0a6e6cf7e6
this converts meta.doc into an md pointer, not an xml pointer. since we no longer need xml for manual chapters we can also remove support for manual chapters from md-to-db.sh since pandoc converts smart quotes to docbook quote elements and our nixos-render-docs does not we lose this distinction in the rendered output. that's probably not that bad, our stylesheet didn't make use of this anyway (and pre-23.05 versions of the chapters didn't use quote elements either). also updates the nixpkgs manual to clarify that option docs support all extensions (although it doesn't support headings at all, so heading anchors don't work by extension).
1086 lines
37 KiB
Nix
1086 lines
37 KiB
Nix
{ config, lib, pkgs, ... }:
|
||
|
||
with lib;
|
||
let
|
||
cfg = config.services.akkoma;
|
||
ex = cfg.config;
|
||
db = ex.":pleroma"."Pleroma.Repo";
|
||
web = ex.":pleroma"."Pleroma.Web.Endpoint";
|
||
|
||
isConfined = config.systemd.services.akkoma.confinement.enable;
|
||
hasSmtp = (attrByPath [ ":pleroma" "Pleroma.Emails.Mailer" "adapter" "value" ] null ex) == "Swoosh.Adapters.SMTP";
|
||
|
||
isAbsolutePath = v: isString v && substring 0 1 v == "/";
|
||
isSecret = v: isAttrs v && v ? _secret && isAbsolutePath v._secret;
|
||
|
||
absolutePath = with types; mkOptionType {
|
||
name = "absolutePath";
|
||
description = "absolute path";
|
||
descriptionClass = "noun";
|
||
check = isAbsolutePath;
|
||
inherit (str) merge;
|
||
};
|
||
|
||
secret = mkOptionType {
|
||
name = "secret";
|
||
description = "secret value";
|
||
descriptionClass = "noun";
|
||
check = isSecret;
|
||
nestedTypes = {
|
||
_secret = absolutePath;
|
||
};
|
||
};
|
||
|
||
ipAddress = with types; mkOptionType {
|
||
name = "ipAddress";
|
||
description = "IPv4 or IPv6 address";
|
||
descriptionClass = "conjunction";
|
||
check = x: str.check x && builtins.match "[.0-9:A-Fa-f]+" x != null;
|
||
inherit (str) merge;
|
||
};
|
||
|
||
elixirValue = let
|
||
elixirValue' = with types;
|
||
nullOr (oneOf [ bool int float str (attrsOf elixirValue') (listOf elixirValue') ]) // {
|
||
description = "Elixir value";
|
||
};
|
||
in elixirValue';
|
||
|
||
frontend = {
|
||
options = {
|
||
package = mkOption {
|
||
type = types.package;
|
||
description = mdDoc "Akkoma frontend package.";
|
||
example = literalExpression "pkgs.akkoma-frontends.pleroma-fe";
|
||
};
|
||
|
||
name = mkOption {
|
||
type = types.nonEmptyStr;
|
||
description = mdDoc "Akkoma frontend name.";
|
||
example = "pleroma-fe";
|
||
};
|
||
|
||
ref = mkOption {
|
||
type = types.nonEmptyStr;
|
||
description = mdDoc "Akkoma frontend reference.";
|
||
example = "stable";
|
||
};
|
||
};
|
||
};
|
||
|
||
sha256 = builtins.hashString "sha256";
|
||
|
||
replaceSec = let
|
||
replaceSec' = { }@args: v:
|
||
if isAttrs v
|
||
then if v ? _secret
|
||
then if isAbsolutePath v._secret
|
||
then sha256 v._secret
|
||
else abort "Invalid secret path (_secret = ${v._secret})"
|
||
else mapAttrs (_: val: replaceSec' args val) v
|
||
else if isList v
|
||
then map (replaceSec' args) v
|
||
else v;
|
||
in replaceSec' { };
|
||
|
||
# Erlang/Elixir uses a somewhat special format for IP addresses
|
||
erlAddr = addr: fileContents
|
||
(pkgs.runCommand addr {
|
||
nativeBuildInputs = with pkgs; [ elixir ];
|
||
code = ''
|
||
case :inet.parse_address('${addr}') do
|
||
{:ok, addr} -> IO.inspect addr
|
||
{:error, _} -> System.halt(65)
|
||
end
|
||
'';
|
||
passAsFile = [ "code" ];
|
||
} ''elixir "$codePath" >"$out"'');
|
||
|
||
format = pkgs.formats.elixirConf { };
|
||
configFile = format.generate "config.exs"
|
||
(replaceSec
|
||
(attrsets.updateManyAttrsByPath [{
|
||
path = [ ":pleroma" "Pleroma.Web.Endpoint" "http" "ip" ];
|
||
update = addr:
|
||
if isAbsolutePath addr
|
||
then format.lib.mkTuple
|
||
[ (format.lib.mkAtom ":local") addr ]
|
||
else format.lib.mkRaw (erlAddr addr);
|
||
}] cfg.config));
|
||
|
||
writeShell = { name, text, runtimeInputs ? [ ] }:
|
||
pkgs.writeShellApplication { inherit name text runtimeInputs; } + "/bin/${name}";
|
||
|
||
genScript = writeShell {
|
||
name = "akkoma-gen-cookie";
|
||
runtimeInputs = with pkgs; [ coreutils util-linux ];
|
||
text = ''
|
||
install -m 0400 \
|
||
-o ${escapeShellArg cfg.user } \
|
||
-g ${escapeShellArg cfg.group} \
|
||
<(hexdump -n 16 -e '"%02x"' /dev/urandom) \
|
||
"$RUNTIME_DIRECTORY/cookie"
|
||
'';
|
||
};
|
||
|
||
copyScript = writeShell {
|
||
name = "akkoma-copy-cookie";
|
||
runtimeInputs = with pkgs; [ coreutils ];
|
||
text = ''
|
||
install -m 0400 \
|
||
-o ${escapeShellArg cfg.user} \
|
||
-g ${escapeShellArg cfg.group} \
|
||
${escapeShellArg cfg.dist.cookie._secret} \
|
||
"$RUNTIME_DIRECTORY/cookie"
|
||
'';
|
||
};
|
||
|
||
secretPaths = catAttrs "_secret" (collect isSecret cfg.config);
|
||
|
||
vapidKeygen = pkgs.writeText "vapidKeygen.exs" ''
|
||
[public_path, private_path] = System.argv()
|
||
{public_key, private_key} = :crypto.generate_key :ecdh, :prime256v1
|
||
File.write! public_path, Base.url_encode64(public_key, padding: false)
|
||
File.write! private_path, Base.url_encode64(private_key, padding: false)
|
||
'';
|
||
|
||
initSecretsScript = writeShell {
|
||
name = "akkoma-init-secrets";
|
||
runtimeInputs = with pkgs; [ coreutils elixir ];
|
||
text = let
|
||
key-base = web.secret_key_base;
|
||
jwt-signer = ex.":joken".":default_signer";
|
||
signing-salt = web.signing_salt;
|
||
liveview-salt = web.live_view.signing_salt;
|
||
vapid-private = ex.":web_push_encryption".":vapid_details".private_key;
|
||
vapid-public = ex.":web_push_encryption".":vapid_details".public_key;
|
||
in ''
|
||
secret() {
|
||
# Generate default secret if non‐existent
|
||
test -e "$2" || install -D -m 0600 <(tr -dc 'A-Za-z-._~' </dev/urandom | head -c "$1") "$2"
|
||
if [ "$(stat --dereference --format='%s' "$2")" -lt "$1" ]; then
|
||
echo "Secret '$2' is smaller than minimum size of $1 bytes." >&2
|
||
exit 65
|
||
fi
|
||
}
|
||
|
||
secret 64 ${escapeShellArg key-base._secret}
|
||
secret 64 ${escapeShellArg jwt-signer._secret}
|
||
secret 8 ${escapeShellArg signing-salt._secret}
|
||
secret 8 ${escapeShellArg liveview-salt._secret}
|
||
|
||
${optionalString (isSecret vapid-public) ''
|
||
{ test -e ${escapeShellArg vapid-private._secret} && \
|
||
test -e ${escapeShellArg vapid-public._secret}; } || \
|
||
elixir ${escapeShellArgs [ vapidKeygen vapid-public._secret vapid-private._secret ]}
|
||
''}
|
||
'';
|
||
};
|
||
|
||
configScript = writeShell {
|
||
name = "akkoma-config";
|
||
runtimeInputs = with pkgs; [ coreutils replace-secret ];
|
||
text = ''
|
||
cd "$RUNTIME_DIRECTORY"
|
||
tmp="$(mktemp config.exs.XXXXXXXXXX)"
|
||
trap 'rm -f "$tmp"' EXIT TERM
|
||
|
||
cat ${escapeShellArg configFile} >"$tmp"
|
||
${concatMapStrings (file: ''
|
||
replace-secret ${escapeShellArgs [ (sha256 file) file ]} "$tmp"
|
||
'') secretPaths}
|
||
|
||
chown ${escapeShellArg cfg.user}:${escapeShellArg cfg.group} "$tmp"
|
||
chmod 0400 "$tmp"
|
||
mv -f "$tmp" config.exs
|
||
'';
|
||
};
|
||
|
||
pgpass = let
|
||
esc = escape [ ":" ''\'' ];
|
||
in if (cfg.initDb.password != null)
|
||
then pkgs.writeText "pgpass.conf" ''
|
||
*:*:*${esc cfg.initDb.username}:${esc (sha256 cfg.initDb.password._secret)}
|
||
''
|
||
else null;
|
||
|
||
escapeSqlId = x: ''"${replaceStrings [ ''"'' ] [ ''""'' ] x}"'';
|
||
escapeSqlStr = x: "'${replaceStrings [ "'" ] [ "''" ] x}'";
|
||
|
||
setupSql = pkgs.writeText "setup.psql" ''
|
||
\set ON_ERROR_STOP on
|
||
|
||
ALTER ROLE ${escapeSqlId db.username}
|
||
LOGIN PASSWORD ${if db ? password
|
||
then "${escapeSqlStr (sha256 db.password._secret)}"
|
||
else "NULL"};
|
||
|
||
ALTER DATABASE ${escapeSqlId db.database}
|
||
OWNER TO ${escapeSqlId db.username};
|
||
|
||
\connect ${escapeSqlId db.database}
|
||
CREATE EXTENSION IF NOT EXISTS citext;
|
||
CREATE EXTENSION IF NOT EXISTS pg_trgm;
|
||
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
|
||
'';
|
||
|
||
dbHost = if db ? socket_dir then db.socket_dir
|
||
else if db ? socket then db.socket
|
||
else if db ? hostname then db.hostname
|
||
else null;
|
||
|
||
initDbScript = writeShell {
|
||
name = "akkoma-initdb";
|
||
runtimeInputs = with pkgs; [ coreutils replace-secret config.services.postgresql.package ];
|
||
text = ''
|
||
pgpass="$(mktemp -t pgpass-XXXXXXXXXX.conf)"
|
||
setupSql="$(mktemp -t setup-XXXXXXXXXX.psql)"
|
||
trap 'rm -f "$pgpass $setupSql"' EXIT TERM
|
||
|
||
${optionalString (dbHost != null) ''
|
||
export PGHOST=${escapeShellArg dbHost}
|
||
''}
|
||
export PGUSER=${escapeShellArg cfg.initDb.username}
|
||
${optionalString (pgpass != null) ''
|
||
cat ${escapeShellArg pgpass} >"$pgpass"
|
||
replace-secret ${escapeShellArgs [
|
||
(sha256 cfg.initDb.password._secret) cfg.initDb.password._secret ]} "$pgpass"
|
||
export PGPASSFILE="$pgpass"
|
||
''}
|
||
|
||
cat ${escapeShellArg setupSql} >"$setupSql"
|
||
${optionalString (db ? password) ''
|
||
replace-secret ${escapeShellArgs [
|
||
(sha256 db.password._secret) db.password._secret ]} "$setupSql"
|
||
''}
|
||
|
||
# Create role if non‐existent
|
||
psql -tAc "SELECT 1 FROM pg_roles
|
||
WHERE rolname = "${escapeShellArg (escapeSqlStr db.username)} | grep -F -q 1 || \
|
||
psql -tAc "CREATE ROLE "${escapeShellArg (escapeSqlId db.username)}
|
||
|
||
# Create database if non‐existent
|
||
psql -tAc "SELECT 1 FROM pg_database
|
||
WHERE datname = "${escapeShellArg (escapeSqlStr db.database)} | grep -F -q 1 || \
|
||
psql -tAc "CREATE DATABASE "${escapeShellArg (escapeSqlId db.database)}"
|
||
OWNER "${escapeShellArg (escapeSqlId db.username)}"
|
||
TEMPLATE template0
|
||
ENCODING 'utf8'
|
||
LOCALE 'C'"
|
||
|
||
psql -f "$setupSql"
|
||
'';
|
||
};
|
||
|
||
envWrapper = let
|
||
script = writeShell {
|
||
name = "akkoma-env";
|
||
text = ''
|
||
cd "${cfg.package}"
|
||
|
||
RUNTIME_DIRECTORY="''${RUNTIME_DIRECTORY:-/run/akkoma}"
|
||
AKKOMA_CONFIG_PATH="$RUNTIME_DIRECTORY/config.exs" \
|
||
ERL_EPMD_ADDRESS="${cfg.dist.address}" \
|
||
ERL_EPMD_PORT="${toString cfg.dist.epmdPort}" \
|
||
ERL_FLAGS="${concatStringsSep " " [
|
||
"-kernel inet_dist_use_interface '${erlAddr cfg.dist.address}'"
|
||
"-kernel inet_dist_listen_min ${toString cfg.dist.portMin}"
|
||
"-kernel inet_dist_listen_max ${toString cfg.dist.portMax}"
|
||
]}" \
|
||
RELEASE_COOKIE="$(<"$RUNTIME_DIRECTORY/cookie")" \
|
||
RELEASE_NAME="akkoma" \
|
||
exec "${cfg.package}/bin/$(basename "$0")" "$@"
|
||
'';
|
||
};
|
||
in pkgs.runCommandLocal "akkoma-env" { } ''
|
||
mkdir -p "$out/bin"
|
||
|
||
ln -r -s ${escapeShellArg script} "$out/bin/pleroma"
|
||
ln -r -s ${escapeShellArg script} "$out/bin/pleroma_ctl"
|
||
'';
|
||
|
||
userWrapper = pkgs.writeShellApplication {
|
||
name = "pleroma_ctl";
|
||
text = ''
|
||
if [ "''${1-}" == "update" ]; then
|
||
echo "OTP releases are not supported on NixOS." >&2
|
||
exit 64
|
||
fi
|
||
|
||
exec sudo -u ${escapeShellArg cfg.user} \
|
||
"${envWrapper}/bin/pleroma_ctl" "$@"
|
||
'';
|
||
};
|
||
|
||
socketScript = if isAbsolutePath web.http.ip
|
||
then writeShell {
|
||
name = "akkoma-socket";
|
||
runtimeInputs = with pkgs; [ coreutils inotify-tools ];
|
||
text = ''
|
||
coproc {
|
||
inotifywait -q -m -e create ${escapeShellArg (dirOf web.http.ip)}
|
||
}
|
||
|
||
trap 'kill "$COPROC_PID"' EXIT TERM
|
||
|
||
until test -S ${escapeShellArg web.http.ip}
|
||
do read -r -u "''${COPROC[0]}"
|
||
done
|
||
|
||
chmod 0666 ${escapeShellArg web.http.ip}
|
||
'';
|
||
}
|
||
else null;
|
||
|
||
staticDir = ex.":pleroma".":instance".static_dir;
|
||
uploadDir = ex.":pleroma".":instance".upload_dir;
|
||
|
||
staticFiles = pkgs.runCommandLocal "akkoma-static" { } ''
|
||
${concatStringsSep "\n" (mapAttrsToList (key: val: ''
|
||
mkdir -p $out/frontends/${escapeShellArg val.name}/
|
||
ln -s ${escapeShellArg val.package} $out/frontends/${escapeShellArg val.name}/${escapeShellArg val.ref}
|
||
'') cfg.frontends)}
|
||
|
||
${optionalString (cfg.extraStatic != null)
|
||
(concatStringsSep "\n" (mapAttrsToList (key: val: ''
|
||
mkdir -p "$out/$(dirname ${escapeShellArg key})"
|
||
ln -s ${escapeShellArg val} $out/${escapeShellArg key}
|
||
'') cfg.extraStatic))}
|
||
'';
|
||
in {
|
||
options = {
|
||
services.akkoma = {
|
||
enable = mkEnableOption (mdDoc "Akkoma");
|
||
|
||
package = mkOption {
|
||
type = types.package;
|
||
default = pkgs.akkoma;
|
||
defaultText = literalExpression "pkgs.akkoma";
|
||
description = mdDoc "Akkoma package to use.";
|
||
};
|
||
|
||
user = mkOption {
|
||
type = types.nonEmptyStr;
|
||
default = "akkoma";
|
||
description = mdDoc "User account under which Akkoma runs.";
|
||
};
|
||
|
||
group = mkOption {
|
||
type = types.nonEmptyStr;
|
||
default = "akkoma";
|
||
description = mdDoc "Group account under which Akkoma runs.";
|
||
};
|
||
|
||
initDb = {
|
||
enable = mkOption {
|
||
type = types.bool;
|
||
default = true;
|
||
description = mdDoc ''
|
||
Whether to automatically initialise the database on startup. This will create a
|
||
database role and database if they do not already exist, and (re)set the role password
|
||
and the ownership of the database.
|
||
|
||
This setting can be used safely even if the database already exists and contains data.
|
||
|
||
The database settings are configured through
|
||
[{option}`config.services.akkoma.config.":pleroma"."Pleroma.Repo"`](#opt-services.akkoma.config.__pleroma_._Pleroma.Repo_).
|
||
|
||
If disabled, the database has to be set up manually:
|
||
|
||
```SQL
|
||
CREATE ROLE akkoma LOGIN;
|
||
|
||
CREATE DATABASE akkoma
|
||
OWNER akkoma
|
||
TEMPLATE template0
|
||
ENCODING 'utf8'
|
||
LOCALE 'C';
|
||
|
||
\connect akkoma
|
||
CREATE EXTENSION IF NOT EXISTS citext;
|
||
CREATE EXTENSION IF NOT EXISTS pg_trgm;
|
||
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
|
||
```
|
||
'';
|
||
};
|
||
|
||
username = mkOption {
|
||
type = types.nonEmptyStr;
|
||
default = config.services.postgresql.superUser;
|
||
defaultText = literalExpression "config.services.postgresql.superUser";
|
||
description = mdDoc ''
|
||
Name of the database user to initialise the database with.
|
||
|
||
This user is required to have the `CREATEROLE` and `CREATEDB` capabilities.
|
||
'';
|
||
};
|
||
|
||
password = mkOption {
|
||
type = types.nullOr secret;
|
||
default = null;
|
||
description = mdDoc ''
|
||
Password of the database user to initialise the database with.
|
||
|
||
If set to `null`, no password will be used.
|
||
|
||
The attribute `_secret` should point to a file containing the secret.
|
||
'';
|
||
};
|
||
};
|
||
|
||
initSecrets = mkOption {
|
||
type = types.bool;
|
||
default = true;
|
||
description = mdDoc ''
|
||
Whether to initialise non‐existent secrets with random values.
|
||
|
||
If enabled, appropriate secrets for the following options will be created automatically
|
||
if the files referenced in the `_secrets` attribute do not exist during startup.
|
||
|
||
- {option}`config.":pleroma"."Pleroma.Web.Endpoint".secret_key_base`
|
||
- {option}`config.":pleroma"."Pleroma.Web.Endpoint".signing_salt`
|
||
- {option}`config.":pleroma"."Pleroma.Web.Endpoint".live_view.signing_salt`
|
||
- {option}`config.":web_push_encryption".":vapid_details".private_key`
|
||
- {option}`config.":web_push_encryption".":vapid_details".public_key`
|
||
- {option}`config.":joken".":default_signer"`
|
||
'';
|
||
};
|
||
|
||
installWrapper = mkOption {
|
||
type = types.bool;
|
||
default = true;
|
||
description = mdDoc ''
|
||
Whether to install a wrapper around `pleroma_ctl` to simplify administration of the
|
||
Akkoma instance.
|
||
'';
|
||
};
|
||
|
||
extraPackages = mkOption {
|
||
type = with types; listOf package;
|
||
default = with pkgs; [ exiftool ffmpeg_5-headless graphicsmagick-imagemagick-compat ];
|
||
defaultText = literalExpression "with pkgs; [ exiftool graphicsmagick-imagemagick-compat ffmpeg_5-headless ]";
|
||
example = literalExpression "with pkgs; [ exiftool imagemagick ffmpeg_5-full ]";
|
||
description = mdDoc ''
|
||
List of extra packages to include in the executable search path of the service unit.
|
||
These are needed by various configurable components such as:
|
||
|
||
- ExifTool for the `Pleroma.Upload.Filter.Exiftool` upload filter,
|
||
- ImageMagick for still image previews in the media proxy as well as for the
|
||
`Pleroma.Upload.Filters.Mogrify` upload filter, and
|
||
- ffmpeg for video previews in the media proxy.
|
||
'';
|
||
};
|
||
|
||
frontends = mkOption {
|
||
description = mdDoc "Akkoma frontends.";
|
||
type = with types; attrsOf (submodule frontend);
|
||
default = {
|
||
primary = {
|
||
package = pkgs.akkoma-frontends.pleroma-fe;
|
||
name = "pleroma-fe";
|
||
ref = "stable";
|
||
};
|
||
admin = {
|
||
package = pkgs.akkoma-frontends.admin-fe;
|
||
name = "admin-fe";
|
||
ref = "stable";
|
||
};
|
||
};
|
||
defaultText = literalExpression ''
|
||
{
|
||
primary = {
|
||
package = pkgs.akkoma-frontends.pleroma-fe;
|
||
name = "pleroma-fe";
|
||
ref = "stable";
|
||
};
|
||
admin = {
|
||
package = pkgs.akkoma-frontends.admin-fe;
|
||
name = "admin-fe";
|
||
ref = "stable";
|
||
};
|
||
}
|
||
'';
|
||
};
|
||
|
||
extraStatic = mkOption {
|
||
type = with types; nullOr (attrsOf package);
|
||
description = mdDoc ''
|
||
Attribute set of extra packages to add to the static files directory.
|
||
|
||
Do not add frontends here. These should be configured through
|
||
[{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends).
|
||
'';
|
||
default = null;
|
||
example = literalExpression ''
|
||
{
|
||
"emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
|
||
"static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" '''
|
||
…
|
||
''';
|
||
"favicon.png" = let
|
||
rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
|
||
in pkgs.stdenvNoCC.mkDerivation {
|
||
name = "favicon.png";
|
||
|
||
src = pkgs.fetchurl {
|
||
url = "https://raw.githubusercontent.com/TilCreator/NixOwO/''${rev}/NixOwO_plain.svg";
|
||
hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
|
||
};
|
||
|
||
nativeBuildInputs = with pkgs; [ librsvg ];
|
||
|
||
dontUnpack = true;
|
||
installPhase = '''
|
||
rsvg-convert -o $out -w 96 -h 96 $src
|
||
''';
|
||
};
|
||
}
|
||
'';
|
||
};
|
||
|
||
dist = {
|
||
address = mkOption {
|
||
type = ipAddress;
|
||
default = "127.0.0.1";
|
||
description = mdDoc ''
|
||
Listen address for Erlang distribution protocol and Port Mapper Daemon (epmd).
|
||
'';
|
||
};
|
||
|
||
epmdPort = mkOption {
|
||
type = types.port;
|
||
default = 4369;
|
||
description = mdDoc "TCP port to bind Erlang Port Mapper Daemon to.";
|
||
};
|
||
|
||
portMin = mkOption {
|
||
type = types.port;
|
||
default = 49152;
|
||
description = mdDoc "Lower bound for Erlang distribution protocol TCP port.";
|
||
};
|
||
|
||
portMax = mkOption {
|
||
type = types.port;
|
||
default = 65535;
|
||
description = mdDoc "Upper bound for Erlang distribution protocol TCP port.";
|
||
};
|
||
|
||
cookie = mkOption {
|
||
type = types.nullOr secret;
|
||
default = null;
|
||
example = { _secret = "/var/lib/secrets/akkoma/releaseCookie"; };
|
||
description = mdDoc ''
|
||
Erlang release cookie.
|
||
|
||
If set to `null`, a temporary random cookie will be generated.
|
||
'';
|
||
};
|
||
};
|
||
|
||
config = mkOption {
|
||
description = mdDoc ''
|
||
Configuration for Akkoma. The attributes are serialised to Elixir DSL.
|
||
|
||
Refer to <https://docs.akkoma.dev/stable/configuration/cheatsheet/> for
|
||
configuration options.
|
||
|
||
Settings containing secret data should be set to an attribute set containing the
|
||
attribute `_secret` - a string pointing to a file containing the value the option
|
||
should be set to.
|
||
'';
|
||
type = types.submodule {
|
||
freeformType = format.type;
|
||
options = {
|
||
":pleroma" = {
|
||
":instance" = {
|
||
name = mkOption {
|
||
type = types.nonEmptyStr;
|
||
description = mdDoc "Instance name.";
|
||
};
|
||
|
||
email = mkOption {
|
||
type = types.nonEmptyStr;
|
||
description = mdDoc "Instance administrator email.";
|
||
};
|
||
|
||
description = mkOption {
|
||
type = types.nonEmptyStr;
|
||
description = mdDoc "Instance description.";
|
||
};
|
||
|
||
static_dir = mkOption {
|
||
type = types.path;
|
||
default = toString staticFiles;
|
||
defaultText = literalMD ''
|
||
Derivation gathering the following paths into a directory:
|
||
|
||
- [{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends)
|
||
- [{option}`services.akkoma.extraStatic`](#opt-services.akkoma.extraStatic)
|
||
'';
|
||
description = mdDoc ''
|
||
Directory of static files.
|
||
|
||
This directory can be built using a derivation, or it can be managed as mutable
|
||
state by setting the option to an absolute path.
|
||
'';
|
||
};
|
||
|
||
upload_dir = mkOption {
|
||
type = absolutePath;
|
||
default = "/var/lib/akkoma/uploads";
|
||
description = mdDoc ''
|
||
Directory where Akkoma will put uploaded files.
|
||
'';
|
||
};
|
||
};
|
||
|
||
"Pleroma.Repo" = mkOption {
|
||
type = elixirValue;
|
||
default = {
|
||
adapter = format.lib.mkRaw "Ecto.Adapters.Postgres";
|
||
socket_dir = "/run/postgresql";
|
||
username = cfg.user;
|
||
database = "akkoma";
|
||
};
|
||
defaultText = literalExpression ''
|
||
{
|
||
adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
|
||
socket_dir = "/run/postgresql";
|
||
username = config.services.akkoma.user;
|
||
database = "akkoma";
|
||
}
|
||
'';
|
||
description = mdDoc ''
|
||
Database configuration.
|
||
|
||
Refer to
|
||
<https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options>
|
||
for options.
|
||
'';
|
||
};
|
||
|
||
"Pleroma.Web.Endpoint" = {
|
||
url = {
|
||
host = mkOption {
|
||
type = types.nonEmptyStr;
|
||
default = config.networking.fqdn;
|
||
defaultText = literalExpression "config.networking.fqdn";
|
||
description = mdDoc "Domain name of the instance.";
|
||
};
|
||
|
||
scheme = mkOption {
|
||
type = types.nonEmptyStr;
|
||
default = "https";
|
||
description = mdDoc "URL scheme.";
|
||
};
|
||
|
||
port = mkOption {
|
||
type = types.port;
|
||
default = 443;
|
||
description = mdDoc "External port number.";
|
||
};
|
||
};
|
||
|
||
http = {
|
||
ip = mkOption {
|
||
type = types.either absolutePath ipAddress;
|
||
default = "/run/akkoma/socket";
|
||
example = "::1";
|
||
description = mdDoc ''
|
||
Listener IP address or Unix socket path.
|
||
|
||
The value is automatically converted to Elixir’s internal address
|
||
representation during serialisation.
|
||
'';
|
||
};
|
||
|
||
port = mkOption {
|
||
type = types.port;
|
||
default = if isAbsolutePath web.http.ip then 0 else 4000;
|
||
defaultText = literalExpression ''
|
||
if isAbsolutePath config.services.akkoma.config.:pleroma"."Pleroma.Web.Endpoint".http.ip
|
||
then 0
|
||
else 4000;
|
||
'';
|
||
description = mdDoc ''
|
||
Listener port number.
|
||
|
||
Must be 0 if using a Unix socket.
|
||
'';
|
||
};
|
||
};
|
||
|
||
secret_key_base = mkOption {
|
||
type = secret;
|
||
default = { _secret = "/var/lib/secrets/akkoma/key-base"; };
|
||
description = mdDoc ''
|
||
Secret key used as a base to generate further secrets for encrypting and
|
||
signing data.
|
||
|
||
The attribute `_secret` should point to a file containing the secret.
|
||
|
||
This key can generated can be generated as follows:
|
||
|
||
```ShellSession
|
||
$ tr -dc 'A-Za-z-._~' </dev/urandom | head -c 64
|
||
```
|
||
'';
|
||
};
|
||
|
||
live_view = {
|
||
signing_salt = mkOption {
|
||
type = secret;
|
||
default = { _secret = "/var/lib/secrets/akkoma/liveview-salt"; };
|
||
description = mdDoc ''
|
||
LiveView signing salt.
|
||
|
||
The attribute `_secret` should point to a file containing the secret.
|
||
|
||
This salt can be generated as follows:
|
||
|
||
```ShellSession
|
||
$ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8
|
||
```
|
||
'';
|
||
};
|
||
};
|
||
|
||
signing_salt = mkOption {
|
||
type = secret;
|
||
default = { _secret = "/var/lib/secrets/akkoma/signing-salt"; };
|
||
description = mdDoc ''
|
||
Signing salt.
|
||
|
||
The attribute `_secret` should point to a file containing the secret.
|
||
|
||
This salt can be generated as follows:
|
||
|
||
```ShellSession
|
||
$ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8
|
||
```
|
||
'';
|
||
};
|
||
};
|
||
|
||
":frontends" = mkOption {
|
||
type = elixirValue;
|
||
default = mapAttrs
|
||
(key: val: format.lib.mkMap { name = val.name; ref = val.ref; })
|
||
cfg.frontends;
|
||
defaultText = literalExpression ''
|
||
lib.mapAttrs (key: val:
|
||
(pkgs.formats.elixirConf { }).lib.mkMap { name = val.name; ref = val.ref; })
|
||
config.services.akkoma.frontends;
|
||
'';
|
||
description = mdDoc ''
|
||
Frontend configuration.
|
||
|
||
Users should rely on the default value and prefer to configure frontends through
|
||
[{option}`config.services.akkoma.frontends`](#opt-services.akkoma.frontends).
|
||
'';
|
||
};
|
||
};
|
||
|
||
":web_push_encryption" = mkOption {
|
||
default = { };
|
||
description = mdDoc ''
|
||
Web Push Notifications configuration.
|
||
|
||
The necessary key pair can be generated as follows:
|
||
|
||
```ShellSession
|
||
$ nix-shell -p nodejs --run 'npx web-push generate-vapid-keys'
|
||
```
|
||
'';
|
||
type = types.submodule {
|
||
freeformType = elixirValue;
|
||
options = {
|
||
":vapid_details" = {
|
||
subject = mkOption {
|
||
type = types.nonEmptyStr;
|
||
default = "mailto:${ex.":pleroma".":instance".email}";
|
||
defaultText = literalExpression ''
|
||
"mailto:''${config.services.akkoma.config.":pleroma".":instance".email}"
|
||
'';
|
||
description = mdDoc "mailto URI for administrative contact.";
|
||
};
|
||
|
||
public_key = mkOption {
|
||
type = with types; either nonEmptyStr secret;
|
||
default = { _secret = "/var/lib/secrets/akkoma/vapid-public"; };
|
||
description = mdDoc "base64-encoded public ECDH key.";
|
||
};
|
||
|
||
private_key = mkOption {
|
||
type = secret;
|
||
default = { _secret = "/var/lib/secrets/akkoma/vapid-private"; };
|
||
description = mdDoc ''
|
||
base64-encoded private ECDH key.
|
||
|
||
The attribute `_secret` should point to a file containing the secret.
|
||
'';
|
||
};
|
||
};
|
||
};
|
||
};
|
||
};
|
||
|
||
":joken" = {
|
||
":default_signer" = mkOption {
|
||
type = secret;
|
||
default = { _secret = "/var/lib/secrets/akkoma/jwt-signer"; };
|
||
description = mdDoc ''
|
||
JWT signing secret.
|
||
|
||
The attribute `_secret` should point to a file containing the secret.
|
||
|
||
This secret can be generated as follows:
|
||
|
||
```ShellSession
|
||
$ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 64
|
||
```
|
||
'';
|
||
};
|
||
};
|
||
|
||
":logger" = {
|
||
":backends" = mkOption {
|
||
type = types.listOf elixirValue;
|
||
visible = false;
|
||
default = with format.lib; [
|
||
(mkTuple [ (mkRaw "ExSyslogger") (mkAtom ":ex_syslogger") ])
|
||
];
|
||
};
|
||
|
||
":ex_syslogger" = {
|
||
ident = mkOption {
|
||
type = types.str;
|
||
visible = false;
|
||
default = "akkoma";
|
||
};
|
||
|
||
level = mkOption {
|
||
type = types.nonEmptyStr;
|
||
apply = format.lib.mkAtom;
|
||
default = ":info";
|
||
example = ":warning";
|
||
description = mdDoc ''
|
||
Log level.
|
||
|
||
Refer to
|
||
<https://hexdocs.pm/logger/Logger.html#module-levels>
|
||
for options.
|
||
'';
|
||
};
|
||
};
|
||
};
|
||
|
||
":tzdata" = {
|
||
":data_dir" = mkOption {
|
||
type = elixirValue;
|
||
internal = true;
|
||
default = format.lib.mkRaw ''
|
||
Path.join(System.fetch_env!("CACHE_DIRECTORY"), "tzdata")
|
||
'';
|
||
};
|
||
};
|
||
};
|
||
};
|
||
};
|
||
|
||
nginx = mkOption {
|
||
type = with types; nullOr (submodule
|
||
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; }));
|
||
default = null;
|
||
description = mdDoc ''
|
||
Extra configuration for the nginx virtual host of Akkoma.
|
||
|
||
If set to `null`, no virtual host will be added to the nginx configuration.
|
||
'';
|
||
};
|
||
};
|
||
};
|
||
|
||
config = mkIf cfg.enable {
|
||
warnings = optionals (!config.security.sudo.enable) [''
|
||
The pleroma_ctl wrapper enabled by the installWrapper option relies on
|
||
sudo, which appears to have been disabled through security.sudo.enable.
|
||
''];
|
||
|
||
users = {
|
||
users."${cfg.user}" = {
|
||
description = "Akkoma user";
|
||
group = cfg.group;
|
||
isSystemUser = true;
|
||
};
|
||
groups."${cfg.group}" = { };
|
||
};
|
||
|
||
# Confinement of the main service unit requires separation of the
|
||
# configuration generation into a separate unit to permit access to secrets
|
||
# residing outside of the chroot.
|
||
systemd.services.akkoma-config = {
|
||
description = "Akkoma social network configuration";
|
||
reloadTriggers = [ configFile ] ++ secretPaths;
|
||
|
||
unitConfig.PropagatesReloadTo = [ "akkoma.service" ];
|
||
serviceConfig = {
|
||
Type = "oneshot";
|
||
RemainAfterExit = true;
|
||
UMask = "0077";
|
||
|
||
RuntimeDirectory = "akkoma";
|
||
|
||
ExecStart = mkMerge [
|
||
(mkIf (cfg.dist.cookie == null) [ genScript ])
|
||
(mkIf (cfg.dist.cookie != null) [ copyScript ])
|
||
(mkIf cfg.initSecrets [ initSecretsScript ])
|
||
[ configScript ]
|
||
];
|
||
|
||
ExecReload = mkMerge [
|
||
(mkIf cfg.initSecrets [ initSecretsScript ])
|
||
[ configScript ]
|
||
];
|
||
};
|
||
};
|
||
|
||
systemd.services.akkoma-initdb = mkIf cfg.initDb.enable {
|
||
description = "Akkoma social network database setup";
|
||
requires = [ "akkoma-config.service" ];
|
||
requiredBy = [ "akkoma.service" ];
|
||
after = [ "akkoma-config.service" "postgresql.service" ];
|
||
before = [ "akkoma.service" ];
|
||
|
||
serviceConfig = {
|
||
Type = "oneshot";
|
||
User = mkIf (db ? socket_dir || db ? socket)
|
||
cfg.initDb.username;
|
||
RemainAfterExit = true;
|
||
UMask = "0077";
|
||
ExecStart = initDbScript;
|
||
PrivateTmp = true;
|
||
};
|
||
};
|
||
|
||
systemd.services.akkoma = let
|
||
runtimeInputs = with pkgs; [ coreutils gawk gnused ] ++ cfg.extraPackages;
|
||
in {
|
||
description = "Akkoma social network";
|
||
documentation = [ "https://docs.akkoma.dev/stable/" ];
|
||
|
||
# This service depends on network-online.target and is sequenced after
|
||
# it because it requires access to the Internet to function properly.
|
||
bindsTo = [ "akkoma-config.service" ];
|
||
wants = [ "network-online.service" ];
|
||
wantedBy = [ "multi-user.target" ];
|
||
after = [
|
||
"akkoma-config.target"
|
||
"network.target"
|
||
"network-online.target"
|
||
"postgresql.service"
|
||
];
|
||
|
||
confinement.packages = mkIf isConfined runtimeInputs;
|
||
path = runtimeInputs;
|
||
|
||
serviceConfig = {
|
||
Type = "exec";
|
||
User = cfg.user;
|
||
Group = cfg.group;
|
||
UMask = "0077";
|
||
|
||
# The run‐time directory is preserved as it is managed by the akkoma-config.service unit.
|
||
RuntimeDirectory = "akkoma";
|
||
RuntimeDirectoryPreserve = true;
|
||
|
||
CacheDirectory = "akkoma";
|
||
|
||
BindPaths = [ "${uploadDir}:${uploadDir}:norbind" ];
|
||
BindReadOnlyPaths = mkMerge [
|
||
(mkIf (!isStorePath staticDir) [ "${staticDir}:${staticDir}:norbind" ])
|
||
(mkIf isConfined (mkMerge [
|
||
[ "/etc/hosts" "/etc/resolv.conf" ]
|
||
(mkIf (isStorePath staticDir) (map (dir: "${dir}:${dir}:norbind")
|
||
(splitString "\n" (readFile ((pkgs.closureInfo { rootPaths = staticDir; }) + "/store-paths")))))
|
||
(mkIf (db ? socket_dir) [ "${db.socket_dir}:${db.socket_dir}:norbind" ])
|
||
(mkIf (db ? socket) [ "${db.socket}:${db.socket}:norbind" ])
|
||
]))
|
||
];
|
||
|
||
ExecStartPre = "${envWrapper}/bin/pleroma_ctl migrate";
|
||
ExecStart = "${envWrapper}/bin/pleroma start";
|
||
ExecStartPost = socketScript;
|
||
ExecStop = "${envWrapper}/bin/pleroma stop";
|
||
ExecStopPost = mkIf (isAbsolutePath web.http.ip)
|
||
"${pkgs.coreutils}/bin/rm -f '${web.http.ip}'";
|
||
|
||
ProtectProc = "noaccess";
|
||
ProcSubset = "pid";
|
||
ProtectSystem = mkIf (!isConfined) "strict";
|
||
ProtectHome = true;
|
||
PrivateTmp = true;
|
||
PrivateDevices = true;
|
||
PrivateIPC = true;
|
||
ProtectHostname = true;
|
||
ProtectClock = true;
|
||
ProtectKernelTunables = true;
|
||
ProtectKernelModules = true;
|
||
ProtectKernelLogs = true;
|
||
ProtectControlGroups = true;
|
||
|
||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
||
RestrictNamespaces = true;
|
||
LockPersonality = true;
|
||
RestrictRealtime = true;
|
||
RestrictSUIDSGID = true;
|
||
RemoveIPC = true;
|
||
|
||
CapabilityBoundingSet = mkIf
|
||
(any (port: port > 0 && port < 1024)
|
||
[ web.http.port cfg.dist.epmdPort cfg.dist.portMin ])
|
||
[ "CAP_NET_BIND_SERVICE" ];
|
||
|
||
NoNewPrivileges = true;
|
||
SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
|
||
SystemCallArchitectures = "native";
|
||
|
||
DeviceAllow = null;
|
||
DevicePolicy = "closed";
|
||
|
||
# SMTP adapter uses dynamic port 0 binding, which is incompatible with bind address filtering
|
||
SocketBindAllow = mkIf (!hasSmtp) (mkMerge [
|
||
[ "tcp:${toString cfg.dist.epmdPort}" "tcp:${toString cfg.dist.portMin}-${toString cfg.dist.portMax}" ]
|
||
(mkIf (web.http.port != 0) [ "tcp:${toString web.http.port}" ])
|
||
]);
|
||
SocketBindDeny = mkIf (!hasSmtp) "any";
|
||
};
|
||
};
|
||
|
||
systemd.tmpfiles.rules = [
|
||
"d ${uploadDir} 0700 ${cfg.user} ${cfg.group} - -"
|
||
"Z ${uploadDir} ~0700 ${cfg.user} ${cfg.group} - -"
|
||
];
|
||
|
||
environment.systemPackages = mkIf (cfg.installWrapper) [ userWrapper ];
|
||
|
||
services.nginx.virtualHosts = mkIf (cfg.nginx != null) {
|
||
${web.url.host} = mkMerge [ cfg.nginx {
|
||
locations."/" = {
|
||
proxyPass =
|
||
if isAbsolutePath web.http.ip
|
||
then "http://unix:${web.http.ip}"
|
||
else if hasInfix ":" web.http.ip
|
||
then "http://[${web.http.ip}]:${toString web.http.port}"
|
||
else "http://${web.http.ip}:${toString web.http.port}";
|
||
|
||
proxyWebsockets = true;
|
||
recommendedProxySettings = true;
|
||
};
|
||
}];
|
||
};
|
||
};
|
||
|
||
meta.maintainers = with maintainers; [ mvs ];
|
||
meta.doc = ./akkoma.md;
|
||
}
|