corpus.nix (2529B)
1 { 2 config, 3 lib, 4 pkgs, 5 inputs, 6 ... 7 }: let 8 cfg = config.services.haravara.corpus; 9 10 users = 11 pkgs.runCommand "users" { 12 nativeBuildInputs = [pkgs.dhall-json]; 13 } '' 14 dhall-to-json --file ${./../mixins/corpus/users.dhall} > $out 15 ''; 16 in { 17 options.services.haravara.corpus = { 18 enable = lib.mkEnableOption "Corpus - listening history frontend"; 19 20 port = lib.mkOption { 21 type = lib.types.port; 22 default = 8321; 23 description = "Port for the Corpus service to listen on"; 24 }; 25 26 domain = lib.mkOption { 27 type = lib.types.str; 28 description = "Domain for the Corpus instance"; 29 }; 30 31 dataDir = lib.mkOption { 32 type = lib.types.str; 33 default = "/var/lib/corpus"; 34 description = "Directory for Corpus state data"; 35 }; 36 37 secretFile = lib.mkOption { 38 type = lib.types.path; 39 description = "Path to the Corpus environment file (decrypted secret)"; 40 }; 41 }; 42 43 config = lib.mkIf cfg.enable { 44 systemd.services.corpus = { 45 description = "Corpus - listening history frontend"; 46 wantedBy = ["multi-user.target"]; 47 after = ["network.target"]; 48 49 environment = { 50 PORT = toString cfg.port; 51 CORPUS_USERS_FILE = "${users}"; 52 DATABASE_PATH = cfg.dataDir; 53 METRICS_ENABLED = "true"; 54 }; 55 56 serviceConfig = { 57 ExecStart = "${inputs.corpus.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/corpus-server"; 58 EnvironmentFile = cfg.secretFile; 59 Restart = "always"; 60 User = "corpus"; 61 Group = "corpus"; 62 StateDirectory = "corpus"; 63 WorkingDirectory = cfg.dataDir; 64 }; 65 }; 66 67 users = { 68 users.corpus = { 69 isSystemUser = true; 70 group = "corpus"; 71 }; 72 groups.corpus = {}; 73 }; 74 75 services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' 76 encode zstd gzip 77 78 header { 79 Strict-Transport-Security "max-age=31536000; includeSubDomains" 80 X-Content-Type-Options "nosniff" 81 X-Frame-Options "DENY" 82 Referrer-Policy "strict-origin-when-cross-origin" 83 Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src https://fonts.gstatic.com; img-src 'self' data: https: http:; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'" 84 -Server 85 } 86 87 reverse_proxy 127.0.0.1:${toString cfg.port} 88 ''; 89 }; 90 }