authorstuebinm2024-02-15 17:57:19 +0100
committerstuebinm2024-02-15 17:57:19 +0100
commited53fa3cf4b9c00064c89e75df68a2fe1e965275 (patch)
treeda566f39b14a618fb199c837b8798dac604f6fae
parent9f230e2b7a2fb077b3405e320b56a205ce3e085e (diff)
modules/bookwyrm: use environmentFile for secrets
this allows setting options via an environment file that is passed to the systemd units, in addition to the ones set at build time of the package. For now this is tailored to SECRET_KEY, but it may be useful for other settings as well (e.g. EMAIL_HOST_PASSWORD), and I'm not sure whether it takes priority over the build-time settings ...
-rw-r--r--modules/bookwyrm.nix55
-rw-r--r--pkgs/bookwyrm.nix6
2 files changed, 51 insertions, 10 deletions
diff --git a/modules/bookwyrm.nix b/modules/bookwyrm.nix
index a55d115..9f48ab3 100644
--- a/modules/bookwyrm.nix
+++ b/modules/bookwyrm.nix
@@ -78,6 +78,24 @@ in
The name of the nginx virtual host to set up.
'';
};
+
+ installWrapper = mkOption {
+ default = true;
+ type = types.bool;
+ description = mdDoc ''
+ Whether to install a wrapper script `bookworm-manage.py` into the system environmnt,
+ which calls bookwyrm's `manage.py` script with the correct python path.
+ '';
+ };
+
+ environmentFile = mkOption {
+ default = null;
+ type = types.nullOr types.path;
+ description = mdDoc ''
+ An environment file containing config options which should not be set via Nix / not
+ be contained in the nix store.
+ '';
+ };
};
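Review bot: The `environmentFile` description should tell the user how to pass the file so it actually stays out of the Nix store, which is the whole purpose of the option: with `types.nullOr types.path`, a Nix path literal like `./bookwyrm.env` is copied into the world-readable store, while a string such as `"/run/secrets/bookwyrm.env"` is not. Since the file is consumed through systemd's `EnvironmentFile=`, it is read by systemd before the service's credentials are dropped, so it can be root-owned with mode 0600; saying so in the description avoids over-permissive secret files. Suggested wording: `An environment file (systemd EnvironmentFile format) holding settings that must not end up in the world-readable Nix store, e.g. SECRET_KEY. Give it as a string path, not a Nix path literal, since a path literal copies the file into the store; it may be root-owned and mode 0600.` Separately, the `installWrapper` description has a typo (`environmnt` → `environment`) and names the script `bookworm-manage.py` while the project is bookwyrm — presumably this should match whatever `cfg.package.manage` actually installs, which is not visible here.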
@@ -91,32 +109,44 @@ in
serviceConfig = mkMerge [
{
BindPaths = [
- cfg.package.passthru.gunicorn
- cfg.package.passthru.celery
+ cfg.package.gunicorn
+ cfg.package.celery
cfg.stateDir
];
}
(mkIf (cfg.bindAddress != "0.0.0.0" || cfg.port != 8000 || cfg.threads != 8) {
- ExecStart = "${lib.getExe cfg.package.passthru.gunicorn} bookwyrm.wsgi:application --threads=${toString cfg.threads} --bind ${cfg.bindAddress}:${toString cfg.port}";
-
+ ExecStart = "${lib.getExe cfg.package.gunicorn} bookwyrm.wsgi:application --threads=${toString cfg.threads} --bind ${cfg.bindAddress}:${toString cfg.port}";
+ })
+ (mkIf (cfg.environmentFile != null) {
+ EnvironmentFile = cfg.environmentFile;
})
];
- environment.PYTHONPATH = cfg.package.passthru.pythonPath;
+ environment.PYTHONPATH = cfg.package.pythonPath;
+
+ preStart = ''
+ ${lib.getExe cfg.package.manage} migrate
+ # will fail after the first time
+ ${lib.getExe cfg.package.manage} initdb || true
+ '';
};
bookwyrm-worker = {
enable = true;
wantedBy = [ "multi-user.target" ];
- environment.PYTHONPATH = cfg.package.passthru.pythonPath;
+ environment.PYTHONPATH = cfg.package.pythonPath;
serviceConfig.BindPaths = [
cfg.stateDir
];
+ serviceConfig.EnvironmentFile =
+ mkIf (cfg.environmentFile != null) cfg.environmentFile;
};
bookwyrm-scheduler = {
enable = true;
wantedBy = [ "multi-user.target" ];
- environment.PYTHONPATH = cfg.package.passthru.pythonPath;
+ environment.PYTHONPATH = cfg.package.pythonPath;
+ serviceConfig.EnvironmentFile =
+ mkIf (cfg.environmentFile != null) cfg.environmentFile;
};
};
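Review bot: `initdb || true` in the new `preStart` masks every failure of that command, not just the expected "already initialised" one, so a real error (for example the database being unreachable or the SECRET_KEY from the environment file missing) is silently ignored and only surfaces later in the main process. Since the comment says it is only meant to succeed once, a marker file in `cfg.stateDir` expresses that intent without swallowing errors; this assumes the state directory is writable by the service user, which its presence in `BindPaths` suggests but the hunk does not show. Note that systemd applies `EnvironmentFile=` to `ExecStartPre=` as well, so the `migrate` step already sees the secrets from the environment file. The `bookwyrm-worker` and `bookwyrm-scheduler` units get the same conditional `EnvironmentFile` and need no change.

```nix
  preStart = ''
    ${lib.getExe cfg.package.manage} migrate
    # initdb is only meaningful once; use a marker instead of ignoring every error
    if [ ! -e "${cfg.stateDir}/.initdb-done" ]; then
      ${lib.getExe cfg.package.manage} initdb
      touch "${cfg.stateDir}/.initdb-done"
    fi
  '';
```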
@@ -146,6 +176,15 @@ in
];
users.groups.bookwyrm = {};
- };
+ environment.systemPackages = mkIf cfg.installWrapper [
+ cfg.package.manage
+ ];
+
+ warnings = mkIf (cfg.settings ? "SECRET_KEY") [ ''
+ Setting bookwyrm's SECRET_KEY via the free-form services.bookwyrm.settings.* is discouraged.
+ It's better to pass an env file containing it to servies.bookwyrm.envFile instead.
+ ''
+ ];
+ };
}
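Review bot: The warning text points users at `servies.bookwyrm.envFile`, but the option added in this commit is `services.bookwyrm.environmentFile` (and `servies` is a typo), so the advice cannot be followed as written; change the line to `It's better to pass an env file containing it to services.bookwyrm.environmentFile instead.`. Because the other file in this commit drops the built-in `SECRET_KEY` default, a deployment that sets neither `settings.SECRET_KEY` nor `environmentFile` now only fails when the service starts; an evaluation-time check next to the warning would catch that earlier, e.g. `assertion = cfg.settings ? "SECRET_KEY" || cfg.environmentFile != null;` with a message naming both options. Such an assertion cannot verify that the environment file actually contains SECRET_KEY, so the runtime failure remains the backstop for that case.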
diff --git a/pkgs/bookwyrm.nix b/pkgs/bookwyrm.nix
index 309e90b..0c9cb70 100644
--- a/pkgs/bookwyrm.nix
+++ b/pkgs/bookwyrm.nix
@@ -11,7 +11,6 @@ let
settingsWithDefaults = {
DOMAIN = "localhost";
DEBUG = false;
- SECRET_KEY = "fnord";
USE_HTTPS = false;
EMAIL = "your@email.here";
PGPORT = 5432;
@@ -95,6 +94,9 @@ let
postBuild = ''
ln -s ${envfile} .env
+ # needed for the python settings.py file to not fail, but not
+ # used during the commands executed below, so this is safe
+ export SECRET_KEY=fnord
substituteInPlace contrib/systemd/* \
--replace /opt/bookwyrm/venv/bin/gunicorn ${lib.getExe python.pkgs.gunicorn} \
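Review bot: `export SECRET_KEY=fnord` stays in the environment for the rest of `postBuild`, so the comment's claim that it is "not used during the commands executed below" covers more than the two `manage.py` calls it is meant for and is hard to keep true as the phase grows. Scoping the placeholder to the commands that need it to import `settings.py` makes the intent explicit and keeps it from reaching anything else in the build, e.g. `SECRET_KEY=fnord python manage.py compile_themes` and likewise for `collectstatic`; those invocations sit in the following hunk. If the export is kept, the comment should state that the value is only needed to import `settings.py` and that neither command persists it, rather than asserting it is safe in general.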
@@ -104,7 +106,7 @@ let
sed -i /BindPath/d contrib/systemd/*
python manage.py compile_themes
- python manage.py collectstatic --no-input --ignore=*.scss
+ python manage.py collectstatic --no-input
'';
postInstall = ''