selfprivacy-nixos-config/sp-modules/pleroma/module.nix
2024-07-30 19:19:06 +03:00

142 lines
4.2 KiB
Nix

{ config, lib, pkgs, ... }:
let
secrets-filepath = "/etc/selfprivacy/secrets.json";
cfg = config.selfprivacy.modules.pleroma;
inherit (import ./common.nix config) secrets-exs sp;
in
{
options.selfprivacy.modules.pleroma = {
enable = lib.mkOption {
default = false;
type = lib.types.bool;
};
location = lib.mkOption {
type = lib.types.str;
};
subdomain = lib.mkOption {
default = "social";
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
};
};
config = lib.mkIf cfg.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/pleroma" = {
device = "/volumes/${cfg.location}/pleroma";
options = [
"bind"
"x-systemd.required-by=pleroma-secrets.service"
"x-systemd.required-by=pleroma.service"
"x-systemd.before=pleroma.service"
"x-systemd.before=pleroma-secrets.service"
];
};
"/var/lib/postgresql" = {
device = "/volumes/${cfg.location}/postgresql";
options = [
"bind"
"x-systemd.required-by=pleroma-secrets.service"
"x-systemd.required-by=pleroma.service"
"x-systemd.before=pleroma-secrets.service"
"x-systemd.before=pleroma.service"
];
};
};
services = {
pleroma = {
enable = true;
user = "pleroma";
group = "pleroma";
configs = [
(builtins.replaceStrings
[ "$DOMAIN" "$LUSER" ]
[ sp.domain sp.username ]
(builtins.readFile ./config.exs.in))
];
};
postgresql = {
enable = true;
package = pkgs.postgresql_12;
initialScript = "/etc/setup.psql";
ensureDatabases = [
"pleroma"
];
ensureUsers = [
{
name = "pleroma";
ensureDBOwnership = true;
}
];
};
};
environment.etc."setup.psql".text = ''
CREATE USER pleroma;
CREATE DATABASE pleroma OWNER pleroma;
\c pleroma;
--Extensions made by ecto.migrate that need superuser access
CREATE EXTENSION IF NOT EXISTS citext;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
'';
users.users.pleroma = {
extraGroups = [ "postgres" ];
isNormalUser = false;
isSystemUser = true;
group = "pleroma";
};
systemd = {
services = {
pleroma-secrets = {
before = [ "pleroma.service" ];
requiredBy = [ "pleroma.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
password="$(jq -re '.databasePassword' ${secrets-filepath})"
filecontents=$(cat <<- EOF
import Config
config :pleroma, Pleroma.Repo,
password: "$password"
EOF
)
install -C -m 0700 -o pleroma -g pleroma -d /var/lib/pleroma
install -C -m 0600 -o pleroma -g pleroma -DT \
<(printf "%s" "$filecontents") ${secrets-exs}
'';
};
pleroma = {
# seems to be an upstream nixpkgs/nixos bug (missing hexdump)
path = [ pkgs.util-linux ];
serviceConfig.Slice = "pleroma.slice";
};
};
slices.pleroma = {
description = "Pleroma service slice";
};
};
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
useACMEHost = sp.domain;
root = "/var/www/${cfg.subdomain}.${sp.domain}";
forceSSL = true;
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
'';
locations = {
"/" = {
proxyPass = "http://127.0.0.1:4000";
};
};
};
};
}