118 lines
4.1 KiB
Nix
118 lines
4.1 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
with lib;
|
|
let
|
|
cfg = config.services.piped;
|
|
|
|
backend_config = {
|
|
PORT = cfg.internalBackendPort;
|
|
HTTP_WORKERS = cfg.httpWorkers;
|
|
PROXY_PART = "https://${cfg.proxyDomain}";
|
|
API_URL = "https://${cfg.backendDomain}";
|
|
FRONTEND_URL = "https://${cfg.frontendDomain}";
|
|
DISABLE_REGISTRATION = cfg.disableRegistrations;
|
|
COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
|
|
FEED_RETENTION = cfg.feedRetentionDays;
|
|
SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
|
|
SPONSORBLOCK_SERVERS = lib.concatStringsSep "," cfg.sponsorblockServers;
|
|
DISABLE_RYD = cfg.disableRYD;
|
|
DISABLE_LBRY = cfg.disableLBRYStreams;
|
|
RYD_PROXY_URL = cfg.rydAPIURL;
|
|
SENTRY_DSN = cfg.sentryDSN;
|
|
"hibernate.connection.url" = "jdbc:postgresql://localhost:5432/piped";
|
|
"hibernate.connection.driver_class" = "org.postgresql.Driver";
|
|
"hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
|
|
"hibernate.connection.username" = "piped";
|
|
"hibernate.connection.password" = "password";
|
|
} // (if cfg.enableCaptcha then {
|
|
CAPTCHA_API_URL = cfg.captchaAPIURL;
|
|
# This is substituted in the PreStart of piped-backend.service
|
|
CAPTCHA_API_KEY = if cfg.captchaAPIKeyFile != "" then
|
|
"CAPTCHA_API_KEY_FILE"
|
|
else
|
|
cfg.captchaAPIKey;
|
|
} else
|
|
{ }) // (if cfg.enableFederation then {
|
|
MATRIX_SERVER = cfg.matrixServerAddr;
|
|
# also substituted
|
|
MATRIX_TOKEN = if cfg.matrixTokenFile != "" then
|
|
"MATRIX_TOKEN_FILE"
|
|
else
|
|
cfg.matrixToken;
|
|
} else
|
|
{ });
|
|
|
|
cfgToString = v: if builtins.isBool v then boolToString v else toString v;
|
|
backend_config_file = pkgs.writeText "config.properties"
|
|
(concatStringsSep "\n"
|
|
(mapAttrsToList (n: v: "${n}:${cfgToString v}") backend_config));
|
|
|
|
in {
|
|
config = lib.mkIf (cfg.enable && !cfg.disableBackend) {
|
|
systemd.tmpfiles.rules = [ "d /run/piped-backend - piped piped" ];
|
|
|
|
systemd.services.piped-backend = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
serviceConfig = {
|
|
WorkingDirectory = "/run/piped-backend";
|
|
ExecStartPre = let confFile = "/run/piped-backend/config.properties";
|
|
in "${pkgs.writeShellScript "piped-backend-init" ''
|
|
[ -f "${confFile}" ] && rm ${confFile}
|
|
cp ${backend_config_file} ${confFile}
|
|
chmod 660 ${confFile}
|
|
${if (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") then ''
|
|
sed -i "s/CAPTCHA_API_KEY_FILE/$(cat cfg.captchaAPIKeyFile | sed "s#/#\\\/#")/" ${confFile}
|
|
'' else
|
|
""}
|
|
${if (cfg.enableFederation && cfg.matrixTokenFile != "") then ''
|
|
sed -i "s/MATRIX_TOKEN_FILE/$(cat cfg.matrixTokenFile | sed "s#/#\\\/#")/" ${confFile}
|
|
'' else
|
|
""}
|
|
''}";
|
|
ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
|
|
|
|
RestartSec = "5s";
|
|
User = "piped";
|
|
|
|
CapabilityBoundingSet = "";
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
ProtectHome = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectProc = "invisible";
|
|
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
|
RestrictNamespaces = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
|
|
};
|
|
};
|
|
|
|
systemd.services.piped-password = {
|
|
serviceConfig.Type = "oneshot";
|
|
wantedBy = [ "piped-backend.service" ];
|
|
wants = [ "postgresql.service" ];
|
|
after = [ "postgresql.service" ];
|
|
script = ''
|
|
${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD 'password';"
|
|
'';
|
|
serviceConfig.User = "postgres";
|
|
};
|
|
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureUsers = [{
|
|
name = "piped";
|
|
ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
|
|
}];
|
|
ensureDatabases = [ "piped" ];
|
|
};
|
|
|
|
services.nginx.virtualHosts."${cfg.backendDomain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString cfg.internalBackendPort}";
|
|
};
|
|
};
|
|
};
|
|
}
|