122 lines
3.7 KiB
Nix
122 lines
3.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
namespace,
|
|
...
|
|
}:
|
|
with lib;
|
|
let
|
|
cfg = config.${namespace}.services.tabby-web;
|
|
|
|
# Build environment variables from configuration
|
|
environmentVars = {
|
|
DATABASE_URL = cfg.databaseUrl;
|
|
APP_DIST_STORAGE = cfg.appDistStorage;
|
|
PORT = toString cfg.port;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.github.key != null) {
|
|
SOCIAL_AUTH_GITHUB_KEY = cfg.socialAuth.github.key;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.github.secret != null) {
|
|
SOCIAL_AUTH_GITHUB_SECRET = cfg.socialAuth.github.secret;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.gitlab.key != null) {
|
|
SOCIAL_AUTH_GITLAB_KEY = cfg.socialAuth.gitlab.key;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.gitlab.secret != null) {
|
|
SOCIAL_AUTH_GITLAB_SECRET = cfg.socialAuth.gitlab.secret;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.microsoftGraph.key != null) {
|
|
SOCIAL_AUTH_MICROSOFT_GRAPH_KEY = cfg.socialAuth.microsoftGraph.key;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.microsoftGraph.secret != null) {
|
|
SOCIAL_AUTH_MICROSOFT_GRAPH_SECRET = cfg.socialAuth.microsoftGraph.secret;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.googleOauth2.key != null) {
|
|
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = cfg.socialAuth.googleOauth2.key;
|
|
}
|
|
// optionalAttrs (cfg.socialAuth.googleOauth2.secret != null) {
|
|
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = cfg.socialAuth.googleOauth2.secret;
|
|
}
|
|
// cfg.extraEnvironment;
|
|
|
|
in
|
|
{
|
|
imports = [ ./options.nix ];
|
|
|
|
config = mkIf cfg.enable {
|
|
# Create user and group
|
|
users.users.${cfg.user} = {
|
|
isSystemUser = true;
|
|
group = cfg.group;
|
|
home = cfg.dataDir;
|
|
createHome = true;
|
|
description = "Tabby Web service user";
|
|
};
|
|
|
|
users.groups.${cfg.group} = { };
|
|
|
|
# Ensure data directory exists with correct permissions
|
|
systemd.tmpfiles.rules = [
|
|
"d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
|
"d '${cfg.dataDir}/dist' 0750 ${cfg.user} ${cfg.group} - -"
|
|
];
|
|
|
|
# Create the systemd service
|
|
systemd.services.tabby-web = {
|
|
description = "Tabby Web Terminal Application Server";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ] ++ optional (hasPrefix "postgresql://" cfg.databaseUrl) "postgresql.service";
|
|
|
|
environment = environmentVars;
|
|
|
|
serviceConfig = {
|
|
Type = "exec";
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
WorkingDirectory = cfg.dataDir;
|
|
|
|
# Use the tabby-web package from our custom packages
|
|
ExecStart = "${pkgs.${namespace}.tabby-web}/bin/tabby-web --workers ${toString cfg.workers} --timeout ${toString cfg.timeout}";
|
|
|
|
# Run database migrations before starting the service
|
|
ExecStartPre = "${pkgs.${namespace}.tabby-web}/bin/tabby-web-manage migrate";
|
|
|
|
# Security settings
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
ReadWritePaths = [ cfg.dataDir ];
|
|
PrivateTmp = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectControlGroups = true;
|
|
RestrictSUIDSGID = true;
|
|
RestrictRealtime = true;
|
|
RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
|
|
# Restart policy
|
|
Restart = "always";
|
|
RestartSec = "10s";
|
|
|
|
# Resource limits
|
|
LimitNOFILE = "65536";
|
|
};
|
|
|
|
# Ensure the service starts after database if using PostgreSQL
|
|
requisite = mkIf (hasPrefix "postgresql://" cfg.databaseUrl) [ "postgresql.service" ];
|
|
};
|
|
|
|
# Open firewall if requested
|
|
networking.firewall = mkIf cfg.openFirewall {
|
|
allowedTCPPorts = [ cfg.port ];
|
|
};
|
|
|
|
# Add the tabby-web package to system packages
|
|
environment.systemPackages = [ pkgs.${namespace}.tabby-web ];
|
|
};
|
|
}
|