | | - path = [ hoogle ]; |
76 | | - serviceConfig = { |
77 | | - User = "nginx"; |
78 | | - Group = "hoogle"; |
79 | | - BindReadOnlyPaths = [ |
80 | | - # mount the nix store read-only |
81 | | - "/nix/store" |
82 | | - # getAppUserDataDirectory needs getUserEntryForID |
83 | | - "/etc/passwd" |
84 | | - #"/etc/ssl" "/etc/ssl/certs" |
85 | | - ]; |
86 | | - PrivateTmp = false; |
87 | | - ProtectSystem = false; |
88 | | - ProtectHome = false; |
89 | | - NoNewPrivileges = false; |
90 | | - Restart = "on-failure"; |
91 | | - RestartSec = "5s"; |
92 | | - RuntimeDirectory = "hoogle"; |
93 | | - }; |
94 | | - environment = { |
95 | | - DB_DIR = "%S/hoogle"; |
96 | | - SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
97 | | - NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
| 68 | + "hoogle@" = { |
| 69 | + script = '' |
| 70 | + ${hoogle}/bin/hoogle serve \ |
| 71 | + --database=$DB_DIR/haskell.hoo \ |
| 72 | + --scope=set:stackage \ |
| 73 | + --socket=$SOCKET \ |
| 74 | + --links \ |
| 75 | + +RTS -T -RTS; |
| 76 | + ''; |
| 77 | + serviceConfig = { |
| 78 | + User = "nginx"; |
| 79 | + Group = "hoogle"; |
| 80 | + BindReadOnlyPaths = [ |
| 81 | + # mount the nix store read-only |
| 82 | + "/nix/store" |
| 83 | + # getAppUserDataDirectory needs getUserEntryForID |
| 84 | + "/etc/passwd" |
| 85 | + #"/etc/ssl" "/etc/ssl/certs" |
| 86 | + ]; |
| 87 | + PrivateTmp = false; |
| 88 | + ProtectSystem = false; |
| 89 | + ProtectHome = false; |
| 90 | + NoNewPrivileges = false; |
| 91 | + Restart = "on-failure"; |
| 92 | + RestartSec = "5s"; |
| 93 | + RuntimeDirectory = "hoogle"; |
| 94 | + }; |
| 95 | + environment = { |
| 96 | + DB_DIR = "%S/hoogle"; |
| 97 | + SOCKET = socket "%i"; |
| 98 | + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
| 99 | + NIX_SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
| 100 | + }; |
98 | 101 | }; |
99 | | - wantedBy = [ "multi-user.target" ]; |
100 | | - }; |
| 102 | + } // ( |
| 103 | + let |
| 104 | + mkInst = n: |
| 105 | + lib.attrsets.nameValuePair "hoogle@${toString n}" |
| 106 | + { |
| 107 | + wantedBy = [ "multi-user.target" ]; |
| 108 | + overrideStrategy = "asDropin"; |
| 109 | + }; |
| 110 | + in lib.listToAttrs (map mkInst (lib.range 1 nServers)) |
| 111 | + ); |
101 | 112 |
|
102 | 113 | systemd.tmpfiles.rules = [ |
103 | 114 | "f ${nginxConf} 0755 nginx nginx -" |
104 | 115 | ]; |
105 | 116 |
|
106 | | - services.nginx = { |
107 | | - upstreams.hoogle.extraConfig = '' |
108 | | - server unix:${socket}; |
109 | | - ''; |
110 | | - }; |
| 117 | + services.nginx.upstreams.hoogle.servers = |
| 118 | + let mkInst = n: lib.attrsets.nameValuePair "unix:${socket (toString n)}" { }; |
| 119 | + in lib.listToAttrs (map mkInst (lib.range 1 nServers)); |
111 | 120 | } |
112 | 121 |
|
0 commit comments