Diffstat (limited to 'nixos/modules/services/networking/pleroma.nix')
-rw-r--r-- | nixos/modules/services/networking/pleroma.nix | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix
new file mode 100644
index 00000000000..c6d4c14dcb7
--- /dev/null
+++ b/nixos/modules/services/networking/pleroma.nix
@@ -0,0 +1,149 @@
+{ config, options, lib, pkgs, stdenv, ... }:
+let
+ cfg = config.services.pleroma;
+ cookieFile = "/var/lib/pleroma/.cookie";
+in {
+ options = {
+ services.pleroma = with lib; {
+ enable = mkEnableOption "pleroma";
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.pleroma.override { inherit cookieFile; };
+ defaultText = literalExpression "pkgs.pleroma";
+ description = "Pleroma package to use.";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "pleroma";
+ description = "User account under which pleroma runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "pleroma";
+ description = "Group account under which pleroma runs.";
+ };
+
+ stateDir = mkOption {
+ type = types.str;
+ default = "/var/lib/pleroma";
+ readOnly = true;
+ description = "Directory where the pleroma service will save the uploads and static files.";
+ };
+
+ configs = mkOption {
+ type = with types; listOf str;
+ description = ''
+ Pleroma public configuration.
+
+ This list gets appended from left to
+ right into /etc/pleroma/config.exs. Elixir evaluates its
+ configuration imperatively, meaning you can override a
+ setting by appending a new str to this NixOS option list.
+
+ <emphasis>DO NOT STORE ANY PLEROMA SECRET
+ HERE</emphasis>, use
+ <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>
+ instead.
+
+ This setting is going to be stored in a file part of
+ the Nix store. The Nix store being world-readable, it's not
+ the right place to store any secret
+
+ Have a look to Pleroma section in the NixOS manual for more
+ informations.
+ '';
+ };
+
+ secretConfigFile = mkOption {
+ type = types.str;
+ default = "/var/lib/pleroma/secrets.exs";
+ description = ''
+ Path to the file containing your secret pleroma configuration.
+
+ <emphasis>DO NOT POINT THIS OPTION TO THE NIX
+ STORE</emphasis>, the store being world-readable, it'll
+ compromise all your secrets.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users."${cfg.user}" = {
+ description = "Pleroma user";
+ home = cfg.stateDir;
+ group = cfg.group;
+ isSystemUser = true;
+ };
+ groups."${cfg.group}" = {};
+ };
+
+ environment.systemPackages = [ cfg.package ];
+
+ environment.etc."/pleroma/config.exs".text = ''
+ ${lib.concatMapStrings (x: "${x}") cfg.configs}
+
+ # The lau/tzdata library is trying to download the latest
+ # timezone database in the OTP priv directory by default.
+ # This directory being in the store, it's read-only.
+ # Setting that up to a more appropriate location.
+ config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data"
+
+ import_config "${cfg.secretConfigFile}"
+ '';
+
+ systemd.services.pleroma = {
+ description = "Pleroma social network";
+ after = [ "network-online.target" "postgresql.service" ];
+ wantedBy = [ "multi-user.target" ];
+ restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ Type = "exec";
+ WorkingDirectory = "~";
+ StateDirectory = "pleroma pleroma/static pleroma/uploads";
+ StateDirectoryMode = "700";
+
+ # Checking the conf file is there then running the database
+ # migration before each service start, just in case there are
+ # some pending ones.
+ #
+ # It's sub-optimal as we'll always run this, even if pleroma
+ # has not been updated. But the no-op process is pretty fast.
+ # Better be safe than sorry migration-wise.
+ ExecStartPre =
+ let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
+ if [ ! -f "${cookieFile}" ] || [ ! -s "${cookieFile}" ]
+ then
+ echo "Creating cookie file"
+ dd if=/dev/urandom bs=1 count=16 | ${pkgs.hexdump}/bin/hexdump -e '16/1 "%02x"' > "${cookieFile}"
+ fi
+ ${cfg.package}/bin/pleroma_ctl migrate
+ '';
+ in "${preScript}/bin/pleromaStartPre";
+
+ ExecStart = "${cfg.package}/bin/pleroma start";
+ ExecStop = "${cfg.package}/bin/pleroma stop";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+ # Systemd sandboxing directives.
+ # Taken from the upstream contrib systemd service at
+ # pleroma/installation/pleroma.service
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectSystem = "full";
+ PrivateDevices = false;
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = "~CAP_SYS_ADMIN";
+ };
+ };
+
+ };
+ meta.maintainers = with lib.maintainers; [ ninjatrappeur ];
+ meta.doc = ./pleroma.xml;
+} |
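Review bot: The Erlang cookie written by the `pleromaStartPre` script is created with a bare `> "${cookieFile}"` redirect under whatever umask the unit inherits, so nothing in the hunk pins its mode to owner-only and the 700 `StateDirectoryMode` on the state directory is the only thing keeping that shared secret private. As far as the hunk shows the script also runs without `set -e`/`pipefail`, so a failed `dd` or `hexdump` would leave an empty cookie in place and still proceed to `pleroma_ctl migrate` (the `-s` test only repairs it on the next start). I would open the script body with `set -euo pipefail` and `umask 077` before the `if`. Separately, `after = [ "network-online.target" "postgresql.service" ]` only orders the unit; without `wants = [ "network-online.target" ]` and `requires = [ "postgresql.service" ]` (or at least `wants`) those units are not pulled in and the ordering may be ineffective.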