chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity
nixfiles/hosts/hetzner-vm/modules/piped/backend.nix

119 lines
4.1 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.piped;
backend_config = {
PORT = cfg.internalBackendPort;
HTTP_WORKERS = cfg.httpWorkers;
PROXY_PART = "https://${cfg.proxyDomain}";
API_URL = "https://${cfg.backendDomain}";
FRONTEND_URL = "https://${cfg.frontendDomain}";
DISABLE_REGISTRATION = cfg.disableRegistrations;
COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
FEED_RETENTION = cfg.feedRetentionDays;
SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
SPONSORBLOCK_SERVERS = lib.concatStringsSep "," cfg.sponsorblockServers;
DISABLE_RYD = cfg.disableRYD;
DISABLE_LBRY = cfg.disableLBRYStreams;
RYD_PROXY_URL = cfg.rydAPIURL;
SENTRY_DSN = cfg.sentryDSN;
"hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
"hibernate.connection.driver_class" = "org.postgresql.Driver";
"hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
"hibernate.connection.username" = "piped";
"hibernate.connection.password" = "password";
} // (if cfg.enableCaptcha then {
CAPTCHA_API_URL = cfg.captchaAPIURL;
# This is substituted in the PreStart of piped-backend.service
CAPTCHA_API_KEY = if cfg.captchaAPIKeyFile != "" then
"CAPTCHA_API_KEY_FILE"
else
cfg.captchaAPIKey;
} else
{ }) // (if cfg.enableFederation then {
MATRIX_SERVER = cfg.matrixServerAddr;
# also substituted
MATRIX_TOKEN = if cfg.matrixTokenFile != "" then
"MATRIX_TOKEN_FILE"
else
cfg.matrixToken;
} else
{ });
cfgToString = v: if builtins.isBool v then boolToString v else toString v;
backend_config_file = pkgs.writeText "config.properties"
(concatStringsSep "\n"
(mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
in {
config = lib.mkIf (cfg.enable && !cfg.disableBackend) {
systemd.tmpfiles.rules = [ "d /run/piped-backend - piped piped" ];
systemd.services.piped-backend = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
WorkingDirectory = "/run/piped-backend";
ExecStartPre = let
confFile = "/run/piped-backend/config.properties";
in "${pkgs.writeShellScript "piped-backend-init" ''
[ -f "${confFile}" ] && rm ${confFile}
cp ${backend_config_file} ${confFile}
chmod 660 ${confFile}
${if (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") then ''
sed -i "s/CAPTCHA_API_KEY_FILE/$(cat cfg.captchaAPIKeyFile | sed "s#/#\\\/#")/" ${confFile}
'' else
""}
${if (cfg.enableFederation && cfg.matrixTokenFile != "") then ''
sed -i "s/MATRIX_TOKEN_FILE/$(cat cfg.matrixTokenFile | sed "s#/#\\\/#")/" ${confFile}
'' else
""}
''}";
ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
RestartSec = "5s";
User = "piped";
CapabilityBoundingSet = "";
PrivateDevices = true;
PrivateUsers = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
};
};
systemd.services.piped-password = {
serviceConfig.Type = "oneshot";
wantedBy = [ "piped-backend.service" ];
wants = [ "postgresql.service" ];
after = [ "postgresql.service" ];
script = ''
${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD 'password';"
'';
serviceConfig.User = "postgres";
};
services.postgresql = {
enable = true;
ensureUsers = [{
name = "piped";
ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
}];
ensureDatabases = [ "piped" ];
};
services.nginx.virtualHosts."${cfg.backendDomain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.internalBackendPort}";
};
};
};
}
Reference in a new issue View git blame Copy permalink