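# NixOS module for the Metabase service.
#
# Declares the `services.metabase.*` options and, when enabled, a systemd
# unit that runs `${pkgs.metabase}/bin/metabase` under a dynamic user with
# its state kept in /var/lib/metabase.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.metabase;

  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib) optional optionalAttrs types;

  # Holds the plugins directory, the application database file and the
  # default keystore location; also the source of the StateDirectory name.
  dataDir = "/var/lib/metabase";

in {

  options = {

    services.metabase = {
      enable = mkEnableOption (lib.mdDoc "Metabase service");

      listen = {
        # NOTE(review): the default binds every interface. The host firewall
        # stays closed unless `openFirewall` is set, but hosts without a
        # firewall expose the plain-HTTP listener as soon as the service is
        # enabled. Set "127.0.0.1" when Metabase sits behind a reverse proxy.
        ip = mkOption {
          type = types.str;
          default = "0.0.0.0";
          description = lib.mdDoc ''
            IP address that Metabase should listen on.
          '';
        };

        port = mkOption {
          type = types.port;
          default = 3000;
          description = lib.mdDoc ''
            Listen port for Metabase.
          '';
        };
      };

      ssl = {
        # Enabling this adds an HTTPS listener; the plain-HTTP listener on
        # `listen.port` is still configured by this module.
        enable = mkOption {
          type = types.bool;
          default = false;
          description = lib.mdDoc ''
            Whether to enable SSL (https) support.
          '';
        };

        port = mkOption {
          type = types.port;
          default = 8443;
          description = lib.mdDoc ''
            Listen port over SSL (https) for Metabase.
          '';
        };

        # The keystore contains private key material. Give this option a
        # string such as "/etc/secrets/keystore.jks", not a Nix path literal
        # (./keystore.jks): a path literal is copied into the world-readable
        # Nix store. The file must be readable by the service's dynamic user.
        # This module sets no keystore password; if one is needed, provide it
        # from a file outside the store (e.g. serviceConfig.EnvironmentFile)
        # rather than through `environment`.
        keystore = mkOption {
          type = types.nullOr types.path;
          default = "${dataDir}/metabase.jks";
          example = "/etc/secrets/keystore.jks";
          description = lib.mdDoc ''
            [Java KeyStore](https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores) file containing the certificates.
          '';
        };

      };

      # Opens `listen.port` and, with SSL enabled, `ssl.port` as well. The
      # plain-HTTP port is opened even when SSL is on.
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Open ports in the firewall for Metabase.
        '';
      };
    };

  };

  config = mkIf cfg.enable {

    systemd.services.metabase = {
      description = "Metabase server";
      wantedBy = [ "multi-user.target" ];
      # `after` only orders the unit; `wants` is what actually pulls
      # network-online.target into the boot transaction.
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      environment = {
        MB_PLUGINS_DIR = "${dataDir}/plugins";
        MB_DB_FILE = "${dataDir}/metabase.db";
        MB_JETTY_HOST = cfg.listen.ip;
        MB_JETTY_PORT = toString cfg.listen.port;
      } // optionalAttrs (cfg.ssl.enable) {
        # systemd environment values must be strings (or paths/packages);
        # a Nix boolean here fails the option's type check, so enabling SSL
        # would break evaluation instead of turning HTTPS on.
        MB_JETTY_SSL = "true";
        MB_JETTY_SSL_PORT = toString cfg.ssl.port;
        # A null keystore leaves the variable unset.
        MB_JETTY_SSL_KEYSTORE = cfg.ssl.keystore;
      };
      serviceConfig = {
        # Run as a transient, unprivileged user allocated by systemd.
        DynamicUser = true;
        # "metabase": systemd creates /var/lib/metabase for the dynamic user.
        StateDirectory = baseNameOf dataDir;
        ExecStart = "${pkgs.metabase}/bin/metabase";
      };
    };

    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.listen.port ] ++ optional cfg.ssl.enable cfg.ssl.port;
    };

  };
}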