move pleroma to SP module

2023-12-03 03:26:29 +04:00
parent b458458c30
commit c7419b3255
11 changed files with 135 additions and 90 deletions
--- a/sp-modules/pleroma/module.nix
+++ b/sp-modules/pleroma/module.nix
@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+let
+  secrets-filepath = "/etc/selfprivacy/secrets.json";
+  inherit (import ./common.nix config) secrets-exs sp;
+in
+{
+  options.selfprivacy.modules.pleroma = {
+    enable = lib.mkOption {
+      default = false;
+      type = with lib; types.nullOr types.bool;
+    };
+    location = lib.mkOption {
+      default = "sda1";
+      type = with lib; types.nullOr types.str;
+    };
+  };
+  config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
+    fileSystems = lib.mkIf sp.useBinds {
+      "/var/lib/pleroma" = {
+        device = "/volumes/${sp.modules.pleroma.location}/pleroma";
+        options = [ "bind" ];
+      };
+      "/var/lib/postgresql" = {
+        device = "/volumes/${sp.modules.pleroma.location}/postgresql";
+        options = [ "bind" ];
+      };
+    };
+    services = {
+      pleroma = {
+        enable = true;
+        user = "pleroma";
+        group = "pleroma";
+        configs = [
+          (builtins.replaceStrings
+            [ "$DOMAIN" "$LUSER" ]
+            [ sp.domain sp.username ]
+            (builtins.readFile ./config.exs.in))
+        ];
+      };
+      postgresql = {
+        enable = true;
+        package = pkgs.postgresql_12;
+        initialScript = "/etc/setup.psql";
+        ensureDatabases = [
+          "pleroma"
+        ];
+        ensureUsers = [
+          {
+            name = "pleroma";
+            ensurePermissions = {
+              "DATABASE pleroma" = "ALL PRIVILEGES";
+            };
+          }
+        ];
+      };
+    };
+    systemd.services.pleroma-secrets = {
+      before = [ "pleroma.service" ];
+      requiredBy = [ "pleroma.service" ];
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [ coreutils jq ];
+      script = ''
+        set -o nounset
+        password=$(jq -r '.databasePassword' ${secrets-filepath})
+        filecontents=$(cat <<- EOF
+        import Config
+        config :pleroma, Pleroma.Repo,
+          password: "$password"
+        EOF
+        )
+
+        install -m 0750 -o pleroma -g pleroma -DT \
+        <(printf "%s" "$filecontents") ${secrets-exs}
+      '';
+    };
+    systemd.tmpfiles.rules = [
+      "d /var/lib/pleroma 0700 pleroma pleroma - -"
+      "f ${secrets-exs} 0755 pleroma pleroma - -"
+    ];
+    environment.etc."setup.psql".text = ''
+      CREATE USER pleroma;
+      CREATE DATABASE pleroma OWNER pleroma;
+      \c pleroma;
+      --Extensions made by ecto.migrate that need superuser access
+      CREATE EXTENSION IF NOT EXISTS citext;
+      CREATE EXTENSION IF NOT EXISTS pg_trgm;
+      CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+    '';
+    users.users.pleroma = {
+      extraGroups = [ "postgres" ];
+      isNormalUser = false;
+      isSystemUser = true;
+      group = "pleroma";
+    };
+    # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
+    systemd.services.pleroma.path = [ pkgs.util-linux ];
+  };
+}