2022-12-04 13:45:43 +00:00
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
pkgs,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
with lib; let
|
2022-12-03 13:16:22 +00:00
|
|
|
cfg = config.services.piped;
|
|
|
|
|
|
2022-12-04 13:45:43 +00:00
|
|
|
backend_config =
|
|
|
|
|
{
|
|
|
|
|
PORT = cfg.internalBackendPort;
|
|
|
|
|
HTTP_WORKERS = cfg.httpWorkers;
|
|
|
|
|
PROXY_PART = "https://${cfg.proxyDomain}";
|
|
|
|
|
API_URL = "https://${cfg.backendDomain}";
|
|
|
|
|
FRONTEND_URL = "https://${cfg.frontendDomain}";
|
|
|
|
|
DISABLE_REGISTRATION = cfg.disableRegistrations;
|
|
|
|
|
COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
|
|
|
|
|
FEED_RETENTION = cfg.feedRetentionDays;
|
|
|
|
|
SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
|
|
|
|
|
SPONSORBLOCK_SERVERS = concatStringsSep "," cfg.sponsorblockServers;
|
|
|
|
|
DISABLE_RYD = cfg.disableRYD;
|
|
|
|
|
DISABLE_LBRY = cfg.disableLBRYStreams;
|
|
|
|
|
RYD_PROXY_URL = cfg.rydAPIURL;
|
|
|
|
|
SENTRY_DSN = cfg.sentryDSN;
|
|
|
|
|
"hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
|
|
|
|
|
"hibernate.connection.driver_class" = "org.postgresql.Driver";
|
|
|
|
|
"hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
|
|
|
|
|
"hibernate.connection.username" = "piped";
|
|
|
|
|
"hibernate.connection.password" = "password";
|
|
|
|
|
}
|
|
|
|
|
// (optionalAttrs cfg.enableCaptcha {
|
|
|
|
|
CAPTCHA_API_URL = cfg.captchaAPIURL;
|
|
|
|
|
# This is substituted in the PreStart of piped-backend.service
|
|
|
|
|
CAPTCHA_API_KEY =
|
|
|
|
|
if cfg.captchaAPIKeyFile != ""
|
|
|
|
|
then "CAPTCHA_API_KEY_FILE"
|
|
|
|
|
else cfg.captchaAPIKey;
|
|
|
|
|
})
|
|
|
|
|
// (optionalAttrs cfg.enableFederation {
|
|
|
|
|
MATRIX_SERVER = cfg.matrixServerAddr;
|
|
|
|
|
# also substituted
|
|
|
|
|
MATRIX_TOKEN =
|
|
|
|
|
if cfg.matrixTokenFile != ""
|
|
|
|
|
then "MATRIX_TOKEN_FILE"
|
|
|
|
|
else cfg.matrixToken;
|
|
|
|
|
});
|
2022-12-03 13:16:22 +00:00
|
|
|
|
2022-12-04 13:45:43 +00:00
|
|
|
cfgToString = v:
|
|
|
|
|
if builtins.isBool v
|
|
|
|
|
then boolToString v
|
|
|
|
|
else toString v;
|
|
|
|
|
backend_config_file =
|
|
|
|
|
pkgs.writeText "config.properties"
|
2022-12-03 13:16:22 +00:00
|
|
|
(concatStringsSep "\n"
|
|
|
|
|
(mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
|
|
|
|
|
in {
|
2022-12-03 15:01:58 +00:00
|
|
|
config = lib.mkIf (cfg.enable && !cfg.disableBackend) {
|
2022-12-04 13:45:43 +00:00
|
|
|
systemd.tmpfiles.rules = ["d /run/piped-backend - piped piped"];
|
2022-12-03 13:16:22 +00:00
|
|
|
|
|
|
|
|
systemd.services.piped-backend = {
|
2022-12-04 13:45:43 +00:00
|
|
|
wantedBy = ["multi-user.target"];
|
2022-12-03 13:16:22 +00:00
|
|
|
serviceConfig = {
|
|
|
|
|
WorkingDirectory = "/run/piped-backend";
|
2022-12-04 13:45:43 +00:00
|
|
|
ExecStartPre = let
|
|
|
|
|
confFile = "/run/piped-backend/config.properties";
|
2022-12-03 15:58:03 +00:00
|
|
|
in "${pkgs.writeShellScript "piped-backend-init" ''
|
|
|
|
|
[ -f "${confFile}" ] && rm ${confFile}
|
|
|
|
|
cp ${backend_config_file} ${confFile}
|
|
|
|
|
chmod 660 ${confFile}
|
2022-12-03 17:17:36 +00:00
|
|
|
${optionalString (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") ''
|
2022-12-03 15:58:03 +00:00
|
|
|
sed -i "s/CAPTCHA_API_KEY_FILE/$(cat cfg.captchaAPIKeyFile | sed "s#/#\\\/#")/" ${confFile}
|
2022-12-03 17:17:36 +00:00
|
|
|
''}
|
|
|
|
|
${optionalString
|
2022-12-04 13:45:43 +00:00
|
|
|
(cfg.enableFederation && cfg.matrixTokenFile != "") ''
|
|
|
|
|
sed -i "s/MATRIX_TOKEN_FILE/$(cat cfg.matrixTokenFile | sed "s#/#\\\/#")/" ${confFile}
|
|
|
|
|
''}
|
2022-12-03 13:16:22 +00:00
|
|
|
''}";
|
|
|
|
|
ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
|
2022-12-03 15:30:16 +00:00
|
|
|
|
|
|
|
|
RestartSec = "5s";
|
|
|
|
|
User = "piped";
|
|
|
|
|
|
|
|
|
|
CapabilityBoundingSet = "";
|
|
|
|
|
PrivateDevices = true;
|
|
|
|
|
PrivateUsers = true;
|
|
|
|
|
ProtectHome = true;
|
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
|
ProtectProc = "invisible";
|
2022-12-04 13:45:43 +00:00
|
|
|
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
|
2022-12-03 15:30:16 +00:00
|
|
|
RestrictNamespaces = true;
|
|
|
|
|
SystemCallArchitectures = "native";
|
2022-12-04 13:45:43 +00:00
|
|
|
SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
|
2022-12-03 13:16:22 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services.piped-password = {
|
|
|
|
|
serviceConfig.Type = "oneshot";
|
2022-12-04 13:45:43 +00:00
|
|
|
wantedBy = ["piped-backend.service"];
|
|
|
|
|
wants = ["postgresql.service"];
|
|
|
|
|
after = ["postgresql.service"];
|
2022-12-03 13:16:22 +00:00
|
|
|
script = ''
|
|
|
|
|
${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD 'password';"
|
|
|
|
|
'';
|
|
|
|
|
serviceConfig.User = "postgres";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.postgresql = {
|
|
|
|
|
enable = true;
|
2022-12-04 13:45:43 +00:00
|
|
|
ensureUsers = [
|
|
|
|
|
{
|
|
|
|
|
name = "piped";
|
|
|
|
|
ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
ensureDatabases = ["piped"];
|
2022-12-03 13:16:22 +00:00
|
|
|
};
|
|
|
|
|
|
2022-12-03 14:45:31 +00:00
|
|
|
services.nginx.virtualHosts."${cfg.backendDomain}" = {
|
2022-12-03 13:16:22 +00:00
|
|
|
forceSSL = true;
|
|
|
|
|
enableACME = true;
|
|
|
|
|
locations."/" = {
|
2022-12-03 15:30:16 +00:00
|
|
|
proxyPass = "http://127.0.0.1:${toString cfg.internalBackendPort}";
|
2022-12-03 13:16:22 +00:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
