Add jupyter

This commit is contained in:
Felix Albrigtsen 2023-09-18 13:59:48 +02:00 committed by Felix Albrigtsen
parent 398c1ba29e
commit 3394242bcc
3 changed files with 109 additions and 3 deletions

View File

@ -26,7 +26,8 @@
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/calibre.nix ./services/calibre.nix
./services/fancontrol.nix ./services/fancontrol.nix
./services/searx.nix ./services/jupyter.nix
# ./services/searx.nix
# ./services/code-server.nix # ./services/code-server.nix
]; ];

View File

@ -0,0 +1,103 @@
{ config, pkgs, lib, ... }: let
cfg = config.services.jupyter;
in {
sops.secrets."jupyter/password" = {
restartUnits = [ "jupyter.service" ];
owner = cfg.user;
group = cfg.group;
};
users.users."jupyter".group = "jupyter";
users.groups."jupyter".members = [ "nginx" ];
services.jupyter = {
enable = true;
group = "jupyter";
password = let
readFile = f: "open('${f}', 'r', encoding='utf8').read().strip()";
in
readFile config.sops.secrets."jupyter/password".path;
kernels = {
pythonDS = let
env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
numpy
matplotlib
scipy
ipykernel
]));
in {
displayName = "Python for data science";
argv = [
"${env.interpreter}"
"-m"
"ipykernel_launcher"
"-f"
"{connection_file}"
];
language = "python";
logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
};
};
};
systemd.services.jupyter = let
notebookConfig = pkgs.writeText "jupyter_config.py" ''
c.NotebookApp.notebook_dir = 'notebooks'
c.NotebookApp.open_browser = False
c.NotebookApp.password = ${cfg.password}
c.NotebookApp.password_required = True
c.NotebookApp.sock = '/run/jupyter/jupyter.sock'
c.NotebookApp.sock_mode = '0660'
c.NotebookApp.local_hostnames = ['jupyter.feal.no']
c.ConnectionFileMixin.transport = 'ipc'
${cfg.notebookConfig}
'';
in {
environment = {
JUPYTER_DATA_DIR = "$STATE_DIRECTORY/data";
JUPYTER_RUNTIME_DIR = "$RUNTIME_DIRECTORY";
};
serviceConfig = {
RuntimeDirectory = "jupyter";
StateDirectory = "jupyter";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
SystemCallArchitectures = "native";
ExecStartPre = ''
${pkgs.coreutils}/bin/mkdir -p /var/lib/jupyter/{notebooks,data}
'';
ExecStart = lib.mkForce ''
${cfg.package}/bin/${cfg.command} --NotebookApp.config_file=${notebookConfig}
'';
};
};
services.nginx.virtualHosts."jupyter.feal.no" = {
locations."/".proxyPass = "http://unix:/run/jupyter/jupyter.sock:/";
};
}

View File

@ -23,6 +23,8 @@ wireguard:
private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str] private: ENC[AES256_GCM,data:XF89i1/TF5CpOvixwFDNOpke0YdWQDAMbvf/jOGR7iHKzz4OJu7K33lQbObT,iv:tVGdkkUU83Ba7VxHa7AJaIHFETp2Dy72dya3FDjnPZY=,tag:h9IJVeGnK7gABbu9hWZpww==,type:str]
vaultwarden: vaultwarden:
admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str] admintoken: ENC[AES256_GCM,data:mJDiu0tgJQmvmJcJMULmctJvPN6/uM9VaoigHOMFkve9Vd3IMrpDmyJq+ibLpul+hw4PlLARjRzOxdZVcX7AB+uOOOrypppOIfvYC6U=,iv:YcyYLEHeIsCchcEy+fOMiQi8Cgf24AwQDpL7fhogNEU=,tag:1SqpNvuPhfjYIjvvRV34/Q==,type:str]
jupyter:
password: ENC[AES256_GCM,data:eTcjhRphz+2+QAPIPh/H4Dy3SK5bhUVTMkg=,iv:I+fdFG/zNqCj5Wl2H+qJb/eIfjrWmu2fUsxITBMM2N8=,tag:Vim/Fepf/Q67hjUJlXIkbg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -56,8 +58,8 @@ sops:
NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw== 4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-22T15:28:28Z" lastmodified: "2023-09-18T11:59:23Z"
mac: ENC[AES256_GCM,data:Fj4acVrxZJjJTXQAFedzdra3L3rupGbP4SnymkN/vd9dFm0iFNUXF1ZybQGtLFsEBtKZqlNxUMcyGz3/jbWfTDEoItITc+rjHFoWpTDyT81aGGSQFr/NYyGI421stn9x4uZgh2SZZAepYDWb7gLLhw24kvFW3XMV08m6XatUn9I=,iv:g7uQE40u6q373X4hiL8HPlm3rLRU/o1NTrSYcSQVgao=,tag:M0ul7bVOdwZKT4BrhcbEFw==,type:str] mac: ENC[AES256_GCM,data:dTejNchI4iKODArCaotXwVkLmjm+mt0u9KOajj1MBAUQ31p+0r5v3smrOO6ZdlCn4t+F8C8F//pnTw/zr8TSRYFbwMaJtDpPn5Dl/ZNuHmWgEM1JN/1obA6kfGaj5LVM01DhfzD5MGU9s3gSA9SjdRB4I1iT33nuO6xGIXgESn8=,iv:8isU2ZBSKqsmSZMRgebuP17o/tWSiq+nSmN5QyAAwPM=,tag:GVwlBmvvo5s7y3CIvyGi4Q==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3