piped-flake/module/backend.nix

{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib.modules) mkIf mkDefault;
  inherit (lib.trivial) boolToString;
  inherit (lib.attrsets) mapAttrsToList optionalAttrs;
  inherit (lib.strings) optionalString concatStringsSep;
  inherit (pkgs) writeText;

  cfg = config.services.piped;
  backendConfig = cfg.backend;
  nginxConfig = backendConfig.nginx;
  databaseConfig = backendConfig.database;

  proxyConfig = cfg.proxy;
  frontendConfig = cfg.frontend;

  backendSettings = backendConfig.settings;

  sedEscapeSlashes = "sed 's#/#\\\/#'";

  backendConfigAttrs =
    {
      PORT = backendConfig.internalPort;
      PROXY_PART = "https://${proxyConfig.domain}";
      API_URL = "https://${backendConfig.domain}";
      FRONTEND_URL = "https://${frontendConfig.domain}";

      DISABLE_REGISTRATION = backendSettings.disableRegistrations;

      FEED_RETENTION = backendSettings.feedRetentionDays;
      SUBSCRIPTIONS_EXPIRY = backendSettings.subscriptionRetentionDays;
      HTTP_WORKERS = backendSettings.httpWorkers;

      SPONSORBLOCK_SERVERS = concatStringsSep "," backendSettings.sponsorblockServers;
      DISABLE_LBRY = backendSettings.disableLBRYStreams;
      COMPROMISED_PASSWORD_CHECK = backendSettings.enableCompromisedPasswordCheck;

      DISABLE_RYD = backendConfig.ryd.disable;
      RYD_PROXY_URL = backendConfig.ryd.apiURL;

      SENTRY_DSN = backendSettings.sentryDSN;

      "hibernate.connection.url" = let
        inherit (databaseConfig) host port name databaseOptions;
      in "jdbc:postgresql://${host}:${toString port}/${name}${databaseOptions}";
      "hibernate.connection.driver_class" = databaseConfig.driverClass;
      "hibernate.dialect" = databaseConfig.dialect;
      "hibernate.connection.username" = "${databaseConfig.username}";
    }
    // (optionalAttrs databaseConfig.usePassword {
      "hibernate.connection.password" =
        if databaseConfig.passwordFile == null
        then databaseConfig.password
        else "DATABASE_PASSWORD_PLACEHOLDER";
    })
    // (optionalAttrs backendConfig.captcha.enable {
      CAPTCHA_API_URL = backendConfig.captcha.apiURL;
      # This is substituted in the PreStart of piped-backend.service
      CAPTCHA_API_KEY =
        if backendConfig.captcha.apiKeyFile != null
        then "CAPTCHA_API_KEY_FILE_PLACEHOLDER"
        else backendSettings.apiKey;
    })
    // (optionalAttrs backendConfig.federation.enable {
      MATRIX_SERVER = backendConfig.federation.matrixServerAddr;
      # also substituted
      MATRIX_TOKEN =
        if backendConfig.federation.matrixTokenFile != ""
        then "MATRIX_TOKEN_FILE_PLACEHOLDER"
        else backendConfig.federation.matrixToken;
    })
    // backendSettings.extraSettings;

  cfgValueToString = value:
    if builtins.isBool value
    then boolToString value
    else toString value;

  cfgToLine = key: value: "${key}:${cfgValueToString value}";

  cfgToString = config: (concatStringsSep "\n"
    (mapAttrsToList cfgToLine config));

  backendConfigFile =
    writeText "config.properties"
    (cfgToString backendConfigAttrs);
in {
  config = mkIf (backendConfig.enable) {
    systemd.tmpfiles.rules = [
      "d /run/piped-backend - piped piped"
      "f /run/piped-backend/config.properties 660 piped piped"
    ];

    # I ran into some weird issues with ExecStartPre in piped-backend for this script
    # so moved it to its own unit to run before
    # some sort of syscall issue with
    systemd.services.piped-backend-config-init = {
      serviceConfig.User = "piped";
      wantedBy = ["piped-backend.service"];
      script = let
        confFile = "/run/piped-backend/config.properties";
      in ''
        cat ${backendConfigFile} > ${confFile}

        ${optionalString
          (backendConfig.captcha.enable && backendConfig.captcha.apiKeyFile != null) ''
            VALUE="$(cat ${backendConfig.captcha.apiKeyFile} | ${sedEscapeSlashes})"
            sed -i "s/CAPTCHA_API_KEY_FILE_PLACEHOLDER/$VALUE/" ${confFile}
          ''}

        ${optionalString
          (backendConfig.federation.enable && backendConfig.federation.matrixTokenFile != null) ''
            VALUE="$(cat ${backendConfig.federation.matrixTokenFile} | ${sedEscapeSlashes})"
            sed -i "s/MATRIX_TOKEN_FILE_PLACEHOLDER/$VALUE/" ${confFile}
          ''}

        ${optionalString
          (databaseConfig.passwordFile != null) ''
            VALUE=$(cat ${databaseConfig.passwordFile} | ${sedEscapeSlashes})
            sed -i "s/DATABASE_PASSWORD_PLACEHOLDER/$VALUE/" ${confFile}
          ''}

        chown piped:piped ${confFile}
      '';
    };

    systemd.services.piped-backend = {
      wantedBy = ["multi-user.target"];
      wants = [
        "piped-backend-config-init.service"
      ];
      after = [
        "piped-backend-config-init.service"
      ];

      serviceConfig = {
        ExecStart = "${backendConfig.package}/bin/piped-backend";

        RestartSec = "5s";
        User = "piped";

        WorkingDirectory = "/run/piped-backend";

        CapabilityBoundingSet = "";
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectHome = true;
        ProtectKernelLogs = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
      };
    };

    services.postgresql = mkIf (!databaseConfig.disablePostgresDB) {
      enable = true;
      ensureUsers = [
        {
          name = databaseConfig.username;
          ensurePermissions."DATABASE ${databaseConfig.name}" = "ALL PRIVILEGES";
        }
      ];
      ensureDatabases = [
        databaseConfig.name
      ];
      authentication = mkIf (databaseConfig.password == "") ''
        host ${databaseConfig.name} ${databaseConfig.username} samehost peer map=${databaseConfig.name}
      '';
    };

    services.nginx = mkIf (!nginxConfig.disableNginx) {
      enable = true;
      virtualHosts."${backendConfig.domain}" = {
        forceSSL = mkDefault nginxConfig.forceSSL;
        enableACME = mkDefault nginxConfig.enableACME;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString backendConfig.internalPort}";
        };
      };
    };
  };
}
initial commit 2023-09-08 10:59:27 +01:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
tidying and name changes to module 2023-09-08 11:36:35 +01:00			`}: let`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`inherit (lib.modules) mkIf mkDefault;`
tidying and name changes to module 2023-09-08 11:36:35 +01:00			`inherit (lib.trivial) boolToString;`
			`inherit (lib.attrsets) mapAttrsToList optionalAttrs;`
fix typo in optionalString 2023-09-08 11:48:25 +01:00			`inherit (lib.strings) optionalString concatStringsSep;`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`inherit (pkgs) writeText;`
tidying and name changes to module 2023-09-08 11:36:35 +01:00
initial commit 2023-09-08 10:59:27 +01:00			`cfg = config.services.piped;`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`backendConfig = cfg.backend;`
			`nginxConfig = backendConfig.nginx;`
			`databaseConfig = backendConfig.database;`

			`proxyConfig = cfg.proxy;`
			`frontendConfig = cfg.frontend;`

			`backendSettings = backendConfig.settings;`
initial commit 2023-09-08 10:59:27 +01:00
tidying and name changes to module 2023-09-08 11:36:35 +01:00			`sedEscapeSlashes = "sed 's#/#\\\/#'";`

changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`backendConfigAttrs =`
initial commit 2023-09-08 10:59:27 +01:00			`{`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`PORT = backendConfig.internalPort;`
			`PROXY_PART = "https://${proxyConfig.domain}";`
			`API_URL = "https://${backendConfig.domain}";`
			`FRONTEND_URL = "https://${frontendConfig.domain}";`

			`DISABLE_REGISTRATION = backendSettings.disableRegistrations;`

			`FEED_RETENTION = backendSettings.feedRetentionDays;`
			`SUBSCRIPTIONS_EXPIRY = backendSettings.subscriptionRetentionDays;`
			`HTTP_WORKERS = backendSettings.httpWorkers;`

			`SPONSORBLOCK_SERVERS = concatStringsSep "," backendSettings.sponsorblockServers;`
			`DISABLE_LBRY = backendSettings.disableLBRYStreams;`
			`COMPROMISED_PASSWORD_CHECK = backendSettings.enableCompromisedPasswordCheck;`

			`DISABLE_RYD = backendConfig.ryd.disable;`
			`RYD_PROXY_URL = backendConfig.ryd.apiURL;`

			`SENTRY_DSN = backendSettings.sentryDSN;`

			`"hibernate.connection.url" = let`
			`inherit (databaseConfig) host port name databaseOptions;`
			`in "jdbc:postgresql://${host}:${toString port}/${name}${databaseOptions}";`
			`"hibernate.connection.driver_class" = databaseConfig.driverClass;`
			`"hibernate.dialect" = databaseConfig.dialect;`
			`"hibernate.connection.username" = "${databaseConfig.username}";`
initial commit 2023-09-08 10:59:27 +01:00			`}`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`// (optionalAttrs databaseConfig.usePassword {`
			`"hibernate.connection.password" =`
			`if databaseConfig.passwordFile == null`
			`then databaseConfig.password`
			`else "DATABASE_PASSWORD_PLACEHOLDER";`
			`})`
			`// (optionalAttrs backendConfig.captcha.enable {`
			`CAPTCHA_API_URL = backendConfig.captcha.apiURL;`
initial commit 2023-09-08 10:59:27 +01:00			`# This is substituted in the PreStart of piped-backend.service`
			`CAPTCHA_API_KEY =`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`if backendConfig.captcha.apiKeyFile != null`
tidying and name changes to module 2023-09-08 11:36:35 +01:00			`then "CAPTCHA_API_KEY_FILE_PLACEHOLDER"`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`else backendSettings.apiKey;`
initial commit 2023-09-08 10:59:27 +01:00			`})`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`// (optionalAttrs backendConfig.federation.enable {`
			`MATRIX_SERVER = backendConfig.federation.matrixServerAddr;`
initial commit 2023-09-08 10:59:27 +01:00			`# also substituted`
			`MATRIX_TOKEN =`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`if backendConfig.federation.matrixTokenFile != ""`
tidying and name changes to module 2023-09-08 11:36:35 +01:00			`then "MATRIX_TOKEN_FILE_PLACEHOLDER"`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`else backendConfig.federation.matrixToken;`
			`})`
			`// backendSettings.extraSettings;`
initial commit 2023-09-08 10:59:27 +01:00
tidying and name changes to module 2023-09-08 11:36:35 +01:00			`cfgValueToString = value:`
			`if builtins.isBool value`
			`then boolToString value`
			`else toString value;`

			`cfgToLine = key: value: "${key}:${cfgValueToString value}";`

			`cfgToString = config: (concatStringsSep "\n"`
			`(mapAttrsToList cfgToLine config));`

			`backendConfigFile =`
			`writeText "config.properties"`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`(cfgToString backendConfigAttrs);`
initial commit 2023-09-08 10:59:27 +01:00			`in {`
allow specifying backend domain for frontend and remove check for cfg.enable as default for component.enable is cfg.enable 2023-10-01 18:42:26 +01:00			`config = mkIf (backendConfig.enable) {`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`systemd.tmpfiles.rules = [`
			`"d /run/piped-backend - piped piped"`
			`"f /run/piped-backend/config.properties 660 piped piped"`
			`];`

			`# I ran into some weird issues with ExecStartPre in piped-backend for this script`
			`# so moved it to its own unit to run before`
			`# some sort of syscall issue with`
			`systemd.services.piped-backend-config-init = {`
			`serviceConfig.User = "piped";`
			`wantedBy = ["piped-backend.service"];`
			`script = let`
			`confFile = "/run/piped-backend/config.properties";`
			`in ''`
			`cat ${backendConfigFile} > ${confFile}`

			`${optionalString`
			`(backendConfig.captcha.enable && backendConfig.captcha.apiKeyFile != null) ''`
			`VALUE="$(cat ${backendConfig.captcha.apiKeyFile} \| ${sedEscapeSlashes})"`
			`sed -i "s/CAPTCHA_API_KEY_FILE_PLACEHOLDER/$VALUE/" ${confFile}`
			`''}`

			`${optionalString`
			`(backendConfig.federation.enable && backendConfig.federation.matrixTokenFile != null) ''`
			`VALUE="$(cat ${backendConfig.federation.matrixTokenFile} \| ${sedEscapeSlashes})"`
			`sed -i "s/MATRIX_TOKEN_FILE_PLACEHOLDER/$VALUE/" ${confFile}`
			`''}`

			`${optionalString`
			`(databaseConfig.passwordFile != null) ''`
			`VALUE=$(cat ${databaseConfig.passwordFile} \| ${sedEscapeSlashes})`
			`sed -i "s/DATABASE_PASSWORD_PLACEHOLDER/$VALUE/" ${confFile}`
			`''}`

			`chown piped:piped ${confFile}`
			`'';`
			`};`
initial commit 2023-09-08 10:59:27 +01:00
			`systemd.services.piped-backend = {`
			`wantedBy = ["multi-user.target"];`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`wants = [`
			`"piped-backend-config-init.service"`
			`];`
			`after = [`
			`"piped-backend-config-init.service"`
			`];`

initial commit 2023-09-08 10:59:27 +01:00			`serviceConfig = {`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`ExecStart = "${backendConfig.package}/bin/piped-backend";`
initial commit 2023-09-08 10:59:27 +01:00
			`RestartSec = "5s";`
			`User = "piped";`

changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`WorkingDirectory = "/run/piped-backend";`

initial commit 2023-09-08 10:59:27 +01:00			`CapabilityBoundingSet = "";`
			`PrivateDevices = true;`
			`PrivateUsers = true;`
			`ProtectHome = true;`
			`ProtectKernelLogs = true;`
			`ProtectProc = "invisible";`
			`RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];`
			`RestrictNamespaces = true;`
			`SystemCallArchitectures = "native";`
			`SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];`
			`};`
			`};`

changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`services.postgresql = mkIf (!databaseConfig.disablePostgresDB) {`
initial commit 2023-09-08 10:59:27 +01:00			`enable = true;`
			`ensureUsers = [`
			`{`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`name = databaseConfig.username;`
			`ensurePermissions."DATABASE ${databaseConfig.name}" = "ALL PRIVILEGES";`
initial commit 2023-09-08 10:59:27 +01:00			`}`
			`];`
changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`ensureDatabases = [`
			`databaseConfig.name`
			`];`
			`authentication = mkIf (databaseConfig.password == "") ''`
			`host ${databaseConfig.name} ${databaseConfig.username} samehost peer map=${databaseConfig.name}`
			`'';`
initial commit 2023-09-08 10:59:27 +01:00			`};`

changes to the piped module to make config better 2023-09-19 17:50:52 +01:00			`services.nginx = mkIf (!nginxConfig.disableNginx) {`
			`enable = true;`
			`virtualHosts."${backendConfig.domain}" = {`
			`forceSSL = mkDefault nginxConfig.forceSSL;`
			`enableACME = mkDefault nginxConfig.enableACME;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString backendConfig.internalPort}";`
			`};`
initial commit 2023-09-08 10:59:27 +01:00			`};`
			`};`
			`};`
			`}`