From a22c1eb606276a0fe45855fa210490fee74ce2ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?=
Date: Sat, 26 Sep 2020 13:34:22 +0200
Subject: [PATCH] nixos/pleroma: add pleroma NixOS module

This module is not trying to configure either postgresql nor nginx. It's is a design decision, not an omission. A webserver setup can be highly complex. The idea is trying not to be smarter than the user, providing him with a simple tool. They are smart enough to figure the interaction between the various component by themselves! The module has one and only job: setting up a pleroma service.
---
 modules/pleroma.nix | 88 +++++++++++++++++++++++++++++++++++++++++++++
 readme.md | 2 +-
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 modules/pleroma.nix

diff --git a/modules/pleroma.nix b/modules/pleroma.nix
new file mode 100644
index 0000000..43c328d
--- /dev/null
+++ b/modules/pleroma.nix
@@ -0,0 +1,88 @@
+{ config, lib, pkgs, stdenv }:
+let
+ cfg = config.services.pleroma;
+in {
+ options = {
+ services.pleroma = with lib; {
+ enable = mkEnableOption "pleroma";
+
+ package = mkOption {
+ type = types.package;
+ default = import ../default.nix { inherit pkgs stdenv; };
+ description = "Pleroma package to use.";
+ };
+
+ runMigrationOnStartup = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Run the database migrations on the Pleroma service startup.";
+ };
+
+ dataDir = mkOption {
+ type = types.str;
+ default = "/var/lib/pleroma";
+ description = "Directory storing Pleroma's data.";
+ };
+
+ confDir = mkOption {
+ type = types.str;
+ default = "/etc/pleroma";
+ description = "Directory storing Pleroma's configuration.";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "pleroma";
+ description = "User account under which pleroma runs.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "pleroma";
+ description = "Group account under which pleroma runs.";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users."${cfg.user}" = {
+ description = "Pleroma user";
+ createHome = true;
+ home = cfg.dataDir;
+ extraGroups = [ cfg.group ];
+ };
+ groups = {
+ pleroma = {};
+ };
+ };
+
+ systemd.services.pleroma = {
+ description = "Pleroma social network";
+ after = [ "network-online.target" "postgresql.service" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ MIX_ENV = "prod";
+ };
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ Type = "forking";
+ WorkingDirectory = cfg.dataDir;
+ ExecStart = "${cfg.package}/bin/pleroma start";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+ # Systemd sandboxing directives.
+ # Taken from the upstream contrib systemd service at
+ # pleroma/installation/pleroma.service
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectSystem = "full";
+ PrivateDevices = false;
+ NoNewPrivileges = true;
+ CapabilityBoundingSet = "~CAP_SYS_ADMIN";
+ };
+ };
+
+ };
+}
diff --git a/readme.md b/readme.md
index a9f5ca5..ab0cc9b 100644
--- a/readme.md
+++ b/readme.md
@@ -2,7 +2,7 @@
 ## TODO
-- Add NixOS module.
+- Add nginx config in NixOS module.
 ## Minor Annoyances
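Review bot: `users.groups` creates a fixed `pleroma` group while `serviceConfig.Group = cfg.group` and `extraGroups = [ cfg.group ]` use the option, so any non-default `services.pleroma.group` names a group that is never created and the unit cannot start; use `groups."${cfg.group}" = {};` and give the account that primary group with `group = cfg.group;` rather than `extraGroups`. `confDir` and `runMigrationOnStartup` are declared with descriptions but `cfg.confDir` and `cfg.runMigrationOnStartup` are referenced nowhere in `config`, so setting them changes nothing: the unit never runs migrations and passes no configuration location to the service, which should either be wired in (for example an `ExecStartPre` migration step guarded by `cfg.runMigrationOnStartup`) or dropped until they do something. `after = [ "network-online.target" ]` only orders the unit against that target and does not pull it in, so add `wants = [ "network-online.target" ];` if the intent is to wait for the network. The hunk is the whole new file, so no part of the module lies outside it.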