nixos/modules/services/misc/sourcehut/meta.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4 let
   5   cfg = config.services.sourcehut;
   6   cfgIni = cfg.settings;
   7   scfg = cfg.meta;
   8   iniKey = "meta.sr.ht";
   9
  10   drv = pkgs.sourcehut.metasrht;
  11 in
  12 {
  13   options.services.sourcehut.meta = {
  14     user = mkOption {
  15       type = types.str;
  16       default = "metasrht";
  17       description = ''
  18         User for meta.sr.ht.
  19       '';
  20     };
  21
  22     port = mkOption {
  23       type = types.port;
  24       default = 5000;
  25       description = ''
  26         Port on which the "meta" module should listen.
  27       '';
  28     };
  29
  30     database = mkOption {
  31       type = types.str;
  32       default = "meta.sr.ht";
  33       description = ''
  34         PostgreSQL database name for meta.sr.ht.
  35       '';
  36     };
  37
  38     statePath = mkOption {
  39       type = types.path;
  40       default = "${cfg.statePath}/metasrht";
  41       description = ''
  42         State path for meta.sr.ht.
  43       '';
  44     };
  45   };
  46
  47   config = with scfg; lib.mkIf (cfg.enable && elem "meta" cfg.services) {
  48     assertions =
  49       [
  50         {
  51           assertion = with cfgIni."meta.sr.ht::billing"; enabled == "yes" -> (stripe-public-key != null && stripe-secret-key != null);
  52           message = "If meta.sr.ht::billing is enabled, the keys should be defined.";
  53         }
  54       ];
  55
  56     users = {
  57       users = {
  58         ${user} = {
  59           isSystemUser = true;
  60           group = user;
  61           description = "meta.sr.ht user";
  62         };
  63       };
  64
  65       groups = {
  66         "${user}" = { };
  67       };
  68     };
  69
  70     services.cron.systemCronJobs = [ "0 0 * * * ${cfg.python}/bin/metasrht-daily" ];
  71     services.postgresql = {
  72       authentication = ''
  73         local ${database} ${user} trust
  74       '';
  75       ensureDatabases = [ database ];
  76       ensureUsers = [
  77         {
  78           name = user;
  79           ensurePermissions = { "DATABASE \"${database}\"" = "ALL PRIVILEGES"; };
  80         }
  81       ];
  82     };
  83
  84     systemd = {
  85       tmpfiles.rules = [
  86         "d ${statePath} 0750 ${user} ${user} -"
  87       ];
  88
  89       services = let
  90         commonPreStart = ''
  91           # Configure client(s) as "preauthorized"
  92           ${concatMapStringsSep "\n\n"
  93             (attr: ''
  94               if ! test -e "${statePath}/${attr}.oauth" || [ "$(cat ${statePath}/${attr}.oauth)" != "${cfgIni."${attr}".oauth-client-id}" ]; then
  95                 # Configure ${attr}'s OAuth client as "preauthorized"
  96                 psql ${database} \
  97                   -c "UPDATE oauthclient SET preauthorized = true WHERE client_id = '${cfgIni."${attr}".oauth-client-id}'"
  98
  99                 printf "%s" "${cfgIni."${attr}".oauth-client-id}" > "${statePath}/${attr}.oauth"
 100               fi
 101             '')
 102             (builtins.attrNames (filterAttrs
 103               (k: v: !(hasInfix "::" k) && (v.oauth-client-id or null) != null)
 104               cfg.settings))}
 105         '';
 106         in {
 107         metasrht = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 108           after = [ "postgresql.service" "network.target" ];
 109           requires = [ "postgresql.service" ];
 110           wantedBy = [ "multi-user.target" ];
 111
 112           description = "meta.sr.ht website service";
 113
 114           preStart = commonPreStart;
 115
 116           serviceConfig.ExecStart = "${cfg.python}/bin/gunicorn ${drv.pname}.app:app -b ${cfg.address}:${toString port}";
 117         };
 118
 119         metasrht-api = import ./service.nix { inherit config pkgs lib; } scfg drv iniKey {
 120           after = [ "postgresql.service" "network.target" ];
 121           requires = [ "postgresql.service" ];
 122           wantedBy = [ "multi-user.target" ];
 123
 124           description = "meta.sr.ht api service";
 125
 126           preStart = commonPreStart;
 127
 128           serviceConfig.ExecStart = "${pkgs.sourcehut.metasrht}/bin/metasrht-api -b :${toString (port + 100)}";
 129         };
 130
 131         metasrht-webhooks = {
 132           after = [ "postgresql.service" "network.target" ];
 133           requires = [ "postgresql.service" ];
 134           wantedBy = [ "multi-user.target" ];
 135
 136           description = "meta.sr.ht webhooks service";
 137           serviceConfig = {
 138             Type = "simple";
 139             User = user;
 140             Restart = "always";
 141             ExecStart = "${cfg.python}/bin/celery -A ${drv.pname}.webhooks worker --loglevel INFO --pool eventlet";
 142           };
 143
 144         };
 145       };
 146     };
 147
 148     services.nginx.virtualHosts."meta.${cfg.originBase}" = {
 149       forceSSL = true;
 150       locations."/".proxyPass = "http://${cfg.address}:${toString port}";
 151       locations."/query".proxyPass = "http://${cfg.address}:${toString (port + 100)}";
 152       locations."/static".root = "${pkgs.sourcehut.metasrht}/${pkgs.sourcehut.python.sitePackages}/metasrht";
 153     };
 154   };
 155 }