nixos/languagetool-http: added services.languageToolHttp option #84115
Conversation
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
| "${pkgs.languagetool}/bin/languagetool-http-server ${cli.toGNUCommandLineShell {} cfg.args}"; | ||
| }; | ||
| }; | ||
| } |
There was a problem hiding this comment.
Missing final new line.
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
stale
bot
removed
the
2.status: stale
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
|
Please rebase this PR on master. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
|
Any progress on this? |
It works and I'm using it on my system |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
| allowBrowserPluginAccess = mkEnableOption "access from the browser plugin"; | ||
| settings = mkOption { | ||
| description = '' | ||
| Contents of the configuration file. |
There was a problem hiding this comment.
Please link to specification. After a very quick look at the github project I didn't see anything about it.
| in | ||
| { | ||
| options.services.languageToolHttp = { | ||
| enable = mkEnableOption "the LanguagTool http server"; |
There was a problem hiding this comment.
It seems relevant to include this in the description here.
There was a problem hiding this comment.
| enable = mkEnableOption "the LanguagTool http server"; | |
| enable = mkEnableOption "the LanguageTool http server"; |
| config = mkIf cfg.enable { | ||
| services.languageToolHttp.args = { | ||
| allow-origin = mkIf cfg.allowBrowserPluginAccess (mkDefault "*"); | ||
| config = builtins.toString (format.generate "LanguageTool.cfg" cfg.settings); |
There was a problem hiding this comment.
toString shouldn't be needed: adjust args to take a path as well. Maybe?
|
I have hardened the service |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/1049 |
|
ok removed the confinement |
| in | ||
| { | ||
| options.services.languageToolHttp = { | ||
| enable = mkEnableOption "the LanguagTool http server"; |
There was a problem hiding this comment.
| enable = mkEnableOption "the LanguagTool http server"; | |
| enable = mkEnableOption "the LanguageTool http server"; |
| PrivateTmp = true; | ||
| NoNewPrivileges = true; | ||
| PrivateDevices = true; | ||
| PrivateMounts = true; |
There was a problem hiding this comment.
Due to the hardening, it is not possible to just put a path into settings for e.g. pre-downloaded languageModel.
A solution should be to add a StateDirectory or to use DynamicUser (i.e. a less confined environment) to have a place for/access to these models.
ReadOnlyPaths didn't work for me with this config (Resulting in a directory not found):
services.languageToolHttp = {
enable = true;
args = {
port = 8081;
};
settings = {
fasttextBinary = "${pkgs.fasttext}/bin/fasttext";
fasttextModel = "/var/lib/languagetool/lid.176.bin";
# Approx. 10GB.
# Data from:
# https://languagetool.org/download/ngram-data/
languageModel = "/var/lib/languagetool/languageModel";
# Download all data here! Otherwise, it fails to start
# Data from:
# https://languagetool.org/download/word2vec/
word2vecModel = "/var/lib/languagetool/word2vec";
pipelinePrewarming = true;
prometheusMonitoring = true;
prometheusPort = 9301;
};
};
systemd.services.languagetool-http.serviceConfig = {
ReadOnlyPaths = [
"/var/lib/languagetool/"
];
};There was a problem hiding this comment.
I would ask you, as I do not use that functionality, what would be a good interface.
In the interim, have you tried BindReadOnlyPaths=?
There was a problem hiding this comment.
BindReadOnlyPaths= did not work for me, with the same result:
Exception in thread "main" java.lang.RuntimeException: LanguageModel directory not found or is not a directory: "/var/lib/languagetool/languageModel"
But I now noticed the problem: TOML is the wrong format, the configuration is actually a Java properties file, similar to what minecraft server.properties does. Comparing the outputs configurations, the main difference is the absence of quotations. So obviously, the path "/var/lib/... will not exist, because it tries to open the (relative) directory ./"/var/lib/....
With this change in mind, BindReadOnlyPaths works - actually, no additional configuration is needed at all with the current state of this PR, i.e. with DynamicUser=true.
| RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; | ||
| }; | ||
| }; | ||
| users.users.langtool = { |
There was a problem hiding this comment.
Personal preference, but I'd rather call the user languagetool. It's not harmful to use the longer name (it's automated, after all) and it's clearer for what the user/group is intended, as lang is (at least for me) a common abbreviation for language - thus I don't associate the name langtool with languagetool.
Again - just my personal preference.
| ''; | ||
| settings = mkOption { | ||
| description = '' | ||
| Contents of the configuration file. ${confDoc} |
There was a problem hiding this comment.
| Contents of the configuration file. ${confDoc} | |
| Content of the configuration file. ${confDoc} |
| allow-origin = mkIf cfg.allowBrowserPluginAccess (mkDefault "*"); | ||
| config = format.generate "LanguageTool.cfg" cfg.settings; | ||
| public = mkIf cfg.public ""; |
There was a problem hiding this comment.
Note that the documentation says the following:
--allow-origin [ORIGIN] set the Access-Control-Allow-Origin header in the HTTP response,
used for direct (non-proxy) JavaScript-based access from browsers.
Example: --allow-origin "https://my-website.org"
Don't set a parameter for `*`, i.e. access from all websites.
But also note that using mkDefault "" will cause Allow-Origin to be empty.
toGNUCommandLineShell should translate bools to flags:
nix-repl> lib.cli.toGNUCommandLineShell {} {foo = true;}
"'--foo'"
but I wasn't able to make it work here.
| with lib; | ||
| let | ||
| cfg = config.services.languageToolHttp; | ||
| format = pkgs.formats.toml { }; |
There was a problem hiding this comment.
Note that the config file is not TOML, but
a Java property file (one key=value entry per line)
(According to languagetool-http-server --help). This explains the problem with paths in the config, as described below.
|
#187147 got merged, so I don't know whether this needs to stay open. |
You're right, that is a better pr |
Motivation for this change
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)