
{
config,
pkgs,
tree,
...
}: let
# Handles into the rest of the configuration: the secret registry exposed under
# config.services.secrets and the shared port table in ../ports.nix.
inherit (config.services.secrets) secrets;
ports = import ../ports.nix {};

# Public hostname of the instance; reused for the Misskey URL and the nginx vhost.
misskeyDomain = "social.owo.monster";

# Node runtime plus the native build toolchain Misskey needs.
# NOTE(review): this list is put on the service PATH (systemd.services.misskey.path)
# and into the misskey user's home profile, so the account that serves the site
# also has a package manager and build tools available at runtime.
misskeyPackages = [
  pkgs.nodejs
  pkgs.nodePackages.node-gyp
  pkgs.nodePackages.pnpm
  pkgs.python3
  pkgs.pkg-config
  pkgs.glib
  pkgs.vips
  pkgs.stdenv
];
# Settings that are serialised to YAML and installed as /etc/misskey.yml.
misskeyConfig = {
  url = "https://${misskeyDomain}/";
  port = ports.misskey;
  id = "aid";

  # NOTE(review): db.pass is a fixed literal committed with this file, and the
  # rendered YAML goes through environment.etc, i.e. the world-readable Nix
  # store. Access control for the misskey role therefore rests entirely on
  # PostgreSQL being reachable only from this host. Prefer rendering the
  # credential from a managed secret (as is done for the rclone config), or
  # peer authentication over the local socket if Misskey supports it (confirm).
  db.host = "localhost";
  db.port = "5432";
  db.db = "misskey";
  db.user = "misskey";
  db.pass = "password";

  # Redis is addressed over loopback on the port reserved in ports.nix.
  redis.host = "127.0.0.1";
  redis.port = ports.misskey-redis;

  # Allows federation with gotosocial which requires AP Get to be signed
  signToActivityPubGet = true;
  clusterLimit = 4;
  outgoingAddressFamily = "dual";
};
in {
# Render misskeyConfig to /etc/misskey.yml. The text is stored in the Nix store,
# so every value in it (including db.pass) is readable by any local user.
environment.etc."misskey.yml".text = pkgs.lib.generators.toYAML {} misskeyConfig;

# Account that the misskey services in this file run as.
# NOTE(review): isNormalUser makes this a regular account (home directory,
# `users` group) rather than a system account. No password or SSH key is set
# here; whether it can log in interactively depends on configuration outside
# this file.
users.users.misskey = {
  createHome = true;
  isNormalUser = true;
};

# Home-manager profile for the same account: shared base/dev modules from
# `tree` plus the Misskey toolchain.
home-manager.users.misskey = {
  imports = [tree.home.base tree.home.dev.small];
  home = {
    stateVersion = "22.05";
    packages = misskeyPackages;
  };
};
# One-shot helper pulled in by misskey.service: once PostgreSQL is up it runs
# psql as the misskey OS user (presumably via peer authentication on the local
# socket) and (re)sets the misskey role's password.
# NOTE(review): the password is the same fixed literal as db.pass in
# misskeyConfig and is reapplied on every start, so changing it by hand in the
# database does not stick. Rotating it means changing both places, ideally by
# reading it from a managed secret instead of the unit script.
systemd.services.misskey-password = {
  wantedBy = ["misskey.service"];
  wants = ["postgresql.service"];
  after = ["postgresql.service"];
  serviceConfig = {
    Type = "oneshot";
    User = "misskey";
  };
  script = ''
    ${pkgs.postgresql}/bin/psql -c "ALTER USER misskey WITH PASSWORD 'password';"
  '';
};
# Main Misskey service: runs database migrations, then starts the server from
# the checkout in /home/misskey/misskey as the misskey user.
# NOTE(review): the code being executed lives in a directory writable by the
# same account that runs it, and the unit sets no sandboxing. Options such as
# NoNewPrivileges, PrivateTmp, ProtectSystem or RestrictAddressFamilies would
# narrow what a compromised Node process can reach; each needs to be validated
# against the application before enabling (the working directory is under /home).
systemd.services.misskey = {
  wantedBy = ["multi-user.target"];
  wants = ["postgresql.service" "redis-misskey.service"];
  # Ordered after the password helper so the role's password is set first.
  after = ["misskey-password.service"];
  path = [pkgs.bash pkgs.git] ++ misskeyPackages;
  environment = {
    NODE_ENV = "production";
  };
  serviceConfig = {
    User = "misskey";
    WorkingDirectory = "/home/misskey/misskey";
    ExecStartPre = "${pkgs.nodePackages.pnpm}/bin/pnpm migrate";
    ExecStart = "${pkgs.nodePackages.pnpm}/bin/pnpm start";
    #TimeoutSec = 60;
    #StandardOutput = "syslog";
    #StandardError = "syslog";
    #SyslogIdentifier = "misskey";
    #Restart = "always";
  };
};
# Public entry point: nginx terminates TLS (ACME certificate, HTTP redirected
# to HTTPS) and forwards everything, including websocket upgrades, to the
# Misskey backend on loopback.
# NOTE(review): misskeyConfig sets only the backend port, not a bind address.
# Confirm the backend port is not reachable from outside the host (firewall),
# otherwise clients could talk to it directly and skip the TLS front end.
services.nginx.virtualHosts.${misskeyDomain} = {
  enableACME = true;
  forceSSL = true;
  locations."/" = {
    proxyWebsockets = true;
    proxyPass = "http://127.0.0.1:${toString ports.misskey}";
  };
};
# Local PostgreSQL with a dedicated database and role for Misskey. The role is
# granted privileges on its own database only.
# NOTE(review): listen addresses and pg_hba rules are not set here, so the
# module defaults decide who can attempt a password login as misskey; keep
# that limited to this host while the role's password is a fixed literal.
# Newer NixOS releases replace ensurePermissions with ensureDBOwnership.
services.postgresql = {
  enable = true;
  ensureDatabases = ["misskey"];
  ensureUsers = [
    {
      name = "misskey";
      ensurePermissions = {
        "DATABASE misskey" = "ALL PRIVILEGES";
      };
    }
  ];
};
# Dedicated Redis instance for Misskey (unit redis-misskey.service) on the
# port reserved in ports.nix.
# NOTE(review): neither bind nor requirePass/requirePassFile is set, so the
# module defaults apply. Confirm the instance is loopback-only; without a
# password any local process that can reach the port can read and modify
# Misskey's Redis data.
services.redis.servers.misskey = {
  port = ports.misskey-redis;
  enable = true;
};
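environment.systemPackages = [
  pkgs.rclone
  # Convenience wrapper that runs rclone against the Misskey storage config.
  # The arguments are forwarded as "$@" so that paths or filters containing
  # spaces or glob characters reach rclone unchanged instead of being
  # re-split and expanded by the shell.
  # NOTE(review): the wrapper is on every user's PATH; it only works for
  # accounts that can read the secret file, so the secret's owner and mode
  # are the actual access control — confirm them where the secret is declared.
  (pkgs.writeShellScriptBin "rclone-misskey" ''
    ${pkgs.rclone}/bin/rclone --config ${secrets.misskey_storage_rclone_config.path} \
    "$@"
  '')
];

# Directories owned by misskey:users (mode left at the tmpfiles default) and a
# symlink that exposes the secret rclone config at rclone's default location,
# so jobs running as misskey need no --config flag. The link only points at
# the secret; it does not copy it or change its permissions.
systemd.tmpfiles.rules = [
  "d /home/misskey/misskey-files - misskey users"
  "d /home/misskey/.config - misskey users"
  "d /home/misskey/.config/rclone - misskey users"
  "L /home/misskey/.config/rclone/rclone.conf - - - - ${secrets.misskey_storage_rclone_config.path}"
];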
# Media backup job: packs /home/misskey/misskey-files into a tar archive,
# uploads it to the Storage-Media-Crypt remote from the rclone config, then
# deletes the local archive.
# NOTE(review): the remote's name suggests an rclone crypt remote — confirm in
# the rclone config that the upload is actually encrypted. The local
# Media.tar is plain and stays behind in /home/misskey if the upload step
# fails, until the next run overwrites it. `cvf` is verbose, so every media
# file name is written to the service output.
systemd.services.misskey-files-sync = {
  serviceConfig = {
    Type = "oneshot";
    User = "misskey";
  };
  script = let
    archiver = "${pkgs.libarchive}/bin/bsdtar";
    uploader = "${pkgs.rclone}/bin/rclone";
  in ''
    pushd /home/misskey
    pushd /home/misskey/misskey-files
    ${archiver} cvf ../Media.tar .
    popd
    ${uploader} copy Media.tar Storage-Media-Crypt:Media.tar
    rm Media.tar
    popd
  '';
};
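# Schedule for the media backup job: once shortly after boot, then every four
# hours.
systemd.timers.misskey-files-sync = {
  wantedBy = ["timers.target"];
  partOf = ["misskey-files-sync.service"];
  timerConfig = {
    # First run 60 seconds after boot.
    OnStartupSec = "60";
    # OnCalendar takes a calendar expression, not a time span: "4h" does not
    # parse, which leaves the timer with only the after-boot trigger and the
    # backup silently stops recurring. This fires at 00:00, 04:00, 08:00, ...
    OnCalendar = "*-*-* 0/4:00:00";
  };
};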
}