lemmy-container/lemmy-container.nix

{ config, lib, pkgs, ... }@toplevel:

with lib;
let cfg = config.services.lemmyContainer;

in {
  options.services.lemmyContainer = with types; {
    enable = mkEnableOption "Enable Lemmy server in a Podman container.";

    hostname = mkOption {
      type = str;
      description = "Host of the Lemmy server.";
    };

    port = mkOption {
      type = port;
      description = "Port on which to listen for requests.";
      default = 1234;
    };

    site-name = mkOption {
      type = str;
      description = "Name of the Lemmy site.";
    };

    # admin-password-file = mkOption {
    #   type = str;
    #   description = "Path to a file containing the administrator password.";
    # };

    smtp = {
      host = mkOption {
        type = str;
        description = "SMTP server hostname.";
      };

      port = mkOption {
        type = port;
        description = "SMTP server port.";
        default = 25;
      };
    };

    server-package = mkOption {
      type = package;
      description = "Package to use for the server.";
      default = pkgs.lemmy-server;
    };

    state-directory = mkOption {
      type = str;
      description = "Path at which to store server state.";
    };
  };

  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d ${cfg.state-directory}/postgres 0700 root root - -"
      "d ${cfg.state-directory}/pictrs 0700 root root - -"
    ];

    containers.lemmy = {
      autoStart = true;
      privateNetwork = true;
      forwardPorts = [{
        protocol = "tcp";
        hostPort = cfg.port;
        containerPort = 80;
      }];
      ephemeral = true;
      bindMounts = {
        "/var/lib/postgres/data" = {
          hostPath = "${cfg.state-directory}/postgres";
          isReadOnly = false;
        };
        "/var/lib/private" = {
          hostPath = "${cfg.state-directory}/pictrs";
          isReadOnly = false;
        };
        # "/run/lemmy-container/admin.passwd" = {
        #   isReadOnly = true;
        #   hostPath = cfg.admin-password-file;
        # };
      };
      additionalCapabilities = [ "CAP_SYS_ADMIN" ];
      config = {
        boot.tmp.useTmpfs = true;
        system.nssModules = mkForce [ ];
        systemd.services.postgresPasswdGenerator = {
          requiredBy = [ "lemmy.service" "postgresql.service" ];
          before = [ "lemmy.service" ];
          after = [ "postgresql.service" ];
          path = with pkgs; [ sudo pwgen config.services.postgresql.package ];
          script = ''
            PASSWD=$(pwgen 25)
            mkdir -p /run/lemmy
            echo "postgresql://lemmy:$PASSWD@lemmy&host=/var/run/postgresql" > /run/lemmy/postgresql.passwd
            sudo -u postgres psql -c "ALTER USER lemmy ENCRYPTED PASSWORD '$PASSWD';"
          '';
        };
        services = {
          nscd.enable = false;
          postgresql = {
            enable = true;
            ensureUsers = [{
              name = "lemmy";
              ensureDBOwnership = true;
            }];
            ensureDatabases = [ "lemmy" ];
          };
          pict-rs.enable = true;
          lemmy = {
            enable = true;
            database.uriFile = "/run/lemmy/postgresql.passwd";
            # adminPasswordFile = "/run/lemmy-container/admin.passwd";
            nginx.enable = true;
            server.package = cfg.server-package;
            settings = {
              email = {
                smtp_server = "${cfg.smtp.host}:${toString cfg.smtp.port}";
                smtp_from_address = "noreply@${cfg.hostname}";
                tls_type = "starttls";
              };
              hostname = cfg.hostname;
              setup = {
                admin_username = "admin";
                site_name = cfg.site-name;
              };
            };
          };
          nginx = {
            recommendedGzipSettings = true;
            recommendedOptimisation = true;
            recommendedProxySettings = true;
            commonHttpConfig = ''
              log_format with_response_time '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" '
                           '"$request_time" "$upstream_response_time"';
              access_log /var/log/nginx/access.log with_response_time;
            '';
          };
        };
      };
    };

    services.nginx = {
      enable = true;
      virtualHosts."${cfg.hostname}" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString cfg.port}/";
          proxyWebsockets = true;
          recommendedProxySettings = true;
        };
      };
    };
  };
}
Iniital checkin 2024-01-20 11:25:09 -08:00			`{ config, lib, pkgs, ... }@toplevel:`

			`with lib;`
podman -> container 2024-01-24 19:33:59 -08:00			`let cfg = config.services.lemmyContainer;`
Iniital checkin 2024-01-20 11:25:09 -08:00
			`in {`
Been using camelCase for config... 2024-01-20 11:37:14 -08:00			`options.services.lemmyContainer = with types; {`
Iniital checkin 2024-01-20 11:25:09 -08:00			`enable = mkEnableOption "Enable Lemmy server in a Podman container.";`

			`hostname = mkOption {`
			`type = str;`
			`description = "Host of the Lemmy server.";`
			`};`

			`port = mkOption {`
			`type = port;`
			`description = "Port on which to listen for requests.";`
			`default = 1234;`
			`};`

			`site-name = mkOption {`
			`type = str;`
			`description = "Name of the Lemmy site.";`
			`};`

Just fuck the admin passwd 2024-01-26 15:06:19 -08:00			`# admin-password-file = mkOption {`
			`# type = str;`
			`# description = "Path to a file containing the administrator password.";`
			`# };`
Add smtp port, and mount admin passwd file vol 2024-01-20 11:34:58 -08:00
			`smtp = {`
			`host = mkOption {`
			`type = str;`
			`description = "SMTP server hostname.";`
			`};`

			`port = mkOption {`
str -> port 2024-01-20 11:56:19 -08:00			`type = port;`
Add smtp port, and mount admin passwd file vol 2024-01-20 11:34:58 -08:00			`description = "SMTP server port.";`
			`default = 25;`
			`};`
			`};`
Add server package. 2024-01-22 15:07:40 -08:00
			`server-package = mkOption {`
			`type = package;`
			`description = "Package to use for the server.";`
			`default = pkgs.lemmy-server;`
			`};`
podman -> container 2024-01-24 19:33:59 -08:00
			`state-directory = mkOption {`
			`type = str;`
			`description = "Path at which to store server state.";`
			`};`
Iniital checkin 2024-01-20 11:25:09 -08:00			`};`

			`config = mkIf cfg.enable {`
Ensure directories 2024-01-24 19:40:27 -08:00			`systemd.tmpfiles.rules = [`
state-directory -> cfg.state-directory 2024-01-24 22:14:06 -08:00			`"d ${cfg.state-directory}/postgres 0700 root root - -"`
			`"d ${cfg.state-directory}/pictrs 0700 root root - -"`
Ensure directories 2024-01-24 19:40:27 -08:00			`];`

podman -> container 2024-01-24 19:33:59 -08:00			`containers.lemmy = {`
			`autoStart = true;`
			`privateNetwork = true;`
			`forwardPorts = [{`
			`protocol = "tcp";`
			`hostPort = cfg.port;`
			`containerPort = 80;`
			`}];`
Make things not readonly 2024-01-25 09:57:04 -08:00			`ephemeral = true;`
podman -> container 2024-01-24 19:33:59 -08:00			`bindMounts = {`
			`"/var/lib/postgres/data" = {`
			`hostPath = "${cfg.state-directory}/postgres";`
Make things not readonly 2024-01-25 09:57:04 -08:00			`isReadOnly = false;`
podman -> container 2024-01-24 19:33:59 -08:00			`};`
Make things not readonly 2024-01-25 09:57:04 -08:00			`"/var/lib/private" = {`
			`hostPath = "${cfg.state-directory}/pictrs";`
			`isReadOnly = false;`
			`};`
Just fuck the admin passwd 2024-01-26 15:06:19 -08:00			`# "/run/lemmy-container/admin.passwd" = {`
			`# isReadOnly = true;`
			`# hostPath = cfg.admin-password-file;`
			`# };`
podman -> container 2024-01-24 19:33:59 -08:00			`};`
extra -> additional 2024-01-24 23:08:30 -08:00			`additionalCapabilities = [ "CAP_SYS_ADMIN" ];`
podman -> container 2024-01-24 19:33:59 -08:00			`config = {`
			`boot.tmp.useTmpfs = true;`
Add nssModules 2024-01-24 22:04:18 -08:00			`system.nssModules = mkForce [ ];`
Generate a fuckin pw 2024-01-25 22:16:59 -08:00			`systemd.services.postgresPasswdGenerator = {`
			`requiredBy = [ "lemmy.service" "postgresql.service" ];`
			`before = [ "lemmy.service" ];`
			`after = [ "postgresql.service" ];`
Include sudo...hrrrm.... 2024-01-25 22:50:22 -08:00			`path = with pkgs; [ sudo pwgen config.services.postgresql.package ];`
Generate a fuckin pw 2024-01-25 22:16:59 -08:00			`script = ''`
			`PASSWD=$(pwgen 25)`
Make the directory 2024-01-25 22:49:28 -08:00			`mkdir -p /run/lemmy`
Generate a fuckin pw 2024-01-25 22:16:59 -08:00			`echo "postgresql://lemmy:$PASSWD@lemmy&host=/var/run/postgresql" > /run/lemmy/postgresql.passwd`
			`sudo -u postgres psql -c "ALTER USER lemmy ENCRYPTED PASSWORD '$PASSWD';"`
			`'';`
			`};`
podman -> container 2024-01-24 19:33:59 -08:00			`services = {`
			`nscd.enable = false;`
Make sure lemmy user/db exist 2024-01-25 23:25:17 -08:00			`postgresql = {`
			`enable = true;`
			`ensureUsers = [{`
			`name = "lemmy";`
			`ensureDBOwnership = true;`
			`}];`
			`ensureDatabases = [ "lemmy" ];`
			`};`
podman -> container 2024-01-24 19:33:59 -08:00			`pict-rs.enable = true;`
			`lemmy = {`
			`enable = true;`
urlFile -> uriFile 2024-01-25 22:20:59 -08:00			`database.uriFile = "/run/lemmy/postgresql.passwd";`
Just fuck the admin passwd 2024-01-26 15:06:19 -08:00			`# adminPasswordFile = "/run/lemmy-container/admin.passwd";`
podman -> container 2024-01-24 19:33:59 -08:00			`nginx.enable = true;`
			`server.package = cfg.server-package;`
			`settings = {`
			`email = {`
...And toString the port 2024-01-25 11:44:53 -08:00			`smtp_server = "${cfg.smtp.host}:${toString cfg.smtp.port}";`
podman -> container 2024-01-24 19:33:59 -08:00			`smtp_from_address = "noreply@${cfg.hostname}";`
Add tls_type, apparently required 2024-01-25 11:59:40 -08:00			`tls_type = "starttls";`
podman -> container 2024-01-24 19:33:59 -08:00			`};`
			`hostname = cfg.hostname;`
Move admin_username to setup 2024-01-25 14:31:47 -08:00			`setup = {`
			`admin_username = "admin";`
			`site_name = cfg.site-name;`
			`};`
podman -> container 2024-01-24 19:33:59 -08:00			`};`
			`};`
			`nginx = {`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`commonHttpConfig = ''`
			`log_format with_response_time '$remote_addr - $remote_user [$time_local] '`
			`'"$request" $status $body_bytes_sent '`
			`'"$http_referer" "$http_user_agent" '`
			`'"$request_time" "$upstream_response_time"';`
			`access_log /var/log/nginx/access.log with_response_time;`
			`'';`
			`};`
			`};`
			`};`
			`};`
Iniital checkin 2024-01-20 11:25:09 -08:00
			`services.nginx = {`
			`enable = true;`
			`virtualHosts."${cfg.hostname}" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString cfg.port}/";`
			`proxyWebsockets = true;`
			`recommendedProxySettings = true;`
			`};`
			`};`
			`};`
			`};`
			`}`