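# NixOS module that runs Metabase as a systemd service.
#
# Deployment notes for reviewers:
#   * `listen.ip` defaults to 0.0.0.0, so the service binds on every
#     interface; exposure is then limited only by the firewall.
#   * `ssl.enable` defaults to false, so traffic is plain HTTP unless TLS is
#     enabled here or terminated by something in front of the service.
#   * The module sets no keystore password. If the keystore needs one
#     (Metabase reads MB_JETTY_SSL_KEYSTORE_PASSWORD), supply it out of band,
#     e.g. via a root-only systemd EnvironmentFile. Values placed in
#     `environment` are written into the unit file in the world-readable
#     Nix store.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.services.metabase;

  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib) optional optionalAttrs types;

  # Service state location. StateDirectory below is derived from the base
  # name of this path, so it is expected to live directly under /var/lib.
  dataDir = "/var/lib/metabase";

in
{

  options = {

    services.metabase = {
      enable = mkEnableOption "Metabase service";

      package = lib.mkPackageOption pkgs "metabase" { };

      listen = {
        # Default binds on all interfaces. Set a loopback or internal address
        # when the service sits behind a reverse proxy.
        ip = mkOption {
          type = types.str;
          default = "0.0.0.0";
          description = ''
            IP address that Metabase should listen on.
          '';
        };

        port = mkOption {
          type = types.port;
          default = 3000;
          description = ''
            Listen port for Metabase.
          '';
        };
      };

      ssl = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Whether to enable SSL (https) support.
          '';
        };

        port = mkOption {
          type = types.port;
          default = 8443;
          description = ''
            Listen port over SSL (https) for Metabase.
          '';
        };

        # Give this as a string path (as in the default and the example).
        # A Nix path literal would be copied into the world-readable Nix
        # store together with the private key it contains.
        # NOTE(review): the service runs under DynamicUser, so a keystore
        # outside the state directory must be readable by that transient
        # user; confirm how the file is provisioned.
        keystore = mkOption {
          type = types.nullOr types.path;
          default = "${dataDir}/metabase.jks";
          example = "/etc/secrets/keystore.jks";
          description = ''
            [Java KeyStore](https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores) file containing the certificates.
          '';
        };

      };

      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Open ports in the firewall for Metabase.
        '';
      };
    };

  };

  config = mkIf cfg.enable {

    systemd.services.metabase = {
      description = "Metabase server";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      environment =
        {
          MB_PLUGINS_DIR = "${dataDir}/plugins";
          MB_DB_FILE = "${dataDir}/metabase.db";
          MB_JETTY_HOST = cfg.listen.ip;
          MB_JETTY_PORT = toString cfg.listen.port;
        }
        // optionalAttrs (cfg.ssl.enable) {
          # Fixed: this was the Nix boolean `true`. systemd environment
          # values must be strings (or paths/packages), so a boolean is
          # rejected at evaluation time and SSL could never be enabled.
          MB_JETTY_SSL = "true";
          MB_JETTY_SSL_PORT = toString cfg.ssl.port;
          # A null keystore leaves this variable unset.
          MB_JETTY_SSL_KEYSTORE = cfg.ssl.keystore;
        };
      serviceConfig = {
        # Run as a transient, unprivileged user allocated by systemd.
        DynamicUser = true;
        # "metabase": systemd creates and owns /var/lib/metabase.
        StateDirectory = baseNameOf dataDir;
        ExecStart = lib.getExe cfg.package;
      };
    };

    # The plain-HTTP port is always opened when openFirewall is set, even
    # with SSL enabled. The HTTPS port is added only when ssl.enable is true.
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.listen.port ] ++ optional cfg.ssl.enable cfg.ssl.port;
    };

  };
}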