author | stuebinm | 2024-02-15 17:57:19 +0100 |
committer | stuebinm | 2024-02-15 17:57:19 +0100 |
commit | ed53fa3cf4b9c00064c89e75df68a2fe1e965275 (patch) | |
tree | da566f39b14a618fb199c837b8798dac604f6fae /modules | |
parent | 9f230e2b7a2fb077b3405e320b56a205ce3e085e (diff) |
modules/bookwyrm: use environmentFile for secrets
this allows setting options via an environment file that is passed to
the systemd units, in addition to the ones set during build time of the
package.
For now this is tailored to SECRET_KEY, but it may be useful for other
settings as well (e.g. EMAIL_HOST_PASSWORD), and I'm not sure if it
takes priority over the build-time settings ...
Diffstat (limited to '')
-rw-r--r-- | modules/bookwyrm.nix | 55 |
1 files changed, 47 insertions, 8 deletions
diff --git a/modules/bookwyrm.nix b/modules/bookwyrm.nix
index a55d115..9f48ab3 100644
--- a/modules/bookwyrm.nix
+++ b/modules/bookwyrm.nix
@@ -78,6 +78,24 @@ in
The name of the nginx virtual host to set up. ''; }; + + installWrapper = mkOption { + default = true; + type = types.bool; + description = mdDoc '' + Whether to install a wrapper script `bookworm-manage.py` into the system environmnt, + which calls bookwyrm's `manage.py` script with the correct python path. + ''; + }; + + environmentFile = mkOption { + default = null; + type = types.nullOr types.path; + description = mdDoc '' + An environment file containing config options which should not be set via Nix / not + be contained in the nix store. + ''; + }; }; 
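Review bot: `environmentFile` is typed `types.nullOr types.path`, which also accepts a Nix path literal such as `./bookwyrm.env`; a path literal is copied into the world-readable Nix store, which is exactly what the option's own description says it exists to avoid. Either narrow the type to `types.nullOr types.str` or add to the description `The value must be a string naming a file outside the Nix store (a path literal would be copied into the store, exposing its contents).` The `installWrapper` description has a typo, `environmnt`, and `bookworm-manage.py` looks like it should read `bookwyrm-manage.py`, though the wrapper's real name is defined in the package outside this hunk and should be checked there.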
@@ -91,32 +109,44 @@ in
serviceConfig = mkMerge [ { BindPaths = [ - cfg.package.passthru.gunicorn - cfg.package.passthru.celery + cfg.package.gunicorn + cfg.package.celery cfg.stateDir ]; } (mkIf (cfg.bindAddress != "0.0.0.0" || cfg.port != 8000 || cfg.threads != 8) { - ExecStart = "${lib.getExe cfg.package.passthru.gunicorn} bookwyrm.wsgi:application --threads=${toString cfg.threads} --bind ${cfg.bindAddress}:${toString cfg.port}"; - + ExecStart = "${lib.getExe cfg.package.gunicorn} bookwyrm.wsgi:application --threads=${toString cfg.threads} --bind ${cfg.bindAddress}:${toString cfg.port}"; + }) + (mkIf (cfg.environmentFile != null) { + EnvironmentFile = cfg.environmentFile; }) ]; - environment.PYTHONPATH = cfg.package.passthru.pythonPath; + environment.PYTHONPATH = cfg.package.pythonPath; + + preStart = '' + ${lib.getExe cfg.package.manage} migrate + # will fail after the first time + ${lib.getExe cfg.package.manage} initdb || true + ''; }; bookwyrm-worker = { enable = true; wantedBy = [ "multi-user.target" ]; - environment.PYTHONPATH = cfg.package.passthru.pythonPath; + environment.PYTHONPATH = cfg.package.pythonPath; serviceConfig.BindPaths = [ cfg.stateDir ]; + serviceConfig.EnvironmentFile = + mkIf (cfg.environmentFile != null) cfg.environmentFile; }; bookwyrm-scheduler = { enable = true; wantedBy = [ "multi-user.target" ]; - environment.PYTHONPATH = cfg.package.passthru.pythonPath; + environment.PYTHONPATH = cfg.package.pythonPath; + serviceConfig.EnvironmentFile = + mkIf (cfg.environmentFile != null) cfg.environmentFile; }; };
@@ -146,6 +176,15 @@ in
]; users.groups.bookwyrm = {}; - }; + environment.systemPackages = mkIf cfg.installWrapper [ + cfg.package.manage + ]; + + warnings = mkIf (cfg.settings ? "SECRET_KEY") [ '' + Setting bookwyrm's SECRET_KEY via the free-form services.bookwyrm.settings.* is discouraged. + It's better to pass an env file containing it to servies.bookwyrm.envFile instead. + '' + ]; + }; } |
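Review bot: In the new `preStart` of the bookwyrm unit, `initdb || true` discards every failure of that command, not only the expected "already initialised" one, so an unreachable database or a SECRET_KEY missing from the environment file lets the unit proceed into ExecStart against an empty or half-initialised database. A stamp file in `cfg.stateDir` preserves the one-shot behaviour while letting genuine errors fail the unit; the `# will fail after the first time` comment can then go. This assumes the unit can write to `cfg.stateDir`, which the `BindPaths` entry suggests but does not prove. The enclosing `systemd.services.bookwyrm` attribute set begins before this hunk.
```nix
preStart = ''
  ${lib.getExe cfg.package.manage} migrate
  # initdb is one-shot: remember that it ran instead of ignoring every failure
  if [ ! -e "${cfg.stateDir}/.initdb-done" ]; then
    ${lib.getExe cfg.package.manage} initdb
    touch "${cfg.stateDir}/.initdb-done"
  fi
'';
```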
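Review bot: The new warning text sends users to `servies.bookwyrm.envFile`, but the option this commit adds is `services.bookwyrm.environmentFile`, so the advice cannot be followed as written; change the line to `It's better to pass an env file containing it to services.bookwyrm.environmentFile instead.` Since a warning does not stop a SECRET_KEY given via `settings` from being written into the Nix store, consider turning this into an assertion once no existing deployment relies on the old behaviour. The `config` attribute set that this hunk closes begins outside the hunk.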