schmittlauch/nixos-seafile-overlay
1
0
Fork 0
Code Issues 7 Pull requests Releases Wiki Activity

Compare commits

base: schmittlauch:mainline
Branches Tags
schmittlauch:mainline
schmittlauch:python3
..
compare: schmittlauch:python3
Branches Tags
schmittlauch:mainline
schmittlauch:python3

No commits in common. "mainline" and "python3" have entirely different histories.
mainline ... python3

4 changed files with 96 additions and 234 deletions
Show stats Expand all files Collapse all files

222
mod-seafile-server.nix
View file

@ -2,40 +2,6 @@
with lib; with lib;
let let
cfg = config.services.seafile-server; cfg = config.services.seafile-server;
seafileConfigFile = pkgs.writeText "seafile.conf"
(generators.toINI {} cfg.seafileSettings);
ccnetConfigFile = pkgs.writeText "ccnet.conf"
(generators.toINI {} cfg.ccnetSettings);
gunicornConfigFile = pkgs.writeText "gunicorn.conf.py"
''
import os
daemon = True
workers = 5
# default localhost:8000
bind = "127.0.0.1:8000"
# Pid
pids_dir = '${cfg.storagePath}/pids'
pidfile = os.path.join(pids_dir, 'seahub.pid')
# for file upload, we need a longer timeout value (default is only 30s, too short)
timeout = 1200
limit_request_line = 8190
'';
seahubConfigFile = pkgs.writeText "seahub_settings.py"
''
SECRET_KEY = #seckey#
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.${if cfg.db.type == "mysql" then
"mysql" else abort "invalid db type"}',
'NAME': '${cfg.db.dbnameSeahub}',
'USER': '${cfg.db.user}',
'PASSWORD': '#dbpass#',
'HOST': '${cfg.db.host}',
'PORT': '${toString cfg.db.port}'
}
}
'';
# fix permissions at start # fix permissions at start
in in
{ {
@ -46,20 +12,6 @@ in
default = "/srv/seafile"; default = "/srv/seafile";
description = "where to store uploaded file data"; description = "where to store uploaded file data";
}; };
ccnetSettings = mkOption {
type = with types; attrsOf (attrsOf (oneOf [ bool int str ]));
default = {};
description = ''
all possible ccnet.conf settings
'';
};
seafileSettings = mkOption {
type = with types; attrsOf (attrsOf (oneOf [ bool int str ]));
default = {};
description = ''
all possible seafile.conf settings
'';
};
autorun = mkOption { autorun = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
@ -76,27 +28,25 @@ in
default = "seafile"; default = "seafile";
description = "Database user name. Not required for sqlite."; description = "Database user name. Not required for sqlite.";
}; };
dbnameSeafile = mkOption { dbname = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = "seafile"; default = "seafile";
description = "Database name for Seafile server. Not required for sqlite."; description = "Database name. Not required for sqlite.";
}; };
dbnameCcnet = mkOption { password = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = "seafile"; default = null;
description = "Database name for Ccnet server. Not required for sqlite."; description = ''
}; Database password. Use <literal>passwordFile</literal> to avoid this
dbnameSeahub = mkOption { being world-readable in the <literal>/nix/store</literal>.
type = types.nullOr types.str;
default = "seafile"; Not required for sqlite.'';
description = "Database name for Seahub web interface. Not required for sqlite.";
}; };
passwordFile = mkOption { passwordFile = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
description = '' description = ''
The full path to a file that contains the database password. The full path to a file that contains the database password.
Not required for sqlite.
''; '';
}; };
host = mkOption { host = mkOption {
@ -104,7 +54,7 @@ in
default = "localhost"; default = "localhost";
description = "Database host."; description = "Database host.";
}; };
port = mkOption { dbport = mkOption {
type = with types; nullOr (either int str); type = with types; nullOr (either int str);
default = 3306; default = 3306;
description = "Database port. Not required for sqlite."; description = "Database port. Not required for sqlite.";
@ -123,11 +73,11 @@ in
description = "Group account under which the Seafile server runs."; description = "Group account under which the Seafile server runs.";
}; };
name = mkOption { # name = mkOption {
type = types.str; # type = types.str;
default = "Seafile"; # default = "Seafile";
description = "name of the Seafile instance, will show up in client and web interface"; # description = "name of the Seafile instance, will show up in client and web interface";
}; # };
domainName = mkOption { domainName = mkOption {
type = types.str; type = types.str;
@ -222,68 +172,16 @@ in
directoriesToManage = [ cfg.storagePath ]; directoriesToManage = [ cfg.storagePath ];
in in
mkIf cfg.enable { mkIf cfg.enable {
services.seafile-server.ccnetSettings = {
# TODO: ID and NAME might be required
General.SERVICE_URL="http${if cfg.enableTLS then "s" else ""}://${cfg.domainName}:${toString cfg.externalPort}/";
Database = mkMerge [
{
ENGINE = cfg.db.type;
}
(mkIf (cfg.db.type == "mysql") {
HOST = cfg.db.host;
PORT = cfg.db.port;
USER = cfg.db.user;
CONNECTION_CHARSET = "utf8";
DB = cfg.db.dbnameCcnet;
password = "#dbpass#";
})
];
};
services.seafile-server.seafileSettings = {
library_trash.expire_days = cfg.trashExpirationTime;
fileserver = {
host = cfg.fileserverBindAddress;
port = cfg.fileserverPort;
worker_threads = cfg.fileserverWorkers;
max_indexing_threads = cfg.fileserverIndexers;
fixed_block_size = cfg.fileserverBlockSize;
};
quota = mkIf (! isNull cfg.defaultQuota) {
default = cfg.defaultQuota;
};
history = mkIf (! isNull cfg.fileRevisionHistoryDays) {
keep_days = cfg.fileRevisionHistoryDays;
};
database = mkMerge [
{
type = cfg.db.type;
}
# while just using the cfg.db set directly might be possible and
# save lines of code, I prefer hand-picking options
(mkIf (cfg.db.type == "mysql") {
host = cfg.db.host;
port = cfg.db.port;
user = cfg.db.user;
connection_charset = "utf8";
db_name = cfg.db.dbnameSeafile;
max_connections = 100;
password = "#dbpass#";
})
];
};
systemd = { systemd = {
# state directory permissions managed by systemd # state directory permissions managed by systemd
tmpfiles.rules = [ tmpfiles.rules = [
"d ${cfg.storagePath} 0750 ${cfg.user} ${cfg.group} -" "d ${cfg.storagePath} 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.storagePath}/conf 0700 ${cfg.user} ${cfg.group} -" "d ${cfg.storagePath}/conf 0750 ${cfg.user} ${cfg.group} -"
"d ${cfg.storagePath}/pids 0710 ${cfg.user} ${cfg.group} -" "d ${cfg.storagePath}/home 0710 ${cfg.user} ${cfg.group} -"
]; ];
services.seafile-server = { services.seafile-server = {
path = with pkgs; [ seafile-server.seafile-server-core ]; path = with pkgs; [ seafile-server.ccnet-server seafile-server.seafile-server-core ];
script = '' script = ''
./seafile-server/seafile-server-latest/bin/seafile-admin start ./seafile-server/seafile-server-latest/bin/seafile-admin start
''; '';
@ -295,46 +193,66 @@ in
''}") ''}")
("${pkgs.writeShellScript "seafile-server-preStart-unprivileged" '' ("${pkgs.writeShellScript "seafile-server-preStart-unprivileged" ''
# stuff run as seafile user # stuff run as seafile user
set -ex
# ccnet-init must only be run once per installation, as it also generates stateful key and ID
# solution: invoke it once, use result as template
if [ ! -e ./ccnet/mykey.peer ]; then
${pkgs.seafile-server.ccnet-server}/bin/ccnet-init -c ./ccnet -H 'TEMPLATEHOST'
mv ./ccnet/ccnet.conf{,.template}
fi
# generate actual ccnet config file
echo "[General]" > ./conf/ccnet.conf
grep "^ID =" ./ccnet/ccnet.conf.template >> ./conf/ccnet.conf
# outside URL
SERVICE_URL = http${if cfg.enableTLS then "s" else ""}://${cfg.domainName}:${toString cfg.externalPort}
# seafile.conf generation # seafile.conf generation
# move config templates from nix store echo '[library_trash]
${pkgs.coreutils}/bin/install ${ccnetConfigFile} ./conf/ccnet.conf expire_days ${toString cfg.trashExpirationTime}
${pkgs.coreutils}/bin/install ${seafileConfigFile} ./conf/seafile.conf
${pkgs.coreutils}/bin/install ${gunicornConfigFile} ./conf/gunicorn.conf.py
${pkgs.coreutils}/bin/install ${seahubConfigFile} ./conf/seahub_settings.py
# seahub secret key [fileserver]
if [ ! -e .seahubSecret ]; then host = ${cfg.fileserverBindAddress}
${pkgs.seafile-server.pythonEnv}/bin/python ${pkgs.seafile-server}/seahub/tools/secret_key_generator.py > .seahubSecret port = ${toString cfg.fileserverPort}
chmod 400 .seahubSecret worker_threads = ${toString cfg.fileserverWorkers}
fi max_indexing_threads = ${toString cfg.fileserverIndexers}
SEAHUB_SECRET="$(head -n1 .seahubSecret)" fixed_block_size = ${toString cfg.fileserverIndexers}' > ./conf/seafile.conf
# TODO: check for special characters needing to be escaped
sed -e "s,#seckey#,$SEAHUB_SECRET,g" -i ./conf/seahub_settings.py
# replace placeholder secrets with real secret read from file if [ ${toString (! isNull cfg.defaultQuota)} ]; then
#TODO: unset -x to prevent DBPASS from being leaked in journal echo '[quota]' >> ./conf/seafile.conf
${if !(isNull cfg.db.passwordFile) then '' echo 'default = ${toString cfg.defaultQuota}' >> ./conf/seafile.conf
DBPASS="$(head -n1 ${toString cfg.db.passwordFile})"
sed -e "s,#dbpass#,$DBPASS,g" -i ./conf/seafile.conf ./conf/ccnet.conf ./conf/seahub_settings.py
''
else ""
}
# initialise db and other things needed at first run
if [ -e .initialised ]; then
#TODO: db initialisation
touch .initialised
fi fi
ln -nsf ${pkgs.seafile-server} seafile-server if [ ${toString (! isNull cfg.fileRevisionHistoryDays)} ]; then
echo '[history]' >> ./conf/seafile.conf
echo 'keep_days = ${toString cfg.defaultQuota}' >> ./conf/seafile.conf
fi
# for determining update version mismatches # seafile database settings
${pkgs.coreutils}/bin/install ${pkgs.seafile-server}/installed_version .
if [ ${cfg.db.type} = "mysql" ]; then
echo '[database]
type = mysql
host = ${cfg.db.host}
port = ${toString cfg.db.dbport}
user = ${cfg.db.user}
connection_charset = utf8
db_name = ${cfg.db.dbname}
max_connections = 100' >> ./conf/seafile.conf
if [ ${toString (! isNull cfg.db.password)}; then
echo 'password = ${toString cfg.db.password}' >> ./conf/seafile.conf
else
echo "password = $(cat ${toString cfg.db.passwordFile})" >> ./conf/seafile.conf
fi
else
echo '[database]
type = sqlite' >> ./conf/seafile.conf
fi
ln -s ${pkgs.seafile-server} seafile-server
./seafile-server/seafile-server-latest/bin/seafile-admin setup
''}") ''}")
]; ];
User = cfg.user; User = cfg.user;

2
seafile-nixos-tests.nix
View file

@ -15,7 +15,7 @@ import (<nixos-unstable/nixos/tests/make-test-python.nix>) {
(import ./default.nix) (import ./default.nix)
]; ];
console.keyMap = "de"; i18n.consoleKeyMap = "de";
users.mutableUsers = false; users.mutableUsers = false;
users.users.test = { users.users.test = {
isNormalUser = true; isNormalUser = true;

42
seafile-server/default.nix
View file

@ -28,7 +28,7 @@
, python3Packages , python3Packages
}: }:
let let
version = "8.0.3"; version = "8.0.0";
python = python3; python = python3;
pythonPackages = python3Packages; pythonPackages = python3Packages;
django = pythonPackages.django; django = pythonPackages.django;
@ -49,8 +49,6 @@ let
pycryptodome pycryptodome
] ]
++ map (p: p.override { inherit django; }) djangoModules; # build django modules with required version ++ map (p: p.override { inherit django; }) djangoModules; # build django modules with required version
# defining them here to be able to expose them in a python environment as well
pythonEnvDeps = seahubPythonDependencies ++ [ libsearpc ];
seafile-server-core = stdenv.mkDerivation rec { seafile-server-core = stdenv.mkDerivation rec {
name = "seafile-server-core"; name = "seafile-server-core";
inherit version; inherit version;
@ -58,7 +56,7 @@ let
owner = "haiwen"; owner = "haiwen";
repo = "seafile-server"; repo = "seafile-server";
rev = "v${version}-server"; rev = "v${version}-server";
sha256 = "1wmbx4smf342b5pars1zm9af2i0yaq7kjj7ry0gr337gdpa4qn3b"; sha256 = "0pd1zjsw6lkpxd54ln0dz5r9zx9585nib10kvpl1vgzp61g4d223";
}; };
# patch to work with latest, non-vulnerable libevhtp # patch to work with latest, non-vulnerable libevhtp
patches = [ patches = [
@ -68,14 +66,7 @@ let
# `which` is called directly from python during buildPhase, so we need the binary # `which` is called directly from python during buildPhase, so we need the binary
nativeBuildInputs = [ autoconf automake libtool pkgconfig vala autoreconfHook which pythonPackages.wrapPython ]; nativeBuildInputs = [ autoconf automake libtool pkgconfig vala autoreconfHook which pythonPackages.wrapPython ];
buildInputs = [ sqlite glib python libuuid openssl oniguruma fuse libarchive libevent libevhtp ]; buildInputs = [ sqlite glib python libuuid openssl oniguruma fuse libarchive libevent libevhtp ];
propagatedBuildInputs = pythonEnvDeps; propagatedBuildInputs = [ libsearpc ] ++ seahubPythonDependencies;
# copy manual to required location
postInstall = ''
mkdir $out/doc
cp ${src}/doc/*.doc $out/doc/
'';
# prevent doc directory from being moved to share in fixupPhase
forceShare = [ "man" "info" ];
postFixup = '' postFixup = ''
buildPythonPath $propagatedBuildInputs buildPythonPath $propagatedBuildInputs
wrapPythonProgramsIn "$out/bin" "$out $pythonPath" wrapPythonProgramsIn "$out/bin" "$out $pythonPath"
@ -94,7 +85,7 @@ let
owner = "haiwen"; owner = "haiwen";
repo = "seahub"; repo = "seahub";
rev = "v${version}-server"; rev = "v${version}-server";
sha256 = "0vfkiavsmpjm6wjr5rcnmnpnb3rxr3svwk8fsh5c76zg87ckdz4d"; sha256 = "0j7g43j7w1zb00pg4aaacdv5ycva3qf561hj9pbwh4709mbiykip";
}; };
phases = [ "unpackPhase" "installPhase" "fixupPhase" "distPhase" ]; phases = [ "unpackPhase" "installPhase" "fixupPhase" "distPhase" ];
buildInputs = [ python pythonPackages.wrapPython ]; buildInputs = [ python pythonPackages.wrapPython ];
@ -129,40 +120,19 @@ stdenv.mkDerivation {
name = "seafile-server"; name = "seafile-server";
inherit version; inherit version;
nativeBuildInputs = [ python3Packages.wrapPython ];
buildInputs = [ seahub seafile-server-core libsearpc ] buildInputs = [ seahub seafile-server-core libsearpc ]
++ lib.optional withMysql libmysqlclient; ++ lib.optional withMysql libmysqlclient;
phases = [ "installPhase" "fixupPhase" "distPhase" ]; phases = [ "installPhase" "fixupPhase" "distPhase" ];
# create required directory structure # todo: create data directory in /srv in activation script
# Which files need to be copied is specified in the function `copy_scripts_and_libs`
# of ${seafile-server-core.src}/scripts/build/build-server.py
# The install script below has been hand crafted from that list of files and needs to be updated on new releases.
installPhase = '' installPhase = ''
mkdir "$out" mkdir "$out"
cd "$out" cd "$out"
ln -s ${seahub} seahub ln -s ${seahub} seahub
ln -s ${seafile-server-core} seafile-server ln -s ${seafile-server-core} seafile-server-latest
# copy general scripts
cp ${seafile-server-core.src}/scripts/{setup-seafile.sh,setup-seafile-mysql.sh,setup-seafile-mysql.py,seafile.sh,seahub.sh,reset-admin.sh,seaf-fuse.sh,check_init_admin.py,seaf-gc.sh,seaf-fsck.sh} .
# copy update scripts (and their sql)
cp -r ${seafile-server-core.src}/scripts/upgrade .
cp -r ${seafile-server-core.src}/scripts/sql .
# copy_user_manual is already done in the postInstall hook of seafile-server-core
# python admin scripts need to be made executable and patched with python path
chmod ugo+x *.py
buildPythonPath $propagatedBuildInputs
wrapPythonProgramsIn "$out/*.py" "$out $pythonPath"
echo -n "${version}" > installed_version
''; '';
meta = with lib; { meta = with lib; {
maintainers = with maintainers; [ schmittlauch ]; maintainers = with maintainers; [ schmittlauch ];
license = licenses.free; # components with different free software licenses are combined license = licenses.free; # components with different free software licenses are combined
}; };
inherit seafile-server-core seahub;# for using the path in the NixOS module inherit seafile-server-core seahub;# for using the path in the NixOS module
pythonEnv = python3.buildEnv.override {
extraLibs = pythonEnvDeps;
ignoreCollisions = true;
};
} }

32
seafile-test.nix
View file

@ -10,13 +10,13 @@
(import ./default.nix) (import ./default.nix)
]; ];
console.keyMap = "de"; i18n.consoleKeyMap = "de";
users.mutableUsers = false; users.mutableUsers = false;
users.users.test = { users.users.test = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
#hashedPassword = "$6$SZCzE/xB$Hr9sfsJ7xAcBCoptG39cxxQk8RZfldDjjGpSngOvn9Ufex5dHBEbdncXRZnfrGATsGcYPvLi7m4wIu.f8tY9B."; #hashedPassword = "$6$SZCzE/xB$Hr9sfsJ7xAcBCoptG39cxxQk8RZfldDjjGpSngOvn9Ufex5dHBEbdncXRZnfrGATsGcYPvLi7m4wIu.f8tY9B.";
password = "test"; password = "";
home = "/home/test"; home = "/home/test";
createHome = true; createHome = true;
}; };
@ -25,33 +25,7 @@
services.seafile-server = { services.seafile-server = {
enable = true; enable = true;
#autorun = false; #autorun = false;
domainName = "seaf.local"; domainName = "localhost";
db = {
type = "mysql";
passwordFile = toString (pkgs.writeText "testPW" "test");
};
};
# db backend
services.mysql =
{
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "ccnet" "seafile" "seahub" ];
ensureUsers = [
rec {
name = config.services.seafile-server.db.user;
ensurePermissions = {
"ccnet.*" = "ALL PRIVILEGES";
"seafile.*" = "ALL PRIVILEGES";
"seahub.*" = "ALL PRIVILEGES";
};
}
];
# set a password for the seafile user
initialScript = pkgs.writeText "mariadb-init.sql" ''
CREATE USER ${config.services.seafile-server.db.user}@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("test");
'';
}; };
} }