
nixos/typesense: init at 0.24.1

oddlama 234dd85d 1211e44d

+277
+2
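--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -18,6 +18,8 @@
 
 - [GoToSocial](https://gotosocial.org/), an ActivityPub social network server, written in Golang. Available as [services.gotosocial](#opt-services.gotosocial.enable).
 
+- [Typesense](https://github.com/typesense/typesense), a fast, typo-tolerant search engine for building delightful search experiences. Available as [services.typesense](#opt-services.typesense.enable).
+
 - [Anuko Time Tracker](https://github.com/anuko/timetracker), a simple, easy to use, open source time tracking system. Available as [services.anuko-time-tracker](#opt-services.anuko-time-tracker.enable).
 
 - [sitespeed-io](https://sitespeed.io), a tool that can generate metrics (timings, diagnostics) for websites. Available as [services.sitespeed-io](#opt-services.sitespeed-io.enable).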
+1
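--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1103,6 +1103,7 @@
 ./services/search/meilisearch.nix
 ./services/search/opensearch.nix
 ./services/search/qdrant.nix
+./services/search/typesense.nix
 ./services/security/aesmd.nix
 ./services/security/authelia.nix
 ./services/security/certmgr.nix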
+125
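--- a/nixos/modules/services/search/typesense.nix
+++ b/nixos/modules/services/search/typesense.nix
@@ -0,0 +1,125 @@
+{ config, lib, pkgs, ... }: let
+inherit
+(lib)
+concatMapStringsSep
+generators
+mdDoc
+mkEnableOption
+mkIf
+mkOption
+mkPackageOption
+optionalString
+types
+;
+
+cfg = config.services.typesense;
+settingsFormatIni = pkgs.formats.ini {
+listToValue = concatMapStringsSep " " (generators.mkValueStringDefault { });
+mkKeyValue = generators.mkKeyValueDefault
+{
+mkValueString = v:
+if v == null then ""
+else generators.mkValueStringDefault { } v;
+}
+"=";
+};
+configFile = settingsFormatIni.generate "typesense.ini" cfg.settings;
+in {
+options.services.typesense = {
+enable = mkEnableOption "typesense";
+package = mkPackageOption pkgs "typesense" {};
+
+apiKeyFile = mkOption {
+type = types.path;
+description = ''
+Sets the admin api key for typesense. Always use this option
+instead of {option}`settings.server.api-key` to prevent the key
+from being written to the world-readable nix store.
+'';
+};
+
+settings = mkOption {
+description = mdDoc "Typesense configuration. Refer to [the documentation](https://typesense.org/docs/0.24.1/api/server-configuration.html) for supported values.";
+default = {};
+type = types.submodule {
+freeformType = settingsFormatIni.type;
+options.server = {
+data-dir = mkOption {
+type = types.str;
+default = "/var/lib/typesense";
+description = mdDoc "Path to the directory where data will be stored on disk.";
+};
+
+api-address = mkOption {
+type = types.str;
+description = mdDoc "Address to which Typesense API service binds.";
+};
+
+api-port = mkOption {
+type = types.port;
+default = 8108;
+description = mdDoc "Port on which the Typesense API service listens.";
+};
+};
+};
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services.typesense = {
+description = "Typesense search engine";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+
+script = ''
+export TYPESENSE_API_KEY=$(cat ${cfg.apiKeyFile})
+exec ${cfg.package}/bin/typesense-server --config ${configFile}
+'';
+
+serviceConfig = {
+Restart = "on-failure";
+DynamicUser = true;
+User = "typesense";
+Group = "typesense";
+
+StateDirectory = "typesense";
+StateDirectoryMode = "0700";
+
+# Hardening
+CapabilityBoundingSet = "";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateUsers = true;
+PrivateTmp = true;
+PrivateDevices = true;
+PrivateMounts = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProcSubset = "pid";
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+"AF_UNIX"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"~@privileged"
+];
+UMask = "0077";
+};
+};
+};
+}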
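Review bot: The `script` reads the key with `cat ${cfg.apiKeyFile}` while the unit runs under `DynamicUser = true`, so a key file kept root-owned with mode 0600 is presumably unreadable by the service, which nudges operators toward loosening the file's permissions. Passing the secret through systemd credentials keeps the file private: add `LoadCredential = "api-key:${cfg.apiKeyFile}";` to `serviceConfig` and read it with `export TYPESENSE_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/api-key")`. Separately, `apiKeyFile` is typed `types.path`, so a Nix path literal would be copied into the world-readable store when interpolated, which is the outcome the option description warns against; the description should say to pass an absolute path as a string, and it is the only description here not wrapped in `mdDoc`. `api-address` has no default, so it would also help to document that binding to a non-loopback address exposes the admin API to the network.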
+1
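--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -804,6 +804,7 @@
 turbovnc-headless-server = handleTest ./turbovnc-headless-server.nix {};
 tuxguitar = handleTest ./tuxguitar.nix {};
 twingate = runTest ./twingate.nix;
+typesense = handleTest ./typesense.nix {};
 ucarp = handleTest ./ucarp.nix {};
 udisks2 = handleTest ./udisks2.nix {};
 ulogd = handleTest ./ulogd.nix {};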
+23
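--- a/nixos/tests/typesense.nix
+++ b/nixos/tests/typesense.nix
@@ -0,0 +1,23 @@
+import ./make-test-python.nix ({ pkgs, ... }: let
+testPort = 8108;
+in {
+name = "typesense";
+meta.maintainers = with pkgs.lib.maintainers; [ oddlama ];
+
+nodes.machine = { ... }: {
+services.typesense = {
+enable = true;
+apiKeyFile = pkgs.writeText "typesense-api-key" "dummy";
+settings.server = {
+api-port = testPort;
+api-address = "0.0.0.0";
+};
+};
+};
+
+testScript = ''
+machine.wait_for_unit("typesense.service")
+machine.wait_for_open_port(${toString testPort})
+assert machine.succeed("curl --fail http://localhost:${toString testPort}/health") == '{"ok":true}'
+'';
+})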
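Review bot: The `testScript` only requests `/health`, which as far as I know Typesense answers without authentication, so nothing checks that the key from `apiKeyFile` actually reached the server. An authenticated request would cover the secret-loading path, for example `machine.succeed("curl --fail -H 'X-TYPESENSE-API-KEY: dummy' http://localhost:${toString testPort}/collections")`, paired with a `machine.fail(...)` on the same URL without the header to confirm unauthenticated access is rejected. A short comment next to `pkgs.writeText` noting that a store-path key is acceptable only because this is a throwaway test value would keep the pattern from being copied into real configurations.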
+64
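--- a/pkgs/servers/search/typesense/default.nix
+++ b/pkgs/servers/search/typesense/default.nix
@@ -0,0 +1,64 @@
+{ lib
+, stdenv
+, fetchurl
+, autoPatchelfHook
+, nixosTests
+}:
+let
+inherit (stdenv.hostPlatform) system;
+throwSystem = throw "Unsupported system: ${system}";
+
+sources = lib.importJSON ./sources.json;
+platform = sources.platforms.${system} or throwSystem;
+inherit (sources) version;
+inherit (platform) arch hash;
+in
+stdenv.mkDerivation {
+pname = "typesense";
+inherit version;
+src = fetchurl {
+url = "https://dl.typesense.org/releases/${version}/typesense-server-${version}-${arch}.tar.gz";
+inherit hash;
+};
+
+nativeBuildInputs = [
+autoPatchelfHook
+];
+
+# The tar.gz contains no subdirectory
+sourceRoot = ".";
+
+installPhase = ''
+mkdir -p $out/bin
+cp $sourceRoot/typesense-server $out/bin
+'';
+
+passthru = {
+tests = { inherit (nixosTests) typesense; };
+updateScript = ./update.sh;
+};
+
+meta = with lib; {
+homepage = "https://typesense.org";
+description = "Typesense is a fast, typo-tolerant search engine for building delightful search experiences.";
+license = licenses.gpl3;
+# There has been an attempt at building this from source, which were deemed
+# unfeasible at the time of writing this (July 2023) for the following reasons.
+# - Pre 0.25 would have been possible, but typesense has switched to bazel for 0.25+,
+# so the build would break immediately next version
+# - The new bazel build has many issues, only some of which were fixable:
+# - preBuild requires export LANG="C.UTF-8", since onxxruntime contains a
+# unicode file path that is handled incorrectly and otherwise leads to a build failure
+# - bazel downloads extensions to the build systems at build time which have
+# invalid shebangs that need to be fixed by patching rules_foreign_cc through
+# bazel (so a patch in nix that adds a patch to the bazel WORKSPACE)
+# - WORKSPACE has to be patched to use system cmake and ninja instead of downloaded toolchains
+# - The cmake dependencies that are pulled in via bazel at build time will
+# try to download stuff via cmake again, which is not possible in the sandbox.
+# This is where I stopped trying for now.
+# XXX: retry once typesense has officially released their bazel based build.
+sourceProvenance = with sourceTypes; [ binaryNativeCode ];
+platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" ];
+maintainers = with maintainers; [ oddlama ];
+};
+}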
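Review bot: `autoPatchelfHook` is listed unconditionally in `nativeBuildInputs` although `meta.platforms` includes `x86_64-darwin`; the hook targets ELF binaries, so the Darwin build likely fails or gains nothing from it, and `nativeBuildInputs = lib.optionals stdenv.isLinux [ autoPatchelfHook ];` would scope it. The custom `installPhase` skips `runHook preInstall` and `runHook postInstall`, which overridden phases in nixpkgs conventionally call. `license = licenses.gpl3` is the ambiguous attribute; if upstream is GPL-3.0-only, `licenses.gpl3Only` states that precisely. Since this ships an upstream prebuilt binary, a one-line comment near `src` noting that the hashes in `sources.json` are the only integrity check on it would help future reviewers of version bumps.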
+17
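--- a/pkgs/servers/search/typesense/sources.json
+++ b/pkgs/servers/search/typesense/sources.json
@@ -0,0 +1,17 @@
+{
+"version": "0.24.1",
+"platforms": {
+"aarch64-linux": {
+"arch": "linux-arm64",
+"hash": "sha256-TI/bjGqyEZpGDq1F9MBaDypm5XDTlsw9OGd3lIn7JCI="
+},
+"x86_64-linux": {
+"arch": "linux-amd64",
+"hash": "sha256-bmvje439QYivV96fjnEXblYJnSk8C916OwVeK2n/QR8="
+},
+"x86_64-darwin": {
+"arch": "darwin-amd64",
+"hash": "sha256-24odPFqHWQoGXXXDLxvMDjCRu81Y+I5QOdK/KLdeH5o="
+}
+}
+}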
+42
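--- a/pkgs/servers/search/typesense/update.sh
+++ b/pkgs/servers/search/typesense/update.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl jq nix-prefetch common-updater-scripts nix coreutils
+# shellcheck shell=bash
+set -euo pipefail
+cd "$(dirname "${BASH_SOURCE[0]}")"
+
+old_version=$(jq -r ".version" sources.json || echo -n "0.0.1")
+version=$(curl -s "https://api.github.com/repos/typesense/typesense/releases/latest" | jq -r ".tag_name")
+version="${version#v}"
+
+if [[ "$old_version" == "$version" ]]; then
+echo "Already up to date!"
+exit 0
+fi
+
+declare -A platforms=(
+[aarch64-linux]="linux-arm64"
+[x86_64-darwin]="darwin-amd64"
+[x86_64-linux]="linux-amd64"
+)
+
+sources_tmp="$(mktemp)"
+cat <<EOF > "$sources_tmp"
+{
+"version": "$version",
+"platforms": {}
+}
+EOF
+
+for platform in "${!platforms[@]}"; do
+arch="${platforms[$platform]}"
+url="https://dl.typesense.org/releases/${version}/typesense-server-${version}-${arch}.tar.gz"
+sha256hash="$(nix-prefetch-url --type sha256 "$url")"
+hash="$(nix hash to-sri --type sha256 "$sha256hash")"
+echo "$(jq --arg arch "$arch" \
+--arg platform "$platform" \
+--arg hash "$hash" \
+'.platforms += {($platform): {arch: $arch, hash: $hash}}' \
+"$sources_tmp")" > "$sources_tmp"
+done
+
+cp "$sources_tmp" sources.json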
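Review bot: The release tag is fetched with `curl -s` and used unchecked: an error response from the API (rate limiting, for instance) makes `jq -r ".tag_name"` print `null`, and whatever string comes back is interpolated into the JSON heredoc and the download URL. Use `curl --fail -s` and validate the value before use, e.g. `[[ "$version" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected version: $version" >&2; exit 1; }`, loosening the pattern if upstream tags carry suffixes. In the loop, a `jq` failure inside `echo "$(jq …)" > "$sources_tmp"` is not caught by `set -e` and would leave the temp file effectively empty; writing to a second temp file and moving it into place avoids that, and a `trap 'rm -f "$sources_tmp"' EXIT` would clean up. The recorded hashes are whatever the download host serves at update time, so a header comment asking the reviewer of a bump to compare them against an independent download is worth adding.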
+2
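--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -13693,6 +13693,8 @@
 
 tydra = callPackage ../tools/misc/tydra { };
 
+typesense = callPackage ../servers/search/typesense { };
+
 typos = callPackage ../development/tools/typos { };
 
 typst = callPackage ../tools/typesetting/typst { };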