{ config, lib, pkgs, ... }: with lib; let cfg = config.services.objectifier; pythonYolo = pkgs.python3.withPackages (pyPkgs: with pyPkgs; [ fastapi gunicorn opencv4 python-multipart uvicorn ]); in { options.services.objectifier = with types; { enable = mkEnableOption "Enable Objectifier object-detection web sevice."; port = mkOption { type = port; description = "Port on which to run the Objectifier web service."; default = 5121; }; workers = mkOption { type = int; description = "Number of worker threads to launch."; default = 3; }; listen-addresses = mkOption { type = listOf str; description = "List of IP addresses on which to listen for incoming requests."; default = [ "127.0.0.1" ]; }; }; config = mkIf cfg.enable { systemd.services.objectifier = { after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; reloadIfChanged = true; path = with pkgs; [ pythonYolo ]; environment = { OBJECTIFIER_YOLOV3_CONFIG = "${yolo-data}/yolov3.cfg"; OBJECTIFIER_YOLOV3_WEIGHTS = "${yolo-data}/yolov3.weights"; OBJECTIFIER_YOLOV3_LABELS = "${yolo-data}/labels"; OBJECTIFIER_BUFFER_SIZE = 524288; }; serviceConfig = { # PrivateUsers = true; # PrivateDevices = true; # PrivateTmp = true; # PrivateMounts = true; # ProtectControlGroups = true; # ProtectKernelTunables = true; # ProtectKernelModules = true; # ProtectSystem = true; # ProtectHostname = true; # ProtectHome = true; # ProtectClock = true; # ProtectKernelLogs = true; # DynamicUser = true; # MemoryDenyWriteExecute = true; # RestrictRealtime = true; # LockPersonality = true; # PermissionsStartOnly = true; WorkingDirectory = "${pkgs.objectifier}"; LimitNOFILE = 4096; Restart = "on-failure"; RestartSec = "5s"; Type = "simple"; PIDFile = "/run/objectifier.pid"; ExecStart = let bindClause = concatStringsSep " " (map (addr: "--bind ${addr}:${toString cfg.port}") cfg.listen-addresses); in (concatStringsSep " " [ "gunicorn" bindClause "--workers ${cfg.workers}" "-k uvicorn.workers.UvicornWorker" "--pid /run/objectifier.pid" "objectifier:app" ]); }; }; }; }