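# NixOS module for the Blendfarm render-farm server: declares the
# services.blendfarm options, writes ServerSettings into the state directory
# at service start, and runs the server in a sandboxed systemd unit.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.blendfarm;
  json = pkgs.formats.json { };
  # Generated into the Nix store, which is world-readable. The real password
  # must therefore never be placed in serverConfig; it is merged in at runtime
  # by preStart from the systemd credential instead.
  configFile = json.generate "ServerSettings" (defaultConfig // cfg.serverConfig);
  defaultConfig = {
    Port = 15000;
    BroadcastPort = 16342;
    BypassScriptUpdate = false;
    # NOTE(review): presumably null means "no password required" on the
    # server side; confirm against blendfarm before exposing the ports.
    BasicSecurityPassword = null;
  };
in
{
  meta.maintainers = with lib.maintainers; [ gador ];

  options.services.blendfarm = with lib.types; {
    enable = lib.mkEnableOption "Blendfarm, a render farm management software for Blender";
    package = lib.mkPackageOption pkgs "blendfarm" { };
    # Opens serverConfig.Port (TCP) and serverConfig.BroadcastPort (UDP).
    openFirewall = lib.mkEnableOption "allowing blendfarm network access through the firewall";

    user = lib.mkOption {
      description = "User under which blendfarm runs.";
      default = "blendfarm";
      type = str;
    };

    group = lib.mkOption {
      description = "Group under which blendfarm runs.";
      default = "blendfarm";
      type = str;
    };

    # The file is handed to the unit through LoadCredential, so it only needs
    # to be readable by the service manager, not by the service user.
    # NOTE(review): the forward-slash restriction below presumably stems from
    # the earlier sed-based substitution; confirm whether blendfarm itself
    # imposes it before relaxing the wording.
    basicSecurityPasswordFile = lib.mkOption {
      description = ''
        Path to the password file the client needs to connect to the server.
        The password must not contain a forward slash.'';
      default = null;
      type = nullOr str;
    };

    blenderPackage = lib.mkPackageOption pkgs "blender" { };

    serverConfig = lib.mkOption {
      description = "Server configuration";
      default = defaultConfig;
      type = submodule {
        # Free-form: any further key is passed through to ServerSettings as-is.
        freeformType = attrsOf anything;
        options = {
          Port = lib.mkOption {
            description = "Default port blendfarm server listens on.";
            default = 15000;
            type = types.port;
          };
          BroadcastPort = lib.mkOption {
            description = "Default port blendfarm server advertises itself on.";
            default = 16342;
            type = types.port;
          };

          BypassScriptUpdate = lib.mkOption {
            description = "Prevents blendfarm from replacing the .py self-generated scripts.";
            default = false;
            type = bool;
          };
        };
      };
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
    # NOTE(review): nothing here ties openFirewall to a password being set, so
    # the ports can be opened with BasicSecurityPassword left at null.
    networking.firewall = lib.optionalAttrs (cfg.openFirewall) {
      allowedTCPPorts = [ cfg.serverConfig.Port ];
      allowedUDPPorts = [ cfg.serverConfig.BroadcastPort ];
    };

    systemd.services.blendfarm-server = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      description = "blendfarm server";
      path = [ cfg.blenderPackage ];
      # Runs in WorkingDirectory (the state directory): refreshes
      # ServerSettings from the store copy and points the custom Blender
      # slot at the packaged blender binary.
      preStart =
        ''
          rm -f ServerSettings
          install -m640 ${configFile} ServerSettings
          if [ ! -d "BlenderData/nix-blender-linux64" ]; then
            mkdir -p BlenderData/nix-blender-linux64
            echo "nix-blender" > VersionCustom
          fi
          rm -f BlenderData/nix-blender-linux64/blender
          ln -s ${lib.getExe cfg.blenderPackage} BlenderData/nix-blender-linux64/blender
        ''
        # The password is set with jq rather than spliced in with sed: the
        # former sed call rewrote every "null" in the file, used the secret as
        # a sed replacement (so '/', '&' and '\' were interpreted by sed) and
        # emitted it without JSON escaping. jq sets only BasicSecurityPassword,
        # escapes the value, and reads it from the environment so the secret
        # does not appear on a command line. Assignment and export are kept
        # separate so that a failing systemd-creds call is not masked.
        # The redirect truncates the file created by install above, so its
        # 0640 mode is retained.
        + lib.optionalString (cfg.basicSecurityPasswordFile != null) ''
          BLENDFARM_PASSWORD=$(${pkgs.systemd}/bin/systemd-creds cat BLENDFARM_PASS_FILE)
          export BLENDFARM_PASSWORD
          ${pkgs.jq}/bin/jq '.BasicSecurityPassword = env.BLENDFARM_PASSWORD' ${configFile} > ServerSettings
        '';
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/LogicReinc.BlendFarm.Server";
        # NOTE(review): DynamicUser is combined with User/Group and with the
        # static users.users.blendfarm account declared below; confirm which
        # of the two account models is intended.
        DynamicUser = true;
        LogsDirectory = "blendfarm";
        StateDirectory = "blendfarm";
        WorkingDirectory = "/var/lib/blendfarm";
        User = cfg.user;
        Group = cfg.group;
        # NOTE(review): 0755 lets other local users list the state directory;
        # ServerSettings (0640) holds the password after preStart.
        StateDirectoryMode = "0755";
        LoadCredential = lib.optional (
          cfg.basicSecurityPasswordFile != null
        ) "BLENDFARM_PASS_FILE:${cfg.basicSecurityPasswordFile}";
        ReadWritePaths = "";
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        SystemCallArchitectures = "native";
        # Allow the @system-service set, drop @privileged, then re-allow
        # @chown on top of that.
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "@chown"
        ];
        RestrictRealtime = true;
        LockPersonality = true;
        UMask = "0066";
        ProtectHostname = true;
      };
    };

    # NOTE(review): the account and group names are fixed to "blendfarm" here
    # and do not follow cfg.user / cfg.group when those are overridden.
    users.users.blendfarm = {
      isSystemUser = true;
      group = "blendfarm";
    };
    users.groups.blendfarm = { };
  };
}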