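# NixOS module for running ChromaDB as a sandboxed systemd service.
#
# Declares `services.chromadb.*` options and, when enabled, a `chromadb`
# unit that runs `<package> run --path … --host … --port …` under a
# dynamic user, plus an optional firewall rule for the listen port.
{
  config,
  pkgs,
  lib,
  utils,
  ...
}:

let
  cfg = config.services.chromadb;
  inherit (lib)
    mkEnableOption
    mkPackageOption
    mkOption
    mkIf
    types
    ;
in
{

  meta.maintainers = with lib.maintainers; [ ];

  imports = [
    # `logFile` mapped to a CLI flag that no longer exists; fail evaluation
    # with an explanation instead of silently ignoring the setting.
    (lib.mkRemovedOptionModule [ "services" "chromadb" "logFile" ] ''
      ChromaDB has removed the --log-path parameter that logFile relied on.
    '')
  ];

  options = {
    services.chromadb = {
      enable = mkEnableOption "ChromaDB, an open-source AI application database.";

      package = mkPackageOption pkgs [ "python3Packages" "chromadb" ] { };

      # Listen address. The default keeps the API on loopback only.
      # This module passes nothing but --path/--host/--port to the server, so
      # it configures no authentication or TLS for the listener; anything
      # beyond loopback relies on whatever ChromaDB enforces by itself or on a
      # reverse proxy placed in front of it.
      host = mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = ''
          Defines the IP address by which ChromaDB will be accessible.
        '';
      };

      port = mkOption {
        type = types.port;
        default = 8000;
        description = ''
          Defined the port number to listen.
        '';
      };

      # NOTE(review): the unit below sets ProtectSystem = "strict" and grants
      # write access only through StateDirectory/LogsDirectory ("chromadb"),
      # so a dbpath outside /var/lib/chromadb looks like it would be read-only
      # for the service unless ReadWritePaths is added by the user. Confirm
      # before pointing this elsewhere.
      dbpath = mkOption {
        type = types.str;
        default = "/var/lib/chromadb";
        description = "Location where ChromaDB stores its files";
      };

      # Off by default. Opening the port only matters when `host` is a
      # non-loopback address; in that case the API becomes reachable from
      # every network the firewall rule applies to.
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to automatically open the specified TCP port in the firewall.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.services.chromadb = {
      description = "ChromaDB";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        StateDirectory = "chromadb";
        WorkingDirectory = "/var/lib/chromadb";
        LogsDirectory = "chromadb";
        # Build the command line one argv entry per option value. systemd
        # splits ExecStart on whitespace and expands `%` specifiers and
        # `$VAR` references, so interpolating cfg.dbpath / cfg.host into one
        # string let a value containing spaces turn into extra arguments.
        # escapeSystemdExecArgs quotes each entry and passes it literally.
        ExecStart = utils.escapeSystemdExecArgs [
          (lib.getExe cfg.package)
          "run"
          "--path"
          cfg.dbpath
          "--host"
          cfg.host
          "--port"
          (toString cfg.port)
        ];
        Restart = "on-failure";

        # Filesystem view: no access to home directories, the rest of the
        # file system read-only, private /tmp, /dev and mount namespace.
        ProtectHome = true;
        ProtectSystem = "strict";
        PrivateTmp = true;
        PrivateDevices = true;
        PrivateMounts = true;

        # Host and kernel state the service has no reason to change.
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;

        # Privilege handling: no privilege gain through exec, no realtime
        # scheduling, no creation of setuid/setgid files, IPC objects removed
        # when the unit stops.
        NoNewPrivileges = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RemoveIPC = true;

        # Run under a transient UID/GID allocated at start instead of a
        # static account or root.
        DynamicUser = true;

        # NOTE(review): CapabilityBoundingSet, RestrictAddressFamilies,
        # SystemCallFilter, RestrictNamespaces and LockPersonality are not
        # set here. `systemd-analyze security chromadb` lists what remains
        # open; any tightening needs testing against the packaged server.
      };
    };

    # Empty list unless openFirewall is set, so the default leaves the
    # firewall untouched.
    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
  };
}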