163 lines
5.5 KiB
Nix
163 lines
5.5 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}: let
|
|
inherit (lib.modules) mkIf;
|
|
inherit (lib.trivial) boolToString;
|
|
inherit (lib.attrsets) mapAttrsToList optionalAttrs;
|
|
inherit (lib.strings) optionalString concatStringsSep;
|
|
inherit (pkgs) writeText writeShellScript;
|
|
|
|
cfg = config.services.piped;
|
|
|
|
sedEscapeSlashes = "sed 's#/#\\\/#'";
|
|
sedEscapeSingleQuotes = "sed \"s#'#\\\'#\"";
|
|
|
|
backendConfig =
|
|
{
|
|
PORT = cfg.internalBackendPort;
|
|
HTTP_WORKERS = cfg.httpWorkers;
|
|
PROXY_PART = "https://${cfg.proxyDomain}";
|
|
API_URL = "https://${cfg.backendDomain}";
|
|
FRONTEND_URL = "https://${cfg.frontendDomain}";
|
|
DISABLE_REGISTRATION = cfg.disableRegistrations;
|
|
COMPROMISED_PASSWORD_CHECK = cfg.enableCompromisedPasswordCheck;
|
|
FEED_RETENTION = cfg.feedRetentionDays;
|
|
SUBSCRIPTIONS_EXPIRY = cfg.subscriptionRetentionDays;
|
|
SPONSORBLOCK_SERVERS = concatStringsSep "," cfg.sponsorblockServers;
|
|
DISABLE_RYD = cfg.disableRYD;
|
|
DISABLE_LBRY = cfg.disableLBRYStreams;
|
|
RYD_PROXY_URL = cfg.rydAPIURL;
|
|
SENTRY_DSN = cfg.sentryDSN;
|
|
"hibernate.connection.url" = "jdbc:postgresql://${cfg.postgresDBHost}:${toString cfg.postgresDBPort}/${cfg.postgresDBName}";
|
|
"hibernate.connection.driver_class" = "org.postgresql.Driver";
|
|
"hibernate.dialect" = "org.hibernate.dialect.PostgreSQLDialect";
|
|
"hibernate.connection.username" = "${cfg.postgresDBUsername}";
|
|
"hibernate.connection.password" =
|
|
if cfg.postgresDBPasswordFile == null
|
|
then cfg.postgresDBPassword
|
|
else "POSTGRES_PASSWORD_PLACEHOLDER";
|
|
}
|
|
// (optionalAttrs cfg.enableCaptcha {
|
|
CAPTCHA_API_URL = cfg.captchaAPIURL;
|
|
# This is substituted in the PreStart of piped-backend.service
|
|
CAPTCHA_API_KEY =
|
|
if cfg.captchaAPIKeyFile != ""
|
|
then "CAPTCHA_API_KEY_FILE_PLACEHOLDER"
|
|
else cfg.captchaAPIKey;
|
|
})
|
|
// (optionalAttrs cfg.enableFederation {
|
|
MATRIX_SERVER = cfg.matrixServerAddr;
|
|
# also substituted
|
|
MATRIX_TOKEN =
|
|
if cfg.matrixTokenFile != ""
|
|
then "MATRIX_TOKEN_FILE_PLACEHOLDER"
|
|
else cfg.matrixToken;
|
|
});
|
|
|
|
cfgValueToString = value:
|
|
if builtins.isBool value
|
|
then boolToString value
|
|
else toString value;
|
|
|
|
cfgToLine = key: value: "${key}:${cfgValueToString value}";
|
|
|
|
cfgToString = config: (concatStringsSep "\n"
|
|
(mapAttrsToList cfgToLine config));
|
|
|
|
backendConfigFile =
|
|
writeText "config.properties"
|
|
(cfgToString backendConfig);
|
|
in {
|
|
config = mkIf (cfg.enable && !cfg.disableBackend) {
|
|
systemd.tmpfiles.rules = ["d /run/piped-backend - piped piped"];
|
|
|
|
systemd.services.piped-backend = {
|
|
wantedBy = ["multi-user.target"];
|
|
serviceConfig = {
|
|
WorkingDirectory = "/run/piped-backend";
|
|
ExecStartPre = let
|
|
confFile = "/run/piped-backend/config.properties";
|
|
in
|
|
writeShellScript "piped-backend-init" ''
|
|
[ -f "${confFile}" ] && rm ${confFile}
|
|
cp ${backendConfigFile} ${confFile}
|
|
chmod 660 ${confFile}
|
|
|
|
${optionalString (cfg.enableCaptcha && cfg.captchaAPIKeyFile != "") ''
|
|
sed -i "s/CAPTCHA_API_KEY_FILE_PLACEHOLDER/$(cat ${cfg.captchaAPIKeyFile} | ${sedEscapeSlashes})/" ${confFile}
|
|
''}
|
|
|
|
${optionalString
|
|
(cfg.enableFederation && cfg.matrixTokenFile != "") ''
|
|
sed -i "s/MATRIX_TOKEN_FILE_PLACEHOLDER/$(cat ${cfg.matrixTokenFile} | ${sedEscapeSlashes})/" ${confFile}
|
|
''}
|
|
|
|
${optionalString
|
|
(cfg.postgresDBPasswordFile != null) ''
|
|
sed -i "s/POSTGRES_PASSWORD_PLACEHOLDER/$(cat ${cfg.postgresDBPasswordFile} | ${sedEscapeSlashes})/" ${confFile}
|
|
''}
|
|
'';
|
|
|
|
ExecStart = "${pkgs.piped-backend}/bin/piped-backend";
|
|
|
|
RestartSec = "5s";
|
|
User = "piped";
|
|
|
|
CapabilityBoundingSet = "";
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
ProtectHome = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectProc = "invisible";
|
|
RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
|
|
RestrictNamespaces = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];
|
|
};
|
|
};
|
|
|
|
# Set password for piped when running postgres as piped won't run with
|
|
# passwordless authentication
|
|
systemd.services.piped-password = mkIf (!cfg.disablePostgresDB) {
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
User = "postgres";
|
|
};
|
|
|
|
wantedBy = ["piped-backend.service"];
|
|
wants = ["postgresql.service"];
|
|
after = ["postgresql.service"];
|
|
|
|
script = ''
|
|
${config.services.postgresql.package}/bin/psql -c "ALTER USER ${cfg.postgresDBUsername} WITH PASSWORD '${
|
|
if cfg.postgresDBPasswordFile != null
|
|
then "$(cat ${cfg.postgresDBPasswordFile} | ${sedEscapeSingleQuotes})"
|
|
else cfg.postgresDBPassword
|
|
}';"
|
|
'';
|
|
};
|
|
|
|
services.postgresql = mkIf (!cfg.disablePostgresDB) {
|
|
enable = true;
|
|
ensureUsers = [
|
|
{
|
|
name = cfg.postgresDBUsername;
|
|
ensurePermissions."DATABASE ${cfg.postgresDBName}" = "ALL PRIVILEGES";
|
|
}
|
|
];
|
|
ensureDatabases = [cfg.postgresDBName];
|
|
};
|
|
|
|
services.nginx.virtualHosts."${cfg.backendDomain}" = mkIf (!cfg.disableNginx) {
|
|
forceSSL = cfg.nginxForceSSL;
|
|
enableACME = cfg.nginxEnableACME;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString cfg.internalBackendPort}";
|
|
};
|
|
};
|
|
};
|
|
}
|