tabby-web testing

modules/nixos/services/tabby-web/default.nix

@@ -0,0 +1,121 @@
+{
+  config,
+  lib,
+  pkgs,
+  namespace,
+  ...
+}:
+with lib;
+let
+  cfg = config.${namespace}.services.tabby-web;
+  
+  # Build environment variables from configuration
+  environmentVars = {
+    DATABASE_URL = cfg.databaseUrl;
+    APP_DIST_STORAGE = cfg.appDistStorage;
+    PORT = toString cfg.port;
+  } 
+  // optionalAttrs (cfg.socialAuth.github.key != null) {
+    SOCIAL_AUTH_GITHUB_KEY = cfg.socialAuth.github.key;
+  }
+  // optionalAttrs (cfg.socialAuth.github.secret != null) {
+    SOCIAL_AUTH_GITHUB_SECRET = cfg.socialAuth.github.secret;
+  }
+  // optionalAttrs (cfg.socialAuth.gitlab.key != null) {
+    SOCIAL_AUTH_GITLAB_KEY = cfg.socialAuth.gitlab.key;
+  }
+  // optionalAttrs (cfg.socialAuth.gitlab.secret != null) {
+    SOCIAL_AUTH_GITLAB_SECRET = cfg.socialAuth.gitlab.secret;
+  }
+  // optionalAttrs (cfg.socialAuth.microsoftGraph.key != null) {
+    SOCIAL_AUTH_MICROSOFT_GRAPH_KEY = cfg.socialAuth.microsoftGraph.key;
+  }
+  // optionalAttrs (cfg.socialAuth.microsoftGraph.secret != null) {
+    SOCIAL_AUTH_MICROSOFT_GRAPH_SECRET = cfg.socialAuth.microsoftGraph.secret;
+  }
+  // optionalAttrs (cfg.socialAuth.googleOauth2.key != null) {
+    SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = cfg.socialAuth.googleOauth2.key;
+  }
+  // optionalAttrs (cfg.socialAuth.googleOauth2.secret != null) {
+    SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = cfg.socialAuth.googleOauth2.secret;
+  }
+  // cfg.extraEnvironment;
+
+in
+{
+  imports = [ ./options.nix ];
+
+  config = mkIf cfg.enable {
+    # Create user and group
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+      home = cfg.dataDir;
+      createHome = true;
+      description = "Tabby Web service user";
+    };
+
+    users.groups.${cfg.group} = { };
+
+    # Ensure data directory exists with correct permissions
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.dataDir}/dist' 0750 ${cfg.user} ${cfg.group} - -"
+    ];
+
+    # Create the systemd service
+    systemd.services.tabby-web = {
+      description = "Tabby Web Terminal Application Server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ] ++ optional (hasPrefix "postgresql://" cfg.databaseUrl) "postgresql.service";
+
+      environment = environmentVars;
+
+      serviceConfig = {
+        Type = "exec";
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.dataDir;
+        
+        # Use the tabby-web package from our custom packages
+        ExecStart = "${pkgs.${namespace}.tabby-web}/bin/tabby-web --workers ${toString cfg.workers} --timeout ${toString cfg.timeout}";
+        
+        # Run database migrations before starting the service
+        ExecStartPre = "${pkgs.${namespace}.tabby-web}/bin/tabby-web-manage migrate";
+        
+        # Security settings
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ReadWritePaths = [ cfg.dataDir ];
+        PrivateTmp = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        RestrictSUIDSGID = true;
+        RestrictRealtime = true;
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        
+        # Restart policy
+        Restart = "always";
+        RestartSec = "10s";
+        
+        # Resource limits
+        LimitNOFILE = "65536";
+      };
+
+      # Ensure the service starts after database if using PostgreSQL
+      requisite = mkIf (hasPrefix "postgresql://" cfg.databaseUrl) [ "postgresql.service" ];
+    };
+
+    # Open firewall if requested
+    networking.firewall = mkIf cfg.openFirewall {
+      allowedTCPPorts = [ cfg.port ];
+    };
+
+    # Add the tabby-web package to system packages
+    environment.systemPackages = [ pkgs.${namespace}.tabby-web ];
+  };
+}