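# NixOS module that runs Docling Serve as a sandboxed systemd service.
#
# Options live under `services.docling-serve`; when `enable` is set, the module
# defines the `docling-serve` unit and, if requested, opens the TCP port.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib) types;

  cfg = config.services.docling-serve;
in
{
  options = {
    services.docling-serve = {
      enable = lib.mkEnableOption "Docling Serve server";
      package = lib.mkPackageOption pkgs "docling-serve" { };

      # NOTE(review): only WorkingDirectory follows this option; StateDirectory
      # below is fixed to "docling-serve". The example sits under /home, which
      # ProtectHome = true hides from the service, so consider a different
      # example or deriving StateDirectory from this value.
      stateDir = lib.mkOption {
        type = types.path;
        default = "/var/lib/docling-serve";
        example = "/home/foo";
        description = ''
          State directory of Docling Serve, used as the working directory of the service.
          Only the default location is provisioned by systemd (`StateDirectory`);
          any other path must already exist and be accessible inside the service sandbox.
        '';
      };

      host = lib.mkOption {
        type = types.str;
        default = "127.0.0.1";
        example = "0.0.0.0";
        description = ''
          The host address which the Docling Serve server HTTP interface listens to.
          The default only accepts local connections. A non-loopback address such as
          `0.0.0.0` makes the API reachable from the network, so pair it with
          authentication or a reverse proxy and a matching firewall policy.
        '';
      };

      port = lib.mkOption {
        type = types.port;
        default = 5001;
        example = 11111;
        description = ''
          Which port the Docling Serve server listens to.
        '';
      };

      environment = lib.mkOption {
        type = types.attrsOf types.str;
        default = {
          DOCLING_SERVE_ENABLE_UI = "False";
        };
        # literalExpression renders the example as Nix code in the manual
        # instead of as a quoted string.
        example = lib.literalExpression ''
          {
            DOCLING_SERVE_ENABLE_UI = "True";
          }
        '';
        description = ''
          Extra environment variables for Docling Serve.
          Values set here are written to the world-readable Nix store;
          use `environmentFile` for secrets.
          For more details see <https://github.com/docling-project/docling-serve/blob/main/docs/configuration.md>
        '';
      };

      environmentFile = lib.mkOption {
        description = ''
          Environment file to be passed to the systemd service.
          Useful for passing secrets to the service to prevent them from being
          world-readable in the Nix store.
          Give the location as a string, as in the example; a Nix path literal
          would be copied into the Nix store and defeat that purpose.
        '';
        type = types.nullOr types.path;
        default = null;
        example = "/var/lib/secrets/doclingServeSecrets";
      };

      openFirewall = lib.mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to open the firewall for Docling Serve.
          This adds `services.docling-serve.port` to `networking.firewall.allowedTCPPorts`.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.docling-serve = {
      description = "Running Docling as an API service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # Relative paths resolve against WorkingDirectory (cfg.stateDir).
      # Entries in cfg.environment take precedence over these defaults.
      environment = {
        HF_HOME = ".";
        EASYOCR_MODULE_PATH = ".";
        MPLCONFIGDIR = ".";
      }
      // cfg.environment;

      serviceConfig = {
        # The host is wrapped in double quotes so systemd parses it as one argument.
        ExecStart = "${lib.getExe cfg.package} run --host \"${cfg.host}\" --port ${toString cfg.port}";
        # Evaluates to an empty list when no environment file is configured.
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        WorkingDirectory = cfg.stateDir;
        StateDirectory = "docling-serve";
        RuntimeDirectory = "docling-serve";
        RuntimeDirectoryMode = "0755";

        # Sandboxing. Per systemd.exec(5), DynamicUser additionally implies
        # ProtectSystem=strict, NoNewPrivileges and RestrictSUIDSGID.
        PrivateTmp = true;
        DynamicUser = true;
        DevicePolicy = "closed";
        LockPersonality = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        # Files the service creates are readable by its own user only.
        UMask = "0077";
        # Empty bounding set: the service holds no Linux capabilities.
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        ProtectClock = true;
        ProtectProc = "invisible";
      };
    };

    networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
  };

  meta.maintainers = with lib.maintainers; [ drupol ];
}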