···
cfg = config.services.pumpio;
dataDir = "/var/lib/pump.io";
+
runDir = "/run/pump.io";
+
optionalSet = condition: value: if condition then value else {};
+
configScript = ./pump.io-configure.js;
+
outputFile = "${runDir}/config.json";
+
(optionalSet (cfg.driver != "disk") {
+
params = (optionalSet (cfg.driver == "disk") { dir = dataDir; }) //
+
(optionalSet (cfg.driver == "mongodb" || cfg.driver == "redis") {
+
dbpass = cfg.dbPassword;
+
(optionalSet (cfg.driver == "memcached") {
+
}) // cfg.driverParams;
+
hostname = cfg.hostname;
+
ownerURL = cfg.ownerURL;
+
spamhost = cfg.spamHost;
+
spamclientid = cfg.spamClientId;
+
spamclientsecret = cfg.spamClientSecret;
+
requireEmail = cfg.requireEmail;
+
smtpserver = cfg.smtpHost;
+
smtpport = cfg.smtpPort;
+
smtpuser = cfg.smtpUser;
+
smtppass = cfg.smtpPassword;
+
smtpusessl = cfg.smtpUseSSL;
+
smtpfrom = cfg.smtpFrom;
+
enableUploads = cfg.enableUploads;
+
firehose = cfg.firehose;
+
disableRegistration = cfg.disableRegistration;
+
inherit (cfg) secretFile dbPasswordFile smtpPasswordFile spamClientSecretFile;
+
(optionalSet (cfg.port < 1024) {
+
serverUser = user; # have pump.io listen then drop privileges
···
enable = mkEnableOption "Pump.io social streams server";
+
type = types.nullOr types.str;
example = "my dog has fleas";
A session-generating secret, server-wide password. Warning:
···
+
secretFile = mkOption {
+
type = types.nullOr types.path;
+
example = "/run/keys/pump.io-secret";
+
A file containing the session-generating secret,
example = "Awesome Sauce";
···
type = types.nullOr types.str;
The hostname of the server, used for generating
URLs. Defaults to "localhost" which doesn't do much for you.
···
+
dbPasswordFile = mkOption {
+
type = types.nullOr types.path;
+
example = "/run/keys/pump.io-dbpassword";
+
A file containing the password corresponding to dbUser.
type = types.nullOr types.str;
···
cleartext in the Nix store!
+
smtpPasswordFile = mkOption {
+
type = types.nullOr types.path;
+
example = "/run/keys/pump.io-smtppassword";
+
A file containing the password used to connect to SMTP
+
server. Might not be necessary for some servers.
···
stored in cleartext in the Nix store!
+
spamClientSecretFile = mkOption {
+
type = types.nullOr types.path;
+
example = "/run/keys/pump.io-spamclientsecret";
+
A file containing the OAuth key for the spam server.
config = mkIf cfg.enable {
+
warnings = let warn = k: optional (cfg.${k} != null)
+
"config.services.pumpio.${k} is insecure. Use ${k}File instead.";
+
in concatMap warn [ "secret" "dbPassword" "smtpPassword" "spamClientSecret" ];
+
{ assertion = !(isNull cfg.secret && isNull cfg.secretFile);
+
message = "pump.io needs a secretFile configured";
systemd.services."pump.io" =
+
{ description = "Pump.io - stream server that does most of what people really want from a social network";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
mkdir -p ${dataDir}/uploads
+
chown pumpio:pumpio ${dataDir}/uploads ${runDir}
+
chmod 770 ${dataDir}/uploads ${runDir}
+
${pkgs.nodejs}/bin/node ${configScript} <<EOF
+
${builtins.toJSON configOptions}
+
chgrp pumpio ${configOptions.outputFile}
+
chmod 640 ${configOptions.outputFile}
+
ExecStart = "${pkgs.pumpio}/bin/pump -c ${configOptions.outputFile}";
+
PermissionsStartOnly = true;
+
User = if cfg.port < 1024 then "root" else user;
+
environment = { NODE_ENV = "production"; };
users.extraGroups.pumpio.gid = config.ids.gids.pumpio;
pyrox.dev