From 0d179b477c8fe4d111200b705c425e2430860843 Mon Sep 17 00:00:00 2001 From: Joonas Rautiola Date: Tue, 2 Apr 2024 18:14:29 +0300 Subject: [PATCH] Refactor rclone-http into a module Signed-off-by: Joonas Rautiola --- hosts/azure/binary-cache/configuration.nix | 44 +++---------- hosts/azure/builder/configuration.nix | 28 ++------ .../jenkins-controller/configuration.nix | 41 +++--------- services/default.nix | 1 + services/rclone-http/default.nix | 64 +++++++++++++++++++ 5 files changed, 88 insertions(+), 90 deletions(-) create mode 100644 services/rclone-http/default.nix diff --git a/hosts/azure/binary-cache/configuration.nix b/hosts/azure/binary-cache/configuration.nix index 5b48dd41..62fc2165 100644 --- a/hosts/azure/binary-cache/configuration.nix +++ b/hosts/azure/binary-cache/configuration.nix @@ -2,7 +2,6 @@ # SPDX-License-Identifier: Apache-2.0 { self, - config, pkgs, lib, ... @@ -10,6 +9,7 @@ imports = [ ../../azure-common.nix self.nixosModules.service-openssh + self.nixosModules.service-rclone-http ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 
@@ -26,38 +26,21 @@ ]; }; - # Run a read-only HTTP webserver proxying to the "binary-cache-v1" storage - # container at a unix socket. - # This relies on IAM to grant access to the storage container. - systemd.services.rclone-http = { - after = ["network.target"]; - requires = ["network.target"]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "notify"; - Restart = "always"; - RestartSec = 2; - DynamicUser = true; - RuntimeDirectory = "rclone-http"; - ExecStart = - "${pkgs.rclone}/bin/rclone " - + "serve http " - + "--azureblob-env-auth " - + "--read-only " - + "--addr unix://%t/rclone-http/socket " - + ":azureblob:binary-cache-v1"; - # On successful startup, grant caddy write permissions to the socket. - ExecStartPost = "${pkgs.acl.bin}/bin/setfacl -m u:caddy:rw %t/rclone-http/socket"; - EnvironmentFile = "/var/lib/rclone-http/env"; - }; + services.rclone-http = { + enable = true; + readOnly = true; + remote = ":azureblob:binary-cache-v1"; + listenAddress = "unix://%t/rclone-http/socket"; }; + # On successful startup, grant caddy write permissions to the socket. + systemd.services.rclone-http.serviceConfig.ExecStartPost = "${pkgs.acl.bin}/bin/setfacl -m u:caddy:rw %t/rclone-http/socket"; + # Expose the rclone-http unix socket over a HTTPS, limiting to certain # keys only, disallowing listing too. - # TODO: use https://caddyserver.com/docs/caddyfile-tutorial#environment-variables for domain services.caddy = { enable = true; - configFile = pkgs.writeTextDir "Caddyfile" '' + configFile = pkgs.writeText "Caddyfile" '' # Disable the admin API, we don't want to reconfigure Caddy at runtime. { admin off 
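Review bot: The Caddyfile written on the new side of this hunk keeps `admin off`, while the commit removes `services.caddy.enableReload = false` further down in the same file; unless something outside this view overrides it, the NixOS caddy module's default `enableReload = true` then applies and a later Caddyfile change is applied via `caddy reload`, which talks to the admin API that is disabled here, so the likely outcome is a redeploy that reports a reload failure while the running instance keeps the old config. Either keep `services.caddy.enableReload = false;` next to the new `configFile = pkgs.writeText "Caddyfile" ''` line, or drop `admin off` and bind the admin endpoint to a local unix socket instead so reloads keep working without exposing it. The `ExecStartPost` `setfacl` only runs once rclone has signalled readiness (`Type = "notify"`), and I see no `after` ordering between caddy and rclone-http in this hunk, so Caddy may serve 502s for the window before the ACL is applied; a `systemd.services.caddy.after = ["rclone-http.service"];` next to the new line would close that gap if it is not set elsewhere. The Caddyfile string continues past the end of the hunk.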
@@ -81,13 +64,6 @@ ''; }; - # workaround for https://github.com/NixOS/nixpkgs/issues/272532 - # FUTUREWORK: rebase once https://github.com/NixOS/nixpkgs/pull/272617 landed - services.caddy.enableReload = false; - systemd.services.caddy.serviceConfig.ExecStart = lib.mkForce [ - "" - "${pkgs.caddy}/bin/caddy run --environ --config ${config.services.caddy.configFile}/Caddyfile" - ]; systemd.services.caddy.serviceConfig.EnvironmentFile = "/var/lib/caddy/caddy.env"; # Configure Nix to use the bucket (through rclone-http) as a substitutor. diff --git a/hosts/azure/builder/configuration.nix b/hosts/azure/builder/configuration.nix index 74d02ad3..53310ab9 100644 --- a/hosts/azure/builder/configuration.nix +++ b/hosts/azure/builder/configuration.nix @@ -2,7 +2,6 @@ # SPDX-License-Identifier: Apache-2.0 { self, - pkgs, lib, ... }: { @@ -10,32 +9,15 @@ ../../azure-common.nix self.nixosModules.service-openssh self.nixosModules.service-remote-build + self.nixosModules.service-rclone-http ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - # Run a read-only HTTP webserver proxying to the "binary-cache-v1" storage - # container via http://localhost:8080. - # This relies on IAM to grant access to the storage container. - systemd.services.rclone-http = { - after = ["network.target"]; - requires = ["network.target"]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "notify"; - Restart = "always"; - RestartSec = 2; - DynamicUser = true; - RuntimeDirectory = "rclone-http"; - ExecStart = - "${pkgs.rclone}/bin/rclone " - + "serve http " - + "--azureblob-env-auth " - + "--read-only " - + "--addr localhost:8080 " - + ":azureblob:binary-cache-v1"; - EnvironmentFile = "/var/lib/rclone-http/env"; - }; + services.rclone-http = { + enable = true; + readOnly = true; + remote = ":azureblob:binary-cache-v1"; }; # Configure Nix to use this as a substitutor, and the public key used for signing. 
diff --git a/hosts/azure/jenkins-controller/configuration.nix b/hosts/azure/jenkins-controller/configuration.nix index ca105c00..ecdc31b7 100644 --- a/hosts/azure/jenkins-controller/configuration.nix +++ b/hosts/azure/jenkins-controller/configuration.nix @@ -2,7 +2,6 @@ # SPDX-License-Identifier: Apache-2.0 { pkgs, - config, self, lib, ... @@ -76,6 +75,7 @@ in { imports = [ ../../azure-common.nix self.nixosModules.service-openssh + self.nixosModules.service-rclone-http ]; # Configure /var/lib/jenkins in /etc/fstab. @@ -268,29 +268,6 @@ in { ''; }; - # Run a read-write HTTP webserver proxying to the "binary-cache-v1" storage - # This is used by the post-build-hook to upload to the binary cache. - # This relies on IAM to grant access to the storage container. - systemd.services.rclone-http = { - after = ["network.target"]; - requires = ["network.target"]; - wantedBy = ["multi-user.target"]; - serviceConfig = { - Type = "notify"; - Restart = "always"; - RestartSec = 2; - DynamicUser = true; - RuntimeDirectory = "rclone-http"; - ExecStart = - "${pkgs.rclone}/bin/rclone " - + "serve webdav " - + "--azureblob-env-auth " - + "--addr localhost:8080 " - + ":azureblob:binary-cache-v1"; - EnvironmentFile = "/var/lib/rclone-http/env"; - }; - }; - # Enable early out-of-memory killing. # Make nix builds more likely to be killed over more important services. services.earlyoom = { @@ -318,10 +295,15 @@ in { post-build-hook = ${post-build-hook} ''; - # TODO: use https://caddyserver.com/docs/caddyfile-tutorial#environment-variables for domain + services.rclone-http = { + enable = true; + protocol = "webdav"; + remote = ":azureblob:binary-cache-v1"; + }; + services.caddy = { enable = true; - configFile = pkgs.writeTextDir "Caddyfile" '' + configFile = pkgs.writeText "Caddyfile" '' # Disable the admin API, we don't want to reconfigure Caddy at runtime. { admin off 
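Review bot: The new `services.rclone-http` block on the jenkins-controller sets `protocol = "webdav"` but leaves `readOnly` at the module default of `false` and `listenAddress` at the default `localhost:8080`, so any local process on this host — including whatever a Jenkins job executes — gets unauthenticated read-write WebDAV access to `binary-cache-v1` under the VM's IAM identity. The previous inline unit had the same exposure, so the commit does not make it worse, but the refactor is the moment to align it with the binary-cache host, which binds to a unix socket and grants access with `setfacl`: `listenAddress = "unix://%t/rclone-http/socket";` plus an `ExecStartPost` ACL for the user that runs the post-build hook. The hook itself (`post-build-hook = ${post-build-hook}`) is defined outside this hunk, so I cannot confirm which user that is or whether it can be pointed at a socket; if the localhost port is intentional, a one-line comment stating that every local user on this host is trusted to write to the cache would at least make the trust boundary explicit.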
@@ -334,13 +316,6 @@ in { ''; }; - # workaround for https://github.com/NixOS/nixpkgs/issues/272532 - # FUTUREWORK: rebase once https://github.com/NixOS/nixpkgs/pull/272617 landed - services.caddy.enableReload = false; - systemd.services.caddy.serviceConfig.ExecStart = lib.mkForce [ - "" - "${pkgs.caddy}/bin/caddy run --environ --config ${config.services.caddy.configFile}/Caddyfile" - ]; systemd.services.caddy.serviceConfig.EnvironmentFile = "/var/lib/caddy/caddy.env"; # Configure Nix to use the bucket (through rclone-http) as a substitutor. diff --git a/services/default.nix b/services/default.nix index b204b17c..8a9bd973 100644 --- a/services/default.nix +++ b/services/default.nix @@ -8,5 +8,6 @@ service-node-exporter = import ./node-exporter; service-openssh = import ./openssh; service-remote-build = import ./remote-build; + service-rclone-http = import ./rclone-http; }; } diff --git a/services/rclone-http/default.nix b/services/rclone-http/default.nix new file mode 100644 index 00000000..b2842ad9 --- /dev/null +++ b/services/rclone-http/default.nix 
@@ -0,0 +1,64 @@ +# SPDX-FileCopyrightText: 2022-2024 TII (SSRC) and the Ghaf contributors +# SPDX-License-Identifier: Apache-2.0 +{ + pkgs, + lib, + config, + ... +}: +with lib; let + cfg = config.services.rclone-http; +in { + options.services.rclone-http = { + enable = mkEnableOption "rclone-http service"; + + listenAddress = mkOption { + type = types.str; + default = "localhost:8080"; + description = "IPaddress:Port, :Port or unix:///path/to/socket to bind server to"; + }; + + readOnly = mkOption { + type = types.bool; + default = false; + description = "Only allow read-only access"; + }; + + protocol = mkOption { + type = types.enum ["http" "webdav"]; + default = "http"; + description = "The protocol to serve the remote over"; + }; + + remote = mkOption { + type = types.str; + description = "The remote to serve"; + }; + }; + + config = mkIf cfg.enable { + # Run a read-only HTTP webserver proxying to an rclone remote at the configured address + # This relies on IAM to grant access to the storage container. + systemd.services.rclone-http = { + after = ["network.target"]; + requires = ["network.target"]; + wantedBy = ["multi-user.target"]; + serviceConfig = { + Type = "notify"; + Restart = "always"; + RestartSec = 2; + DynamicUser = true; + RuntimeDirectory = "rclone-http"; + EnvironmentFile = "/var/lib/rclone-http/env"; + + ExecStart = + "${pkgs.rclone}/bin/rclone " + + "serve ${cfg.protocol} " + + "--azureblob-env-auth " + + "${optionalString cfg.readOnly "--read-only "}" + + "--addr ${cfg.listenAddress} " + + "${cfg.remote}"; + }; + }; + }; +}
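Review bot: The header comment in the `config` block, `# Run a read-only HTTP webserver proxying to an rclone remote at the configured address`, does not match the options declared above it: `readOnly` defaults to `false` and `protocol` may be `webdav`, so a host that only sets `remote` gets a read-write server, and `rclone serve` is started here with no `--user`/`--pass`, so whoever can reach `listenAddress` inherits the VM's IAM rights on the container. I would reword it to `# Serve an rclone remote over http or webdav at listenAddress. The server has no authentication of its own and is read-write unless readOnly is set, so keep it on localhost or a unix socket and restrict access there.` and repeat that warning in the `listenAddress` description, noting that the `:Port` form binds every interface. Separately, `cfg.listenAddress` and `cfg.remote` are spliced into `ExecStart` unquoted, so a value containing whitespace or quotes is re-split by systemd's command-line parser; `+ "--addr ${escapeShellArg cfg.listenAddress} "` and `+ escapeShellArg cfg.remote` (systemd accepts single-quoted arguments) close that, and `escapeShellArg` is already in scope via `with lib;`. `EnvironmentFile = "/var/lib/rclone-http/env"` is hard-coded and undocumented, and systemd refuses to start the unit if that file is absent; either expose it as an option or comment what the file is expected to contain so a new host is not left with a failing service.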