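# NixOS module for the PhotoPrism web server: declares `services.photoprism.*`
# options and, when enabled, a sandboxed systemd service plus a
# `photoprism-manage` helper for running the CLI inside the service's context.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.services.photoprism;

  # Environment handed to the service and to the manage script.
  # Everything in here is rendered into the unit file and into the `manage`
  # script, both of which live in the world-readable Nix store. Do not put
  # secrets (database passwords, API tokens, ...) into `settings`; the admin
  # password goes through `passwordFile` instead.
  # `settings` is merged last, so it overrides the five keys derived from the
  # dedicated options.
  env = {
    PHOTOPRISM_ORIGINALS_PATH = cfg.originalsPath;
    PHOTOPRISM_STORAGE_PATH = cfg.storagePath;
    PHOTOPRISM_IMPORT_PATH = cfg.importPath;
    PHOTOPRISM_HTTP_HOST = cfg.address;
    PHOTOPRISM_HTTP_PORT = toString cfg.port;
  }
  // (lib.mapAttrs (_: toString) cfg.settings);

  # Helper that runs the photoprism CLI in the running service's mount
  # namespace, as the service's (dynamic) UID/GID, with the same environment.
  # `eval` executes the KEY=VALUE lines printed by `systemctl show` as shell
  # assignments; `UID` is renamed to `ServiceUID` because bash treats `UID` as
  # read-only.
  # NOTE(review): nsenter into another process's namespace presumably needs
  # root, and the script assumes photoprism.service is running so that MainPID
  # and UID are populated — confirm.
  # The shell expansions are quoted and the storage path is shell-escaped so
  # that an empty value or a path containing whitespace cannot shift or split
  # nsenter's arguments.
  manage = pkgs.writeShellScript "manage" ''
    set -o allexport # Export the following env vars
    ${lib.toShellVars env}
    eval "$(${config.systemd.package}/bin/systemctl show -pUID,MainPID photoprism.service | ${pkgs.gnused}/bin/sed "s/UID/ServiceUID/")"
    exec ${pkgs.util-linux}/bin/nsenter \
      -t "$MainPID" -m -S "$ServiceUID" -G "$ServiceUID" --wdns=${lib.escapeShellArg cfg.storagePath} \
      ${cfg.package}/bin/photoprism "$@"
  '';
in
{
  meta.maintainers = with lib.maintainers; [ stunkymonkey ];

  options.services.photoprism = {

    enable = lib.mkEnableOption "Photoprism web server";

    # Read at service start through systemd's LoadCredential, so the file does
    # not have to be readable by the service user.
    # NOTE(review): the value is interpolated into a string below; if it is
    # given as a Nix path literal rather than a string, interpolation copies
    # the file into the world-readable Nix store. Pass an absolute path as a
    # string that points outside the store.
    passwordFile = lib.mkOption {
      type = lib.types.nullOr lib.types.path;
      default = null;
      description = ''
        Admin password file.
      '';
    };

    # Defaults to localhost, so the web interface is not reachable from other
    # hosts unless this is changed.
    address = lib.mkOption {
      type = lib.types.str;
      default = "localhost";
      description = ''
        Web interface address.
      '';
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 2342;
      description = ''
        Web interface port.
      '';
    };

    # NOTE(review): `null` does not satisfy `lib.types.path`, so leaving this
    # unset appears to fail evaluation, which effectively makes the option
    # required — confirm that this is the intent.
    originalsPath = lib.mkOption {
      type = lib.types.path;
      default = null;
      example = "/data/photos";
      description = ''
        Storage path of your original media files (photos and videos).
      '';
    };

    importPath = lib.mkOption {
      type = lib.types.str;
      default = "import";
      description = ''
        Relative or absolute to the `originalsPath` from where the files should be imported.
      '';
    };

    storagePath = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/photoprism";
      description = ''
        Location for sidecar, cache, and database files.
      '';
    };

    package = lib.mkPackageOption pkgs "photoprism" { };

    # Free-form PHOTOPRISM_* environment variables. Values end up in the unit
    # file in the Nix store, so this is not a place for secrets.
    settings = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      description = ''
        See [the getting-started guide](https://docs.photoprism.app/getting-started/config-options/) for available options.
      '';
      example = {
        PHOTOPRISM_DEFAULT_LOCALE = "de";
        PHOTOPRISM_ADMIN_USER = "root";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.photoprism = {
      description = "Photoprism server";

      serviceConfig = {
        Restart = "on-failure";
        User = "photoprism";
        Group = "photoprism";
        DynamicUser = true;
        StateDirectory = "photoprism";
        WorkingDirectory = "/var/lib/photoprism";
        RuntimeDirectory = "photoprism";
        # Paths the sandboxed service may write to. systemd only accepts
        # absolute paths here, and `importPath` defaults to the relative
        # "import", so it is listed only when it is absolute. A relative
        # import path is resolved by PhotoPrism itself.
        # NOTE(review): per the option description that is below
        # `originalsPath`, which is already writable — confirm.
        ReadWritePaths = [
          cfg.originalsPath
        ]
        ++ lib.optional (lib.hasPrefix "/" cfg.importPath) cfg.importPath
        ++ [
          cfg.storagePath
        ];

        # Expose the admin password file to the service as a credential under
        # $CREDENTIALS_DIRECTORY. An empty string is assigned when no password
        # file is configured.
        LoadCredential = lib.optionalString (
          cfg.passwordFile != null
        ) "PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}";

        # Sandboxing: no device nodes, private user namespace, read-only
        # kernel interfaces, and only UNIX/IPv4/IPv6 sockets.
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictAddressFamilies = [
          "AF_UNIX"
          "AF_INET"
          "AF_INET6"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        # Allow the @system-service set, then deny the @setuid and @keyring
        # groups.
        SystemCallFilter = [
          "@system-service"
          "~@setuid @keyring"
        ];
        # Strip group/other read and write bits from newly created files.
        UMask = "0066";
      };

      wantedBy = [ "multi-user.target" ];
      environment = env;

      # The admin password is read from the credentials directory and exported
      # as an environment variable, so it is visible in the environment of the
      # photoprism process and of anything it spawns.
      # reminder: easier password configuration will come in https://github.com/photoprism/photoprism/pull/2302
      preStart = ''
        ln -sf ${manage} photoprism-manage

        ${lib.optionalString (cfg.passwordFile != null) ''
          export PHOTOPRISM_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PHOTOPRISM_ADMIN_PASSWORD")
        ''}
        exec ${cfg.package}/bin/photoprism migrations run -f
      '';

      script = ''
        ${lib.optionalString (cfg.passwordFile != null) ''
          export PHOTOPRISM_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/PHOTOPRISM_ADMIN_PASSWORD")
        ''}
        exec ${cfg.package}/bin/photoprism start
      '';
    };
  };
}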