mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-25 03:17:13 +00:00
cb80b67993
Assert that the PostgreSQL version being deployed is the one used upstream. Allow the user to override this assertion, since it's not always possible or preferable to use the recommended one.
1069 lines
36 KiB
Nix
1069 lines
36 KiB
Nix
{ config, options, lib, pkgs, utils, ... }:
|
|
|
|
let
|
|
json = pkgs.formats.json {};
|
|
|
|
cfg = config.services.discourse;
|
|
|
|
# Keep in sync with https://github.com/discourse/discourse_docker/blob/master/image/base/Dockerfile#L5
|
|
upstreamPostgresqlVersion = lib.getVersion pkgs.postgresql_13;
|
|
|
|
postgresqlPackage = if config.services.postgresql.enable then
|
|
config.services.postgresql.package
|
|
else
|
|
pkgs.postgresql;
|
|
|
|
postgresqlVersion = lib.getVersion postgresqlPackage;
|
|
|
|
# We only want to create a database if we're actually going to connect to it.
|
|
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == null;
|
|
|
|
tlsEnabled = (cfg.enableACME
|
|
|| cfg.sslCertificate != null
|
|
|| cfg.sslCertificateKey != null);
|
|
in
|
|
{
|
|
options = {
|
|
services.discourse = {
|
|
enable = lib.mkEnableOption "Discourse, an open source discussion platform";
|
|
|
|
package = lib.mkOption {
|
|
type = lib.types.package;
|
|
default = pkgs.discourse;
|
|
defaultText = "pkgs.discourse";
|
|
description = ''
|
|
The discourse package to use.
|
|
'';
|
|
};
|
|
|
|
hostname = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = if config.networking.domain != null then
|
|
config.networking.fqdn
|
|
else
|
|
config.networking.hostName;
|
|
defaultText = "config.networking.fqdn";
|
|
example = "discourse.example.com";
|
|
description = ''
|
|
The hostname to serve Discourse on.
|
|
'';
|
|
};
|
|
|
|
secretKeyBaseFile = lib.mkOption {
|
|
type = with lib.types; nullOr path;
|
|
default = null;
|
|
example = "/run/keys/secret_key_base";
|
|
description = ''
|
|
The path to a file containing the
|
|
<literal>secret_key_base</literal> secret.
|
|
|
|
Discourse uses <literal>secret_key_base</literal> to encrypt
|
|
the cookie store, which contains session data, and to digest
|
|
user auth tokens.
|
|
|
|
Needs to be a 64 byte long string of hexadecimal
|
|
characters. You can generate one by running
|
|
|
|
<screen>
|
|
<prompt>$ </prompt>openssl rand -hex 64 >/path/to/secret_key_base_file
|
|
</screen>
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
copied into the world-readable nix store.
|
|
'';
|
|
};
|
|
|
|
sslCertificate = lib.mkOption {
|
|
type = with lib.types; nullOr path;
|
|
default = null;
|
|
example = "/run/keys/ssl.cert";
|
|
description = ''
|
|
The path to the server SSL certificate. Set this to enable
|
|
SSL.
|
|
'';
|
|
};
|
|
|
|
sslCertificateKey = lib.mkOption {
|
|
type = with lib.types; nullOr path;
|
|
default = null;
|
|
example = "/run/keys/ssl.key";
|
|
description = ''
|
|
The path to the server SSL certificate key. Set this to
|
|
enable SSL.
|
|
'';
|
|
};
|
|
|
|
enableACME = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = cfg.sslCertificate == null && cfg.sslCertificateKey == null;
|
|
defaultText = "true, unless services.discourse.sslCertificate and services.discourse.sslCertificateKey are set.";
|
|
description = ''
|
|
Whether an ACME certificate should be used to secure
|
|
connections to the server.
|
|
'';
|
|
};
|
|
|
|
backendSettings = lib.mkOption {
|
|
type = with lib.types; attrsOf (nullOr (oneOf [ str int bool float ]));
|
|
default = {};
|
|
example = lib.literalExample ''
|
|
{
|
|
max_reqs_per_ip_per_minute = 300;
|
|
max_reqs_per_ip_per_10_seconds = 60;
|
|
max_asset_reqs_per_ip_per_10_seconds = 250;
|
|
max_reqs_per_ip_mode = "warn+block";
|
|
};
|
|
'';
|
|
description = ''
|
|
Additional settings to put in the
|
|
<filename>discourse.conf</filename> file.
|
|
|
|
Look in the
|
|
<link xlink:href="https://github.com/discourse/discourse/blob/master/config/discourse_defaults.conf">discourse_defaults.conf</link>
|
|
file in the upstream distribution to find available options.
|
|
|
|
Setting an option to <literal>null</literal> means
|
|
<quote>define variable, but leave right-hand side
|
|
empty</quote>.
|
|
'';
|
|
};
|
|
|
|
siteSettings = lib.mkOption {
|
|
type = json.type;
|
|
default = {};
|
|
example = lib.literalExample ''
|
|
{
|
|
required = {
|
|
title = "My Cats";
|
|
site_description = "Discuss My Cats (and be nice plz)";
|
|
};
|
|
login = {
|
|
enable_github_logins = true;
|
|
github_client_id = "a2f6dfe838cb3206ce20";
|
|
github_client_secret._secret = /run/keys/discourse_github_client_secret;
|
|
};
|
|
};
|
|
'';
|
|
description = ''
|
|
Discourse site settings. These are the settings that can be
|
|
changed from the UI. This only defines their default values:
|
|
they can still be overridden from the UI.
|
|
|
|
Available settings can be found by looking in the
|
|
<link xlink:href="https://github.com/discourse/discourse/blob/master/config/site_settings.yml">site_settings.yml</link>
|
|
file of the upstream distribution. To find a setting's path,
|
|
you only need to care about the first two levels; i.e. its
|
|
category and name. See the example.
|
|
|
|
Settings containing secret data should be set to an
|
|
attribute set containing the attribute
|
|
<literal>_secret</literal> - a string pointing to a file
|
|
containing the value the option should be set to. See the
|
|
example to get a better picture of this: in the resulting
|
|
<filename>config/nixos_site_settings.json</filename> file,
|
|
the <literal>login.github_client_secret</literal> key will
|
|
be set to the contents of the
|
|
<filename>/run/keys/discourse_github_client_secret</filename>
|
|
file.
|
|
'';
|
|
};
|
|
|
|
admin = {
|
|
email = lib.mkOption {
|
|
type = lib.types.str;
|
|
example = "admin@example.com";
|
|
description = ''
|
|
The admin user email address.
|
|
'';
|
|
};
|
|
|
|
username = lib.mkOption {
|
|
type = lib.types.str;
|
|
example = "admin";
|
|
description = ''
|
|
The admin user username.
|
|
'';
|
|
};
|
|
|
|
fullName = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = ''
|
|
The admin user's full name.
|
|
'';
|
|
};
|
|
|
|
passwordFile = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = ''
|
|
A path to a file containing the admin user's password.
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
copied into the world-readable nix store.
|
|
'';
|
|
};
|
|
};
|
|
|
|
nginx.enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = ''
|
|
Whether an <literal>nginx</literal> virtual host should be
|
|
set up to serve Discourse. Only disable if you're planning
|
|
to use a different web server, which is not recommended.
|
|
'';
|
|
};
|
|
|
|
database = {
|
|
pool = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 8;
|
|
description = ''
|
|
Database connection pool size.
|
|
'';
|
|
};
|
|
|
|
host = lib.mkOption {
|
|
type = with lib.types; nullOr str;
|
|
default = null;
|
|
description = ''
|
|
Discourse database hostname. <literal>null</literal> means <quote>prefer
|
|
local unix socket connection</quote>.
|
|
'';
|
|
};
|
|
|
|
passwordFile = lib.mkOption {
|
|
type = with lib.types; nullOr path;
|
|
default = null;
|
|
description = ''
|
|
File containing the Discourse database user password.
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
copied into the world-readable nix store.
|
|
'';
|
|
};
|
|
|
|
createLocally = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = ''
|
|
Whether a database should be automatically created on the
|
|
local host. Set this to <literal>false</literal> if you plan
|
|
on provisioning a local database yourself. This has no effect
|
|
if <option>services.discourse.database.host</option> is customized.
|
|
'';
|
|
};
|
|
|
|
name = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "discourse";
|
|
description = ''
|
|
Discourse database name.
|
|
'';
|
|
};
|
|
|
|
username = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "discourse";
|
|
description = ''
|
|
Discourse database user.
|
|
'';
|
|
};
|
|
|
|
ignorePostgresqlVersion = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to allow other versions of PostgreSQL than the
|
|
recommended one. Only effective when
|
|
<option>services.discourse.database.createLocally</option>
|
|
is enabled.
|
|
'';
|
|
};
|
|
};
|
|
|
|
redis = {
|
|
host = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "localhost";
|
|
description = ''
|
|
Redis server hostname.
|
|
'';
|
|
};
|
|
|
|
passwordFile = lib.mkOption {
|
|
type = with lib.types; nullOr path;
|
|
default = null;
|
|
description = ''
|
|
File containing the Redis password.
|
|
|
|
This should be a string, not a nix path, since nix paths are
|
|
copied into the world-readable nix store.
|
|
'';
|
|
};
|
|
|
|
dbNumber = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 0;
|
|
description = ''
|
|
Redis database number.
|
|
'';
|
|
};
|
|
|
|
useSSL = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = cfg.redis.host != "localhost";
|
|
description = ''
|
|
Connect to Redis with SSL.
|
|
'';
|
|
};
|
|
};
|
|
|
|
mail = {
|
|
notificationEmailAddress = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "${if cfg.mail.incoming.enable then "notifications" else "noreply"}@${cfg.hostname}";
|
|
defaultText = ''
|
|
"notifications@`config.services.discourse.hostname`" if
|
|
config.services.discourse.mail.incoming.enable is "true",
|
|
otherwise "noreply`config.services.discourse.hostname`"
|
|
'';
|
|
description = ''
|
|
The <literal>from:</literal> email address used when
|
|
sending all essential system emails. The domain specified
|
|
here must have SPF, DKIM and reverse PTR records set
|
|
correctly for email to arrive.
|
|
'';
|
|
};
|
|
|
|
contactEmailAddress = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "";
|
|
description = ''
|
|
Email address of key contact responsible for this
|
|
site. Used for critical notifications, as well as on the
|
|
<literal>/about</literal> contact form for urgent matters.
|
|
'';
|
|
};
|
|
|
|
outgoing = {
|
|
serverAddress = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "localhost";
|
|
description = ''
|
|
The address of the SMTP server Discourse should use to
|
|
send email.
|
|
'';
|
|
};
|
|
|
|
port = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 25;
|
|
description = ''
|
|
The port of the SMTP server Discourse should use to
|
|
send email.
|
|
'';
|
|
};
|
|
|
|
username = lib.mkOption {
|
|
type = with lib.types; nullOr str;
|
|
default = null;
|
|
description = ''
|
|
The username of the SMTP server.
|
|
'';
|
|
};
|
|
|
|
passwordFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
default = null;
|
|
description = ''
|
|
A file containing the password of the SMTP server account.
|
|
|
|
This should be a string, not a nix path, since nix paths
|
|
are copied into the world-readable nix store.
|
|
'';
|
|
};
|
|
|
|
domain = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = cfg.hostname;
|
|
description = ''
|
|
HELO domain to use for outgoing mail.
|
|
'';
|
|
};
|
|
|
|
authentication = lib.mkOption {
|
|
type = with lib.types; nullOr (enum ["plain" "login" "cram_md5"]);
|
|
default = null;
|
|
description = ''
|
|
Authentication type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html
|
|
'';
|
|
};
|
|
|
|
enableStartTLSAuto = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = ''
|
|
Whether to try to use StartTLS.
|
|
'';
|
|
};
|
|
|
|
opensslVerifyMode = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "peer";
|
|
description = ''
|
|
How OpenSSL checks the certificate, see http://api.rubyonrails.org/classes/ActionMailer/Base.html
|
|
'';
|
|
};
|
|
|
|
forceTLS = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = ''
|
|
Force implicit TLS as per RFC 8314 3.3.
|
|
'';
|
|
};
|
|
};
|
|
|
|
incoming = {
|
|
enable = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = ''
|
|
Whether to set up Postfix to receive incoming mail.
|
|
'';
|
|
};
|
|
|
|
replyEmailAddress = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "%{reply_key}@${cfg.hostname}";
|
|
defaultText = "%{reply_key}@`config.services.discourse.hostname`";
|
|
description = ''
|
|
Template for reply by email incoming email address, for
|
|
example: %{reply_key}@reply.example.com or
|
|
replies+%{reply_key}@example.com
|
|
'';
|
|
};
|
|
|
|
mailReceiverPackage = lib.mkOption {
|
|
type = lib.types.package;
|
|
default = pkgs.discourse-mail-receiver;
|
|
defaultText = "pkgs.discourse-mail-receiver";
|
|
description = ''
|
|
The discourse-mail-receiver package to use.
|
|
'';
|
|
};
|
|
|
|
apiKeyFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.path;
|
|
default = null;
|
|
description = ''
|
|
A file containing the Discourse API key used to add
|
|
posts and messages from mail. If left at its default
|
|
value <literal>null</literal>, one will be automatically
|
|
generated.
|
|
|
|
This should be a string, not a nix path, since nix paths
|
|
are copied into the world-readable nix store.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
plugins = lib.mkOption {
|
|
type = lib.types.listOf lib.types.package;
|
|
default = [];
|
|
example = ''
|
|
[
|
|
(pkgs.fetchFromGitHub {
|
|
owner = "discourse";
|
|
repo = "discourse-spoiler-alert";
|
|
rev = "e200cfa571d252cab63f3d30d619b370986e4cee";
|
|
sha256 = "0ya69ix5g77wz4c9x9gmng6l25ghb5xxlx3icr6jam16q14dzc33";
|
|
})
|
|
];
|
|
'';
|
|
description = ''
|
|
<productname>Discourse</productname> plugins to install as a
|
|
list of derivations. As long as a plugin supports the
|
|
standard install method, packaging it should only require
|
|
fetching its source with an appropriate fetcher.
|
|
'';
|
|
};
|
|
|
|
sidekiqProcesses = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 1;
|
|
description = ''
|
|
How many Sidekiq processes should be spawned.
|
|
'';
|
|
};
|
|
|
|
unicornTimeout = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 30;
|
|
description = ''
|
|
Time in seconds before a request to Unicorn times out.
|
|
|
|
This can be raised if the system Discourse is running on is
|
|
too slow to handle many requests within 30 seconds.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
assertions = [
|
|
{
|
|
assertion = (cfg.database.host != null) -> (cfg.database.passwordFile != null);
|
|
message = "When services.gitlab.database.host is customized, services.discourse.database.passwordFile must be set!";
|
|
}
|
|
{
|
|
assertion = cfg.hostname != "";
|
|
message = "Could not automatically determine hostname, set service.discourse.hostname manually.";
|
|
}
|
|
{
|
|
assertion = cfg.database.ignorePostgresqlVersion || (databaseActuallyCreateLocally -> upstreamPostgresqlVersion == postgresqlVersion);
|
|
message = "The PostgreSQL version recommended for use with Discourse is ${upstreamPostgresqlVersion}, you're using ${postgresqlVersion}. "
|
|
+ "Either update your PostgreSQL package to the correct version or set services.discourse.database.ignorePostgresqlVersion. "
|
|
+ "See https://nixos.org/manual/nixos/stable/index.html#module-postgresql for details on how to upgrade PostgreSQL.";
|
|
}
|
|
];
|
|
|
|
|
|
# Default config values are from `config/discourse_defaults.conf`
|
|
# upstream.
|
|
services.discourse.backendSettings = lib.mapAttrs (_: lib.mkDefault) {
|
|
db_pool = cfg.database.pool;
|
|
db_timeout = 5000;
|
|
db_connect_timeout = 5;
|
|
db_socket = null;
|
|
db_host = cfg.database.host;
|
|
db_backup_host = null;
|
|
db_port = null;
|
|
db_backup_port = 5432;
|
|
db_name = cfg.database.name;
|
|
db_username = if databaseActuallyCreateLocally then "discourse" else cfg.database.username;
|
|
db_password = cfg.database.passwordFile;
|
|
db_prepared_statements = false;
|
|
db_replica_host = null;
|
|
db_replica_port = null;
|
|
db_advisory_locks = true;
|
|
|
|
inherit (cfg) hostname;
|
|
backup_hostname = null;
|
|
|
|
smtp_address = cfg.mail.outgoing.serverAddress;
|
|
smtp_port = cfg.mail.outgoing.port;
|
|
smtp_domain = cfg.mail.outgoing.domain;
|
|
smtp_user_name = cfg.mail.outgoing.username;
|
|
smtp_password = cfg.mail.outgoing.passwordFile;
|
|
smtp_authentication = cfg.mail.outgoing.authentication;
|
|
smtp_enable_start_tls = cfg.mail.outgoing.enableStartTLSAuto;
|
|
smtp_openssl_verify_mode = cfg.mail.outgoing.opensslVerifyMode;
|
|
smtp_force_tls = cfg.mail.outgoing.forceTLS;
|
|
|
|
load_mini_profiler = true;
|
|
mini_profiler_snapshots_period = 0;
|
|
mini_profiler_snapshots_transport_url = null;
|
|
mini_profiler_snapshots_transport_auth_key = null;
|
|
|
|
cdn_url = null;
|
|
cdn_origin_hostname = null;
|
|
developer_emails = null;
|
|
|
|
redis_host = cfg.redis.host;
|
|
redis_port = 6379;
|
|
redis_replica_host = null;
|
|
redis_replica_port = 6379;
|
|
redis_db = cfg.redis.dbNumber;
|
|
redis_password = cfg.redis.passwordFile;
|
|
redis_skip_client_commands = false;
|
|
redis_use_ssl = cfg.redis.useSSL;
|
|
|
|
message_bus_redis_enabled = false;
|
|
message_bus_redis_host = "localhost";
|
|
message_bus_redis_port = 6379;
|
|
message_bus_redis_replica_host = null;
|
|
message_bus_redis_replica_port = 6379;
|
|
message_bus_redis_db = 0;
|
|
message_bus_redis_password = null;
|
|
message_bus_redis_skip_client_commands = false;
|
|
|
|
enable_cors = false;
|
|
cors_origin = "";
|
|
serve_static_assets = false;
|
|
sidekiq_workers = 5;
|
|
rtl_css = false;
|
|
connection_reaper_age = 30;
|
|
connection_reaper_interval = 30;
|
|
relative_url_root = null;
|
|
message_bus_max_backlog_size = 100;
|
|
secret_key_base = cfg.secretKeyBaseFile;
|
|
fallback_assets_path = null;
|
|
|
|
s3_bucket = null;
|
|
s3_region = null;
|
|
s3_access_key_id = null;
|
|
s3_secret_access_key = null;
|
|
s3_use_iam_profile = null;
|
|
s3_cdn_url = null;
|
|
s3_endpoint = null;
|
|
s3_http_continue_timeout = null;
|
|
s3_install_cors_rule = null;
|
|
|
|
max_user_api_reqs_per_minute = 20;
|
|
max_user_api_reqs_per_day = 2880;
|
|
max_admin_api_reqs_per_key_per_minute = 60;
|
|
max_reqs_per_ip_per_minute = 200;
|
|
max_reqs_per_ip_per_10_seconds = 50;
|
|
max_asset_reqs_per_ip_per_10_seconds = 200;
|
|
max_reqs_per_ip_mode = "block";
|
|
max_reqs_rate_limit_on_private = false;
|
|
force_anonymous_min_queue_seconds = 1;
|
|
force_anonymous_min_per_10_seconds = 3;
|
|
background_requests_max_queue_length = 0.5;
|
|
reject_message_bus_queue_seconds = 0.1;
|
|
disable_search_queue_threshold = 1;
|
|
max_old_rebakes_per_15_minutes = 300;
|
|
max_logster_logs = 1000;
|
|
refresh_maxmind_db_during_precompile_days = 2;
|
|
maxmind_backup_path = null;
|
|
maxmind_license_key = null;
|
|
enable_performance_http_headers = false;
|
|
enable_js_error_reporting = true;
|
|
mini_scheduler_workers = 5;
|
|
compress_anon_cache = false;
|
|
anon_cache_store_threshold = 2;
|
|
allowed_theme_repos = null;
|
|
enable_email_sync_demon = false;
|
|
max_digests_enqueued_per_30_mins_per_site = 10000;
|
|
cluster_name = null;
|
|
};
|
|
|
|
services.redis.enable = lib.mkDefault (cfg.redis.host == "localhost");
|
|
|
|
services.postgresql = lib.mkIf databaseActuallyCreateLocally {
|
|
enable = true;
|
|
ensureUsers = [{ name = "discourse"; }];
|
|
};
|
|
|
|
# The postgresql module doesn't currently support concepts like
|
|
# objects owners and extensions; for now we tack on what's needed
|
|
# here.
|
|
systemd.services.discourse-postgresql =
|
|
let
|
|
pgsql = config.services.postgresql;
|
|
in
|
|
lib.mkIf databaseActuallyCreateLocally {
|
|
after = [ "postgresql.service" ];
|
|
bindsTo = [ "postgresql.service" ];
|
|
wantedBy = [ "discourse.service" ];
|
|
partOf = [ "discourse.service" ];
|
|
path = [
|
|
pgsql.package
|
|
];
|
|
script = ''
|
|
set -o errexit -o pipefail -o nounset -o errtrace
|
|
shopt -s inherit_errexit
|
|
|
|
psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'discourse'" | grep -q 1 || psql -tAc 'CREATE DATABASE "discourse" OWNER "discourse"'
|
|
psql '${cfg.database.name}' -tAc "CREATE EXTENSION IF NOT EXISTS pg_trgm"
|
|
psql '${cfg.database.name}' -tAc "CREATE EXTENSION IF NOT EXISTS hstore"
|
|
'';
|
|
|
|
serviceConfig = {
|
|
User = pgsql.superUser;
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
};
|
|
};
|
|
|
|
systemd.services.discourse = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [
|
|
"redis.service"
|
|
"postgresql.service"
|
|
"discourse-postgresql.service"
|
|
];
|
|
bindsTo = [
|
|
"redis.service"
|
|
] ++ lib.optionals (cfg.database.host == null) [
|
|
"postgresql.service"
|
|
"discourse-postgresql.service"
|
|
];
|
|
path = cfg.package.runtimeDeps ++ [
|
|
postgresqlPackage
|
|
pkgs.replace-secret
|
|
cfg.package.rake
|
|
];
|
|
environment = cfg.package.runtimeEnv // {
|
|
UNICORN_TIMEOUT = builtins.toString cfg.unicornTimeout;
|
|
UNICORN_SIDEKIQS = builtins.toString cfg.sidekiqProcesses;
|
|
MALLOC_ARENA_MAX = "2";
|
|
};
|
|
|
|
preStart =
|
|
let
|
|
discourseKeyValue = lib.generators.toKeyValue {
|
|
mkKeyValue = lib.flip lib.generators.mkKeyValueDefault " = " {
|
|
mkValueString = v: with builtins;
|
|
if isInt v then toString v
|
|
else if isString v then ''"${v}"''
|
|
else if true == v then "true"
|
|
else if false == v then "false"
|
|
else if null == v then ""
|
|
else if isFloat v then lib.strings.floatToString v
|
|
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
|
|
};
|
|
};
|
|
|
|
discourseConf = pkgs.writeText "discourse.conf" (discourseKeyValue cfg.backendSettings);
|
|
|
|
mkSecretReplacement = file:
|
|
lib.optionalString (file != null) ''
|
|
replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf
|
|
'';
|
|
in ''
|
|
set -o errexit -o pipefail -o nounset -o errtrace
|
|
shopt -s inherit_errexit
|
|
|
|
umask u=rwx,g=rx,o=
|
|
|
|
cp -r ${cfg.package}/share/discourse/config.dist/* /run/discourse/config/
|
|
cp -r ${cfg.package}/share/discourse/public.dist/* /run/discourse/public/
|
|
cp -r ${cfg.package}/share/discourse/plugins.dist/* /run/discourse/plugins/
|
|
${lib.concatMapStringsSep "\n" (p: "ln -sf ${p} /run/discourse/plugins/") cfg.plugins}
|
|
ln -sf /var/lib/discourse/uploads /run/discourse/public/uploads
|
|
ln -sf /var/lib/discourse/backups /run/discourse/public/backups
|
|
|
|
(
|
|
umask u=rwx,g=,o=
|
|
|
|
${utils.genJqSecretsReplacementSnippet
|
|
cfg.siteSettings
|
|
"/run/discourse/config/nixos_site_settings.json"
|
|
}
|
|
install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
|
|
${mkSecretReplacement cfg.database.passwordFile}
|
|
${mkSecretReplacement cfg.mail.outgoing.passwordFile}
|
|
${mkSecretReplacement cfg.redis.passwordFile}
|
|
${mkSecretReplacement cfg.secretKeyBaseFile}
|
|
chmod 0400 /run/discourse/config/discourse.conf
|
|
)
|
|
|
|
discourse-rake db:migrate >>/var/log/discourse/db_migration.log
|
|
chmod -R u+w /run/discourse/tmp/
|
|
|
|
export ADMIN_EMAIL="${cfg.admin.email}"
|
|
export ADMIN_NAME="${cfg.admin.fullName}"
|
|
export ADMIN_USERNAME="${cfg.admin.username}"
|
|
ADMIN_PASSWORD="$(<${cfg.admin.passwordFile})"
|
|
export ADMIN_PASSWORD
|
|
discourse-rake admin:create_noninteractively
|
|
|
|
discourse-rake themes:update
|
|
discourse-rake uploads:regenerate_missing_optimized
|
|
'';
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = "discourse";
|
|
Group = "discourse";
|
|
RuntimeDirectory = map (p: "discourse/" + p) [
|
|
"config"
|
|
"home"
|
|
"tmp"
|
|
"assets/javascripts/plugins"
|
|
"public"
|
|
"plugins"
|
|
"sockets"
|
|
];
|
|
RuntimeDirectoryMode = 0750;
|
|
StateDirectory = map (p: "discourse/" + p) [
|
|
"uploads"
|
|
"backups"
|
|
];
|
|
StateDirectoryMode = 0750;
|
|
LogsDirectory = "discourse";
|
|
TimeoutSec = "infinity";
|
|
Restart = "on-failure";
|
|
WorkingDirectory = "${cfg.package}/share/discourse";
|
|
|
|
RemoveIPC = true;
|
|
PrivateTmp = true;
|
|
NoNewPrivileges = true;
|
|
RestrictSUIDSGID = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = "read-only";
|
|
|
|
ExecStart = "${cfg.package.rubyEnv}/bin/bundle exec config/unicorn_launcher -E production -c config/unicorn.conf.rb";
|
|
};
|
|
};
|
|
|
|
services.nginx = lib.mkIf cfg.nginx.enable {
|
|
enable = true;
|
|
additionalModules = [ pkgs.nginxModules.brotli ];
|
|
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
upstreams.discourse.servers."unix:/run/discourse/sockets/unicorn.sock" = {};
|
|
|
|
appendHttpConfig = ''
|
|
# inactive means we keep stuff around for 1440m minutes regardless of last access (1 week)
|
|
# levels means it is a 2 deep heirarchy cause we can have lots of files
|
|
# max_size limits the size of the cache
|
|
proxy_cache_path /var/cache/nginx inactive=1440m levels=1:2 keys_zone=discourse:10m max_size=600m;
|
|
|
|
# see: https://meta.discourse.org/t/x/74060
|
|
proxy_buffer_size 8k;
|
|
'';
|
|
|
|
virtualHosts.${cfg.hostname} = {
|
|
inherit (cfg) sslCertificate sslCertificateKey enableACME;
|
|
forceSSL = lib.mkDefault tlsEnabled;
|
|
|
|
root = "/run/discourse/public";
|
|
|
|
locations =
|
|
let
|
|
proxy = { extraConfig ? "" }: {
|
|
proxyPass = "http://discourse";
|
|
extraConfig = extraConfig + ''
|
|
proxy_set_header X-Request-Start "t=''${msec}";
|
|
'';
|
|
};
|
|
cache = time: ''
|
|
expires ${time};
|
|
add_header Cache-Control public,immutable;
|
|
'';
|
|
cache_1y = cache "1y";
|
|
cache_1d = cache "1d";
|
|
in
|
|
{
|
|
"/".tryFiles = "$uri @discourse";
|
|
"@discourse" = proxy {};
|
|
"^~ /backups/".extraConfig = ''
|
|
internal;
|
|
'';
|
|
"/favicon.ico" = {
|
|
return = "204";
|
|
extraConfig = ''
|
|
access_log off;
|
|
log_not_found off;
|
|
'';
|
|
};
|
|
"~ ^/uploads/short-url/" = proxy {};
|
|
"~ ^/secure-media-uploads/" = proxy {};
|
|
"~* (fonts|assets|plugins|uploads)/.*\.(eot|ttf|woff|woff2|ico|otf)$".extraConfig = cache_1y + ''
|
|
add_header Access-Control-Allow-Origin *;
|
|
'';
|
|
"/srv/status" = proxy {
|
|
extraConfig = ''
|
|
access_log off;
|
|
log_not_found off;
|
|
'';
|
|
};
|
|
"~ ^/javascripts/".extraConfig = cache_1d;
|
|
"~ ^/assets/(?<asset_path>.+)$".extraConfig = cache_1y + ''
|
|
# asset pipeline enables this
|
|
brotli_static on;
|
|
gzip_static on;
|
|
'';
|
|
"~ ^/plugins/".extraConfig = cache_1y;
|
|
"~ /images/emoji/".extraConfig = cache_1y;
|
|
"~ ^/uploads/" = proxy {
|
|
extraConfig = cache_1y + ''
|
|
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
|
proxy_set_header X-Accel-Mapping /run/discourse/public/=/downloads/;
|
|
|
|
# custom CSS
|
|
location ~ /stylesheet-cache/ {
|
|
try_files $uri =404;
|
|
}
|
|
# this allows us to bypass rails
|
|
location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|ico|webp)$ {
|
|
try_files $uri =404;
|
|
}
|
|
# SVG needs an extra header attached
|
|
location ~* \.(svg)$ {
|
|
}
|
|
# thumbnails & optimized images
|
|
location ~ /_?optimized/ {
|
|
try_files $uri =404;
|
|
}
|
|
'';
|
|
};
|
|
"~ ^/admin/backups/" = proxy {
|
|
extraConfig = ''
|
|
proxy_set_header X-Sendfile-Type X-Accel-Redirect;
|
|
proxy_set_header X-Accel-Mapping /run/discourse/public/=/downloads/;
|
|
'';
|
|
};
|
|
"~ ^/(svg-sprite/|letter_avatar/|letter_avatar_proxy/|user_avatar|highlight-js|stylesheets|theme-javascripts|favicon/proxied|service-worker)" = proxy {
|
|
extraConfig = ''
|
|
# if Set-Cookie is in the response nothing gets cached
|
|
# this is double bad cause we are not passing last modified in
|
|
proxy_ignore_headers "Set-Cookie";
|
|
proxy_hide_header "Set-Cookie";
|
|
proxy_hide_header "X-Discourse-Username";
|
|
proxy_hide_header "X-Runtime";
|
|
|
|
# note x-accel-redirect can not be used with proxy_cache
|
|
proxy_cache discourse;
|
|
proxy_cache_key "$scheme,$host,$request_uri";
|
|
proxy_cache_valid 200 301 302 7d;
|
|
proxy_cache_valid any 1m;
|
|
'';
|
|
};
|
|
"/message-bus/" = proxy {
|
|
extraConfig = ''
|
|
proxy_http_version 1.1;
|
|
proxy_buffering off;
|
|
'';
|
|
};
|
|
"/downloads/".extraConfig = ''
|
|
internal;
|
|
alias /run/discourse/public/;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.discourse-mail-receiver-setup = lib.mkIf cfg.mail.incoming.enable (
|
|
let
|
|
mail-receiver-environment = {
|
|
MAIL_DOMAIN = cfg.hostname;
|
|
DISCOURSE_BASE_URL = "http${lib.optionalString tlsEnabled "s"}://${cfg.hostname}";
|
|
DISCOURSE_API_KEY = "@api-key@";
|
|
DISCOURSE_API_USERNAME = "system";
|
|
};
|
|
mail-receiver-json = json.generate "mail-receiver.json" mail-receiver-environment;
|
|
in
|
|
{
|
|
before = [ "postfix.service" ];
|
|
after = [ "discourse.service" ];
|
|
wantedBy = [ "discourse.service" ];
|
|
partOf = [ "discourse.service" ];
|
|
path = [
|
|
cfg.package.rake
|
|
pkgs.jq
|
|
];
|
|
preStart = lib.optionalString (cfg.mail.incoming.apiKeyFile == null) ''
|
|
set -o errexit -o pipefail -o nounset -o errtrace
|
|
shopt -s inherit_errexit
|
|
|
|
if [[ ! -e /var/lib/discourse-mail-receiver/api_key ]]; then
|
|
discourse-rake api_key:create_master[email-receiver] >/var/lib/discourse-mail-receiver/api_key
|
|
fi
|
|
'';
|
|
script =
|
|
let
|
|
apiKeyPath =
|
|
if cfg.mail.incoming.apiKeyFile == null then
|
|
"/var/lib/discourse-mail-receiver/api_key"
|
|
else
|
|
cfg.mail.incoming.apiKeyFile;
|
|
in ''
|
|
set -o errexit -o pipefail -o nounset -o errtrace
|
|
shopt -s inherit_errexit
|
|
|
|
api_key=$(<'${apiKeyPath}')
|
|
export api_key
|
|
|
|
jq <${mail-receiver-json} \
|
|
'.DISCOURSE_API_KEY = $ENV.api_key' \
|
|
>'/run/discourse-mail-receiver/mail-receiver-environment.json'
|
|
'';
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
RuntimeDirectory = "discourse-mail-receiver";
|
|
RuntimeDirectoryMode = "0700";
|
|
StateDirectory = "discourse-mail-receiver";
|
|
User = "discourse";
|
|
Group = "discourse";
|
|
};
|
|
});
|
|
|
|
services.discourse.siteSettings = {
|
|
required = {
|
|
notification_email = cfg.mail.notificationEmailAddress;
|
|
contact_email = cfg.mail.contactEmailAddress;
|
|
};
|
|
email = {
|
|
manual_polling_enabled = cfg.mail.incoming.enable;
|
|
reply_by_email_enabled = cfg.mail.incoming.enable;
|
|
reply_by_email_address = cfg.mail.incoming.replyEmailAddress;
|
|
};
|
|
};
|
|
|
|
services.postfix = lib.mkIf cfg.mail.incoming.enable {
|
|
enable = true;
|
|
sslCert = if cfg.sslCertificate != null then cfg.sslCertificate else "";
|
|
sslKey = if cfg.sslCertificateKey != null then cfg.sslCertificateKey else "";
|
|
|
|
origin = cfg.hostname;
|
|
relayDomains = [ cfg.hostname ];
|
|
config = {
|
|
smtpd_recipient_restrictions = "check_policy_service unix:private/discourse-policy";
|
|
append_dot_mydomain = lib.mkDefault false;
|
|
compatibility_level = "2";
|
|
smtputf8_enable = false;
|
|
smtpd_banner = lib.mkDefault "ESMTP server";
|
|
myhostname = lib.mkDefault cfg.hostname;
|
|
mydestination = lib.mkDefault "localhost";
|
|
};
|
|
transport = ''
|
|
${cfg.hostname} discourse-mail-receiver:
|
|
'';
|
|
masterConfig = {
|
|
"discourse-mail-receiver" = {
|
|
type = "unix";
|
|
privileged = true;
|
|
chroot = false;
|
|
command = "pipe";
|
|
args = [
|
|
"user=discourse"
|
|
"argv=${cfg.mail.incoming.mailReceiverPackage}/bin/receive-mail"
|
|
"\${recipient}"
|
|
];
|
|
};
|
|
"discourse-policy" = {
|
|
type = "unix";
|
|
privileged = true;
|
|
chroot = false;
|
|
command = "spawn";
|
|
args = [
|
|
"user=discourse"
|
|
"argv=${cfg.mail.incoming.mailReceiverPackage}/bin/discourse-smtp-fast-rejection"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
|
|
users.users = {
|
|
discourse = {
|
|
group = "discourse";
|
|
isSystemUser = true;
|
|
};
|
|
} // (lib.optionalAttrs cfg.nginx.enable {
|
|
${config.services.nginx.user}.extraGroups = [ "discourse" ];
|
|
});
|
|
|
|
users.groups = {
|
|
discourse = {};
|
|
};
|
|
|
|
environment.systemPackages = [
|
|
cfg.package.rake
|
|
];
|
|
};
|
|
|
|
meta.doc = ./discourse.xml;
|
|
meta.maintainers = [ lib.maintainers.talyz ];
|
|
}
|