Tranquil setup

Ben C d35299fe aaa67419

+139
+139
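--- a/nixosModules/tranquil.nix
+++ b/nixosModules/tranquil.nix
@@ -0,0 +1,139 @@
+{inputs, ...}: {
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  options.cow.cocoon = {
+    enable = lib.mkEnableOption "Cocoon PDS with postgresql";
+    port = lib.mkOption {
+      type = lib.types.port;
+      description = "Port to bind to";
+      default = 3000;
+    };
+    userName = lib.mkOption {
+      type = lib.types.str;
+      description = "User name to create and use for the service. ALSO used as the database name!";
+      default = "cocoon";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      description = "Runtime path to store data at";
+      default = "/var/lib/cocoon";
+    };
+    secretsDir = {
+      type = lib.types.str;
+      description = ''
+        Runtime path with secret keys in files. Files map to env vars as follows:
+
+        - jwt.key -> JWT_SECRET
+        - dpop.key -> DPOP_SECRET
+        - master.key -> MASTER_KEY
+
+        This will not implicitly persist this directory
+      '';
+      example = "/var/lib/cocoon/keys";
+    };
+    metadata.email = lib.mkOption {
+      type = lib.types.str;
+      description = "Contact email for this PDS' administrator";
+    };
+    ageAssuranceOverride = lib.mkEnableOption "override age assurance on the app view";
+    acceptRepoImports = lib.mkEnableOption "accepting repository imports";
+    inviteCodeRequired = lib.mkEnableOption "requiring invite codes to register";
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "Public facing hostname for the server";
+    };
+  };
+
+  config = let
+    conf = config.cow.cocoon;
+  in
+    lib.mkIf conf.enable {
+      cow.imperm.keep = [config.services.postgresql.dataDir conf.dataDir];
+
+      users.users.${conf.userName} = {
+        isSystemUser = true;
+        useDefaultShell = true;
+        home = conf.dataDir;
+        createHome = true;
+        group = conf.userName;
+      };
+
+      users.groups.${conf.userName} = {};
+
+      services.postgresql = {
+        enable = true;
+        ensureDatabases = [conf.userName];
+        ensureUsers.${conf.userName} = {
+          name = conf.userName;
+          ensureDBOwnsership = true;
+        };
+      };
+
+      systemd.services.cocoon = let
+        blobPath = "${conf.dataDir}/blobs";
+        backupPath = "${conf.dataDir}/backups";
+        dbUrl = "postgres:///${conf.userName}?host=/var/run/postgresql";
+      in {
+        description = "Tranquil PDS";
+        after = ["network.target"];
+        wantedBy = ["multi-user.target"];
+        enableStrictShellChecks = true;
+
+        preStart = ''
+          mkdir -p "${conf.dataDir}" "${blobPath}" "${backupPath}"
+          echo "Running Migrations..."
+          ${lib.getExe pkgs.sqlx-cli} migrate run --source "${inputs.cocoon.outPath}/migrations" -D ${dbUrl}
+          echo "Complete."
+          chown -R ${conf.userName}:${conf.userName} "${conf.dataDir}"
+        '';
+
+        script = ''
+          JWT_SECRET=$(cat $CREDENTIALS_DIRECTORY/jtw.key) \
+          DPOP_SECRET=$(cat $CREDENTIALS_DIRECTORY/dpop.key) \
+          MASTER_KEY=$(cat $CREDENTIALS_DIRECTORY/master.key) \
+          ${lib.getExe pkgs.cocoon}
+        '';
+
+        serviceConfig = {
+          User = conf.userName;
+          PermissionsStartOnly = true;
+          WorkingDirectory = conf.dataDir;
+          Restart = "always";
+          RestartSec = "5s";
+          ProtectSystem = true;
+          ProtectHome = true;
+          PrivateTmp = true;
+          ReadWritePaths = conf.dataDir;
+          LoadCredential = builtins.map (v: "${v}:${conf.secretsDir}/${v}.key") [
+            "jwt"
+            "dpop"
+            "master"
+          ];
+          Environment = let
+            boolToEnv = b:
+              if b
+              then "1"
+              else "0";
+          in
+            lib.mapAttrsToList (k: v: "${k}=${v}") {
+              SERVER_HOST = "127.0.0.1";
+              SERVER_PORT = builtins.toString conf.port;
+
+              PDS_HOSTNAME = conf.hostname;
+              DATABASE_URL = dbUrl;
+
+              BLOB_STORAGE_PATH = blobPath;
+              BACKUP_STORAGE_PATH = backupPath;
+
+              ACCEPTING_REPO_IMPORTS = boolToEnv conf.acceptRepoImports;
+              INVITE_CODE_REQUIRED = boolToEnv conf.inviteCodeRequired;
+              CONTACT_EMAIL = conf.metadata.email;
+
+              PDS_AGE_ASSURANCE_OVERRIDE = boolToEnv conf.ageAssuranceOverride;
+            };
+        };
+      };
+    };
+}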
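Review bot: The `script` block reads the secrets from paths that do not match what `LoadCredential` provides: the credential IDs are `jwt`, `dpop` and `master` (so systemd exposes `$CREDENTIALS_DIRECTORY/jwt` etc.), but the script reads `jtw.key`, `dpop.key` and `master.key`, and because each `cat` runs inside a command substitution on an assignment prefix, its failure does not abort the script, so the PDS would start with empty `JWT_SECRET`, `DPOP_SECRET` and `MASTER_KEY`. I would read each credential into a variable on its own line, quote `$CREDENTIALS_DIRECTORY` (which `enableStrictShellChecks` should also flag), and `exec` the binary. Separately, `secretsDir` is declared as a bare attribute set rather than `lib.mkOption { ... }`, and `ensureUsers` is given as an attribute set with the misspelled `ensureDBOwnsership`; I believe NixOS expects `ensureUsers = [ { name = conf.userName; ensureDBOwnership = true; } ]`, which is worth confirming against the postgresql module. The `chown -R` in `preStart` runs as root over a directory the service user writes to, so consider `chown` without `-R` or limiting it to the freshly created subdirectories.
```nix
        script = ''
          JWT_SECRET=$(cat "$CREDENTIALS_DIRECTORY/jwt")
          DPOP_SECRET=$(cat "$CREDENTIALS_DIRECTORY/dpop")
          MASTER_KEY=$(cat "$CREDENTIALS_DIRECTORY/master")
          export JWT_SECRET DPOP_SECRET MASTER_KEY
          exec ${lib.getExe pkgs.cocoon}
        '';
```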