nixfiles/hosts/hetzner-vm/modules/piped/backend.nix


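# NixOS module fragment for the Piped backend: renders config.properties,
# runs the backend under systemd, provisions a local PostgreSQL role and
# database, and publishes the API through an nginx TLS virtual host.
{ config, lib, pkgs, ... }:
with lib;
let
  cfg = config.services.piped;

  # NOTE(review): hard-coded database credential. It is interpolated into
  # config.properties (built with pkgs.writeText) and into the piped-password
  # script, both of which live in the world-readable Nix store, and it is
  # passed to psql on the command line. Replace it with a secret read at
  # runtime from a file outside the store (e.g. provisioned by sops-nix or
  # agenix) before treating it as an access control. If the value ever
  # contains a single quote, the ALTER USER statement below must escape it.
  db_password = "password";

  # Key/value pairs written verbatim into the backend's config.properties.
  backend_config = {
    PORT = cfg.backend_port;
    HTTP_WORKERS = 2;
    PROXY_PART = "https://${cfg.proxy_domain}"; # TODO: fix
    API_URL = "https://${cfg.backend_domain}";
    FRONTEND_URL = "https://${cfg.frontend_domain}";
    # NOTE(review): registration is left open and the compromised-password
    # check is off; confirm both are intended for an internet-facing instance.
    DISABLE_REGISTRATION = false;
    COMPROMISED_PASSWORD_CHECK = false;
    FEED_RETENTION = 30;
    "hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
    "hibernate.connection.driver_class" = "org.postgresql.Driver";
    "hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
    "hibernate.connection.username" = "piped";
    "hibernate.connection.password" = db_password;
  };

  # Booleans become "true"/"false"; everything else goes through toString.
  cfgToString = v: if builtins.isBool v then boolToString v else toString v;

  # One "key:value" line per attribute. The result is a store path, so every
  # value in backend_config (including the DB password) is readable by any
  # local user.
  backend_config_file = pkgs.writeText "config.properties"
    (concatStringsSep "\n"
      (mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
in {
  config = lib.mkIf cfg.enable {
    # Working directory for the backend; recreated on boot because /run is
    # volatile.
    systemd.tmpfiles.rules = [ "d /run/piped-backend - root root" ];

    # NOTE(review): no User= is set, so systemd runs the backend (a
    # network-facing service) as root, and the directory above is root:root.
    # Consider a dedicated unprivileged user (User= or DynamicUser= together
    # with RuntimeDirectory=) plus systemd sandboxing options.
    systemd.services.piped-backend = {
      wantedBy = [ "multi-user.target" ];
      # Start only after PostgreSQL is up and the role password has been set.
      # piped-password is pulled in via its wantedBy, but without an explicit
      # ordering the two units would start in parallel.
      wants = [ "postgresql.service" ];
      after = [ "postgresql.service" "piped-password.service" ];
      serviceConfig = {
        WorkingDirectory = "/run/piped-backend";
        # Copy the rendered config next to the working directory before
        # launch.
        ExecStartPre = "${pkgs.writeShellScript "piped-backend-init" ''
          cp ${backend_config_file} /run/piped-backend/config.properties
        ''}";
        ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
      };
    };

    # Oneshot that sets the "piped" role's password so the JDBC login in
    # config.properties works. Runs as the postgres superuser account.
    systemd.services.piped-password = {
      serviceConfig.Type = "oneshot";
      wantedBy = [ "piped-backend.service" ];
      wants = [ "postgresql.service" ];
      after = [ "postgresql.service" ];
      # NOTE(review): the password appears in the generated script (Nix
      # store) and in psql's argument list; see db_password above.
      script = ''
        ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD '${db_password}';"
      '';
      serviceConfig.User = "postgres";
    };

    # Local PostgreSQL instance with a "piped" role and database.
    services.postgresql = {
      enable = true;
      ensureUsers = [{
        name = "piped";
        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
      }];
      ensureDatabases = [ "piped" ];
    };

    # TLS-terminating reverse proxy in front of the backend's loopback port.
    # NOTE(review): confirm the backend binds to loopback only, or that the
    # firewall blocks cfg.backend_port; otherwise the port is reachable
    # without TLS and without nginx in the path.
    services.nginx.virtualHosts."${cfg.backend_domain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.backend_port}";
      };
    };
  };
}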