161 lines
4.6 KiB
Nix
161 lines
4.6 KiB
Nix
{ config, lib, pkgs, ... }@toplevel:
|
|
|
|
with lib;
|
|
let cfg = config.services.lemmyContainer;
|
|
|
|
in {
|
|
options.services.lemmyContainer = with types; {
|
|
enable = mkEnableOption "Enable Lemmy server in a Podman container.";
|
|
|
|
hostname = mkOption {
|
|
type = str;
|
|
description = "Host of the Lemmy server.";
|
|
};
|
|
|
|
port = mkOption {
|
|
type = port;
|
|
description = "Port on which to listen for requests.";
|
|
default = 1234;
|
|
};
|
|
|
|
site-name = mkOption {
|
|
type = str;
|
|
description = "Name of the Lemmy site.";
|
|
};
|
|
|
|
# admin-password-file = mkOption {
|
|
# type = str;
|
|
# description = "Path to a file containing the administrator password.";
|
|
# };
|
|
|
|
smtp = {
|
|
host = mkOption {
|
|
type = str;
|
|
description = "SMTP server hostname.";
|
|
};
|
|
|
|
port = mkOption {
|
|
type = port;
|
|
description = "SMTP server port.";
|
|
default = 25;
|
|
};
|
|
};
|
|
|
|
server-package = mkOption {
|
|
type = package;
|
|
description = "Package to use for the server.";
|
|
default = pkgs.lemmy-server;
|
|
};
|
|
|
|
state-directory = mkOption {
|
|
type = str;
|
|
description = "Path at which to store server state.";
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
systemd.tmpfiles.rules = [
|
|
"d ${cfg.state-directory}/postgres 0700 root root - -"
|
|
"d ${cfg.state-directory}/pictrs 0700 root root - -"
|
|
];
|
|
|
|
containers.lemmy = {
|
|
autoStart = true;
|
|
privateNetwork = true;
|
|
forwardPorts = [{
|
|
protocol = "tcp";
|
|
hostPort = cfg.port;
|
|
containerPort = 80;
|
|
}];
|
|
ephemeral = true;
|
|
bindMounts = {
|
|
"/var/lib/postgres/data" = {
|
|
hostPath = "${cfg.state-directory}/postgres";
|
|
isReadOnly = false;
|
|
};
|
|
"/var/lib/private" = {
|
|
hostPath = "${cfg.state-directory}/pictrs";
|
|
isReadOnly = false;
|
|
};
|
|
# "/run/lemmy-container/admin.passwd" = {
|
|
# isReadOnly = true;
|
|
# hostPath = cfg.admin-password-file;
|
|
# };
|
|
};
|
|
additionalCapabilities = [ "CAP_SYS_ADMIN" ];
|
|
config = {
|
|
boot.tmp.useTmpfs = true;
|
|
system.nssModules = mkForce [ ];
|
|
systemd.services.postgresPasswdGenerator = {
|
|
requiredBy = [ "lemmy.service" "postgresql.service" ];
|
|
before = [ "lemmy.service" ];
|
|
after = [ "postgresql.service" ];
|
|
path = with pkgs; [ sudo pwgen config.services.postgresql.package ];
|
|
script = ''
|
|
PASSWD=$(pwgen 25)
|
|
mkdir -p /run/lemmy
|
|
echo "postgresql://lemmy:$PASSWD@lemmy&host=/var/run/postgresql" > /run/lemmy/postgresql.passwd
|
|
sudo -u postgres psql -c "ALTER USER lemmy ENCRYPTED PASSWORD '$PASSWD';"
|
|
'';
|
|
};
|
|
services = {
|
|
nscd.enable = false;
|
|
postgresql = {
|
|
enable = true;
|
|
ensureUsers = [{
|
|
name = "lemmy";
|
|
ensureDBOwnership = true;
|
|
}];
|
|
ensureDatabases = [ "lemmy" ];
|
|
};
|
|
pict-rs.enable = true;
|
|
lemmy = {
|
|
enable = true;
|
|
database.uriFile = "/run/lemmy/postgresql.passwd";
|
|
# adminPasswordFile = "/run/lemmy-container/admin.passwd";
|
|
nginx.enable = true;
|
|
server.package = cfg.server-package;
|
|
settings = {
|
|
email = {
|
|
smtp_server = "${cfg.smtp.host}:${toString cfg.smtp.port}";
|
|
smtp_from_address = "noreply@${cfg.hostname}";
|
|
tls_type = "starttls";
|
|
};
|
|
hostname = cfg.hostname;
|
|
setup = {
|
|
admin_username = "admin";
|
|
site_name = cfg.site-name;
|
|
};
|
|
};
|
|
};
|
|
nginx = {
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
commonHttpConfig = ''
|
|
log_format with_response_time '$remote_addr - $remote_user [$time_local] '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent" '
|
|
'"$request_time" "$upstream_response_time"';
|
|
access_log /var/log/nginx/access.log with_response_time;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
virtualHosts."${cfg.hostname}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString cfg.port}/";
|
|
proxyWebsockets = true;
|
|
recommendedProxySettings = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|