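# NixOS module for Docling Serve.
#
# Declares the `services.docling-serve.*` options and, when enabled, a
# sandboxed systemd unit that runs `docling-serve run` plus an optional
# firewall rule for the configured TCP port.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib) types;

  cfg = config.services.docling-serve;
in
{
  options = {
    services.docling-serve = {
      enable = lib.mkEnableOption "Docling Serve server";
      package = lib.mkPackageOption pkgs "docling-serve" { };

      # NOTE(review): the unit below hard-codes StateDirectory = "docling-serve"
      # and sets ProtectHome = true, so only the default value lines up with the
      # directory systemd creates, and a path under /home (as in the example)
      # would not be reachable from inside the sandbox. Confirm whether this
      # option is meant to be changeable.
      stateDir = lib.mkOption {
        type = types.path;
        default = "/var/lib/docling-serve";
        example = "/home/foo";
        description = "State directory of Docling Serve.";
      };

      # The default binds to loopback only. A non-loopback address such as the
      # example makes the HTTP interface reachable from the network; this module
      # itself configures no authentication or TLS, so put access control in
      # front of the service (or enable what upstream offers) before doing so.
      host = lib.mkOption {
        type = types.str;
        default = "127.0.0.1";
        example = "0.0.0.0";
        description = ''
          The host address which the Docling Serve server HTTP interface listens to.
        '';
      };

      port = lib.mkOption {
        type = types.port;
        default = 5001;
        example = 11111;
        description = ''
          Which port the Docling Serve server listens to.
        '';
      };

      # Values set here are written into the generated unit and therefore end up
      # in the Nix store. Keep secrets out of this attrset; use `environmentFile`.
      environment = lib.mkOption {
        type = types.attrsOf types.str;
        default = {
          DOCLING_SERVE_ENABLE_UI = "False";
        };
        example = ''
          {
            DOCLING_SERVE_ENABLE_UI = "True";
          }
        '';
        description = ''
          Extra environment variables for Docling Serve.
          For more details see <https://github.com/docling-project/docling-serve/blob/main/docs/configuration.md>
        '';
      };

      # Point this at a file outside the Nix store with restrictive ownership
      # and permissions; only its path is referenced by the unit.
      environmentFile = lib.mkOption {
        description = ''
          Environment file to be passed to the systemd service.
          Useful for passing secrets to the service to prevent them from being
          world-readable in the Nix store.
        '';
        type = types.nullOr types.path;
        default = null;
        example = "/var/lib/secrets/doclingServeSecrets";
      };

      # Opening the port only matters together with `host`: with the loopback
      # default the service stays unreachable from other machines either way.
      openFirewall = lib.mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to open the firewall for Docling Serve.
          This adds `services.docling-serve.port` to `networking.firewall.allowedTCPPorts`.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.docling-serve = {
      description = "Running Docling as an API service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      # The three cache/config locations are relative paths, so they resolve
      # against WorkingDirectory (cfg.stateDir). `//` is right-biased: anything
      # the user sets in cfg.environment overrides these defaults.
      environment = {
        HF_HOME = ".";
        EASYOCR_MODULE_PATH = ".";
        MPLCONFIGDIR = ".";
      }
      // cfg.environment;

      serviceConfig = {
        ExecStart = "${lib.getExe cfg.package} run --host \"${cfg.host}\" --port ${toString cfg.port}";
        # Empty list when no file is configured, so no EnvironmentFile= is set.
        EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
        WorkingDirectory = cfg.stateDir;
        StateDirectory = "docling-serve";
        RuntimeDirectory = "docling-serve";
        # NOTE(review): 0755 leaves the runtime directory readable and
        # traversable by other local users; confirm nothing sensitive is
        # written there, or tighten the mode.
        RuntimeDirectoryMode = "0755";

        # Sandbox: transient unprivileged user, no capabilities, no access to
        # home directories, devices, kernel interfaces or other processes.
        PrivateTmp = true;
        DynamicUser = true;
        DevicePolicy = "closed";
        LockPersonality = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        # Files the service creates are accessible to its own user only.
        UMask = "0077";
        # Empty bounding set: the service can hold no Linux capabilities.
        CapabilityBoundingSet = "";
        # Sockets are limited to IPv4, IPv6 and Unix domain.
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        ProtectClock = true;
        ProtectProc = "invisible";
      };
    };

    networking.firewall = lib.mkIf cfg.openFirewall { allowedTCPPorts = [ cfg.port ]; };
  };

  meta.maintainers = with lib.maintainers; [ ];
}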