
Merge pull request #251323 from saserr/improve-healthchecks

healthchecks: add DB, DB_NAME and support for several _FILE options

authored by

Lassulus and committed by
GitHub
38e6d285 9daac02a

+63 -13
+36 -9
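--- a/nixos/modules/services/web-apps/healthchecks.nix
+++ b/nixos/modules/services/web-apps/healthchecks.nix
@@ -1,16 +1,16 @@
-{ config, lib, pkgs, buildEnv, ... }:
+{ config, lib, options, pkgs, buildEnv, ... }:
 
 with lib;
 
 let
 defaultUser = "healthchecks";
 cfg = config.services.healthchecks;
+opt = options.services.healthchecks;
 pkg = cfg.package;
 boolToPython = b: if b then "True" else "False";
 environment = {
 PYTHONPATH = pkg.pythonPath;
 STATIC_ROOT = cfg.dataDir + "/static";
-DB_NAME = "${cfg.dataDir}/healthchecks.sqlite";
 } // cfg.settings;
 
 environmentFile = pkgs.writeText "healthchecks-environment" (lib.generators.toKeyValue { } environment);
@@ -98,17 +98,24 @@
 description = lib.mdDoc ''
 Environment variables which are read by healthchecks `(local)_settings.py`.
 
-Settings which are explicitly covered in options bewlow, are type-checked and/or transformed
+Settings which are explicitly covered in options below, are type-checked and/or transformed
 before added to the environment, everything else is passed as a string.
 
 See <https://healthchecks.io/docs/self_hosted_configuration/>
 for a full documentation of settings.
 
-We add two variables to this list inside the packages `local_settings.py.`
-- STATIC_ROOT to set a state directory for dynamically generated static files.
-- SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store.
+We add additional variables to this list inside the packages `local_settings.py.`
+- `STATIC_ROOT` to set a state directory for dynamically generated static files.
+- `SECRET_KEY_FILE` to read `SECRET_KEY` from a file at runtime and keep it out of
+/nix/store.
+- `_FILE` variants for several values that hold sensitive information in
+[Healthchecks configuration](https://healthchecks.io/docs/self_hosted_configuration/) so
+that they also can be read from a file and kept out of /nix/store. To see which values
+have support for a `_FILE` variant, run:
+- `nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'`
+- or `nix eval 'nixpkgs#healthchecks.secrets'` if the flake support has been enabled.
 '';
-type = types.submodule {
+type = types.submodule (settings: {
 freeformType = types.attrsOf types.str;
 options = {
 ALLOWED_HOSTS = lib.mkOption {
@@ -143,8 +150,28 @@
 '';
 apply = boolToPython;
 };
+
+DB = mkOption {
+type = types.enum [ "sqlite" "postgres" "mysql" ];
+default = "sqlite";
+description = lib.mdDoc "Database engine to use.";
+};
+
+DB_NAME = mkOption {
+type = types.str;
+default =
+if settings.config.DB == "sqlite"
+then "${cfg.dataDir}/healthchecks.sqlite"
+else "hc";
+defaultText = lib.literalExpression ''
+if config.${settings.options.DB} == "sqlite"
+then "''${config.${opt.dataDir}}/healthchecks.sqlite"
+else "hc"
+'';
+description = lib.mdDoc "Database name.";
+};
 };
-};
+});
 };
 };
 
@@ -168,7 +195,7 @@
 StateDirectoryMode = mkIf (cfg.dataDir == "/var/lib/healthchecks") "0750";
 };
 in
-{
+{
 healthchecks-migration = {
 description = "Healthchecks migrations";
 wantedBy = [ "healthchecks.target" ];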
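Review bot: The new `DB` option makes postgres and mysql first-class choices, but neither its description nor `DB_NAME`'s says how the database password should be supplied, and the context line `environmentFile = pkgs.writeText "healthchecks-environment" (...)` shows that everything in `settings` is rendered into a store file. A `DB_PASSWORD` set directly in `settings` would therefore land in /nix/store, which is exactly what the `_FILE` variants described in this hunk are meant to avoid. I would extend the description to `lib.mdDoc "Database engine to use. For postgres and mysql, pass the password with DB_PASSWORD_FILE; values set in settings are written to /nix/store."` and consider a module assertion or warning when `settings` contains a plain name listed in `healthchecks.secrets`. The settings submodule and the module's config section start and end outside these hunks, so a check of that kind may already exist there.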
+27 -4
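--- a/pkgs/servers/web-apps/healthchecks/default.nix
+++ b/pkgs/servers/web-apps/healthchecks/default.nix
@@ -39,13 +39,36 @@
 whitenoise
 ];
 
+secrets = [
+"DB_PASSWORD"
+"DISCORD_CLIENT_SECRET"
+"EMAIL_HOST_PASSWORD"
+"LINENOTIFY_CLIENT_SECRET"
+"MATRIX_ACCESS_TOKEN"
+"PD_APP_ID"
+"PUSHBULLET_CLIENT_SECRET"
+"PUSHOVER_API_TOKEN"
+"S3_SECRET_KEY"
+"SECRET_KEY"
+"SLACK_CLIENT_SECRET"
+"TELEGRAM_TOKEN"
+"TRELLO_APP_KEY"
+"TWILIO_AUTH"
+];
+
 localSettings = writeText "local_settings.py" ''
 import os
+
 STATIC_ROOT = os.getenv("STATIC_ROOT")
-SECRET_KEY_FILE = os.getenv("SECRET_KEY_FILE")
-if SECRET_KEY_FILE:
-with open(SECRET_KEY_FILE, "r") as file:
-SECRET_KEY = file.readline()
+
+${lib.concatLines (map
+(secret: ''
+${secret}_FILE = os.getenv("${secret}_FILE")
+if ${secret}_FILE:
+with open(${secret}_FILE, "r") as file:
+${secret} = file.readline()
+'')
+secrets)}
 '';
 
 installPhase = ''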
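Review bot: `${secret} = file.readline()` in the generated `local_settings.py` keeps the trailing newline of the first line, so a secret file written by an editor or `echo` yields a value ending in `\n`. That was tolerable while only `SECRET_KEY` was read this way, but for the newly covered `DB_PASSWORD`, `EMAIL_HOST_PASSWORD` and the API tokens the extra character is likely to make authentication fail without any hint at the cause. I would change the line to `${secret} = file.readline().rstrip("\n")`. This also changes the effective `SECRET_KEY` for deployments whose key file ends in a newline, which would presumably invalidate existing sessions and deserves a release note. The `localSettings` string is fully visible here, but the derivation around it continues outside the hunk.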