objectifier/objectifier-module.nix

{ config, lib, pkgs, ... }:

with lib;
let
  cfg = config.services.objectifier;

  pythonYolo = pkgs.python3.withPackages (pyPkgs:
    with pyPkgs; [
      fastapi
      gunicorn
      opencv4
      python-multipart
      uvicorn
    ]);

in {
  options.services.objectifier = with types; {
    enable = mkEnableOption "Enable Objectifier object-detection web sevice.";

    port = mkOption {
      type = port;
      description = "Port on which to run the Objectifier web service.";
      default = 5121;
    };

    workers = mkOption {
      type = int;
      description = "Number of worker threads to launch.";
      default = 3;
    };

    listen-addresses = mkOption {
      type = listOf str;
      description =
        "List of IP addresses on which to listen for incoming requests.";
      default = [ "127.0.0.1" ];
    };
  };

  config = mkIf cfg.enable {
    systemd.services.objectifier = {
      after = [ "network-online.target" ];
      wantedBy = [ "default.target" ];
      reloadIfChanged = true;
      path = with pkgs; [ pythonYolo ];
      environment = {
        OBJECTIFIER_YOLOV3_CONFIG = "${yolo-data}/yolov3.cfg";
        OBJECTIFIER_YOLOV3_WEIGHTS = "${yolo-data}/yolov3.weights";
        OBJECTIFIER_YOLOV3_LABELS = "${yolo-data}/labels";
        OBJECTIFIER_BUFFER_SIZE = 524288;
      };
      serviceConfig = {
        # PrivateUsers = true;
        # PrivateDevices = true;
        # PrivateTmp = true;
        # PrivateMounts = true;
        # ProtectControlGroups = true;
        # ProtectKernelTunables = true;
        # ProtectKernelModules = true;
        # ProtectSystem = true;
        # ProtectHostname = true;
        # ProtectHome = true;
        # ProtectClock = true;
        # ProtectKernelLogs = true;
        # DynamicUser = true;
        # MemoryDenyWriteExecute = true;
        # RestrictRealtime = true;
        # LockPersonality = true;
        # PermissionsStartOnly = true;
        WorkingDirectory = "${pkgs.objectifier}";
        Restart = "on-failure";
        Type = "simple";
        PIDFile = "/run/objectifier.pid";
        ExecStart = let
          bindClause =
            map (addr: "--bind ${addr}:${cfg.port}") cfg.listen-addresses;
        in concatStringsSep " " [
          "gunicorn"
          bindClause
          "--workers ${cfg.workers}"
          "-k uvicorn.workers.UvicornWorker"
          "objectifier:app"
          "--pid /run/objectifier.pid"
        ];
      };
    };
  };
}