+1

nixos/modules/module-list.nix

··· 865 865 ./services/networking/bitlbee.nix 866 866 ./services/networking/blockbook-frontend.nix 867 867 ./services/networking/blocky.nix 868 868 + ./services/networking/centrifugo.nix 868 869 ./services/networking/cgit.nix 869 870 ./services/networking/charybdis.nix 870 871 ./services/networking/chisel-server.nix

+123

nixos/modules/services/networking/centrifugo.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + let 3 3 + cfg = config.services.centrifugo; 4 4 + 5 5 + settingsFormat = pkgs.formats.json { }; 6 6 + 7 7 + configFile = settingsFormat.generate "centrifugo.json" cfg.settings; 8 8 + in 9 9 + { 10 10 + options.services.centrifugo = { 11 11 + enable = lib.mkEnableOption (lib.mdDoc "Centrifugo messaging server"); 12 12 + 13 13 + package = lib.mkPackageOptionMD pkgs "centrifugo" { }; 14 14 + 15 15 + settings = lib.mkOption { 16 16 + type = settingsFormat.type; 17 17 + default = { }; 18 18 + description = lib.mdDoc '' 19 19 + Declarative Centrifugo configuration. See the [Centrifugo 20 20 + documentation] for a list of options. 21 21 + 22 22 + [Centrifugo documentation]: https://centrifugal.dev/docs/server/configuration 23 23 + ''; 24 24 + }; 25 25 + 26 26 + credentials = lib.mkOption { 27 27 + type = lib.types.attrsOf lib.types.path; 28 28 + default = { }; 29 29 + example = { 30 30 + CENTRIFUGO_UNI_GRPC_TLS_KEY = "/run/keys/centrifugo-uni-grpc-tls.key"; 31 31 + }; 32 32 + description = lib.mdDoc '' 33 33 + Environment variables with absolute paths to credentials files to load 34 34 + on service startup. 35 35 + ''; 36 36 + }; 37 37 + 38 38 + environmentFiles = lib.mkOption { 39 39 + type = lib.types.listOf lib.types.path; 40 40 + default = [ ]; 41 41 + description = lib.mdDoc '' 42 42 + Files to load environment variables from. Options set via environment 43 43 + variables take precedence over {option}`settings`. 44 44 + 45 45 + See the [Centrifugo documentation] for the environment variable name 46 46 + format. 47 47 + 48 48 + [Centrifugo documentation]: https://centrifugal.dev/docs/server/configuration#os-environment-variables 49 49 + ''; 50 50 + }; 51 51 + 52 52 + extraGroups = lib.mkOption { 53 53 + type = lib.types.listOf lib.types.str; 54 54 + default = [ ]; 55 55 + example = [ "redis-centrifugo" ]; 56 56 + description = lib.mdDoc '' 57 57 + Additional groups for the systemd service. 58 58 + ''; 59 59 + }; 60 60 + }; 61 61 + 62 62 + config = lib.mkIf cfg.enable { 63 63 + systemd.services.centrifugo = { 64 64 + description = "Centrifugo messaging server"; 65 65 + wantedBy = [ "multi-user.target" ]; 66 66 + after = [ "network.target" ]; 67 67 + 68 68 + serviceConfig = { 69 69 + Type = "exec"; 70 70 + 71 71 + ExecStartPre = "${lib.getExe cfg.package} checkconfig --config ${configFile}"; 72 72 + ExecStart = "${lib.getExe cfg.package} --config ${configFile}"; 73 73 + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; 74 74 + 75 75 + Restart = "always"; 76 76 + RestartSec = "1s"; 77 77 + 78 78 + # Copy files to the credentials directory with file name being the 79 79 + # environment variable name. Note that "%d" specifier expands to the 80 80 + # path of the credentials directory. 81 81 + LoadCredential = lib.mapAttrsToList (name: value: "${name}:${value}") cfg.credentials; 82 82 + Environment = lib.mapAttrsToList (name: _: "${name}=%d/${name}") cfg.credentials; 83 83 + 84 84 + EnvironmentFile = cfg.environmentFiles; 85 85 + 86 86 + SupplementaryGroups = cfg.extraGroups; 87 87 + 88 88 + DynamicUser = true; 89 89 + UMask = "0077"; 90 90 + 91 91 + ProtectHome = true; 92 92 + ProtectProc = "invisible"; 93 93 + ProcSubset = "pid"; 94 94 + ProtectClock = true; 95 95 + ProtectHostname = true; 96 96 + ProtectControlGroups = true; 97 97 + ProtectKernelLogs = true; 98 98 + ProtectKernelModules = true; 99 99 + ProtectKernelTunables = true; 100 100 + PrivateUsers = true; 101 101 + PrivateDevices = true; 102 102 + RestrictRealtime = true; 103 103 + RestrictNamespaces = true; 104 104 + RestrictAddressFamilies = [ 105 105 + "AF_INET" 106 106 + "AF_INET6" 107 107 + "AF_UNIX" 108 108 + ]; 109 109 + DeviceAllow = [ "" ]; 110 110 + DevicePolicy = "closed"; 111 111 + CapabilityBoundingSet = [ "" ]; 112 112 + MemoryDenyWriteExecute = true; 113 113 + LockPersonality = true; 114 114 + SystemCallArchitectures = "native"; 115 115 + SystemCallErrorNumber = "EPERM"; 116 116 + SystemCallFilter = [ 117 117 + "@system-service" 118 118 + "~@privileged" 119 119 + ]; 120 120 + }; 121 121 + }; 122 122 + }; 123 123 + }

+1

nixos/tests/all-tests.nix

··· 163 163 cassandra_3_0 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_3_0; }; 164 164 cassandra_3_11 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_3_11; }; 165 165 cassandra_4 = handleTest ./cassandra.nix { testPackage = pkgs.cassandra_4; }; 166 166 + centrifugo = runTest ./centrifugo.nix; 166 167 ceph-multi-node = handleTestOn [ "aarch64-linux" "x86_64-linux" ] ./ceph-multi-node.nix {}; 167 168 ceph-single-node = handleTestOn [ "aarch64-linux" "x86_64-linux" ] ./ceph-single-node.nix {}; 168 169 ceph-single-node-bluestore = handleTestOn [ "aarch64-linux" "x86_64-linux" ] ./ceph-single-node-bluestore.nix {};

+80

nixos/tests/centrifugo.nix

··· 1 1 + let 2 2 + redisPort = 6379; 3 3 + centrifugoPort = 8080; 4 4 + nodes = [ 5 5 + "centrifugo1" 6 6 + "centrifugo2" 7 7 + "centrifugo3" 8 8 + ]; 9 9 + in 10 10 + { lib, ... }: { 11 11 + name = "centrifugo"; 12 12 + meta.maintainers = [ lib.maintainers.tie ]; 13 13 + 14 14 + nodes = lib.listToAttrs (lib.imap0 15 15 + (index: name: { 16 16 + inherit name; 17 17 + value = { config, ... }: { 18 18 + services.centrifugo = { 19 19 + enable = true; 20 20 + settings = { 21 21 + inherit name; 22 22 + port = centrifugoPort; 23 23 + # See https://centrifugal.dev/docs/server/engines#redis-sharding 24 24 + engine = "redis"; 25 25 + # Connect to local Redis shard via Unix socket. 26 26 + redis_address = 27 27 + let 28 28 + otherNodes = lib.take index nodes ++ lib.drop (index + 1) nodes; 29 29 + in 30 30 + map (name: "${name}:${toString redisPort}") otherNodes ++ [ 31 31 + "unix://${config.services.redis.servers.centrifugo.unixSocket}" 32 32 + ]; 33 33 + usage_stats_disable = true; 34 34 + api_insecure = true; 35 35 + }; 36 36 + extraGroups = [ 37 37 + config.services.redis.servers.centrifugo.user 38 38 + ]; 39 39 + }; 40 40 + services.redis.servers.centrifugo = { 41 41 + enable = true; 42 42 + bind = null; # all interfaces 43 43 + port = redisPort; 44 44 + openFirewall = true; 45 45 + settings.protected-mode = false; 46 46 + }; 47 47 + }; 48 48 + }) 49 49 + nodes); 50 50 + 51 51 + testScript = '' 52 52 + import json 53 53 + 54 54 + redisPort = ${toString redisPort} 55 55 + centrifugoPort = ${toString centrifugoPort} 56 56 + 57 57 + start_all() 58 58 + 59 59 + for machine in machines: 60 60 + machine.wait_for_unit("redis-centrifugo.service") 61 61 + machine.wait_for_open_port(redisPort) 62 62 + 63 63 + for machine in machines: 64 64 + machine.wait_for_unit("centrifugo.service") 65 65 + machine.wait_for_open_port(centrifugoPort) 66 66 + 67 67 + # See https://centrifugal.dev/docs/server/server_api#info 68 68 + def list_nodes(machine): 69 69 + curl = "curl --fail-with-body --silent" 70 70 + body = "{}" 71 71 + resp = json.loads(machine.succeed(f"{curl} -d '{body}' http://localhost:{centrifugoPort}/api/info")) 72 72 + return resp["result"]["nodes"] 73 73 + machineNames = {m.name for m in machines} 74 74 + for machine in machines: 75 75 + nodes = list_nodes(machine) 76 76 + assert len(nodes) == len(machines) 77 77 + nodeNames = {n['name'] for n in nodes} 78 78 + assert machineNames == nodeNames 79 79 + ''; 80 80 + }

+60

pkgs/by-name/ce/centrifugo/package.nix

··· 1 1 + { lib 2 2 + , buildGoModule 3 3 + , fetchFromGitHub 4 4 + , nix-update-script 5 5 + , nixosTests 6 6 + , testers 7 7 + , centrifugo 8 8 + }: 9 9 + let 10 10 + # Inspect build flags with `go version -m centrifugo`. 11 11 + statsEndpoint = "https://graphite-prod-01-eu-west-0.grafana.net/graphite/metrics,https://stats.centrifugal.dev/usage"; 12 12 + statsToken = "425599:eyJrIjoi" + 13 13 + "OWJhMTcyZGNjN2FkYjEzM2E1OTQwZjIyMTU3MTBjMjUyYzAyZWE2MSIsIm4iOiJVc2FnZSBTdGF0cyIsImlkIjo2NDUzOTN9"; 14 14 + in 15 15 + buildGoModule rec { 16 16 + pname = "centrifugo"; 17 17 + version = "5.1.1"; 18 18 + 19 19 + src = fetchFromGitHub { 20 20 + owner = "centrifugal"; 21 21 + repo = "centrifugo"; 22 22 + rev = "v${version}"; 23 23 + hash = "sha256-g496cXjgliDi2XLkdE+dERrUl5hBGLICJx5JundeOfo="; 24 24 + }; 25 25 + 26 26 + vendorHash = "sha256-VuxnP9Dryo0L7sGvtvAIicYGkHoQ2iGVBtAdkmiqL7E="; 27 27 + 28 28 + ldflags = [ 29 29 + "-s" 30 30 + "-w" 31 31 + "-X=github.com/centrifugal/centrifugo/v5/internal/build.Version=${version}" 32 32 + "-X=github.com/centrifugal/centrifugo/v5/internal/build.UsageStatsEndpoint=${statsEndpoint}" 33 33 + "-X=github.com/centrifugal/centrifugo/v5/internal/build.UsageStatsToken=${statsToken}" 34 34 + ]; 35 35 + 36 36 + excludedPackages = [ 37 37 + "./internal/gen/api" 38 38 + ]; 39 39 + 40 40 + passthru = { 41 41 + updateScript = nix-update-script { }; 42 42 + tests = { 43 43 + inherit (nixosTests) centrifugo; 44 44 + version = testers.testVersion { 45 45 + package = centrifugo; 46 46 + command = "${pname} version"; 47 47 + version = "v${version}"; 48 48 + }; 49 49 + }; 50 50 + }; 51 51 + 52 52 + meta = { 53 53 + description = "Scalable real-time messaging server"; 54 54 + homepage = "https://centrifugal.dev"; 55 55 + changelog = "https://github.com/centrifugal/centrifugo/releases/tag/v${version}"; 56 56 + license = lib.licenses.asl20; 57 57 + maintainers = [ lib.maintainers.tie ]; 58 58 + mainProgram = "centrifugo"; 59 59 + }; 60 60 + }