{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.akkoma;
ex = cfg.config;
db = ex.":pleroma"."Pleroma.Repo";
web = ex.":pleroma"."Pleroma.Web.Endpoint";
isConfined = config.systemd.services.akkoma.confinement.enable;
hasSmtp = (attrByPath [ ":pleroma" "Pleroma.Emails.Mailer" "adapter" "value" ] null ex) == "Swoosh.Adapters.SMTP";
isAbsolutePath = v: isString v && substring 0 1 v == "/";
isSecret = v: isAttrs v && v ? _secret && isAbsolutePath v._secret;
absolutePath = with types; mkOptionType {
name = "absolutePath";
description = "absolute path";
descriptionClass = "noun";
check = isAbsolutePath;
inherit (str) merge;
};
secret = mkOptionType {
name = "secret";
description = "secret value";
descriptionClass = "noun";
check = isSecret;
nestedTypes = {
_secret = absolutePath;
};
};
ipAddress = with types; mkOptionType {
name = "ipAddress";
description = "IPv4 or IPv6 address";
descriptionClass = "conjunction";
check = x: str.check x && builtins.match "[.0-9:A-Fa-f]+" x != null;
inherit (str) merge;
};
elixirValue = let
elixirValue' = with types;
nullOr (oneOf [ bool int float str (attrsOf elixirValue') (listOf elixirValue') ]) // {
description = "Elixir value";
};
in elixirValue';
frontend = {
options = {
package = mkOption {
type = types.package;
description = mdDoc "Akkoma frontend package.";
example = literalExpression "pkgs.akkoma-frontends.akkoma-fe";
};
name = mkOption {
type = types.nonEmptyStr;
description = mdDoc "Akkoma frontend name.";
example = "akkoma-fe";
};
ref = mkOption {
type = types.nonEmptyStr;
description = mdDoc "Akkoma frontend reference.";
example = "stable";
};
};
};
sha256 = builtins.hashString "sha256";
replaceSec = let
replaceSec' = { }@args: v:
if isAttrs v
then if v ? _secret
then if isAbsolutePath v._secret
then sha256 v._secret
else abort "Invalid secret path (_secret = ${v._secret})"
else mapAttrs (_: val: replaceSec' args val) v
else if isList v
then map (replaceSec' args) v
else v;
in replaceSec' { };
# Erlang/Elixir uses a somewhat special format for IP addresses
erlAddr = addr: fileContents
(pkgs.runCommand addr {
nativeBuildInputs = with pkgs; [ elixir ];
code = ''
case :inet.parse_address('${addr}') do
{:ok, addr} -> IO.inspect addr
{:error, _} -> System.halt(65)
end
'';
passAsFile = [ "code" ];
} ''elixir "$codePath" >"$out"'');
format = pkgs.formats.elixirConf { };
configFile = format.generate "config.exs"
(replaceSec
(attrsets.updateManyAttrsByPath [{
path = [ ":pleroma" "Pleroma.Web.Endpoint" "http" "ip" ];
update = addr:
if isAbsolutePath addr
then format.lib.mkTuple
[ (format.lib.mkAtom ":local") addr ]
else format.lib.mkRaw (erlAddr addr);
}] cfg.config));
writeShell = { name, text, runtimeInputs ? [ ] }:
pkgs.writeShellApplication { inherit name text runtimeInputs; } + "/bin/${name}";
genScript = writeShell {
name = "akkoma-gen-cookie";
runtimeInputs = with pkgs; [ coreutils util-linux ];
text = ''
install -m 0400 \
-o ${escapeShellArg cfg.user } \
-g ${escapeShellArg cfg.group} \
<(hexdump -n 16 -e '"%02x"' /dev/urandom) \
"$RUNTIME_DIRECTORY/cookie"
'';
};
copyScript = writeShell {
name = "akkoma-copy-cookie";
runtimeInputs = with pkgs; [ coreutils ];
text = ''
install -m 0400 \
-o ${escapeShellArg cfg.user} \
-g ${escapeShellArg cfg.group} \
${escapeShellArg cfg.dist.cookie._secret} \
"$RUNTIME_DIRECTORY/cookie"
'';
};
secretPaths = catAttrs "_secret" (collect isSecret cfg.config);
vapidKeygen = pkgs.writeText "vapidKeygen.exs" ''
[public_path, private_path] = System.argv()
{public_key, private_key} = :crypto.generate_key :ecdh, :prime256v1
File.write! public_path, Base.url_encode64(public_key, padding: false)
File.write! private_path, Base.url_encode64(private_key, padding: false)
'';
initSecretsScript = writeShell {
name = "akkoma-init-secrets";
runtimeInputs = with pkgs; [ coreutils elixir ];
text = let
key-base = web.secret_key_base;
jwt-signer = ex.":joken".":default_signer";
signing-salt = web.signing_salt;
liveview-salt = web.live_view.signing_salt;
vapid-private = ex.":web_push_encryption".":vapid_details".private_key;
vapid-public = ex.":web_push_encryption".":vapid_details".public_key;
in ''
secret() {
# Generate default secret if non‐existent
test -e "$2" || install -D -m 0600 <(tr -dc 'A-Za-z-._~' &2
exit 65
fi
}
secret 64 ${escapeShellArg key-base._secret}
secret 64 ${escapeShellArg jwt-signer._secret}
secret 8 ${escapeShellArg signing-salt._secret}
secret 8 ${escapeShellArg liveview-salt._secret}
${optionalString (isSecret vapid-public) ''
{ test -e ${escapeShellArg vapid-private._secret} && \
test -e ${escapeShellArg vapid-public._secret}; } || \
elixir ${escapeShellArgs [ vapidKeygen vapid-public._secret vapid-private._secret ]}
''}
'';
};
configScript = writeShell {
name = "akkoma-config";
runtimeInputs = with pkgs; [ coreutils replace-secret ];
text = ''
cd "$RUNTIME_DIRECTORY"
tmp="$(mktemp config.exs.XXXXXXXXXX)"
trap 'rm -f "$tmp"' EXIT TERM
cat ${escapeShellArg configFile} >"$tmp"
${concatMapStrings (file: ''
replace-secret ${escapeShellArgs [ (sha256 file) file ]} "$tmp"
'') secretPaths}
chown ${escapeShellArg cfg.user}:${escapeShellArg cfg.group} "$tmp"
chmod 0400 "$tmp"
mv -f "$tmp" config.exs
'';
};
pgpass = let
esc = escape [ ":" ''\'' ];
in if (cfg.initDb.password != null)
then pkgs.writeText "pgpass.conf" ''
*:*:*${esc cfg.initDb.username}:${esc (sha256 cfg.initDb.password._secret)}
''
else null;
escapeSqlId = x: ''"${replaceStrings [ ''"'' ] [ ''""'' ] x}"'';
escapeSqlStr = x: "'${replaceStrings [ "'" ] [ "''" ] x}'";
setupSql = pkgs.writeText "setup.psql" ''
\set ON_ERROR_STOP on
ALTER ROLE ${escapeSqlId db.username}
LOGIN PASSWORD ${if db ? password
then "${escapeSqlStr (sha256 db.password._secret)}"
else "NULL"};
ALTER DATABASE ${escapeSqlId db.database}
OWNER TO ${escapeSqlId db.username};
\connect ${escapeSqlId db.database}
CREATE EXTENSION IF NOT EXISTS citext;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
'';
dbHost = if db ? socket_dir then db.socket_dir
else if db ? socket then db.socket
else if db ? hostname then db.hostname
else null;
initDbScript = writeShell {
name = "akkoma-initdb";
runtimeInputs = with pkgs; [ coreutils replace-secret config.services.postgresql.package ];
text = ''
pgpass="$(mktemp -t pgpass-XXXXXXXXXX.conf)"
setupSql="$(mktemp -t setup-XXXXXXXXXX.psql)"
trap 'rm -f "$pgpass $setupSql"' EXIT TERM
${optionalString (dbHost != null) ''
export PGHOST=${escapeShellArg dbHost}
''}
export PGUSER=${escapeShellArg cfg.initDb.username}
${optionalString (pgpass != null) ''
cat ${escapeShellArg pgpass} >"$pgpass"
replace-secret ${escapeShellArgs [
(sha256 cfg.initDb.password._secret) cfg.initDb.password._secret ]} "$pgpass"
export PGPASSFILE="$pgpass"
''}
cat ${escapeShellArg setupSql} >"$setupSql"
${optionalString (db ? password) ''
replace-secret ${escapeShellArgs [
(sha256 db.password._secret) db.password._secret ]} "$setupSql"
''}
# Create role if non‐existent
psql -tAc "SELECT 1 FROM pg_roles
WHERE rolname = "${escapeShellArg (escapeSqlStr db.username)} | grep -F -q 1 || \
psql -tAc "CREATE ROLE "${escapeShellArg (escapeSqlId db.username)}
# Create database if non‐existent
psql -tAc "SELECT 1 FROM pg_database
WHERE datname = "${escapeShellArg (escapeSqlStr db.database)} | grep -F -q 1 || \
psql -tAc "CREATE DATABASE "${escapeShellArg (escapeSqlId db.database)}"
OWNER "${escapeShellArg (escapeSqlId db.username)}"
TEMPLATE template0
ENCODING 'utf8'
LOCALE 'C'"
psql -f "$setupSql"
'';
};
envWrapper = let
script = writeShell {
name = "akkoma-env";
text = ''
cd "${cfg.package}"
RUNTIME_DIRECTORY="''${RUNTIME_DIRECTORY:-/run/akkoma}"
AKKOMA_CONFIG_PATH="$RUNTIME_DIRECTORY/config.exs" \
ERL_EPMD_ADDRESS="${cfg.dist.address}" \
ERL_EPMD_PORT="${toString cfg.dist.epmdPort}" \
ERL_FLAGS="${concatStringsSep " " [
"-kernel inet_dist_use_interface '${erlAddr cfg.dist.address}'"
"-kernel inet_dist_listen_min ${toString cfg.dist.portMin}"
"-kernel inet_dist_listen_max ${toString cfg.dist.portMax}"
]}" \
RELEASE_COOKIE="$(<"$RUNTIME_DIRECTORY/cookie")" \
RELEASE_NAME="akkoma" \
exec "${cfg.package}/bin/$(basename "$0")" "$@"
'';
};
in pkgs.runCommandLocal "akkoma-env" { } ''
mkdir -p "$out/bin"
ln -r -s ${escapeShellArg script} "$out/bin/pleroma"
ln -r -s ${escapeShellArg script} "$out/bin/pleroma_ctl"
'';
userWrapper = pkgs.writeShellApplication {
name = "pleroma_ctl";
text = ''
if [ "''${1-}" == "update" ]; then
echo "OTP releases are not supported on NixOS." >&2
exit 64
fi
exec sudo -u ${escapeShellArg cfg.user} \
"${envWrapper}/bin/pleroma_ctl" "$@"
'';
};
socketScript = if isAbsolutePath web.http.ip
then writeShell {
name = "akkoma-socket";
runtimeInputs = with pkgs; [ coreutils inotify-tools ];
text = ''
coproc {
inotifywait -q -m -e create ${escapeShellArg (dirOf web.http.ip)}
}
trap 'kill "$COPROC_PID"' EXIT TERM
until test -S ${escapeShellArg web.http.ip}
do read -r -u "''${COPROC[0]}"
done
chmod 0666 ${escapeShellArg web.http.ip}
'';
}
else null;
staticDir = ex.":pleroma".":instance".static_dir;
uploadDir = ex.":pleroma".":instance".upload_dir;
staticFiles = pkgs.runCommandLocal "akkoma-static" { } ''
${concatStringsSep "\n" (mapAttrsToList (key: val: ''
mkdir -p $out/frontends/${escapeShellArg val.name}/
ln -s ${escapeShellArg val.package} $out/frontends/${escapeShellArg val.name}/${escapeShellArg val.ref}
'') cfg.frontends)}
${optionalString (cfg.extraStatic != null)
(concatStringsSep "\n" (mapAttrsToList (key: val: ''
mkdir -p "$out/$(dirname ${escapeShellArg key})"
ln -s ${escapeShellArg val} $out/${escapeShellArg key}
'') cfg.extraStatic))}
'';
in {
options = {
services.akkoma = {
enable = mkEnableOption (mdDoc "Akkoma");
package = mkOption {
type = types.package;
default = pkgs.akkoma;
defaultText = literalExpression "pkgs.akkoma";
description = mdDoc "Akkoma package to use.";
};
user = mkOption {
type = types.nonEmptyStr;
default = "akkoma";
description = mdDoc "User account under which Akkoma runs.";
};
group = mkOption {
type = types.nonEmptyStr;
default = "akkoma";
description = mdDoc "Group account under which Akkoma runs.";
};
initDb = {
enable = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Whether to automatically initialise the database on startup. This will create a
database role and database if they do not already exist, and (re)set the role password
and the ownership of the database.
This setting can be used safely even if the database already exists and contains data.
The database settings are configured through
[{option}`config.services.akkoma.config.":pleroma"."Pleroma.Repo"`](#opt-services.akkoma.config.__pleroma_._Pleroma.Repo_).
If disabled, the database has to be set up manually:
```SQL
CREATE ROLE akkoma LOGIN;
CREATE DATABASE akkoma
OWNER akkoma
TEMPLATE template0
ENCODING 'utf8'
LOCALE 'C';
\connect akkoma
CREATE EXTENSION IF NOT EXISTS citext;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
```
'';
};
username = mkOption {
type = types.nonEmptyStr;
default = config.services.postgresql.superUser;
defaultText = literalExpression "config.services.postgresql.superUser";
description = mdDoc ''
Name of the database user to initialise the database with.
This user is required to have the `CREATEROLE` and `CREATEDB` capabilities.
'';
};
password = mkOption {
type = types.nullOr secret;
default = null;
description = mdDoc ''
Password of the database user to initialise the database with.
If set to `null`, no password will be used.
The attribute `_secret` should point to a file containing the secret.
'';
};
};
initSecrets = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Whether to initialise non‐existent secrets with random values.
If enabled, appropriate secrets for the following options will be created automatically
if the files referenced in the `_secrets` attribute do not exist during startup.
- {option}`config.":pleroma"."Pleroma.Web.Endpoint".secret_key_base`
- {option}`config.":pleroma"."Pleroma.Web.Endpoint".signing_salt`
- {option}`config.":pleroma"."Pleroma.Web.Endpoint".live_view.signing_salt`
- {option}`config.":web_push_encryption".":vapid_details".private_key`
- {option}`config.":web_push_encryption".":vapid_details".public_key`
- {option}`config.":joken".":default_signer"`
'';
};
installWrapper = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Whether to install a wrapper around `pleroma_ctl` to simplify administration of the
Akkoma instance.
'';
};
extraPackages = mkOption {
type = with types; listOf package;
default = with pkgs; [ exiftool ffmpeg_5-headless graphicsmagick-imagemagick-compat ];
defaultText = literalExpression "with pkgs; [ exiftool graphicsmagick-imagemagick-compat ffmpeg_5-headless ]";
example = literalExpression "with pkgs; [ exiftool imagemagick ffmpeg_5-full ]";
description = mdDoc ''
List of extra packages to include in the executable search path of the service unit.
These are needed by various configurable components such as:
- ExifTool for the `Pleroma.Upload.Filter.Exiftool` upload filter,
- ImageMagick for still image previews in the media proxy as well as for the
`Pleroma.Upload.Filters.Mogrify` upload filter, and
- ffmpeg for video previews in the media proxy.
'';
};
frontends = mkOption {
description = mdDoc "Akkoma frontends.";
type = with types; attrsOf (submodule frontend);
default = {
primary = {
package = pkgs.akkoma-frontends.akkoma-fe;
name = "akkoma-fe";
ref = "stable";
};
admin = {
package = pkgs.akkoma-frontends.admin-fe;
name = "admin-fe";
ref = "stable";
};
};
defaultText = literalExpression ''
{
primary = {
package = pkgs.akkoma-frontends.akkoma-fe;
name = "akkoma-fe";
ref = "stable";
};
admin = {
package = pkgs.akkoma-frontends.admin-fe;
name = "admin-fe";
ref = "stable";
};
}
'';
};
extraStatic = mkOption {
type = with types; nullOr (attrsOf package);
description = mdDoc ''
Attribute set of extra packages to add to the static files directory.
Do not add frontends here. These should be configured through
[{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends).
'';
default = null;
example = literalExpression ''
{
"emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
"static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" '''
…
''';
"favicon.png" = let
rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
in pkgs.stdenvNoCC.mkDerivation {
name = "favicon.png";
src = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/TilCreator/NixOwO/''${rev}/NixOwO_plain.svg";
hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
};
nativeBuildInputs = with pkgs; [ librsvg ];
dontUnpack = true;
installPhase = '''
rsvg-convert -o $out -w 96 -h 96 $src
''';
};
}
'';
};
dist = {
address = mkOption {
type = ipAddress;
default = "127.0.0.1";
description = mdDoc ''
Listen address for Erlang distribution protocol and Port Mapper Daemon (epmd).
'';
};
epmdPort = mkOption {
type = types.port;
default = 4369;
description = mdDoc "TCP port to bind Erlang Port Mapper Daemon to.";
};
portMin = mkOption {
type = types.port;
default = 49152;
description = mdDoc "Lower bound for Erlang distribution protocol TCP port.";
};
portMax = mkOption {
type = types.port;
default = 65535;
description = mdDoc "Upper bound for Erlang distribution protocol TCP port.";
};
cookie = mkOption {
type = types.nullOr secret;
default = null;
example = { _secret = "/var/lib/secrets/akkoma/releaseCookie"; };
description = mdDoc ''
Erlang release cookie.
If set to `null`, a temporary random cookie will be generated.
'';
};
};
config = mkOption {
description = mdDoc ''
Configuration for Akkoma. The attributes are serialised to Elixir DSL.
Refer to for
configuration options.
Settings containing secret data should be set to an attribute set containing the
attribute `_secret` - a string pointing to a file containing the value the option
should be set to.
'';
type = types.submodule {
freeformType = format.type;
options = {
":pleroma" = {
":instance" = {
name = mkOption {
type = types.nonEmptyStr;
description = mdDoc "Instance name.";
};
email = mkOption {
type = types.nonEmptyStr;
description = mdDoc "Instance administrator email.";
};
description = mkOption {
type = types.nonEmptyStr;
description = mdDoc "Instance description.";
};
static_dir = mkOption {
type = types.path;
default = toString staticFiles;
defaultText = literalMD ''
Derivation gathering the following paths into a directory:
- [{option}`services.akkoma.frontends`](#opt-services.akkoma.frontends)
- [{option}`services.akkoma.extraStatic`](#opt-services.akkoma.extraStatic)
'';
description = mdDoc ''
Directory of static files.
This directory can be built using a derivation, or it can be managed as mutable
state by setting the option to an absolute path.
'';
};
upload_dir = mkOption {
type = absolutePath;
default = "/var/lib/akkoma/uploads";
description = mdDoc ''
Directory where Akkoma will put uploaded files.
'';
};
};
"Pleroma.Repo" = mkOption {
type = elixirValue;
default = {
adapter = format.lib.mkRaw "Ecto.Adapters.Postgres";
socket_dir = "/run/postgresql";
username = cfg.user;
database = "akkoma";
};
defaultText = literalExpression ''
{
adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
socket_dir = "/run/postgresql";
username = config.services.akkoma.user;
database = "akkoma";
}
'';
description = mdDoc ''
Database configuration.
Refer to
for options.
'';
};
"Pleroma.Web.Endpoint" = {
url = {
host = mkOption {
type = types.nonEmptyStr;
default = config.networking.fqdn;
defaultText = literalExpression "config.networking.fqdn";
description = mdDoc "Domain name of the instance.";
};
scheme = mkOption {
type = types.nonEmptyStr;
default = "https";
description = mdDoc "URL scheme.";
};
port = mkOption {
type = types.port;
default = 443;
description = mdDoc "External port number.";
};
};
http = {
ip = mkOption {
type = types.either absolutePath ipAddress;
default = "/run/akkoma/socket";
example = "::1";
description = mdDoc ''
Listener IP address or Unix socket path.
The value is automatically converted to Elixir’s internal address
representation during serialisation.
'';
};
port = mkOption {
type = types.port;
default = if isAbsolutePath web.http.ip then 0 else 4000;
defaultText = literalExpression ''
if isAbsolutePath config.services.akkoma.config.:pleroma"."Pleroma.Web.Endpoint".http.ip
then 0
else 4000;
'';
description = mdDoc ''
Listener port number.
Must be 0 if using a Unix socket.
'';
};
};
secret_key_base = mkOption {
type = secret;
default = { _secret = "/var/lib/secrets/akkoma/key-base"; };
description = mdDoc ''
Secret key used as a base to generate further secrets for encrypting and
signing data.
The attribute `_secret` should point to a file containing the secret.
This key can generated can be generated as follows:
```ShellSession
$ tr -dc 'A-Za-z-._~'
for options.
'';
};
};
};
":tzdata" = {
":data_dir" = mkOption {
type = elixirValue;
internal = true;
default = format.lib.mkRaw ''
Path.join(System.fetch_env!("CACHE_DIRECTORY"), "tzdata")
'';
};
};
};
};
};
nginx = mkOption {
type = with types; nullOr (submodule
(import ../web-servers/nginx/vhost-options.nix { inherit config lib; }));
default = null;
description = mdDoc ''
Extra configuration for the nginx virtual host of Akkoma.
If set to `null`, no virtual host will be added to the nginx configuration.
'';
};
};
};
config = mkIf cfg.enable {
warnings = optionals (!config.security.sudo.enable) [''
The pleroma_ctl wrapper enabled by the installWrapper option relies on
sudo, which appears to have been disabled through security.sudo.enable.
''];
users = {
users."${cfg.user}" = {
description = "Akkoma user";
group = cfg.group;
isSystemUser = true;
};
groups."${cfg.group}" = { };
};
# Confinement of the main service unit requires separation of the
# configuration generation into a separate unit to permit access to secrets
# residing outside of the chroot.
systemd.services.akkoma-config = {
description = "Akkoma social network configuration";
reloadTriggers = [ configFile ] ++ secretPaths;
unitConfig.PropagatesReloadTo = [ "akkoma.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
UMask = "0077";
RuntimeDirectory = "akkoma";
ExecStart = mkMerge [
(mkIf (cfg.dist.cookie == null) [ genScript ])
(mkIf (cfg.dist.cookie != null) [ copyScript ])
(mkIf cfg.initSecrets [ initSecretsScript ])
[ configScript ]
];
ExecReload = mkMerge [
(mkIf cfg.initSecrets [ initSecretsScript ])
[ configScript ]
];
};
};
systemd.services.akkoma-initdb = mkIf cfg.initDb.enable {
description = "Akkoma social network database setup";
requires = [ "akkoma-config.service" ];
requiredBy = [ "akkoma.service" ];
after = [ "akkoma-config.service" "postgresql.service" ];
before = [ "akkoma.service" ];
serviceConfig = {
Type = "oneshot";
User = mkIf (db ? socket_dir || db ? socket)
cfg.initDb.username;
RemainAfterExit = true;
UMask = "0077";
ExecStart = initDbScript;
PrivateTmp = true;
};
};
systemd.services.akkoma = let
runtimeInputs = with pkgs; [ coreutils gawk gnused ] ++ cfg.extraPackages;
in {
description = "Akkoma social network";
documentation = [ "https://docs.akkoma.dev/stable/" ];
# This service depends on network-online.target and is sequenced after
# it because it requires access to the Internet to function properly.
bindsTo = [ "akkoma-config.service" ];
wants = [ "network-online.service" ];
wantedBy = [ "multi-user.target" ];
after = [
"akkoma-config.target"
"network.target"
"network-online.target"
"postgresql.service"
];
confinement.packages = mkIf isConfined runtimeInputs;
path = runtimeInputs;
serviceConfig = {
Type = "exec";
User = cfg.user;
Group = cfg.group;
UMask = "0077";
# The run‐time directory is preserved as it is managed by the akkoma-config.service unit.
RuntimeDirectory = "akkoma";
RuntimeDirectoryPreserve = true;
CacheDirectory = "akkoma";
BindPaths = [ "${uploadDir}:${uploadDir}:norbind" ];
BindReadOnlyPaths = mkMerge [
(mkIf (!isStorePath staticDir) [ "${staticDir}:${staticDir}:norbind" ])
(mkIf isConfined (mkMerge [
[ "/etc/hosts" "/etc/resolv.conf" ]
(mkIf (isStorePath staticDir) (map (dir: "${dir}:${dir}:norbind")
(splitString "\n" (readFile ((pkgs.closureInfo { rootPaths = staticDir; }) + "/store-paths")))))
(mkIf (db ? socket_dir) [ "${db.socket_dir}:${db.socket_dir}:norbind" ])
(mkIf (db ? socket) [ "${db.socket}:${db.socket}:norbind" ])
]))
];
ExecStartPre = "${envWrapper}/bin/pleroma_ctl migrate";
ExecStart = "${envWrapper}/bin/pleroma start";
ExecStartPost = socketScript;
ExecStop = "${envWrapper}/bin/pleroma stop";
ExecStopPost = mkIf (isAbsolutePath web.http.ip)
"${pkgs.coreutils}/bin/rm -f '${web.http.ip}'";
ProtectProc = "noaccess";
ProcSubset = "pid";
ProtectSystem = mkIf (!isConfined) "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateIPC = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
CapabilityBoundingSet = mkIf
(any (port: port > 0 && port < 1024)
[ web.http.port cfg.dist.epmdPort cfg.dist.portMin ])
[ "CAP_NET_BIND_SERVICE" ];
NoNewPrivileges = true;
SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];
SystemCallArchitectures = "native";
DeviceAllow = null;
DevicePolicy = "closed";
# SMTP adapter uses dynamic port 0 binding, which is incompatible with bind address filtering
SocketBindAllow = mkIf (!hasSmtp) (mkMerge [
[ "tcp:${toString cfg.dist.epmdPort}" "tcp:${toString cfg.dist.portMin}-${toString cfg.dist.portMax}" ]
(mkIf (web.http.port != 0) [ "tcp:${toString web.http.port}" ])
]);
SocketBindDeny = mkIf (!hasSmtp) "any";
};
};
systemd.tmpfiles.rules = [
"d ${uploadDir} 0700 ${cfg.user} ${cfg.group} - -"
"Z ${uploadDir} ~0700 ${cfg.user} ${cfg.group} - -"
];
environment.systemPackages = mkIf (cfg.installWrapper) [ userWrapper ];
services.nginx.virtualHosts = mkIf (cfg.nginx != null) {
${web.url.host} = mkMerge [ cfg.nginx {
locations."/" = {
proxyPass =
if isAbsolutePath web.http.ip
then "http://unix:${web.http.ip}"
else if hasInfix ":" web.http.ip
then "http://[${web.http.ip}]:${toString web.http.port}"
else "http://${web.http.ip}:${toString web.http.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
}];
};
};
meta.maintainers = with maintainers; [ mvs ];
meta.doc = ./akkoma.md;
}