1
0
Fork 0
piped-flake/module/backend.nix
2023-09-14 22:25:34 +01:00

163 lines
5.5 KiB
Nix

{
config,
lib,
pkgs,
...
}: let
inherit (lib.modules) mkIf;
inherit (lib.trivial) boolToString;
inherit (lib.attrsets) mapAttrsToList optionalAttrs;
inherit (lib.strings) optionalString concatStringsSep;
inherit (pkgs) writeText writeShellScript;
cfg = config.services.piped;
sedEscapeSlashes = "sed 's#/#\\\/#'";
sedEscapeSingleQuotes = "sed \"s#'#\\\'#\"";
backendConfig =
{
PORT = cfg.internalBackendPort;
HTTP_WORKERS = cfg.httpWorkers;
PROXY_PART = "https://${cfg.proxyDomain}";
API_URL = "https://${cfg.backendDomain}";
FRONTEND_URL = "https://${cfg.frontendDomain}";
DISABLE_REGISTRATION = cfg.disableRegistrations;
COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
FEED_RETENTION = cfg.feedRetentionDays;
SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
SPONSORBLOCK_SERVERS = concatStringsSep "," cfg.sponsorblockServers;
DISABLE_RYD = cfg.disableRYD;
DISABLE_LBRY = cfg.disableLBRYStreams;
RYD_PROXY_URL = cfg.rydAPIURL;
SENTRY_DSN = cfg.sentryDSN;
"hibernate.connection.url" = "jdbc:postgresql://${cfg.postgresDBHost}:${toString cfg.postgresDBPort}/${cfg.postgresDBName}";
"hibernate.connection.driver_class" = "org.postgresql.Driver";
"hibernate.dialect" = cfg.databaseDialect;
"hibernate.connection.username" = "${cfg.postgresDBUsername}";
"hibernate.connection.password" =
if cfg.postgresDBPasswordFile == null
then cfg.postgresDBPassword
else "POSTGRES_PASSWORD_PLACEHOLDER";
}
// (optionalAttrs cfg.enableCaptcha {
CAPTCHA_API_URL = cfg.captchaAPIURL;
# This is substituted in the PreStart of piped-backend.service
CAPTCHA_API_KEY =
if cfg.captchaAPIKeyFile != ""
then "CAPTCHA_API_KEY_FILE_PLACEHOLDER"
else cfg.captchaAPIKey;
})
// (optionalAttrs cfg.enableFederation {
MATRIX_SERVER = cfg.matrixServerAddr;
# also substituted
MATRIX_TOKEN =
if cfg.matrixTokenFile != ""
then "MATRIX_TOKEN_FILE_PLACEHOLDER"
else cfg.matrixToken;
});
cfgValueToString = value:
if builtins.isBool value
then boolToString value
else toString value;
cfgToLine = key: value: "${key}:${cfgValueToString value}";
cfgToString = config: (concatStringsSep "\n"
(mapAttrsToList cfgToLine config));
backendConfigFile =
writeText "config.properties"
(cfgToString backendConfig);
in {
config = mkIf (cfg.enable && !cfg.disableBackend) {
systemd.tmpfiles.rules = ["d /run/piped-backend - piped piped"];
systemd.services.piped-backend = {
wantedBy = ["multi-user.target"];
serviceConfig = {
WorkingDirectory = "/run/piped-backend";
ExecStartPre = let
confFile = "/run/piped-backend/config.properties";
in
writeShellScript "piped-backend-init" ''
[ -f "${confFile}" ] && rm ${confFile}
cp ${backendConfigFile} ${confFile}
chmod 660 ${confFile}
${optionalString (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") ''
sed -i "s/CAPTCHA_API_KEY_FILE_PLACEHOLDER/$(cat ${cfg.captchaAPIKeyFile} | ${sedEscapeSlashes})/" ${confFile}
''}
${optionalString
(cfg.enableFederation && cfg.matrixTokenFile != "") ''
sed -i "s/MATRIX_TOKEN_FILE_PLACEHOLDER/$(cat ${cfg.matrixTokenFile} | ${sedEscapeSlashes})/" ${confFile}
''}
${optionalString
(cfg.postgresDBPasswordFile != null) ''
sed -i "s/POSTGRES_PASSWORD_PLACEHOLDER/$(cat ${cfg.postgresDBPasswordFile} | ${sedEscapeSlashes})/" ${confFile}
''}
'';
ExecStart = "${cfg.backendPackage}/bin/piped-backend";
RestartSec = "5s";
User = "piped";
CapabilityBoundingSet = "";
PrivateDevices = true;
PrivateUsers = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectProc = "invisible";
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
};
};
# Set password for piped when running postgres as piped won't run with
# passwordless authentication
systemd.services.piped-password = mkIf (!cfg.disablePostgresDB) {
serviceConfig = {
Type = "oneshot";
User = "postgres";
};
wantedBy = ["piped-backend.service"];
wants = ["postgresql.service"];
after = ["postgresql.service"];
script = ''
${config.services.postgresql.package}/bin/psql -c "ALTER USER ${cfg.postgresDBUsername} WITH PASSWORD '${
if cfg.postgresDBPasswordFile != null
then "$(cat ${cfg.postgresDBPasswordFile} | ${sedEscapeSingleQuotes})"
else cfg.postgresDBPassword
}';"
'';
};
services.postgresql = mkIf (!cfg.disablePostgresDB) {
enable = true;
ensureUsers = [
{
name = cfg.postgresDBUsername;
ensurePermissions."DATABASE ${cfg.postgresDBName}" = "ALL PRIVILEGES";
}
];
ensureDatabases = [cfg.postgresDBName];
};
services.nginx.virtualHosts."${cfg.backendDomain}" = mkIf (!cfg.disableNginx) {
forceSSL = cfg.nginxForceSSL;
enableACME = cfg.nginxEnableACME;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.internalBackendPort}";
};
};
};
}