nixpkgs/nixos/modules/services/web-apps/gancio.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

288 lines
8.6 KiB
Nix
Raw Normal View History

2024-05-03 08:35:19 +00:00
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.gancio;
settingsFormat = pkgs.formats.json { };
inherit (lib)
mkEnableOption
mkPackageOption
mkOption
types
literalExpression
mkIf
optional
mapAttrsToList
concatStringsSep
concatMapStringsSep
getExe
mkMerge
mkDefault
;
in
{
options.services.gancio = {
enable = mkEnableOption "Gancio, a shared agenda for local communities";
package = mkPackageOption pkgs "gancio" { };
plugins = mkOption {
type = with types; listOf package;
default = [ ];
example = literalExpression "[ pkgs.gancioPlugins.telegram-bridge ]";
description = ''
Paths of gancio plugins to activate (linked under $WorkingDirectory/plugins/).
'';
};
user = mkOption {
type = types.str;
description = "The user (and PostgreSQL database name) used to run the gancio server";
default = "gancio";
};
settings = mkOption rec {
type = types.submodule {
freeformType = settingsFormat.type;
options = {
hostname = mkOption {
type = types.str;
description = "The domain name under which the server is reachable.";
};
baseurl = mkOption {
type = types.str;
default = "http${
lib.optionalString config.services.nginx.virtualHosts."${cfg.settings.hostname}".enableACME "s"
}://${cfg.settings.hostname}";
defaultText = lib.literalExpression ''"https://''${cfg.settings.hostname}"'';
example = "https://demo.gancio.org/gancio";
description = "The full URL under which the server is reachable.";
2024-05-03 08:35:19 +00:00
};
server = {
socket = mkOption {
type = types.path;
readOnly = true;
default = "/run/gancio/socket";
2024-05-03 08:35:19 +00:00
description = ''
The unix socket for the gancio server to listen on.
2024-05-03 08:35:19 +00:00
'';
};
};
db = {
dialect = mkOption {
type = types.enum [
"sqlite"
"postgres"
];
default = "sqlite";
description = ''
The database dialect to use
'';
};
storage = mkOption {
description = ''
Location for the SQLite database.
'';
readOnly = true;
type = types.nullOr types.str;
default = if cfg.settings.db.dialect == "sqlite" then "/var/lib/gancio/db.sqlite" else null;
defaultText = ''
if cfg.settings.db.dialect == "sqlite" then "/var/lib/gancio/db.sqlite" else null
'';
};
host = mkOption {
description = ''
Connection string for the PostgreSQL database
'';
readOnly = true;
type = types.nullOr types.str;
default = if cfg.settings.db.dialect == "postgres" then "/run/postgresql" else null;
defaultText = ''
if cfg.settings.db.dialect == "postgres" then "/run/postgresql" else null
'';
};
database = mkOption {
description = ''
Name of the PostgreSQL database
'';
readOnly = true;
type = types.nullOr types.str;
default = if cfg.settings.db.dialect == "postgres" then cfg.user else null;
defaultText = ''
if cfg.settings.db.dialect == "postgres" then cfg.user else null
'';
};
};
log_level = mkOption {
description = "Gancio log level.";
type = types.enum [
"debug"
"info"
"warning"
"error"
];
default = "info";
};
# FIXME upstream proper journald logging
log_path = mkOption {
description = "Directory Gancio logs into";
readOnly = true;
type = types.str;
default = "/var/log/gancio";
};
};
};
description = ''
Configuration for Gancio, see <https://gancio.org/install/config> for supported values.
'';
};
userLocale = mkOption {
type = with types; attrsOf (attrsOf (attrsOf str));
default = { };
example = {
en.register.description = "My new registration page description";
};
description = ''
Override default locales within gancio.
See [https://framagit.org/les/gancio/tree/master/locales](default languages and locales).
'';
};
nginx = mkOption {
type = types.submodule (
lib.recursiveUpdate (import ../web-servers/nginx/vhost-options.nix { inherit config lib; }) {
# enable encryption by default,
# as sensitive login credentials should not be transmitted in clear text.
options.forceSSL.default = true;
options.enableACME.default = true;
}
);
2024-05-03 08:35:19 +00:00
default = { };
example = {
enableACME = false;
forceSSL = false;
2024-05-03 08:35:19 +00:00
};
description = "Extra configuration for the nginx virtual host of gancio.";
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
users.users.gancio = lib.mkIf (cfg.user == "gancio") {
isSystemUser = true;
group = cfg.user;
home = "/var/lib/gancio";
};
users.groups.gancio = lib.mkIf (cfg.user == "gancio") { };
systemd.tmpfiles.settings."10-gancio" =
let
rules = {
mode = "0755";
user = cfg.user;
group = config.users.users.${cfg.user}.group;
};
in
{
"/var/lib/gancio/user_locale".d = rules;
"/var/lib/gancio/plugins".d = rules;
};
systemd.services.gancio =
let
configFile = settingsFormat.generate "gancio-config.json" cfg.settings;
in
{
description = "Gancio server";
documentation = [ "https://gancio.org/" ];
wantedBy = [ "multi-user.target" ];
after = [
"network.target"
] ++ optional (cfg.settings.db.dialect == "postgres") "postgresql.service";
environment = {
NODE_ENV = "production";
};
preStart = ''
# We need this so the gancio executable run by the user finds the right settings.
ln -sf ${configFile} config.json
rm -f user_locale/*
${concatStringsSep "\n" (
mapAttrsToList (
l: c: "ln -sf ${settingsFormat.generate "gancio-${l}-locale.json" c} user_locale/${l}.json"
) cfg.userLocale
)}
rm -f plugins/*
${concatMapStringsSep "\n" (p: "ln -sf ${p} plugins/") cfg.plugins}
'';
serviceConfig = {
ExecStart = "${getExe cfg.package} start ${configFile}";
# set umask so that nginx can write to the server socket
# FIXME: upstream socket permission configuration in Nuxt
UMask = "0002";
RuntimeDirectory = "gancio";
2024-05-03 08:35:19 +00:00
StateDirectory = "gancio";
WorkingDirectory = "/var/lib/gancio";
LogsDirectory = "gancio";
User = cfg.user;
# hardening
RestrictRealtime = true;
RestrictNamespaces = true;
LockPersonality = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectClock = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
CapabilityBoundingSet = "";
ProtectProc = "invisible";
};
};
services.postgresql = mkIf (cfg.settings.db.dialect == "postgres") {
enable = true;
ensureDatabases = [ cfg.user ];
ensureUsers = [
{
name = cfg.user;
ensureDBOwnership = true;
}
];
};
services.nginx = {
enable = true;
virtualHosts."${cfg.settings.hostname}" = mkMerge [
cfg.nginx
{
locations = {
"/" = {
index = "index.html";
tryFiles = "$uri $uri @proxy";
};
"@proxy" = {
proxyWebsockets = true;
proxyPass = "http://unix:${cfg.settings.server.socket}";
2024-05-03 08:35:19 +00:00
recommendedProxySettings = true;
};
};
}
];
};
# for nginx to access gancio socket
users.users."${config.services.nginx.user}".extraGroups = [ config.users.users.${cfg.user}.group ];
2024-05-03 08:35:19 +00:00
};
}