An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.


feat(MM-135): add NixOS module nix/module.nix

authored by

Malpercio and committed by
Tangled
0385ffa4 85bacbd7

+111
+111
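--- a/nix/module.nix
+++ b/nix/module.nix
@@ -0,0 +1,111 @@
+{ lib, pkgs, config, ... }:
+
+let
+cfg = config.services.ezpds;
+
+# Build the TOML attrset, omitting database_url when null.
+# When null, the relay binary derives the database path from data_dir.
+settingsToml = lib.filterAttrs (_: v: v != null) {
+inherit (cfg.settings) bind_address port data_dir public_url database_url;
+};
+
+generatedConfigFile = (pkgs.formats.toml { }).generate "relay.toml" settingsToml;
+
+# When configFile is set, bypass the Nix-store-generated TOML entirely.
+# This is the escape hatch for secret injection via agenix or sops-nix.
+activeConfigFile =
+if cfg.configFile != null then cfg.configFile else generatedConfigFile;
+
+in
+{
+options.services.ezpds = {
+enable = lib.mkEnableOption "ezpds relay server";
+
+package = lib.mkOption {
+type = lib.types.package;
+description = "The ezpds relay package to use.";
+};
+
+configFile = lib.mkOption {
+type = lib.types.nullOr lib.types.str;
+default = null;
+description = ''
+Path to a relay.toml configuration file.
+When set, all settings.* options are ignored and this path is
+passed directly to --config. Use with agenix or sops-nix to
+keep secrets outside the world-readable Nix store.
+'';
+};
+
+settings = {
+bind_address = lib.mkOption {
+type = lib.types.str;
+default = "0.0.0.0";
+description = "IP address to bind the relay HTTP server to.";
+};
+
+port = lib.mkOption {
+type = lib.types.port;
+default = 8080;
+description = "TCP port to bind the relay HTTP server to.";
+};
+
+data_dir = lib.mkOption {
+type = lib.types.str;
+default = "/var/lib/ezpds";
+description = ''
+Path to the relay data directory. Must be writable by the ezpds user.
+Uses lib.types.str (not lib.types.path) to preserve the value as a
+literal string and avoid Nix store coercion of runtime paths.
+'';
+};
+
+public_url = lib.mkOption {
+type = lib.types.str;
+description = ''
+Public URL where this relay is reachable (e.g. https://relay.example.com).
+Required — Nix evaluation fails if this option is not set.
+'';
+};
+
+database_url = lib.mkOption {
+type = lib.types.nullOr lib.types.str;
+default = null;
+description = ''
+SQLite database URL. When null (the default), the relay derives
+the database path from data_dir. Omitted from the generated
+relay.toml when null.
+'';
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+users.users.ezpds = {
+isSystemUser = true;
+group = "ezpds";
+description = "ezpds relay service user";
+};
+
+users.groups.ezpds = { };
+
+systemd.services.ezpds = {
+description = "ezpds relay server";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+
+serviceConfig = {
+User = "ezpds";
+Group = "ezpds";
+ExecStart = "${cfg.package}/bin/relay --config ${activeConfigFile}";
+StateDirectory = "ezpds";
+StateDirectoryMode = "0750";
+Restart = "on-failure";
+PrivateTmp = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+NoNewPrivileges = true;
+};
+};
+};
+}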
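Review bot: `ProtectSystem = "strict"` (file line 105) makes the whole filesystem read-only except what `StateDirectory = "ezpds"` (line 101) mounts, so any `settings.data_dir` other than the default `/var/lib/ezpds` (line 55) leaves the relay unable to write its data directory even though the option's description (line 57) only promises it must be "writable by the ezpds user"; add `ReadWritePaths = [ cfg.settings.data_dir ];` to `serviceConfig`, or state in the description that the path must stay under the state directory. Presumably a `database_url` pointing outside that directory hits the same restriction, which is worth a sentence in its description too. Separately, `ExecStart` (line 100) splices `activeConfigFile` into the command line unquoted, so a `configFile` path containing whitespace is split into several arguments; `--config ${lib.escapeShellArg activeConfigFile}` keeps it a single argument. The hardening set is a reasonable start and could later be extended with `ProtectKernelTunables`, `ProtectControlGroups` and `RestrictAddressFamilies`, but that is optional for this commit.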