From 0cffa02748ff89ef043c6e0d2dedb64bf5e1ffb9 Mon Sep 17 00:00:00 2001 From: markoburcul Date: Thu, 9 Jan 2025 18:29:14 +0100 Subject: [PATCH] nix: add codex service definition Referenced issue: https://github.com/codex-storage/nim-codex/issues/940 Signed-off-by: markoburcul --- flake.lock | 5 ++--- flake.nix | 46 ++++++++++++++++++++++++++++++++------- nix/README.md | 12 ++++++++--- nix/default.nix | 15 +++++++------ nix/service.nix | 57 +++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 115 insertions(+), 20 deletions(-) create mode 100644 nix/service.nix diff --git a/flake.lock b/flake.lock index 56d5a06a..decca52e 100644 --- a/flake.lock +++ b/flake.lock @@ -7,17 +7,16 @@ ] }, "locked": { - "lastModified": 1736348751, + "lastModified": 1736521871, "narHash": "sha256-d34XNLg9NGPEOARHW+BIOAWalkHdEUAwsv3mpLZQxds=", "owner": "codex-storage", "repo": "circom-compat-ffi", - "rev": "afadf4d9a411ce0589f6b4c1858a9a5a4e7f4661", + "rev": "8cd4ed44fdafe59d4ec1184420639cae4c4dbab9", "type": "github" }, "original": { "owner": "codex-storage", "repo": "circom-compat-ffi", - "rev": "afadf4d9a411ce0589f6b4c1858a9a5a4e7f4661", "type": "github" } }, diff --git a/flake.nix b/flake.nix index b4fa8151..37d459a0 100644 --- a/flake.nix +++ b/flake.nix @@ -1,10 +1,10 @@ { - description = "Codex build flake"; - + description = "Nim Codex build flake"; + inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; circom-compat = { - url = "github:codex-storage/circom-compat-ffi/afadf4d9a411ce0589f6b4c1858a9a5a4e7f4661"; + url = "github:codex-storage/circom-compat-ffi"; inputs.nixpkgs.follows = "nixpkgs"; }; }; 
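Review bot: Dropping the revision from `circom-compat.url` in flake.nix leaves flake.lock as the only pin, so any later `nix flake update` moves the build to whatever is at the head of the circom-compat-ffi default branch without a visible change in flake.nix. If that float is intended, record it next to the input, for example `# rev intentionally not pinned here; flake.lock is the pin, review lock bumps like code`; otherwise keep the `/<rev>` suffix on the URL. In the flake.lock hunk, `rev` and `lastModified` change while `narHash` stays a context line. That is possible if both commits carry the same tree, but it can also mean the lock was edited by hand, so regenerating it with `nix flake lock` before merging would confirm the hash belongs to the new revision.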
@@ -20,27 +20,57 @@ in rec { packages = forAllSystems (system: let circomCompatPkg = circom-compat.packages.${system}.default; - buildTarget = pkgsFor.${system}.callPackage ./nix/default.nix { + buildTarget = pkgsFor.${system}.callPackage ./nix/default.nix rec { inherit stableSystems circomCompatPkg; - src = self; + src = pkgsFor.${system}.lib.traceValFn (v: "self.submodules: ${toString v.submodules}") self; }; build = targets: buildTarget.override { inherit targets; }; in rec { - codex = build ["all"]; - default = codex; + nim-codex = build ["all"]; + default = nim-codex; }); + nixosModules.nim-codex = { config, lib, pkgs, ... }: import ./nix/service.nix { + inherit config lib pkgs self; + circomCompatPkg = circom-compat.packages.${pkgs.system}.default; + }; + devShells = forAllSystems (system: let pkgs = pkgsFor.${system}; in { default = pkgs.mkShell { inputsFrom = [ - packages.${system}.codex + packages.${system}.nim-codex circom-compat.packages.${system}.default ]; # Not using buildInputs to override fakeGit and fakeCargo. nativeBuildInputs = with pkgs; [ git cargo nodejs_18 ]; }; }); + + checks = forAllSystems (system: let + pkgs = pkgsFor.${system}; + in { + nim-codex-test = pkgs.nixosTest { + name = "nim-codex-test"; + nodes = { + server = { config, pkgs, ... }: { + imports = [ self.nixosModules.nim-codex ]; + services.nim-codex.enable = true; + services.nim-codex.settings = { + data-dir = "/var/lib/nim-codex-test"; + }; + systemd.services.nim-codex.serviceConfig.StateDirectory = "nim-codex-test"; + }; + }; + testScript = '' + print("Starting test: nim-codex-test") + machine.start() + machine.wait_for_unit("nim-codex.service") + machine.succeed("test -d /var/lib/nim-codex-test") + machine.wait_until_succeeds("journalctl -u nim-codex.service | grep 'Started codex node'", 10) + ''; + }; + }); }; } \ No newline at end of file diff --git a/nix/README.md b/nix/README.md index ba663622..3b827e24 100644 --- a/nix/README.md +++ b/nix/README.md 
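Review bot: The new `src = pkgsFor.${system}.lib.traceValFn (v: "self.submodules: ${toString v.submodules}") self;` looks like debugging output left in, since it prints a trace on every evaluation of the package. It also reads `v.submodules` with no fallback, whereas the assert this commit adds in nix/default.nix uses `src.submodules or true`. Where `self` does not carry that attribute, evaluation would presumably fail while building the trace message, before the assert's clearer error is reached. Restoring `src = self;` avoids both problems, and the `rec` added to the argument set can be dropped with it because nothing in the set refers to a sibling attribute.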
@@ -11,7 +11,7 @@ nix develop To build a Codex you can use: ```sh -nix build '.?submodules=1#codex' +nix build '.?submodules=1#default' ``` The `?submodules=1` part should eventually not be necessary. For more details see: @@ -19,11 +19,17 @@ https://github.com/NixOS/nix/issues/4423 It can be also done without even cloning the repo: ```sh -nix build 'github:codex-storage/nim-codex?submodules=1' +nix build 'git+https://github.com/codex-storage/nim-codex?submodules=1#' ``` ## Running ```sh -nix run 'github:codex-storage/nim-codex?submodules=1' +nix run 'git+https://github.com/codex-storage/nim-codex?submodules=1#'' ``` + +## Testing + +```sh +nix flake check ".?submodules=1#" +``` \ No newline at end of file diff --git a/nix/default.nix b/nix/default.nix index 63970106..b4030095 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -17,18 +17,21 @@ ).packages.${builtins.currentSystem}.default }: +assert pkgs.lib.assertMsg ((src.submodules or true) == true) + "Unable to build without submodules. Append '?submodules=1#' to the URI."; + let inherit (pkgs) stdenv lib writeScriptBin callPackage; - + revision = lib.substring 0 8 (src.rev or "dirty"); tools = callPackage ./tools.nix {}; in pkgs.gcc11Stdenv.mkDerivation rec { - + pname = "codex"; version = "${tools.findKeyValue "version = \"([0-9]+\.[0-9]+\.[0-9]+)\"" ../codex.nimble}-${revision}"; - + inherit src; # Dependencies that should exist in the runtime environment. @@ -69,16 +72,16 @@ in pkgs.gcc11Stdenv.mkDerivation rec { configurePhase = '' patchShebangs . > /dev/null ''; - + installPhase = '' mkdir -p $out/bin cp build/codex $out/bin/ ''; meta = with pkgs.lib; { - description = "Codex storage system"; + description = "Nim Codex storage system"; homepage = "https://github.com/codex-storage/nim-codex"; license = licenses.mit; platforms = stableSystems; }; -} +} \ No newline at end of file diff --git a/nix/service.nix b/nix/service.nix new file mode 100644 index 00000000..c22a2166 --- /dev/null 
+++ b/nix/service.nix
@@ -0,0 +1,57 @@
+{ self, config, lib, pkgs, circomCompatPkg, ... }:
+
+let
+ inherit (lib)
+ types mkEnableOption mkOption mkIf literalExpression
+ mdDoc;
+
+ toml = pkgs.formats.toml { };
+
+ cfg = config.services.nim-codex;
+in
+{
+ options = {
+ services.nim-codex = {
+ enable = mkEnableOption "Nim Codex Node service.";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.callPackage ./default.nix { src = self; inherit circomCompatPkg; };
+ defaultText = literalExpression "pkgs.codex";
+ description = mdDoc "Package to use as Nim Codex node.";
+ };
+
+ settings = mkOption {
+ default = { };
+ type = toml.type;
+ description = ''Structured settings object that will be used to generate a TOML config file.'';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.etc = {
+ "nim-codex/config.toml".source = toml.generate "config.toml" cfg.settings;
+ };
+ systemd.services.nim-codex = {
+ description = "Nim Codex Node";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "network.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectSystem = "full";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ MemoryDenyWriteExecute = true;
+ ExecStart = "${cfg.package}/bin/codex --config-file=/etc/nim-codex/config.toml";
+ Restart = "on-failure";
+ };
+ restartIfChanged = true;
+ restartTriggers = [
+ "/etc/nim-codex/config.toml"
+ ];
+ };
+ };
+}
\ No newline at end of file
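Review bot: `restartTriggers = [ "/etc/nim-codex/config.toml" ]` is a constant string, and `ExecStart` also names the fixed /etc path, so changing `services.nim-codex.settings` rewrites the file but never alters the unit and never restarts the node. The trigger should be the generated store path instead. The unit sets `DynamicUser = true` but declares no `StateDirectory`, which is why the check in flake.nix has to add one itself. Declaring it in the module with `lib.mkDefault` gives the node a service-owned writable directory while still letting that check override it. systemd.exec documents `DynamicUser=` as implying `ProtectSystem=strict`, so the explicit `"full"` is at best redundant and reads as weaker than what is enforced. `settings` is rendered into the Nix store and /etc, both world-readable, so the option description should say that secrets must be referenced by file path and not placed inline.

```nix
let
  # … unchanged: inherit (lib), toml, cfg …
  configFile = toml.generate "config.toml" cfg.settings;
in
  # … unchanged: options …
    environment.etc."nim-codex/config.toml".source = configFile;
    systemd.services.nim-codex = {
      # … unchanged: description, wantedBy, requires …
      serviceConfig = {
        DynamicUser = true;
        # Writable state under /var/lib, owned by the dynamic user.
        StateDirectory = lib.mkDefault "nim-codex";
        # … unchanged: remaining sandboxing options, ExecStart, Restart …
      };
      # Store path changes whenever cfg.settings changes, which forces a restart.
      restartTriggers = [ configFile ];
    };
```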