From c7419b325559b9430465e265aaeea5b3dfeeac97 Mon Sep 17 00:00:00 2001
From: Alexander Tomokhov
Date: Sun, 3 Dec 2023 03:26:29 +0400
Subject: [PATCH] move pleroma to SP module
---
 configuration.nix | 1 -
 files.nix | 15 ---
 social/pleroma.nix | 60 ------------
 sp-modules/pleroma/cleanup-module.nix | 17 ++++
 sp-modules/pleroma/common.nix | 5 +
 sp-modules/pleroma/config-paths-needed.json | 6 ++
 .../pleroma/config.exs.in | 0
 sp-modules/pleroma/flake.nix | 9 ++
 sp-modules/pleroma/module.nix | 98 +++++++++++++++++++
 userdata-variables.nix | 4 -
 variables-module.nix | 10 --
 11 files changed, 135 insertions(+), 90 deletions(-)
 delete mode 100644 social/pleroma.nix
 create mode 100644 sp-modules/pleroma/cleanup-module.nix
 create mode 100644 sp-modules/pleroma/common.nix
 create mode 100644 sp-modules/pleroma/config-paths-needed.json
 rename social/config.exs => sp-modules/pleroma/config.exs.in (100%)
 create mode 100644 sp-modules/pleroma/flake.nix
 create mode 100644 sp-modules/pleroma/module.nix
diff --git a/configuration.nix b/configuration.nix
index cde5e67..cfc35c1 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -5,7 +5,6 @@
 ./files.nix
 ./volumes.nix
 ./users.nix
- ./social/pleroma.nix
 ./letsencrypt/acme.nix
 ./letsencrypt/resolve.nix
 ./backup/restic.nix
diff --git a/files.nix b/files.nix
index 38a6ada..afcc715 100644
--- a/files.nix
+++ b/files.nix
@@ -20,9 +20,7 @@ in
 [
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
- (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
 "d /var/lib/restic 0600 restic - - -"
- (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
 "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
 (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
 ];
@@ -63,19 +61,6 @@ in
 chmod 0400 /var/lib/restic/pass
 chown restic /var/lib/restic/pass
 '';
- pleromaCredentials =
- if cfg.pleroma.enable then ''
- echo 'import Config' > /var/lib/pleroma/secrets.exs
- echo 'config :pleroma, Pleroma.Repo,' >> /var/lib/pleroma/secrets.exs
- echo ' password: "REPLACEME"' >> /var/lib/pleroma/secrets.exs
-
- ${sed} -i "s/REPLACEME/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.databasePassword')/g" /var/lib/pleroma/secrets.exs
-
- chmod 0750 /var/lib/pleroma/secrets.exs
- chown pleroma:pleroma /var/lib/pleroma/secrets.exs
- '' else ''
- rm -f /var/lib/pleroma/secrets.exs
- '';
 bitwardenCredentials =
 if cfg.bitwarden.enable then ''
 mkdir -p /var/lib/bitwarden
diff --git a/social/pleroma.nix b/social/pleroma.nix
deleted file mode 100644
index c975ae7..0000000
--- a/social/pleroma.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- cfg = config.selfprivacy;
-in
-{
- fileSystems = lib.mkIf cfg.useBinds {
- "/var/lib/pleroma" = {
- device = "/volumes/${cfg.pleroma.location}/pleroma";
- options = [ "bind" ];
- };
- "/var/lib/postgresql" = {
- device = "/volumes/${cfg.pleroma.location}/postgresql";
- options = [ "bind" ];
- };
- };
- services = {
- pleroma = {
- enable = cfg.pleroma.enable;
- user = "pleroma";
- group = "pleroma";
- configs = [
- (builtins.replaceStrings
- [ "$DOMAIN" "$LUSER" ]
- [ cfg.domain cfg.username ]
- (builtins.readFile ./config.exs))
- ];
- };
- postgresql = {
- enable = true;
- package = pkgs.postgresql_12;
- initialScript = "/etc/setup.psql";
- ensureDatabases = [
- "pleroma"
- ];
- ensureUsers = [
- {
- name = "pleroma";
- ensurePermissions = {
- "DATABASE pleroma" = "ALL PRIVILEGES";
- };
- }
- ];
- };
- };
- environment.etc."setup.psql".text = ''
- CREATE USER pleroma;
- CREATE DATABASE pleroma OWNER pleroma;
- \c pleroma;
- --Extensions made by ecto.migrate that need superuser access
- CREATE EXTENSION IF NOT EXISTS citext;
- CREATE EXTENSION IF NOT EXISTS pg_trgm;
- CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
- '';
- users.users.pleroma = {
- extraGroups = [ "postgres" ];
- isNormalUser = false;
- isSystemUser = true;
- group = "pleroma";
- };
-}
diff --git a/sp-modules/pleroma/cleanup-module.nix b/sp-modules/pleroma/cleanup-module.nix
new file mode 100644
index 0000000..52839b8
--- /dev/null
+++ b/sp-modules/pleroma/cleanup-module.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+let
+ inherit (import ./common.nix config) secrets-exs sp;
+in
+# FIXME do we really want to delete passwords on module deactivation!?
+{
+ config = lib.mkIf (!sp.modules.pleroma.enable) {
+ system.activationScripts.pleroma =
+ lib.trivial.warn
+ (
+ "pleroma service is disabled, ${secrets-exs} will be removed!"
+ )
+ ''
+ rm -f -v ${secrets-exs}
+ '';
+ };
+}
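Review bot: As far as this patch shows, nothing imports cleanup-module.nix — flake.nix exposes only `nixosModules.default = import ./module.nix;` — so the removal of the secrets file on deactivation would never be wired into a host; either export it from the flake or document how the consumer is expected to include it. `lib.trivial.warn` is evaluated on every rebuild while the module is disabled, independently of whether the activation script later finds a file to delete, so the warning text promises a removal that may not happen; a comment stating that, or an echo inside the script instead of the eval-time warn, would make the behaviour explicit. `!sp.modules.pleroma.enable` is also an evaluation error when `enable` is `null`, which the `types.nullOr types.bool` option in module.nix admits; declaring the option as plain `types.bool` avoids that.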
diff --git a/sp-modules/pleroma/common.nix b/sp-modules/pleroma/common.nix
new file mode 100644
index 0000000..fb29361
--- /dev/null
+++ b/sp-modules/pleroma/common.nix
@@ -0,0 +1,5 @@
+config:
+{
+ sp = config.selfprivacy;
+ secrets-exs = "/var/lib/pleroma/secrets.exs";
+}
diff --git a/sp-modules/pleroma/config-paths-needed.json b/sp-modules/pleroma/config-paths-needed.json
new file mode 100644
index 0000000..994dc52
--- /dev/null
+++ b/sp-modules/pleroma/config-paths-needed.json
@@ -0,0 +1,6 @@
+[
+ [ "selfprivacy", "domain" ],
+ [ "selfprivacy", "username" ],
+ [ "selfprivacy", "useBinds" ],
+ [ "selfprivacy", "modules", "pleroma" ]
+]
diff --git a/social/config.exs b/sp-modules/pleroma/config.exs.in
similarity index 100%
rename from social/config.exs
rename to sp-modules/pleroma/config.exs.in
diff --git a/sp-modules/pleroma/flake.nix b/sp-modules/pleroma/flake.nix
new file mode 100644
index 0000000..a524458
--- /dev/null
+++ b/sp-modules/pleroma/flake.nix
@@ -0,0 +1,9 @@
+{
+ description = "PoC SP module for Pleroma lightweight fediverse server";
+
+ outputs = { self }: {
+ nixosModules.default = import ./module.nix;
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/pleroma/module.nix b/sp-modules/pleroma/module.nix
new file mode 100644
index 0000000..8e132b5
--- /dev/null
+++ b/sp-modules/pleroma/module.nix
@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+let
+ secrets-filepath = "/etc/selfprivacy/secrets.json";
+ inherit (import ./common.nix config) secrets-exs sp;
+in
+{
+ options.selfprivacy.modules.pleroma = {
+ enable = lib.mkOption {
+ default = false;
+ type = with lib; types.nullOr types.bool;
+ };
+ location = lib.mkOption {
+ default = "sda1";
+ type = with lib; types.nullOr types.str;
+ };
+ };
+ config = lib.mkIf config.selfprivacy.modules.pleroma.enable {
+ fileSystems = lib.mkIf sp.useBinds {
+ "/var/lib/pleroma" = {
+ device = "/volumes/${sp.modules.pleroma.location}/pleroma";
+ options = [ "bind" ];
+ };
+ "/var/lib/postgresql" = {
+ device = "/volumes/${sp.modules.pleroma.location}/postgresql";
+ options = [ "bind" ];
+ };
+ };
+ services = {
+ pleroma = {
+ enable = true;
+ user = "pleroma";
+ group = "pleroma";
+ configs = [
+ (builtins.replaceStrings
+ [ "$DOMAIN" "$LUSER" ]
+ [ sp.domain sp.username ]
+ (builtins.readFile ./config.exs.in))
+ ];
+ };
+ postgresql = {
+ enable = true;
+ package = pkgs.postgresql_12;
+ initialScript = "/etc/setup.psql";
+ ensureDatabases = [
+ "pleroma"
+ ];
+ ensureUsers = [
+ {
+ name = "pleroma";
+ ensurePermissions = {
+ "DATABASE pleroma" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ };
+ };
+ systemd.services.pleroma-secrets = {
+ before = [ "pleroma.service" ];
+ requiredBy = [ "pleroma.service" ];
+ serviceConfig.Type = "oneshot";
+ path = with pkgs; [ coreutils jq ];
+ script = ''
+ set -o nounset
+ password=$(jq -r '.databasePassword' ${secrets-filepath})
+ filecontents=$(cat <<- EOF
+ import Config
+ config :pleroma, Pleroma.Repo,
+ password: "$password"
+ EOF
+ )
+
+ install -m 0750 -o pleroma -g pleroma -DT \
+ <(printf "%s" "$filecontents") ${secrets-exs}
+ '';
+ };
+ systemd.tmpfiles.rules = [
+ "d /var/lib/pleroma 0700 pleroma pleroma - -"
+ "f ${secrets-exs} 0755 pleroma pleroma - -"
+ ];
+ environment.etc."setup.psql".text = ''
+ CREATE USER pleroma;
+ CREATE DATABASE pleroma OWNER pleroma;
+ \c pleroma;
+ --Extensions made by ecto.migrate that need superuser access
+ CREATE EXTENSION IF NOT EXISTS citext;
+ CREATE EXTENSION IF NOT EXISTS pg_trgm;
+ CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+ '';
+ users.users.pleroma = {
+ extraGroups = [ "postgres" ];
+ isNormalUser = false;
+ isSystemUser = true;
+ group = "pleroma";
+ };
+ # seems to be an upstream nixpkgs/nixos bug (missing hexdump)
+ systemd.services.pleroma.path = [ pkgs.util-linux ];
+ };
+}
diff --git a/userdata-variables.nix b/userdata-variables.nix
index 764f0c1..59f8d3c 100644
--- a/userdata-variables.nix
+++ b/userdata-variables.nix
@@ -26,10 +26,6 @@ jsonData: { lib, ... }:
 enable = lib.attrsets.attrByPath [ "gitea" "enable" ] false jsonData;
 location = lib.attrsets.attrByPath [ "gitea" "location" ] "sda1" jsonData;
 };
- pleroma = {
- enable = lib.attrsets.attrByPath [ "pleroma" "enable" ] false jsonData;
- location = lib.attrsets.attrByPath [ "pleroma" "location" ] "sda1" jsonData;
- };
 jitsi = {
 enable = lib.attrsets.attrByPath [ "jitsi" "enable" ] false jsonData;
 };
diff --git a/variables-module.nix b/variables-module.nix
index 0044b58..fa3cd54 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -135,16 +135,6 @@ with lib;
 type = types.nullOr types.str;
 };
 };
- pleroma = {
- enable = mkOption {
- default = false;
- type = types.nullOr types.bool;
- };
- location = mkOption {
- default = "sda1";
- type = types.nullOr types.str;
- };
- };
 jitsi = {
 enable = mkOption {
 default = false;
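Review bot: The tmpfiles rule `"f ${secrets-exs} 0755 pleroma pleroma - -"` in module.nix creates the database-password file world-readable, and since systemd-tmpfiles may reapply that mode to the existing file on later runs, the `install -m 0750` done by pleroma-secrets is not a reliable guard; at present only the `0700` mode on /var/lib/pleroma keeps other local users away from it. Change the rule to `"f ${secrets-exs} 0640 pleroma pleroma - -"`, or drop it, since `install -DT` already creates the file with the intended mode (the 0755 was carried over from the removed files.nix rule, so it is not new, but this is the place to fix it). In the script, `jq -r '.databasePassword'` on a secrets.json that lacks the key prints the literal `null` with exit status 0, so `set -o nounset` does not catch it and Pleroma is handed `password: "null"`; add `[ -n "$password" ] && [ "$password" != null ] || exit 1` before the heredoc. The value is also spliced into a double-quoted Elixir string, so a `"`, `\` or `#{` in it would break or alter the generated config — rejecting those characters at the same check is cheap and avoids a confusing startup failure.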