move pleroma to SP module

2023-12-03 03:26:29 +04:00
parent b458458c30
commit c7419b3255
11 changed files with 135 additions and 90 deletions
--- a/sp-modules/pleroma/cleanup-module.nix
+++ b/sp-modules/pleroma/cleanup-module.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+let
+  inherit (import ./common.nix config) secrets-exs sp;
+in
+# FIXME do we really want to delete passwords on module deactivation!?
+{
+  config = lib.mkIf (!sp.modules.pleroma.enable) {
+    system.activationScripts.pleroma =
+      lib.trivial.warn
+        (
+          "pleroma service is disabled, ${secrets-exs} will be removed!"
+        )
+        ''
+          rm -f -v ${secrets-exs}
+        '';
+  };
+}
--- a/sp-modules/pleroma/common.nix
+++ b/sp-modules/pleroma/common.nix
@@ -0,0 +1,5 @@
+config:
+{
+  sp = config.selfprivacy;
+  secrets-exs = "/var/lib/pleroma/secrets.exs";
+}
--- a/sp-modules/pleroma/config-paths-needed.json
+++ b/sp-modules/pleroma/config-paths-needed.json
@@ -0,0 +1,6 @@
+[
+  [ "selfprivacy", "domain" ],
+  [ "selfprivacy", "username" ],
+  [ "selfprivacy", "useBinds" ],
+  [ "selfprivacy", "modules", "pleroma" ]
+]
--- a/sp-modules/pleroma/config.exs.in
+++ b/sp-modules/pleroma/config.exs.in
@@ -0,0 +1,43 @@
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+   url: [host: "social.$DOMAIN", scheme: "https", port: 443],
+   http: [ip: {127, 0, 0, 1}, port: 4000]
+   #secret_key_base: "",
+   #signing_salt: ""
+
+config :pleroma, :instance,
+  name: "social.$DOMAIN",
+  email: "$LUSER@$DOMAIN",
+  notify_email: "$LUSER@$DOMAIN",
+  limit: 5000,
+  upload_limit: 1073741824,
+  registrations_open: true
+
+config :pleroma, :media_proxy,
+  enabled: false,
+  redirect_on_failure: true
+  #base_url: "https://cache.pleroma.social"
+
+config :pleroma, Pleroma.Repo,
+  adapter: Ecto.Adapters.Postgres,
+  username: "pleroma",
+  database: "pleroma",
+  socket_dir: "/run/postgresql",
+  pool_size: 10
+
+#config :web_push_encryption, :vapid_details,
+  #subject: "",
+  #public_key: "",
+  #private_key: ""
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+config :pleroma, :http_security,
+  sts: true
+
+#config :joken, default_signer: ""
+
+config :pleroma, configurable_from_database: true
--- a/sp-modules/pleroma/flake.nix
+++ b/sp-modules/pleroma/flake.nix
@@ -0,0 +1,9 @@
+{
+  description = "PoC SP module for Pleroma lightweight fediverse server";
+
+  outputs = { self }: {
+    nixosModules.default = import ./module.nix;
+    configPathsNeeded =
+      builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+  };
+}
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+let
+  secrets-filepath = "/etc/selfprivacy/secrets.json";
+  inherit (import ./common.nix config) secrets-exs sp;
+in
+{
+  options.selfprivacy.modules.pleroma = {
+    enable = lib.mkOption {
+      default = false;
+      type = with lib; types.nullOr types.bool;
+    };
+    location = lib.mkOption {
+      default = "sda1";
+      type = with lib; types.nullOr types.str;
+    };
+  };
+  config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
+    fileSystems = lib.mkIf sp.useBinds {
+      "/var/lib/pleroma" = {
+        device = "/volumes/${sp.modules.pleroma.location}/pleroma";
+        options = [ "bind" ];
+      };
+      "/var/lib/postgresql" = {
+        device = "/volumes/${sp.modules.pleroma.location}/postgresql";
+        options = [ "bind" ];
+      };
+    };
+    services = {
+      pleroma = {
+        enable = true;
+        user = "pleroma";
+        group = "pleroma";
+        configs = [
+          (builtins.replaceStrings
+            [ "$DOMAIN" "$LUSER" ]
+            [ sp.domain sp.username ]
+            (builtins.readFile ./config.exs.in))
+        ];
+      };
+      postgresql = {
+        enable = true;
+        package = pkgs.postgresql_12;
+        initialScript = "/etc/setup.psql";
+        ensureDatabases = [
+          "pleroma"
+        ];
+        ensureUsers = [
+          {
+            name = "pleroma";
+            ensurePermissions = {
+              "DATABASE pleroma" = "ALL PRIVILEGES";
+            };
+          }
+        ];
+      };
+    };
+    systemd.services.pleroma-secrets = {
+      before = [ "pleroma.service" ];
+      requiredBy = [ "pleroma.service" ];
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [ coreutils jq ];
+      script = ''
+        set -o nounset
+        password=$(jq -r '.databasePassword' ${secrets-filepath})
+        filecontents=$(cat <<- EOF
+        import Config
+        config :pleroma, Pleroma.Repo,
+          password: "$password"
+        EOF
+        )
+
+        install -m 0750 -o pleroma -g pleroma -DT \
+        <(printf "%s" "$filecontents") ${secrets-exs}
+      '';
+    };
+    systemd.tmpfiles.rules = [
+      "d /var/lib/pleroma 0700 pleroma pleroma - -"
+      "f ${secrets-exs} 0755 pleroma pleroma - -"
+    ];
+    environment.etc."setup.psql".text = ''
+      CREATE USER pleroma;
+      CREATE DATABASE pleroma OWNER pleroma;
+      \c pleroma;
+      --Extensions made by ecto.migrate that need superuser access
+      CREATE EXTENSION IF NOT EXISTS citext;
+      CREATE EXTENSION IF NOT EXISTS pg_trgm;
+      CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+    '';
+    users.users.pleroma = {
+      extraGroups = [ "postgres" ];
+      isNormalUser = false;
+      isSystemUser = true;
+      group = "pleroma";
+    };
+    # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
+    systemd.services.pleroma.path = [ pkgs.util-linux ];
+  };
+}