Merge pull request #206746 from georgyo/mastodon-secretenv

Sandro 2023-01-23 23:07:57 +01:00 committed by GitHub
commit 9cf61a285c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -94,11 +94,14 @@ let
] else [] ] else []
) env)))); ) env))));
mastodonTootctl = pkgs.writeShellScriptBin "mastodon-tootctl" '' mastodonTootctl = let
sourceExtraEnv = lib.concatMapStrings (p: "source ${p}\n") cfg.extraEnvFiles;
in pkgs.writeShellScriptBin "mastodon-tootctl" ''
set -a set -a
export RAILS_ROOT="${cfg.package}" export RAILS_ROOT="${cfg.package}"
source "${envFile}" source "${envFile}"
source /var/lib/mastodon/.secrets_env source /var/lib/mastodon/.secrets_env
${sourceExtraEnv}
sudo=exec sudo=exec
if [[ "$USER" != ${cfg.user} ]]; then if [[ "$USER" != ${cfg.user} ]]; then
@ -427,6 +430,15 @@ in {
''; '';
}; };
extraEnvFiles = lib.mkOption {
type = with lib.types; listOf path;
default = [];
description = lib.mdDoc ''
Extra environment files to pass to all mastodon services. Useful for passing down environemntal secrets.
'';
example = [ "/etc/mastodon/s3config.env" ];
};
automaticMigrations = lib.mkOption { automaticMigrations = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
@ -579,7 +591,7 @@ in {
}; };
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
WorkingDirectory = cfg.package; WorkingDirectory = cfg.package;
# System Call Filtering # System Call Filtering
SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ]; SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ];
@ -607,7 +619,7 @@ in {
ExecStart = "${cfg.package}/run-streaming.sh"; ExecStart = "${cfg.package}/run-streaming.sh";
Restart = "always"; Restart = "always";
RestartSec = 20; RestartSec = 20;
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
WorkingDirectory = cfg.package; WorkingDirectory = cfg.package;
# Runtime directory and mode # Runtime directory and mode
RuntimeDirectory = "mastodon-streaming"; RuntimeDirectory = "mastodon-streaming";
@ -634,7 +646,7 @@ in {
ExecStart = "${cfg.package}/bin/puma -C config/puma.rb"; ExecStart = "${cfg.package}/bin/puma -C config/puma.rb";
Restart = "always"; Restart = "always";
RestartSec = 20; RestartSec = 20;
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
WorkingDirectory = cfg.package; WorkingDirectory = cfg.package;
# Runtime directory and mode # Runtime directory and mode
RuntimeDirectory = "mastodon-web"; RuntimeDirectory = "mastodon-web";
@ -662,7 +674,7 @@ in {
ExecStart = "${cfg.package}/bin/sidekiq -c ${toString cfg.sidekiqThreads} -r ${cfg.package}"; ExecStart = "${cfg.package}/bin/sidekiq -c ${toString cfg.sidekiqThreads} -r ${cfg.package}";
Restart = "always"; Restart = "always";
RestartSec = 20; RestartSec = 20;
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
WorkingDirectory = cfg.package; WorkingDirectory = cfg.package;
# System Call Filtering # System Call Filtering
SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ]; SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ];
@ -675,7 +687,7 @@ in {
environment = env; environment = env;
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ]; EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
} // cfgService; } // cfgService;
script = let script = let
olderThanDays = toString cfg.mediaAutoRemove.olderThanDays; olderThanDays = toString cfg.mediaAutoRemove.olderThanDays;
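Review bot: The new `extraEnvFiles` option in the `@ -427,6 +430,15 @@` hunk is typed `listOf path`, so a user who passes a Nix path literal (`./s3config.env`) instead of an absolute string gets that file copied into the world-readable Nix store when it is interpolated into the tootctl script (`source ${p}`) and the `EnvironmentFile` lists, which silently defeats the stated purpose of keeping secrets out of the store. The description should say so explicitly, e.g. append `Files must be given as absolute string paths (as in the example), not Nix path literals, since a path literal would be copied into the world-readable Nix store.`; alternatively type the option as `listOf str` so path literals are rejected at evaluation time. The same description also has a typo, `environemntal` should be `environmental`. Minor: the `source ${p}` line in `sourceExtraEnv` is unquoted, so `source "${p}"` would be safer if a configured path ever contains whitespace.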