objectifier/objectifier-module.nix

{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.objectifier;

  pythonYolo = pkgs.python3.withPackages (pyPkgs:
    with pyPkgs; [
      fastapi
      gunicorn
      opencv4
      python-multipart
      uvicorn
    ]);

in {
  options.services.objectifier = with types; {
    enable = mkEnableOption "Enable Objectifier object-detection web sevice.";

    port = mkOption {
      type = port;
      description = "Port on which to run the Objectifier web service.";
      default = 5121;
    };

    workers = mkOption {
      type = int;
      description = "Number of worker threads to launch.";
      default = 3;
    };

    listen-addresses = mkOption {
      type = listOf str;
      description =
        "List of IP addresses on which to listen for incoming requests.";
      default = [ "127.0.0.1" ];
    };
  };

  config = mkIf cfg.enable {
    systemd.services.objectifier = {
      after = [ "network-online.target" ];
      wantedBy = [ "default.target" ];
      reloadIfChanged = true;
      path = with pkgs; [ pythonYolo ];
      environment = {
        OBJECTIFIER_YOLOV3_CONFIG = "${yolo-data}/yolov3.cfg";
        OBJECTIFIER_YOLOV3_WEIGHTS = "${yolo-data}/yolov3.weights";
        OBJECTIFIER_YOLOV3_LABELS = "${yolo-data}/labels";
        OBJECTIFIER_BUFFER_SIZE = 524288;
      };
      serviceConfig = {
        # PrivateUsers = true;
        # PrivateDevices = true;
        # PrivateTmp = true;
        # PrivateMounts = true;
        # ProtectControlGroups = true;
        # ProtectKernelTunables = true;
        # ProtectKernelModules = true;
        # ProtectSystem = true;
        # ProtectHostname = true;
        # ProtectHome = true;
        # ProtectClock = true;
        # ProtectKernelLogs = true;
        # DynamicUser = true;
        # MemoryDenyWriteExecute = true;
        # RestrictRealtime = true;
        # LockPersonality = true;
        # PermissionsStartOnly = true;
        WorkingDirectory = "${pkgs.objectifier}";
        Restart = "on-failure";
        Type = "simple";
        PIDFile = "/run/objectifier.pid";
        ExecStart = let
          bindClause =
            map (addr: "--bind ${addr}:${cfg.port}") cfg.listen-addresses;
        in concatStringsSep " " [
          "gunicorn"
          bindClause
          "--workers ${cfg.workers}"
          "-k uvicorn.workers.UvicornWorker"
          "objectifier:app"
          "--pid /run/objectifier.pid"
        ];
      };
    };
  };
}
Initial commit 2023-01-06 14:46:11 -08:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`cfg = config.services.objectifier;`

			`pythonYolo = pkgs.python3.withPackages (pyPkgs:`
			`with pyPkgs; [`
			`fastapi`
			`gunicorn`
			`opencv4`
			`python-multipart`
			`uvicorn`
			`]);`

			`in {`
			`options.services.objectifier = with types; {`
			`enable = mkEnableOption "Enable Objectifier object-detection web sevice.";`

			`port = mkOption {`
			`type = port;`
			`description = "Port on which to run the Objectifier web service.";`
			`default = 5121;`
			`};`

			`workers = mkOption {`
			`type = int;`
			`description = "Number of worker threads to launch.";`
			`default = 3;`
			`};`

			`listen-addresses = mkOption {`
			`type = listOf str;`
			`description =`
			`"List of IP addresses on which to listen for incoming requests.";`
			`default = [ "127.0.0.1" ];`
			`};`
			`};`

			`config = mkIf cfg.enable {`
			`systemd.services.objectifier = {`
			`after = [ "network-online.target" ];`
			`wantedBy = [ "default.target" ];`
			`reloadIfChanged = true;`
			`path = with pkgs; [ pythonYolo ];`
			`environment = {`
			`OBJECTIFIER_YOLOV3_CONFIG = "${yolo-data}/yolov3.cfg";`
			`OBJECTIFIER_YOLOV3_WEIGHTS = "${yolo-data}/yolov3.weights";`
			`OBJECTIFIER_YOLOV3_LABELS = "${yolo-data}/labels";`
			`OBJECTIFIER_BUFFER_SIZE = 524288;`
			`};`
			`serviceConfig = {`
			`# PrivateUsers = true;`
			`# PrivateDevices = true;`
			`# PrivateTmp = true;`
			`# PrivateMounts = true;`
			`# ProtectControlGroups = true;`
			`# ProtectKernelTunables = true;`
			`# ProtectKernelModules = true;`
			`# ProtectSystem = true;`
			`# ProtectHostname = true;`
			`# ProtectHome = true;`
			`# ProtectClock = true;`
			`# ProtectKernelLogs = true;`
			`# DynamicUser = true;`
			`# MemoryDenyWriteExecute = true;`
			`# RestrictRealtime = true;`
			`# LockPersonality = true;`
			`# PermissionsStartOnly = true;`
			`WorkingDirectory = "${pkgs.objectifier}";`
			`Restart = "on-failure";`
			`Type = "simple";`
			`PIDFile = "/run/objectifier.pid";`
			`ExecStart = let`
			`bindClause =`
			`map (addr: "--bind ${addr}:${cfg.port}") cfg.listen-addresses;`
			`in concatStringsSep " " [`
			`"gunicorn"`
			`bindClause`
			`"--workers ${cfg.workers}"`
			`"-k uvicorn.workers.UvicornWorker"`
			`"objectifier:app"`
			`"--pid /run/objectifier.pid"`
			`];`
			`};`
			`};`
			`};`
			`}`