From 796e641d97b4948e393f94fa70e94ee4eb3d8c70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Sat, 26 Sep 2020 13:34:22 +0200
Subject: [PATCH] nixos/pleroma: add pleroma NixOS module

This module is not trying to configure either postgresql nor nginx. It's is a design decision, not an omission. A webserver setup can be highly complex. The idea is trying not to be smarter than the user, providing them with a simple tool. They are smart enough to figure the interaction between the various component by themselves! The module has one and only job: setting up a pleroma service.
---
 modules/pleroma.nix | 88 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 modules/pleroma.nix

diff --git a/modules/pleroma.nix b/modules/pleroma.nix
new file mode 100644
index 0000000..7cb6f2e
--- /dev/null
+++ b/modules/pleroma.nix
@@ -0,0 +1,88 @@
+{ config, options, lib, pkgs, stdenv, ... }:
+let
+ cfg = config.services.pleroma;
+in {
+ options = {
+ services.pleroma = with lib; {
+ enable = mkEnableOption "pleroma";
+
+ package = mkOption {
+ type = types.package;
+ default = import ../default.nix { inherit pkgs; };
+ description = "Pleroma package to use.";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "pleroma";
+ description = "User account under which pleroma runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "pleroma";
+ description = "Group account under which pleroma runs.";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users."${cfg.user}" = {
+ description = "Pleroma user";
+ home = "/var/lib/pleroma";
+ extraGroups = [ cfg.group ];
+ };
+ groups."${cfg.group}" = {};
+ };
+
+ environment.systemPackages = [ cfg.package ];
+
+ systemd.services.pleroma = {
+ description = "Pleroma social network";
+ after = [ "network-online.target" "postgresql.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ Type = "forking";
+ WorkingDirectory = "~";
+ StateDirectory = "pleroma pleroma/static pleroma/uploads";
+ StateDirectoryMode = "700";
+
+ # Checking the conf file is there then running the database
+ # migration before each service start, just in case there are
+ # some pending ones.
+ #
+ # It's sub-optimal as we'll always run this, even if pleroma
+ # has not been updated. But the no-op process is pretty fast.
+ # Better be safe than sorry migration-wise.
+ ExecStartPre =
+ let preScript = pkgs.writers.writeBashBin "pleromaStartPre" ''
+ if [ ! -f "/etc/pleroma/config.exs" ]; then
+ echo "ERROR: Missing pleroma config file at /etc/pleroma/config.exs"
+ echo "Did you read https://git.alternativebit.fr/NinjaTrappeur/pleroma-otp-nixos/src/branch/master/readme.md#user-content-pleroma-configuration-management ?"
+ exit 1
+ fi
+ ${cfg.package}/bin/pleroma_ctl migrate'';
+ in "${preScript}/bin/pleromaStartPre";
+
+ ExecStart = "${cfg.package}/bin/pleroma daemon";
+ ExecStop = "${cfg.package}/bin/pleroma stop";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+ # Systemd sandboxing directives.
+ # Taken from the upstream contrib systemd service at
+ # pleroma/installation/pleroma.service
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectSystem = "full";
+ PrivateDevices = false;
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = "~CAP_SYS_ADMIN";
+ };
+ };
+
+ };
+ meta.maintainers = with lib.maintainers; [ ninjatrappeur ];
+}
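Review bot: The pre-start check only tests that `/etc/pleroma/config.exs` exists (`[ ! -f ... ]`), but the script runs as `cfg.user` (there is no `+` prefix on `ExecStartPre`), so a root-owned mode-0600 config — the sensible way to keep the database password and signing secret this file presumably holds away from other local users — passes the check and then fails inside pleroma with a less useful error; test readability instead, `if [ ! -r "/etc/pleroma/config.exs" ]; then`, and word the message "Missing or unreadable pleroma config file at /etc/pleroma/config.exs". The sandboxing directives are weaker than they look: `CapabilityBoundingSet = "~CAP_SYS_ADMIN"` drops a single capability and keeps every other one in the bounding set, while the unit already runs as an unprivileged user with `NoNewPrivileges = true`, so `CapabilityBoundingSet = "";` costs nothing and is strictly tighter; `ProtectSystem = "strict"` should also work because all writable state goes through `StateDirectory`, though the upstream reason for `full` and for the explicit `PrivateDevices = false` is worth confirming before changing them. `after = [ "network-online.target" "postgresql.service" ]` orders the unit but pulls neither dependency in, so on a host where nothing else wants `network-online.target` the ordering is a no-op; add `wants = [ "network-online.target" ];` next to it. Finally, the user definition sets `extraGroups = [ cfg.group ]` but no primary `group` (and no `isSystemUser`, which recent NixOS releases appear to require for system accounts), while the unit runs with `Group = cfg.group`; `group = cfg.group; isSystemUser = true;` would make the account and the unit agree.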