nixos/services.athens: remove with lib;

Felix Buehler 2024-08-27 20:43:07 +02:00
parent 8cf91e2c5b
commit 0717502d60


@ -1,11 +1,8 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.athens;
athensConfig = flip recursiveUpdate cfg.extraConfig (
athensConfig = lib.flip lib.recursiveUpdate cfg.extraConfig (
{
GoBinary = "${cfg.goBinary}/bin/go";
GoEnv = cfg.goEnv;
@ -157,20 +154,20 @@ in
};
options.services.athens = {
enable = mkEnableOption "Go module datastore and proxy";
enable = lib.mkEnableOption "Go module datastore and proxy";
package = mkOption {
package = lib.mkOption {
default = pkgs.athens;
defaultText = literalExpression "pkgs.athens";
defaultText = lib.literalExpression "pkgs.athens";
example = "pkgs.athens";
description = "Which athens derivation to use";
type = types.package;
type = lib.types.package;
};
goBinary = mkOption {
type = types.package;
goBinary = lib.mkOption {
type = lib.types.package;
default = pkgs.go;
defaultText = literalExpression "pkgs.go";
defaultText = lib.literalExpression "pkgs.go";
example = "pkgs.go_1_21";
description = ''
The Go package used by Athens at runtime.
@ -181,15 +178,15 @@ in
'';
};
goEnv = mkOption {
type = types.enum [ "development" "production" ];
goEnv = lib.mkOption {
type = lib.types.enum [ "development" "production" ];
description = "Specifies the type of environment to run. One of 'development' or 'production'.";
default = "development";
example = "production";
};
goBinaryEnvVars = mkOption {
type = types.attrs;
goBinaryEnvVars = lib.mkOption {
type = lib.types.attrs;
description = "Environment variables to pass to the Go binary.";
example = ''
{ "GOPROXY" = "direct", "GODEBUG" = "true" }
@ -197,15 +194,15 @@ in
default = { };
};
goGetWorkers = mkOption {
type = types.int;
goGetWorkers = lib.mkOption {
type = lib.types.int;
description = "Number of workers concurrently downloading modules.";
default = 10;
example = 32;
};
goGetDir = mkOption {
type = types.nullOr types.path;
goGetDir = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = ''
Temporary directory that Athens will use to
fetch modules from VCS prior to persisting
@ -218,14 +215,14 @@ in
example = "/tmp/athens";
};
protocolWorkers = mkOption {
type = types.int;
protocolWorkers = lib.mkOption {
type = lib.types.int;
description = "Number of workers concurrently serving protocol paths.";
default = 30;
};
logLevel = mkOption {
type = types.nullOr (types.enum [ "panic" "fatal" "error" "warning" "info" "debug" "trace" ]);
logLevel = lib.mkOption {
type = lib.types.nullOr (lib.types.enum [ "panic" "fatal" "error" "warning" "info" "debug" "trace" ]);
description = ''
Log level for Athens.
Supports all logrus log levels (https://github.com/Sirupsen/logrus#level-logging)".
@ -234,8 +231,8 @@ in
example = "debug";
};
cloudRuntime = mkOption {
type = types.enum [ "GCP" "none" ];
cloudRuntime = lib.mkOption {
type = lib.types.enum [ "GCP" "none" ];
description = ''
Specifies the Cloud Provider on which the Proxy/registry is running.
'';
@ -243,24 +240,24 @@ in
example = "GCP";
};
enablePprof = mkOption {
type = types.bool;
enablePprof = lib.mkOption {
type = lib.types.bool;
description = "Enable pprof endpoints.";
default = false;
};
pprofPort = mkOption {
type = types.port;
pprofPort = lib.mkOption {
type = lib.types.port;
description = "Port number for pprof endpoints.";
default = 3301;
example = 443;
};
filterFile = mkOption {
type = types.nullOr types.path;
filterFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = ''Filename for the include exclude filter.'';
default = null;
example = literalExpression ''
example = lib.literalExpression ''
pkgs.writeText "filterFile" '''
- github.com/azure
+ github.com/azure/azure-sdk-for-go
@ -269,42 +266,42 @@ in
'';
};
robotsFile = mkOption {
type = types.nullOr types.path;
robotsFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = ''Provides /robots.txt for net crawlers.'';
default = null;
example = literalExpression ''pkgs.writeText "robots.txt" "# my custom robots.txt ..."'';
example = lib.literalExpression ''pkgs.writeText "robots.txt" "# my custom robots.txt ..."'';
};
timeout = mkOption {
type = types.int;
timeout = lib.mkOption {
type = lib.types.int;
description = "Timeout for external network calls in seconds.";
default = 300;
example = 3;
};
storageType = mkOption {
type = types.enum [ "memory" "disk" "mongo" "gcp" "minio" "s3" "azureblob" "external" ];
storageType = lib.mkOption {
type = lib.types.enum [ "memory" "disk" "mongo" "gcp" "minio" "s3" "azureblob" "external" ];
description = "Specifies the type of storage backend to use.";
default = "disk";
};
tlsCertFile = mkOption {
type = types.nullOr types.path;
tlsCertFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "Path to the TLS certificate file.";
default = null;
example = "/etc/ssl/certs/athens.crt";
};
tlsKeyFile = mkOption {
type = types.nullOr types.path;
tlsKeyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "Path to the TLS key file.";
default = null;
example = "/etc/ssl/certs/athens.key";
};
port = mkOption {
type = types.port;
port = lib.mkOption {
type = lib.types.port;
default = 3000;
description = ''
Port number Athens listens on.
@ -312,8 +309,8 @@ in
example = 443;
};
unixSocket = mkOption {
type = types.nullOr types.path;
unixSocket = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = ''
Path to the unix socket file.
If set, Athens will listen on the unix socket instead of TCP socket.
@ -322,8 +319,8 @@ in
example = "/run/athens.sock";
};
globalEndpoint = mkOption {
type = types.str;
globalEndpoint = lib.mkOption {
type = lib.types.str;
description = ''
Endpoint for a package registry in case of a proxy cache miss.
'';
@ -331,8 +328,8 @@ in
example = "http://upstream-athens.example.com:3000";
};
basicAuthUser = mkOption {
type = types.nullOr types.str;
basicAuthUser = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Username for basic auth.
'';
@ -340,8 +337,8 @@ in
example = "user";
};
basicAuthPass = mkOption {
type = types.nullOr types.str;
basicAuthPass = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Password for basic auth. Warning: this is stored in plain text in the config file.
'';
@ -349,16 +346,16 @@ in
example = "swordfish";
};
forceSSL = mkOption {
type = types.bool;
forceSSL = lib.mkOption {
type = lib.types.bool;
description = ''
Force SSL redirects for incoming requests.
'';
default = false;
};
validatorHook = mkOption {
type = types.nullOr types.str;
validatorHook = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Endpoint to validate modules against.
@ -368,8 +365,8 @@ in
example = "https://validation.example.com";
};
pathPrefix = mkOption {
type = types.nullOr types.str;
pathPrefix = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Sets basepath for all routes.
'';
@ -377,8 +374,8 @@ in
example = "/athens";
};
netrcPath = mkOption {
type = types.nullOr types.path;
netrcPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = ''
Path to the .netrc file.
'';
@ -386,8 +383,8 @@ in
example = "/home/user/.netrc";
};
githubToken = mkOption {
type = types.nullOr types.str;
githubToken = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
Creates .netrc file with the given token to be used for GitHub.
Warning: this is stored in plain text in the config file.
@ -396,8 +393,8 @@ in
example = "ghp_1234567890";
};
hgrcPath = mkOption {
type = types.nullOr types.path;
hgrcPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = ''
Path to the .hgrc file.
'';
@ -405,16 +402,16 @@ in
example = "/home/user/.hgrc";
};
traceExporter = mkOption {
type = types.nullOr (types.enum [ "jaeger" "datadog" ]);
traceExporter = lib.mkOption {
type = lib.types.nullOr (lib.types.enum [ "jaeger" "datadog" ]);
description = ''
Trace exporter to use.
'';
default = null;
};
traceExporterURL = mkOption {
type = types.nullOr types.str;
traceExporterURL = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = ''
URL endpoint that traces will be sent to.
'';
@ -422,14 +419,14 @@ in
example = "http://localhost:14268";
};
statsExporter = mkOption {
type = types.nullOr (types.enum [ "prometheus" ]);
statsExporter = lib.mkOption {
type = lib.types.nullOr (lib.types.enum [ "prometheus" ]);
description = "Stats exporter to use.";
default = null;
};
sumDBs = mkOption {
type = types.listOf types.str;
sumDBs = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of fully qualified URLs that Athens will proxy
that the go command can use a checksum verifier.
@ -437,8 +434,8 @@ in
default = [ "https://sum.golang.org" ];
};
noSumPatterns = mkOption {
type = types.listOf types.str;
noSumPatterns = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
List of patterns that Athens sum db proxy will return a 403 for.
'';
@ -446,8 +443,8 @@ in
example = [ "github.com/mycompany/*" ];
};
downloadMode = mkOption {
type = types.oneOf [ (types.enum [ "sync" "async" "redirect" "async_redirect" "none" ]) (types.strMatching "^file:.*$|^custom:.*$") ];
downloadMode = lib.mkOption {
type = lib.types.oneOf [ (lib.types.enum [ "sync" "async" "redirect" "async_redirect" "none" ]) (lib.types.strMatching "^file:.*$|^custom:.*$") ];
description = ''
Defines how Athens behaves when a module@version
is not found in storage. There are 7 options:
@ -470,8 +467,8 @@ in
default = "async_redirect";
};
networkMode = mkOption {
type = types.enum [ "strict" "offline" "fallback" ];
networkMode = lib.mkOption {
type = lib.types.enum [ "strict" "offline" "fallback" ];
description = ''
Configures how Athens will return the results
of the /list endpoint as it can be assembled from both its own
@ -490,30 +487,30 @@ in
default = "strict";
};
downloadURL = mkOption {
type = types.str;
downloadURL = lib.mkOption {
type = lib.types.str;
description = "URL used if DownloadMode is set to redirect.";
default = "https://proxy.golang.org";
};
singleFlightType = mkOption {
type = types.enum [ "memory" "etcd" "redis" "redis-sentinel" "gcp" "azureblob" ];
singleFlightType = lib.mkOption {
type = lib.types.enum [ "memory" "etcd" "redis" "redis-sentinel" "gcp" "azureblob" ];
description = ''
Determines what mechanism Athens uses to manage concurrency flowing into the Athens backend.
'';
default = "memory";
};
indexType = mkOption {
type = types.enum [ "none" "memory" "mysql" "postgres" ];
indexType = lib.mkOption {
type = lib.types.enum [ "none" "memory" "mysql" "postgres" ];
description = ''
Type of index backend Athens will use.
'';
default = "none";
};
shutdownTimeout = mkOption {
type = types.int;
shutdownTimeout = lib.mkOption {
type = lib.types.int;
description = ''
Number of seconds to wait for the server to shutdown gracefully.
'';
@ -523,42 +520,42 @@ in
singleFlight = {
etcd = {
endpoints = mkOption {
type = types.listOf types.str;
endpoints = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "URLs that determine all distributed etcd servers.";
default = [ ];
example = [ "localhost:2379" ];
};
};
redis = {
endpoint = mkOption {
type = types.str;
endpoint = lib.mkOption {
type = lib.types.str;
description = "URL of the redis server.";
default = "";
example = "localhost:6379";
};
password = mkOption {
type = types.str;
password = lib.mkOption {
type = lib.types.str;
description = "Password for the redis server. Warning: this is stored in plain text in the config file.";
default = "";
example = "swordfish";
};
lockConfig = {
ttl = mkOption {
type = types.int;
ttl = lib.mkOption {
type = lib.types.int;
description = "TTL for the lock in seconds.";
default = 900;
example = 1;
};
timeout = mkOption {
type = types.int;
timeout = lib.mkOption {
type = lib.types.int;
description = "Timeout for the lock in seconds.";
default = 15;
example = 1;
};
maxRetries = mkOption {
type = types.int;
maxRetries = lib.mkOption {
type = lib.types.int;
description = "Maximum number of retries for the lock.";
default = 10;
example = 1;
@ -567,40 +564,40 @@ in
};
redisSentinel = {
endpoints = mkOption {
type = types.listOf types.str;
endpoints = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "URLs that determine all distributed redis servers.";
default = [ ];
example = [ "localhost:26379" ];
};
masterName = mkOption {
type = types.str;
masterName = lib.mkOption {
type = lib.types.str;
description = "Name of the sentinel master server.";
default = "";
example = "redis-1";
};
sentinelPassword = mkOption {
type = types.str;
sentinelPassword = lib.mkOption {
type = lib.types.str;
description = "Password for the sentinel server. Warning: this is stored in plain text in the config file.";
default = "";
example = "swordfish";
};
lockConfig = {
ttl = mkOption {
type = types.int;
ttl = lib.mkOption {
type = lib.types.int;
description = "TTL for the lock in seconds.";
default = 900;
example = 1;
};
timeout = mkOption {
type = types.int;
timeout = lib.mkOption {
type = lib.types.int;
description = "Timeout for the lock in seconds.";
default = 15;
example = 1;
};
maxRetries = mkOption {
type = types.int;
maxRetries = lib.mkOption {
type = lib.types.int;
description = "Maximum number of retries for the lock.";
default = 10;
example = 1;
@ -611,8 +608,8 @@ in
storage = {
cdn = {
endpoint = mkOption {
type = types.nullOr types.str;
endpoint = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "hostname of the CDN server.";
example = "cdn.example.com";
default = null;
@ -620,65 +617,65 @@ in
};
disk = {
rootPath = mkOption {
type = types.nullOr types.path;
rootPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "Athens disk root folder.";
default = "/var/lib/athens";
};
};
gcp = {
projectID = mkOption {
type = types.nullOr types.str;
projectID = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "GCP project ID.";
example = "my-project";
default = null;
};
bucket = mkOption {
type = types.nullOr types.str;
bucket = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "GCP backend storage bucket.";
example = "my-bucket";
default = null;
};
jsonKey = mkOption {
type = types.nullOr types.str;
jsonKey = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Base64 encoded GCP service account key. Warning: this is stored in plain text in the config file.";
default = null;
};
};
minio = {
endpoint = mkOption {
type = types.nullOr types.str;
endpoint = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Endpoint of the minio storage backend.";
example = "minio.example.com:9001";
default = null;
};
key = mkOption {
type = types.nullOr types.str;
key = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Access key id for the minio storage backend.";
example = "minio";
default = null;
};
secret = mkOption {
type = types.nullOr types.str;
secret = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Secret key for the minio storage backend. Warning: this is stored in plain text in the config file.";
example = "minio123";
default = null;
};
enableSSL = mkOption {
type = types.bool;
enableSSL = lib.mkOption {
type = lib.types.bool;
description = "Enable SSL for the minio storage backend.";
default = false;
};
bucket = mkOption {
type = types.nullOr types.str;
bucket = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Bucket name for the minio storage backend.";
example = "gomods";
default = null;
};
region = mkOption {
type = types.nullOr types.str;
region = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Region for the minio storage backend.";
example = "us-east-1";
default = null;
@ -686,108 +683,108 @@ in
};
mongo = {
url = mkOption {
type = types.nullOr types.str;
url = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "URL of the mongo database.";
example = "mongodb://localhost:27017";
default = null;
};
defaultDBName = mkOption {
type = types.nullOr types.str;
defaultDBName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Name of the mongo database.";
example = "athens";
default = null;
};
certPath = mkOption {
type = types.nullOr types.path;
certPath = lib.mkOption {
type = lib.types.nullOr lib.types.path;
description = "Path to the certificate file for the mongo database.";
example = "/etc/ssl/mongo.pem";
default = null;
};
insecure = mkOption {
type = types.bool;
insecure = lib.mkOption {
type = lib.types.bool;
description = "Allow insecure connections to the mongo database.";
default = false;
};
};
s3 = {
region = mkOption {
type = types.nullOr types.str;
region = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Region of the S3 storage backend.";
example = "eu-west-3";
default = null;
};
key = mkOption {
type = types.nullOr types.str;
key = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Access key id for the S3 storage backend.";
example = "minio";
default = null;
};
secret = mkOption {
type = types.str;
secret = lib.mkOption {
type = lib.types.str;
description = "Secret key for the S3 storage backend. Warning: this is stored in plain text in the config file.";
default = "";
};
token = mkOption {
type = types.nullOr types.str;
token = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Token for the S3 storage backend. Warning: this is stored in plain text in the config file.";
default = null;
};
bucket = mkOption {
type = types.nullOr types.str;
bucket = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Bucket name for the S3 storage backend.";
example = "gomods";
default = null;
};
forcePathStyle = mkOption {
type = types.bool;
forcePathStyle = lib.mkOption {
type = lib.types.bool;
description = "Force path style for the S3 storage backend.";
default = false;
};
useDefaultConfiguration = mkOption {
type = types.bool;
useDefaultConfiguration = lib.mkOption {
type = lib.types.bool;
description = "Use default configuration for the S3 storage backend.";
default = false;
};
credentialsEndpoint = mkOption {
type = types.str;
credentialsEndpoint = lib.mkOption {
type = lib.types.str;
description = "Credentials endpoint for the S3 storage backend.";
default = "";
};
awsContainerCredentialsRelativeURI = mkOption {
type = types.nullOr types.str;
awsContainerCredentialsRelativeURI = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Container relative url (used by fargate).";
default = null;
};
endpoint = mkOption {
type = types.nullOr types.str;
endpoint = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Endpoint for the S3 storage backend.";
default = null;
};
};
azureblob = {
accountName = mkOption {
type = types.nullOr types.str;
accountName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Account name for the Azure Blob storage backend.";
default = null;
};
accountKey = mkOption {
type = types.nullOr types.str;
accountKey = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Account key for the Azure Blob storage backend. Warning: this is stored in plain text in the config file.";
default = null;
};
containerName = mkOption {
type = types.nullOr types.str;
containerName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Container name for the Azure Blob storage backend.";
default = null;
};
};
external = {
url = mkOption {
type = types.nullOr types.str;
url = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "URL of the backend storage layer.";
example = "https://athens.example.com";
default = null;
@ -797,44 +794,44 @@ in
index = {
mysql = {
protocol = mkOption {
type = types.str;
protocol = lib.mkOption {
type = lib.types.str;
description = "Protocol for the MySQL database.";
default = "tcp";
};
host = mkOption {
type = types.str;
host = lib.mkOption {
type = lib.types.str;
description = "Host for the MySQL database.";
default = "localhost";
};
port = mkOption {
type = types.int;
port = lib.mkOption {
type = lib.types.int;
description = "Port for the MySQL database.";
default = 3306;
};
user = mkOption {
type = types.str;
user = lib.mkOption {
type = lib.types.str;
description = "User for the MySQL database.";
default = "root";
};
password = mkOption {
type = types.nullOr types.str;
password = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Password for the MySQL database. Warning: this is stored in plain text in the config file.";
default = null;
};
database = mkOption {
type = types.str;
database = lib.mkOption {
type = lib.types.str;
description = "Database name for the MySQL database.";
default = "athens";
};
params = {
parseTime = mkOption {
type = types.nullOr types.str;
parseTime = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Parse time for the MySQL database.";
default = "true";
};
timeout = mkOption {
type = types.nullOr types.str;
timeout = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Timeout for the MySQL database.";
default = "30s";
};
@ -842,39 +839,39 @@ in
};
postgres = {
host = mkOption {
type = types.str;
host = lib.mkOption {
type = lib.types.str;
description = "Host for the Postgres database.";
default = "localhost";
};
port = mkOption {
type = types.int;
port = lib.mkOption {
type = lib.types.int;
description = "Port for the Postgres database.";
default = 5432;
};
user = mkOption {
type = types.str;
user = lib.mkOption {
type = lib.types.str;
description = "User for the Postgres database.";
default = "postgres";
};
password = mkOption {
type = types.nullOr types.str;
password = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Password for the Postgres database. Warning: this is stored in plain text in the config file.";
default = null;
};
database = mkOption {
type = types.str;
database = lib.mkOption {
type = lib.types.str;
description = "Database name for the Postgres database.";
default = "athens";
};
params = {
connect_timeout = mkOption {
type = types.nullOr types.str;
connect_timeout = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "Connect timeout for the Postgres database.";
default = "30s";
};
sslmode = mkOption {
type = types.nullOr types.str;
sslmode = lib.mkOption {
type = lib.types.nullOr lib.types.str;
description = "SSL mode for the Postgres database.";
default = "disable";
};
@ -882,8 +879,8 @@ in
};
};
extraConfig = mkOption {
type = types.attrs;
extraConfig = lib.mkOption {
type = lib.types.attrs;
description = ''
Extra configuration options for the athens config file.
'';
@ -891,7 +888,7 @@ in
};
};
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
systemd.services.athens = {
description = "Athens Go module proxy";
documentation = [ "https://docs.gomods.io" ];
@ -918,8 +915,8 @@ in
ProtectHome = "read-only";
ProtectSystem = "full";
ReadWritePaths = mkIf (cfg.storage.disk.rootPath != null && (! hasPrefix "/var/lib/" cfg.storage.disk.rootPath)) [ cfg.storage.disk.rootPath ];
StateDirectory = mkIf (hasPrefix "/var/lib/" cfg.storage.disk.rootPath) [ (removePrefix "/var/lib/" cfg.storage.disk.rootPath) ];
ReadWritePaths = lib.mkIf (cfg.storage.disk.rootPath != null && (! lib.hasPrefix "/var/lib/" cfg.storage.disk.rootPath)) [ cfg.storage.disk.rootPath ];
StateDirectory = lib.mkIf (lib.hasPrefix "/var/lib/" cfg.storage.disk.rootPath) [ (lib.removePrefix "/var/lib/" cfg.storage.disk.rootPath) ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
@ -928,8 +925,8 @@ in
};
networking.firewall = {
allowedTCPPorts = optionals (cfg.unixSocket == null) [ cfg.port ]
++ optionals cfg.enablePprof [ cfg.pprofPort ];
allowedTCPPorts = lib.optionals (cfg.unixSocket == null) [ cfg.port ]
++ lib.optionals cfg.enablePprof [ cfg.pprofPort ];
};
};
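Review bot: In the serviceConfig hunk (`@ -918,8 +915,8 @@`), the new `StateDirectory` line calls `lib.hasPrefix "/var/lib/" cfg.storage.disk.rootPath` without the `!= null` guard that the `ReadWritePaths` line directly above it carries, yet `storage.disk.rootPath` is typed `nullOr path`, so a user who sets it to `null` (e.g. when using a non-disk `storageType`) gets an evaluation error instead of a module with no disk grant. The guard should be mirrored: `StateDirectory = lib.mkIf (cfg.storage.disk.rootPath != null && lib.hasPrefix "/var/lib/" cfg.storage.disk.rootPath) [ (lib.removePrefix "/var/lib/" cfg.storage.disk.rootPath) ];`. The enclosing `systemd.services.athens` block and its `serviceConfig` start outside this hunk, so how a null rootPath is rendered into the generated config is not visible here and should be checked alongside. This is pre-existing behavior that the `with lib;` removal only preserves, but the asymmetry is now easy to spot on adjacent lines.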