talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity
nixpkgs/nixos/modules/services/search/hound.nix
shelvacu 1a4575f9db
nixos/modules: Add security.pki.caBundle option and make all services use it for CA bundles (#352244) 
Previously some modules used `config.environment.etc."ssl/certs/ca-certificates.crt".source`, some used `"/etc/ssl/certs/ca-certificates.crt"`, and some used `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"`. These were all bad in one way or another:

- `config.environment.etc."ssl/certs/ca-certificates.crt".source` relies on `source` being set; if `text` is set instead this breaks, introducing a weird undocumented requirement
- `"/etc/ssl/certs/ca-certificates.crt"` is probably okay but very un-nix. It's a magic string, and the path doesn't change when the file changes (and so you can't trigger service reloads, for example, when the contents change in a new system activation)
- `"${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` silently doesn't include the options from `security.pki`

Co-authored-by: Shelvacu <git@shelvacu.com>
2025-03-08 08:41:08 +00:00

127 lines
3.3 KiB
Nix
Raw Permalink Blame History

{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.hound;
settingsFormat = pkgs.formats.json { };
houndConfigFile = pkgs.writeTextFile {
name = "hound-config.json";
text = builtins.toJSON cfg.settings;
checkPhase = ''
${cfg.package}/bin/houndd -check-conf -conf $out
'';
};
in
{
imports = [
(lib.mkRemovedOptionModule [
"services"
"hound"
"extraGroups"
] "Use users.users.hound.extraGroups instead")
(lib.mkChangedOptionModule [ "services" "hound" "config" ] [ "services" "hound" "settings" ] (
config: builtins.fromJSON config.services.hound.config
))
];
meta.maintainers = with lib.maintainers; [ SuperSandro2000 ];
options = {
services.hound = {
enable = lib.mkEnableOption "hound";
package = lib.mkPackageOption pkgs "hound" { };
user = lib.mkOption {
default = "hound";
type = lib.types.str;
description = ''
User the hound daemon should execute under.
'';
};
group = lib.mkOption {
default = "hound";
type = lib.types.str;
description = ''
Group the hound daemon should execute under.
'';
};
home = lib.mkOption {
default = "/var/lib/hound";
type = lib.types.path;
description = ''
The path to use as hound's $HOME.
If the default user "hound" is configured then this is the home of the "hound" user.
'';
};
settings = lib.mkOption {
type = settingsFormat.type;
example = lib.literalExpression ''
{
max-concurrent-indexers = 2;
repos.nixpkgs.url = "https://www.github.com/NixOS/nixpkgs.git";
}
'';
description = ''
The full configuration of the Hound daemon.
See the upstream documentation <https://github.com/hound-search/hound/blob/main/docs/config-options.md> for details.
:::{.note}
The `dbpath` should be an absolute path to a writable directory.
:::.com/hound-search/hound/blob/main/docs/config-options.md>.
'';
};
listen = lib.mkOption {
type = lib.types.str;
default = "0.0.0.0:6080";
example = ":6080";
description = ''
Listen on this [IP]:port
'';
};
};
};
config = lib.mkIf cfg.enable {
users.groups = lib.mkIf (cfg.group == "hound") {
hound = { };
};
users.users = lib.mkIf (cfg.user == "hound") {
hound = {
description = "Hound code search";
createHome = true;
isSystemUser = true;
inherit (cfg) home group;
};
};
environment.etc."hound/config.json".source = houndConfigFile;
services.hound.settings = {
dbpath = "${config.services.hound.home}/data";
};
systemd.services.hound = {
description = "Hound Code Search";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartTriggers = [ houndConfigFile ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
WorkingDirectory = cfg.home;
ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo ${config.security.pki.caBundle}";
ExecStart = "${cfg.package}/bin/houndd -addr ${cfg.listen} -conf /etc/hound/config.json";
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink