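{ pkgs, config, lib, ... }:
let
  cfg = config.services.firefly-iii;
  user = cfg.user;
  group = cfg.group;
  defaultUser = "firefly-iii";
  defaultGroup = "firefly-iii";
  artisan = "${cfg.package}/artisan";

  # Settings whose name ends in `_FILE` do not carry the value itself but the
  # path of a file holding it; the suffix is dropped so `APP_KEY_FILE = "/run/x"`
  # becomes the environment variable `APP_KEY` at runtime. This is the only way
  # to keep a secret out of the generated maintenance script, which is a
  # world-readable Nix store path: every non-`_FILE` value is written into it
  # verbatim by `toShellVars` below.
  env-file-values = lib.attrsets.mapAttrs' (
    n: v: lib.attrsets.nameValuePair (lib.strings.removeSuffix "_FILE" n) v
  ) (lib.attrsets.filterAttrs (n: _: lib.strings.hasSuffix "_FILE" n) cfg.settings);

  env-nonfile-values = lib.attrsets.filterAttrs (n: _: !lib.strings.hasSuffix "_FILE" n) cfg.settings;

  # Oneshot script run before the app is served: loads the configuration into
  # the environment, prepares the database and regenerates Laravel's compiled
  # caches under the data directory.
  firefly-iii-maintenance = pkgs.writeShellScript "firefly-iii-maintenance.sh" ''
    # Fail fast: without this a failed `firefly-iii:upgrade-database` is masked
    # by the cache steps that follow succeeding, and the unit reports success
    # while the app runs against an un-migrated schema. It also makes a missing
    # or unreadable `*_FILE` secret abort the run instead of exporting an
    # empty value.
    set -e
    # Export every setting so artisan sees it. Secret values are read from
    # their files here, at run time, not at evaluation time. The file path is
    # shell-escaped so a path containing whitespace or glob characters cannot
    # be split. Note `$(< file)` strips trailing newlines from the content.
    set -a
    ${lib.strings.toShellVars env-nonfile-values}
    ${lib.strings.concatLines (
      lib.attrsets.mapAttrsToList (
        n: v: "${n}=\"$(< ${lib.strings.escapeShellArg v})\""
      ) env-file-values
    )}
    set +a
    ${lib.optionalString (cfg.settings.DB_CONNECTION == "sqlite")
      "touch ${lib.strings.escapeShellArg "${cfg.dataDir}/storage/database/database.sqlite"}"
    }
    # Drop stale compiled caches before regenerating them. `-f` keeps a first
    # run (no cached files yet, so the glob matches nothing) from tripping
    # `set -e`.
    rm -f ${lib.strings.escapeShellArg cfg.dataDir}/cache/*.php
    ${artisan} package:discover
    ${artisan} firefly-iii:upgrade-database
    # Generates the OAuth (Passport) key pair used for API tokens.
    ${artisan} firefly-iii:laravel-passport-keys
    ${artisan} view:cache
    ${artisan} route:cache
    ${artisan} config:cache
  '';

  # Sandboxing shared by the maintenance and php-fpm-facing units. The service
  # runs unprivileged as `user`/`group` with an empty capability set, a
  # read-only view of the system except `dataDir`, no access to home
  # directories, kernel interfaces or other users' processes, and a syscall
  # allow-list limited to what ordinary services need.
  commonServiceConfig = {
    Type = "oneshot";
    User = user;
    Group = group;
    # NOTE(review): the directory name is fixed here rather than derived from
    # `cfg.dataDir`; a custom `dataDir` outside /var/lib is not created by
    # systemd and must exist with the right ownership beforehand.
    StateDirectory = "firefly-iii";
    ReadWritePaths = [ cfg.dataDir ];
    WorkingDirectory = cfg.package;
    PrivateTmp = true;
    PrivateDevices = true;
    CapabilityBoundingSet = "";
    AmbientCapabilities = "";
    ProtectSystem = "strict";
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    ProtectClock = true;
    ProtectHostname = true;
    ProtectHome = "tmpfs";
    ProtectKernelLogs = true;
    ProtectProc = "invisible";
    ProcSubset = "pid";
    # Network stays available (presumably for a remote database or mail
    # server); only IP and Unix sockets may be opened.
    PrivateNetwork = false;
    RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
    SystemCallArchitectures = "native";
    SystemCallFilter = [
      "@system-service @resources"
      "~@obsolete @privileged"
    ];
    RestrictSUIDSGID = true;
    RemoveIPC = true;
    NoNewPrivileges = true;
    RestrictRealtime = true;
    RestrictNamespaces = true;
    LockPersonality = true;
    PrivateUsers = true;
  };
in
{
  options.services.firefly-iii = {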
enable = lib.mkEnableOption "Firefly III: A free and open source personal finance manager"; user = lib.mkOption { type = lib.types.str; default = defaultUser; description = "User account under which firefly-iii runs."; }; group = lib.mkOption { type = lib.types.str; default = if cfg.enableNginx then "nginx" else defaultGroup; defaultText = "If `services.firefly-iii.enableNginx` is true then `nginx` else ${defaultGroup}"; description = '' Group under which firefly-iii runs. It is best to set this to the group of whatever webserver is being used as the frontend. ''; }; dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/firefly-iii"; description = '' The place where firefly-iii stores its state. ''; }; package = lib.mkPackageOption pkgs "firefly-iii" { } // lib.mkOption { apply = firefly-iii: firefly-iii.override (prev: { dataDir = cfg.dataDir; }); }; enableNginx = lib.mkOption { type = lib.types.bool; default = false; description = '' Whether to enable nginx or not. If enabled, an nginx virtual host will be created for access to firefly-iii. If not enabled, then you may use `''${config.services.firefly-iii.package}` as your document root in whichever webserver you wish to setup. ''; }; virtualHost = lib.mkOption { type = lib.types.str; default = "localhost"; description = '' The hostname at which you wish firefly-iii to be served. If you have enabled nginx using `services.firefly-iii.enableNginx` then this will be used. ''; }; poolConfig = lib.mkOption { type = lib.types.attrsOf ( lib.types.oneOf [ lib.types.str lib.types.int lib.types.bool ] ); default = { }; defaultText = '' { "pm" = "dynamic"; "pm.max_children" = 32; "pm.start_servers" = 2; "pm.min_spare_servers" = 2; "pm.max_spare_servers" = 4; "pm.max_requests" = 500; } ''; description = '' Options for the Firefly III PHP pool. See the documentation on php-fpm.conf for details on configuration directives. 
''; }; settings = lib.mkOption { default = { }; description = '' Options for firefly-iii configuration. Refer to for details on supported values. All