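# NixOS module for the Pleroma social network server.
#
# Security notes for this module:
#  * Everything in `services.pleroma.configs` ends up in /etc/pleroma/config.exs,
#    which is a Nix store path and therefore world-readable. Secrets go in
#    `secretConfigFile`, which is `import_config`'d at runtime and is asserted
#    below to live outside the store.
#  * The Erlang distribution cookie (the only credential on the BEAM
#    distribution port) is generated once by the migration unit, owner-only,
#    using coreutils, and is never regenerated while a non-empty one exists.
{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.services.pleroma;
in
{
  options = {
    services.pleroma = with lib; {
      enable = mkEnableOption "pleroma";

      package = mkPackageOption pkgs "pleroma" { };

      user = mkOption {
        type = types.str;
        default = "pleroma";
        description = "User account under which pleroma runs.";
      };

      group = mkOption {
        type = types.str;
        default = "pleroma";
        description = "Group account under which pleroma runs.";
      };

      stateDir = mkOption {
        type = types.str;
        default = "/var/lib/pleroma";
        readOnly = true;
        description = "Directory where the pleroma service will save the uploads and static files.";
      };

      configs = mkOption {
        type = with types; listOf str;
        description = ''
          Pleroma public configuration.

          This list gets appended from left to
          right into /etc/pleroma/config.exs. Elixir evaluates its
          configuration imperatively, meaning you can override a
          setting by appending a new str to this NixOS option list.

          *DO NOT STORE ANY PLEROMA SECRET
          HERE*, use
          [services.pleroma.secretConfigFile](#opt-services.pleroma.secretConfigFile)
          instead.

          This setting is going to be stored in a file that is part of
          the Nix store. The Nix store being world-readable, it is not
          the right place to store any secret.

          Have a look at the Pleroma section in the NixOS manual for more
          information.
        '';
      };

      secretConfigFile = mkOption {
        type = types.str;
        default = "/var/lib/pleroma/secrets.exs";
        description = ''
          Path to the file containing your secret pleroma configuration.

          *DO NOT POINT THIS OPTION TO THE NIX
          STORE*, the store being world-readable, it'll
          compromise all your secrets. The module refuses to evaluate
          if this path is inside the Nix store.
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Turn the documentation warning above into a hard check: a secrets file
    # inside the store is readable by every local user.
    assertions = [
      {
        assertion = !(lib.hasPrefix builtins.storeDir cfg.secretConfigFile);
        message = "services.pleroma.secretConfigFile must not point into the Nix store (${builtins.storeDir}); the store is world-readable, so the secrets would be exposed.";
      }
    ];

    users = {
      users."${cfg.user}" = {
        description = "Pleroma user";
        home = cfg.stateDir;
        group = cfg.group;
        isSystemUser = true;
      };
      groups."${cfg.group}" = { };
    };

    environment.systemPackages = [ cfg.package ];

    # Public configuration only: this file lives in the Nix store. The secret
    # part is pulled in at runtime via import_config so it never enters the store.
    environment.etc."/pleroma/config.exs".text = ''
      ${lib.concatMapStrings (x: "${x}") cfg.configs}

      # The lau/tzdata library is trying to download the latest
      # timezone database in the OTP priv directory by default.
      # This directory being in the store, it's read-only.
      # Setting that up to a more appropriate location.
      config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data"

      import_config "${cfg.secretConfigFile}"
    '';

    systemd.services =
      let
        # Shared between the migration oneshot and the long-running service so
        # both run as the same unprivileged user with the same sandbox.
        commonSystemdServiceConfig = {
          User = cfg.user;
          Group = cfg.group;
          WorkingDirectory = "~";
          StateDirectory = "pleroma pleroma/static pleroma/uploads";
          # 0700 on the state directory is what keeps the cookie and the
          # default secrets file location away from other local users.
          StateDirectoryMode = "700";
          # Systemd sandboxing directives.
          # Taken from the upstream contrib systemd service at
          # pleroma/installation/pleroma.service
          PrivateTmp = true;
          ProtectHome = true;
          ProtectSystem = "full";
          # Kept false to match upstream; the reason is not stated there.
          # NOTE(review): worth testing whether the service runs with
          # PrivateDevices = true before tightening this.
          PrivateDevices = false;
          NoNewPrivileges = true;
          CapabilityBoundingSet = "~CAP_SYS_ADMIN";
        };

      in
      {
        pleroma-migrations = {
          description = "Pleroma social network migrations";
          wants = [ "network-online.target" ];
          after = [
            "network-online.target"
            "postgresql.service"
          ];
          wantedBy = [ "pleroma.service" ];
          # NOTE(review): this is passed as a *path*; it assumes the packaged
          # release scripts read the cookie from that file rather than taking
          # the variable as the literal cookie value — verify against the package.
          environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
          serviceConfig = commonSystemdServiceConfig // {
            Type = "oneshot";
            # Checking the conf file is there then running the database
            # migration before each service start, just in case there are
            # some pending ones.
            #
            # It's sub-optimal as we'll always run this, even if pleroma
            # has not been updated. But the no-op process is pretty fast.
            # Better be safe than sorry migration-wise.
            ExecStart =
              let
                preScript = pkgs.writers.writeBashBin "pleroma-migrations" ''
                  set -euo pipefail
                  cookie=/var/lib/pleroma/.cookie

                  # Generate the Erlang distribution cookie once. It is the only
                  # credential on the BEAM distribution port, so:
                  #  - use coreutils only (od/tr), not hexdump, which is not
                  #    guaranteed to be on the service PATH;
                  #  - create it owner-only (umask 077) independently of the
                  #    state directory mode;
                  #  - write to a temp file, check the length, then rename, so a
                  #    failed run can never leave a short or empty cookie behind;
                  #  - treat an empty file as missing (-s, not -f) so a broken
                  #    earlier run is repaired instead of trusted forever.
                  if [ ! -s "$cookie" ]
                  then
                    echo "Creating cookie file"
                    (
                      umask 077
                      od -An -tx1 -N 16 /dev/urandom | tr -d ' \n' > "$cookie.tmp"
                    )
                    if [ "$(wc -c < "$cookie.tmp")" -ne 32 ]
                    then
                      echo "Generated cookie has the wrong length, aborting" >&2
                      rm -f "$cookie.tmp"
                      exit 1
                    fi
                    mv "$cookie.tmp" "$cookie"
                  fi
                  ${cfg.package}/bin/pleroma_ctl migrate
                '';
              in
              "${preScript}/bin/pleroma-migrations";
          };
          # disksup requires bash; coreutils provides od/tr/wc/mv for the
          # cookie generation above.
          path = [
            pkgs.bash
            pkgs.coreutils
          ];
        };

        pleroma = {
          description = "Pleroma social network";
          wants = [ "pleroma-migrations.service" ];
          after = [ "pleroma-migrations.service" ];
          wantedBy = [ "multi-user.target" ];
          # Only the store-side config triggers a restart; changes to
          # secretConfigFile are outside the store and need a manual restart.
          restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
          environment.RELEASE_COOKIE = "/var/lib/pleroma/.cookie";
          serviceConfig = commonSystemdServiceConfig // {
            Type = "exec";
            ExecStart = "${cfg.package}/bin/pleroma start";
            ExecStop = "${cfg.package}/bin/pleroma stop";
            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
          };
          # disksup requires bash
          path = [ pkgs.bash ];
        };
      };
  };
  meta.maintainers = with lib.maintainers; [ picnoir ];
  meta.doc = ./pleroma.md;
}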