Merge pull request #306516 from gador/init-blenderfarm

blendfarm: init at 1.1.6; nixos/blendfarm: init
NixOS · Jul 15, 2024 · a14c5d6 · a14c5d6
2 parents b8b4648 + f312bdb
commit a14c5d6
Show file tree

Hide file tree

Showing 4 changed files with 462 additions and 0 deletions.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -705,6 +705,7 @@
   ./services/misc/beanstalkd.nix
   ./services/misc/bees.nix
   ./services/misc/bepasty.nix
+  ./services/misc/blenderfarm.nix
   ./services/misc/calibre-server.nix
   ./services/misc/canto-daemon.nix
   ./services/misc/cfdyndns.nix

diff --git a/nixos/modules/services/misc/blenderfarm.nix b/nixos/modules/services/misc/blenderfarm.nix
@@ -0,0 +1,141 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+  cfg = config.services.blendfarm;
+  json = pkgs.formats.json { };
+  configFile = json.generate "ServerSettings" (defaultConfig // cfg.serverConfig);
+  defaultConfig = {
+    Port = 15000;
+    BroadcastPort = 16342;
+    BypassScriptUpdate = false;
+    BasicSecurityPassword = null;
+  };
+in
+{
+  meta.maintainers = with lib.maintainers; [ gador ];
+
+  options.services.blendfarm = with lib.types; {
+    enable = lib.mkEnableOption "Blendfarm, a render farm management software for Blender.";
+    package = lib.mkPackageOption pkgs "blendfarm" { };
+    openFirewall = lib.mkEnableOption "Allow blendfarm network access through the firewall.";
+
+    user = lib.mkOption {
+      description = "User under which blendfarm runs.";
+      default = "blendfarm";
+      type = str;
+    };
+
+    group = lib.mkOption {
+      description = "Group under which blendfarm runs.";
+      default = "blendfarm";
+      type = str;
+    };
+
+    basicSecurityPasswordFile = lib.mkOption {
+      description = ''Path to the password file the client needs to connect to the server.
+      The password must not contain a forward slash.'';
+      default = null;
+      type = nullOr str;
+    };
+
+    blenderPackage = lib.mkPackageOption pkgs "blender" { };
+
+    serverConfig = lib.mkOption {
+      description = "Server configuration";
+      default = defaultConfig;
+      type = submodule {
+        freeformType = attrsOf anything;
+        options = {
+          Port = lib.mkOption {
+            description = "Default port blendfarm server listens on.";
+            default = 15000;
+            type = types.port;
+          };
+          BroadcastPort = lib.mkOption {
+            description = "Default port blendfarm server advertises itself on.";
+            default = 16342;
+            type = types.port;
+          };
+
+          BypassScriptUpdate = lib.mkOption {
+            description = "Prevents blendfarm from replacing the .py self-generated scripts.";
+            default = false;
+            type = bool;
+          };
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ cfg.package ];
+    networking.firewall = lib.optionalAttrs (cfg.openFirewall) {
+      allowedTCPPorts = [ cfg.serverConfig.Port ];
+      allowedUDPPorts = [ cfg.serverConfig.BroadcastPort ];
+    };
+
+    systemd.services.blendfarm-server = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      description = "blendfarm server";
+      path = [ cfg.blenderPackage ];
+      preStart = ''
+        rm -f ServerSettings
+        install -m640 ${configFile} ServerSettings
+        if [ ! -d "BlenderData/nix-blender-linux64" ]; then
+          mkdir -p BlenderData/nix-blender-linux64
+          echo "nix-blender" > VersionCustom
+        fi
+        rm -f BlenderData/nix-blender-linux64/blender
+        ln -s ${lib.getExe cfg.blenderPackage} BlenderData/nix-blender-linux64/blender
+      '' +
+      lib.optionalString (cfg.basicSecurityPasswordFile != null) ''
+        BLENDFARM_PASSWORD=$(${pkgs.systemd}/bin/systemd-creds cat BLENDFARM_PASS_FILE)
+        sed -i "s/null/\"$BLENDFARM_PASSWORD\"/g" ServerSettings
+      '';
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/LogicReinc.BlendFarm.Server";
+        DynamicUser = true;
+        LogsDirectory = "blendfarm";
+        StateDirectory = "blendfarm";
+        WorkingDirectory = "/var/lib/blendfarm";
+        User = cfg.user;
+        Group = cfg.group;
+        StateDirectoryMode = "0755";
+        LoadCredential = lib.optional (cfg.basicSecurityPasswordFile != null) "BLENDFARM_PASS_FILE:${cfg.basicSecurityPasswordFile}";
+        ReadWritePaths = "";
+        CapabilityBoundingSet = "";
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "@chown"
+        ];
+        RestrictRealtime = true;
+        LockPersonality = true;
+        UMask = "0066";
+        ProtectHostname = true;
+      };
+    };
+
+    users.users.blendfarm = {
+      isSystemUser = true;
+      group = "blendfarm";
+    };
+    users.groups.blendfarm = { };
+  };
+}