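{ config, lib, pkgs, ... }:

with lib;

let
  # Deterministic per-instance database password, derived from the instance
  # build seed so a rebuild yields the same value (and hence the same grants).
  lemmyDbPasswd = pkgs.lib.passwd.stablerandom-passwd-file "lemmy-server-passwd"
    "lemmy-server-${config.instance.build-seed}";

  cfg = config.fudo.services.lemmy;

  hostname = config.instance.hostname;

  domainName = config.fudo.hosts."${hostname}".domain;

  postgresqlServer = config.fudo.domains."${domainName}".postgresql-server;
  postgresqlFqdn = pkgs.lib.getHostFqdn postgresqlServer;

  # The DB role, grants and the postgres-side password file are only managed
  # on the host that actually runs the postgres server.
  isPostgresServer = hostname == postgresqlServer;

  hostSecrets = config.fudo.secrets.host-secrets."${hostname}";

  # fileContents strips a trailing newline; readFile would carry it into the
  # middle of the connection URL if the generator ever writes one.
  dbPassword = fileContents lemmyDbPasswd;

in {
  options.fudo.services.lemmy = with types; {
    enable = mkEnableOption "Enable lemmy server.";

    hostname = mkOption {
      type = str;
      description = "Hostname at which this server will be reachable.";
    };

    port = mkOption {
      type = port;
      description = "Port on which to listen for requests";
      default = 8536;
    };

    listen-ip = mkOption {
      type = str;
      description = "IP on which to listen for incoming requests.";
      default = "0.0.0.0";
    };
  };

  config = mkIf cfg.enable {
    fudo = {
      secrets.host-secrets."${hostname}" = {
        dbLemmyPasswd = mkIf isPostgresServer {
          source-file = lemmyDbPasswd;
          target-file = "/run/postgres/lemmy.passwd";
          user = config.systemd.services.postgresql.serviceConfig.User;
        };

        # NOTE(review): the password is read at evaluation time into a
        # writeText derivation, i.e. into the world-readable Nix store; the
        # host-secrets copy only protects the runtime file at target-file.
        # Whether this is a *new* exposure depends on where
        # stablerandom-passwd-file places its output -- confirm.  The value is
        # also interpolated without URL-escaping: if the generator can emit
        # reserved characters (@ : / ? #) the URL below breaks.
        lemmyEnv = {
          source-file = pkgs.writeText "lemmy.env" ''
            LEMMY_DATABASE_URL=postgres://lemmy:${dbPassword}@${postgresqlFqdn}:5432/lemmy
          '';
          target-file = "/run/lemmy/env";
        };
      };

      postgresql = mkIf isPostgresServer {
        # NOTE(review): this grants every instance local admin access to the
        # lemmy database in addition to the service role; confirm that is
        # intended rather than inherited from a template.
        databases.lemmy.users = config.instance.local-admins;
        users.lemmy = {
          password-file = hostSecrets.dbLemmyPasswd.target-file;
          databases.lemmy = {
            access = "CONNECT";
            entity-access = {
              "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
              "ALL SEQUENCES IN SCHEMA public" = "ALL PRIVILEGES";
            };
          };
        };
      };
    };

    systemd.services.lemmy = {
      # The env file is produced by the host-secrets unit; hard-order after it
      # so LoadCredential never races the secret being written.
      requires = [ "fudo-secret-lemmyEnv.service" ];
      after = [ "fudo-secret-lemmyEnv.service" ];
      # Drop whatever URL the upstream lemmy module sets in the unit
      # environment; the real one carries the password and is delivered
      # through the credentials directory instead.
      environment.LEMMY_DATABASE_URL = mkForce null;
      serviceConfig = {
        LoadCredential = [ "env:${hostSecrets.lemmyEnv.target-file}" ];
        # EnvironmentFile= takes a path with systemd specifiers, not shell
        # variables: "%d" expands to the unit's credentials directory, while
        # "$$CREDENTIALS_DIRECTORY/env" is taken literally (and is not even an
        # absolute path), so the secret would never be loaded.
        EnvironmentFile = "%d/env";
      };
    };

    services.lemmy = {
      enable = true;
      settings = {
        hostname = cfg.hostname;
        federation.enabled = true;
        captcha.enabled = true;
        database = {
          user = "lemmy";
          host = postgresqlFqdn;
          database = "lemmy";
          # NOTE(review): the upstream module renders settings into a config
          # file in the Nix store, so the password is readable there as well.
          # LEMMY_DATABASE_URL above already carries it -- confirm whether this
          # entry is still needed and drop it if not.
          password = dbPassword;
        };
        bind = cfg.listen-ip;
        port = cfg.port;
      };
    };

    # Lemmy serves HTTP over TCP only; nothing in this module listens on UDP,
    # so only the TCP port is opened.
    networking.firewall.allowedTCPPorts = [ cfg.port ];
  };
}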