{ config, lib, pkgs, ... }: with lib; let cfg = config.services.piped; backend_config = { PORT = cfg.internalBackendPort; HTTP_WORKERS = cfg.httpWorkers; PROXY_PART = "https://${cfg.proxyDomain}"; API_URL = "https://${cfg.backendDomain}"; FRONTEND_URL = "https://${cfg.frontendDomain}"; DISABLE_REGISTRATION = cfg.disableRegistrations; COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck; FEED_RETENTION = cfg.feedRetentionDays; SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays; SPONSORBLOCK_SERVERS = concatStringsSep "," cfg.sponsorblockServers; DISABLE_RYD = cfg.disableRYD; DISABLE_LBRY = cfg.disableLBRYStreams; RYD_PROXY_URL = cfg.rydAPIURL; SENTRY_DSN = cfg.sentryDSN; "hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped"; "hibernate.connection.driver_class" = "org.postgresql.Driver"; "hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect"; "hibernate.connection.username" = "piped"; "hibernate.connection.password" = "password"; } // (optionalAttrs cfg.enableCaptcha { CAPTCHA_API_URL = cfg.captchaAPIURL; # This is substituted in the PreStart of piped-backend.service CAPTCHA_API_KEY = if cfg.captchaAPIKeyFile != "" then "CAPTCHA_API_KEY_FILE" else cfg.captchaAPIKey; }) // (optionalAttrs cfg.enableFederation { MATRIX_SERVER = cfg.matrixServerAddr; # also substituted MATRIX_TOKEN = if cfg.matrixTokenFile != "" then "MATRIX_TOKEN_FILE" else cfg.matrixToken; }); cfgToString = v: if builtins.isBool v then boolToString v else toString v; backend_config_file = pkgs.writeText "config.properties" (concatStringsSep "\n" (mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config)); in { config = lib.mkIf (cfg.enable && !cfg.disableBackend) { systemd.tmpfiles.rules = ["d /run/piped-backend - piped piped"]; systemd.services.piped-backend = { wantedBy = ["multi-user.target"]; serviceConfig = { WorkingDirectory = "/run/piped-backend"; ExecStartPre = let confFile = "/run/piped-backend/config.properties"; in "${pkgs.writeShellScript "piped-backend-init" '' [ -f "${confFile}" ] && rm ${confFile} cp ${backend_config_file} ${confFile} chmod 660 ${confFile} ${optionalString (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") '' sed -i "s/CAPTCHA_API_KEY_FILE/$(cat cfg.captchaAPIKeyFile | sed "s#/#\\\/#")/" ${confFile} ''} ${optionalString (cfg.enableFederation && cfg.matrixTokenFile != "") '' sed -i "s/MATRIX_TOKEN_FILE/$(cat cfg.matrixTokenFile | sed "s#/#\\\/#")/" ${confFile} ''} ''}"; ExecStart = "${pkgs.piped-backend}/bin/piped-backend"; RestartSec = "5s"; User = "piped"; CapabilityBoundingSet = ""; PrivateDevices = true; PrivateUsers = true; ProtectHome = true; ProtectKernelLogs = true; ProtectProc = "invisible"; RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"]; RestrictNamespaces = true; SystemCallArchitectures = "native"; SystemCallFilter = ["@system-service" "~@privileged" "~@resources"]; }; }; systemd.services.piped-password = { serviceConfig.Type = "oneshot"; wantedBy = ["piped-backend.service"]; wants = ["postgresql.service"]; after = ["postgresql.service"]; script = '' ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD 'password';" ''; serviceConfig.User = "postgres"; }; services.postgresql = { enable = true; ensureUsers = [ { name = "piped"; ensurePermissions."DATABASE piped" = "ALL PRIVILEGES"; } ]; ensureDatabases = ["piped"]; }; services.nginx.virtualHosts."${cfg.backendDomain}" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.internalBackendPort}"; }; }; }; }