nix-packages/packages/bookwyrm/nixos-module.nix


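{ pkgs, ... }:
with pkgs;
with pkgs.kernelmaft;
{
  # NixOS module that runs the BookWyrm web service as an unprivileged system
  # user inside a hardened systemd sandbox, and provisions the PostgreSQL
  # role and database the service expects.
  #
  # Package inputs (coreutils-full, python311, bookwyrm) come from `pkgs` and
  # the `pkgs.kernelmaft` overlay brought into scope by the `with` clauses.
  systemd = {
    units = {
      "bookwyrm.service" = {
        text = ''
          [Unit]
          # Database migrations run in ExecStartPre, so PostgreSQL has to be up
          # before this unit starts; Requires= keeps the unit from starting at
          # all when the database service is missing or failed.
          After=network-online.target postgresql.service
          Wants=network-online.target
          Requires=postgresql.service
          [Service]
          # ExecStartPre writes into /etc/bookwyrm. ConfigurationDirectory=
          # creates that directory owned by User=/Group= and keeps it writable
          # even though ProtectSystem=strict mounts the rest of /etc read-only.
          ConfigurationDirectory=bookwyrm
          ExecStartPre=${coreutils-full}/bin/ln -sf ${bookwyrm}/var/lib/bookwyrm/.env /etc/bookwyrm/config.env
          ExecStartPre=${coreutils-full}/bin/ln -sf ${bookwyrm}/var/lib/bookwyrm/VERSION /var/lib/bookwyrm/
          ExecStartPre=${bookwyrm}/bin/bookwyrm-env ${python311}/bin/python ${bookwyrm}/lib/python3.11/manage.py migrate
          # 'initdb' fails harmlessly if it has been run on the database before;
          # the leading '-' tells systemd to ignore its non-zero exit status.
          ExecStartPre=-${bookwyrm}/bin/bookwyrm-env ${python311}/bin/python ${bookwyrm}/lib/python3.11/manage.py initdb
          ExecStart=${bookwyrm}/bin/bookwyrm-env ${bookwyrm}/bin/bookwyrm
          # Restart on crashes but not on a clean stop.
          Restart=on-failure
          WorkingDirectory=/var/lib/bookwyrm
          # Creates /var/lib/bookwyrm directory
          StateDirectory=bookwyrm
          # Creates /run/bookwyrm directory
          RuntimeDirectory=bookwyrm
          User=bookwyrm
          Group=bookwyrm
          # Sandboxing: read-only OS tree, no home directories, private /tmp,
          # /dev and IPC, no kernel tunables/modules/cgroup changes, no new
          # namespaces or personalities, no realtime scheduling, no setuid files.
          ProtectSystem=strict
          ProtectHome=tmpfs
          PrivateTmp=true
          PrivateDevices=true
          PrivateIPC=true
          ProtectHostname=true
          ProtectClock=true
          ProtectKernelTunables=true
          ProtectKernelModules=true
          ProtectControlGroups=true
          RestrictNamespaces=true
          LockPersonality=true
          RestrictRealtime=true
          RestrictSUIDSGID=true
          # Explicit even though several of the settings above imply it.
          NoNewPrivileges=true
          # The service runs unprivileged; drop every capability from the
          # bounding set so none can be regained.
          CapabilityBoundingSet=
          # Only the native ABI and the socket families a web app needs
          # (local sockets plus IPv4/IPv6 for the database, cache and HTTP).
          SystemCallArchitectures=native
          RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
        '';
        # Pulled in by the normal boot target; network-online.target is only
        # an ordering/wants dependency (see [Unit]), not what starts the unit.
        wantedBy = [ "multi-user.target" ];
      };
    };
  };
  users = {
    groups = {
      bookwyrm = { };
    };
    users = {
      bookwyrm = {
        group = "bookwyrm";
        home = "/var/lib/bookwyrm";
        isSystemUser = true;
      };
    };
  };
  services = {
    postgresql = {
      enable = true;
      # Role "bookwyrm" owning the database of the same name, matching
      # User=bookwyrm so peer authentication over the local socket works.
      ensureUsers = [
        {
          name = "bookwyrm";
          ensureDBOwnership = true;
        }
      ];
      ensureDatabases = [ "bookwyrm" ];
    };
  };
}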