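{ pkgs, ... }:

# NixOS module for the BookWyrm web application.
#
# It declares three things:
#   * one raw systemd unit (bookwyrm.service) that migrates/initialises the
#     database before starting the app, running under a sandboxed service user;
#   * the dedicated `bookwyrm` system user and group;
#   * a PostgreSQL role and database both named "bookwyrm".
#
# Name resolution: the inner `with pkgs.kernelmaft` shadows the outer
# `with pkgs`, so `bookwyrm` is expected to come from the kernelmaft
# attribute set while `coreutils-full` and `python311` come from `pkgs`
# (unless kernelmaft also defines them).
with pkgs;
with pkgs.kernelmaft;

{
  systemd = {
    units = {
      "bookwyrm.service" = {
        text = ''
          [Unit]
          Description=BookWyrm web application
          # The ExecStartPre= steps below talk to PostgreSQL (migrate/initdb),
          # so the unit must be ordered after the database server; Wants=
          # (rather than Requires=) keeps a restart of postgresql.service from
          # tearing this service down.
          After=network.target postgresql.service
          Wants=postgresql.service

          [Service]
          # ExecStartPre= lines carry no "+" prefix, so they run as the
          # User=/Group= below. Everything they write must therefore live in
          # a directory the service user owns; StateDirectory= guarantees that
          # for /var/lib/bookwyrm even under ProtectSystem=strict.
          ExecStartPre=${coreutils-full}/bin/ln -sf ${bookwyrm}/var/lib/bookwyrm/VERSION /var/lib/bookwyrm/
          ExecStartPre=${bookwyrm}/bin/bookwyrm-env ${python311}/bin/python ${bookwyrm}/lib/python3.11/manage.py migrate
          # NOTE(review): initdb runs on every (re)start; confirm it is
          # idempotent for the packaged bookwyrm version.
          ExecStartPre=${bookwyrm}/bin/bookwyrm-env ${python311}/bin/python ${bookwyrm}/lib/python3.11/manage.py initdb
          ExecStart=${bookwyrm}/bin/bookwyrm-env ${bookwyrm}/bin/bookwyrm
          Restart=on-failure

          WorkingDirectory=/var/lib/bookwyrm

          # Creates /var/lib/bookwyrm, owned by the service user
          StateDirectory=bookwyrm

          # Creates /run/bookwyrm, owned by the service user
          RuntimeDirectory=bookwyrm

          User=bookwyrm
          Group=bookwyrm

          # Sandboxing. The service runs unprivileged, so an empty capability
          # bounding set and NoNewPrivileges= cost nothing; the filesystem is
          # read-only apart from the State/Runtime directories above.
          NoNewPrivileges=true
          CapabilityBoundingSet=
          ProtectSystem=strict
          ProtectHome=tmpfs
          ProtectProc=invisible
          PrivateTmp=true
          PrivateDevices=true
          PrivateIPC=true
          ProtectHostname=true
          ProtectClock=true
          ProtectKernelTunables=true
          ProtectKernelModules=true
          ProtectKernelLogs=true
          ProtectControlGroups=true
          RestrictNamespaces=true
          LockPersonality=true
          RestrictRealtime=true
          RestrictSUIDSGID=true
          # The app needs TCP (HTTP, PostgreSQL/Redis over the network) and
          # Unix sockets (local PostgreSQL/Redis); everything else is denied.
          RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
          SystemCallArchitectures=native
          SystemCallFilter=@system-service
        '';

        # Start at boot like any other long-running service. Being wanted by
        # network-online.target would make a passive target pull the app in
        # instead of the system's default boot target.
        wantedBy = [ "multi-user.target" ];
      };
    };
  };

  users = {
    groups = {
      bookwyrm = {};
    };

    users = {
      bookwyrm = {
        group = "bookwyrm";
        # Matches StateDirectory=/WorkingDirectory= in the unit above.
        home = "/var/lib/bookwyrm";
        isSystemUser = true;
      };
    };
  };

  services = {
    postgresql = {
      enable = true;
      ensureUsers = [
        {
          name = "bookwyrm";
          # ensureDBOwnership requires a database with the same name as the
          # role, which ensureDatabases below provides.
          ensureDBOwnership = true;
        }
      ];
      ensureDatabases = [ "bookwyrm" ];
    };
  };
}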