archive replay: add HLS DVR serve path and web mode

2026-02-24 03:19:56 -08:00 · 2026-02-24 03:19:56 -08:00 · b35de70789
commit b35de70789
parent 656ec11c73
9 changed files with 904 additions and 26 deletions
--- a/nix/modules/ec-node.nix
+++ b/nix/modules/ec-node.nix
@ -244,6 +244,20 @@ in
        default = false;
        description = "Danger: disable TLS verification for relay archive subscribers.";
      };
+
+      serve = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = false;
+          description = "Run `ec-node wt-archive-serve` HTTP endpoints for archived replay/scrubbing.";
+        };
+
+        listen = lib.mkOption {
+          type = lib.types.str;
+          default = "0.0.0.0:7788";
+          description = "Listen address passed to `ec-node wt-archive-serve --listen`.";
+        };
+      };
    };

    broadcasts = lib.mkOption {
@ -771,6 +785,62 @@ in
              ];
            };

+            environment = cfg.environment;
+          };
+        })
+      // lib.optionalAttrs (cfg.archive.enable && cfg.archive.serve.enable)
+        (let
+          archiveServeUnit = "every-channel-wt-archive-serve";
+          archiveServeRunner = pkgs.writeShellApplication {
+            name = archiveServeUnit;
+            runtimeInputs = [
+              cfg.package
+            ];
+            text = ''
+              set -euo pipefail
+              exec ${lib.escapeShellArg "${cfg.package}/bin/ec-node"} \
+                wt-archive-serve \
+                --output-dir ${lib.escapeShellArg cfg.archive.outputDir} \
+                --manifest-dir ${lib.escapeShellArg cfg.archive.manifestDir} \
+                --listen ${lib.escapeShellArg cfg.archive.serve.listen}
+            '';
+          };
+        in
+        {
+          "${archiveServeUnit}" = {
+            description = "every.channel archived replay HTTP server";
+            wantedBy = [ "multi-user.target" ];
+            after = [ "network-online.target" ];
+            wants = [ "network-online.target" ];
+
+            unitConfig = {
+              StartLimitIntervalSec = 0;
+            };
+
+            serviceConfig = {
+              Type = "simple";
+              ExecStart = "${archiveServeRunner}/bin/${archiveServeUnit}";
+              Restart = "always";
+              RestartSec = 2;
+
+              NoNewPrivileges = true;
+              PrivateTmp = true;
+              ProtectSystem = "strict";
+              ProtectHome = true;
+              ProtectKernelTunables = true;
+              ProtectKernelModules = true;
+              ProtectControlGroups = true;
+              LockPersonality = true;
+              MemoryDenyWriteExecute = true;
+              RestrictSUIDSGID = true;
+              RestrictRealtime = true;
+              SystemCallArchitectures = "native";
+              ReadWritePaths = [
+                cfg.archive.outputDir
+                cfg.archive.manifestDir
+              ];
+            };
+
            environment = cfg.environment;
          };
        });