48459567ae
Closes #216989 First of all, a bit of context: in PostgreSQL, newly created users don't have the CREATE privilege on the public schema of a database even with `ALL PRIVILEGES` granted via `ensurePermissions` which is how most of the DB users are currently set up "declaratively"[1]. This means e.g. a freshly deployed Nextcloud service will break early because Nextcloud itself cannot CREATE any tables in the public schema anymore. The other issue here is that `ensurePermissions` is a mere hack. It's effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how a value is substituted in a query. You'd have to parse a subset of SQL to actually know which object are permissions granted to for a user). After analyzing the existing modules I realized that in every case with a single exception[2] the UNIX system user is equal to the db user is equal to the db name and I don't see a compelling reason why people would change that in 99% of the cases. In fact, some modules would even break if you'd change that because the declarations of the system user & the db user are mixed up[3]. So I decided to go with something new which restricts the ways to use `ensure*` options rather than expanding those[4]. Effectively this means that * The DB user _must_ be equal to the DB name. * Permissions are granted via `ensureDBOwnerhip` for an attribute-set in `ensureUsers`. That way, the user is actually the owner and can perform `CREATE`. * For such a postgres user, a database must be declared in `ensureDatabases`. For anything else, a custom state management should be implemented. This can either be `initialScript`, doing it manual, outside of the module or by implementing proper state management for postgresql[5], but the current state of `ensure*` isn't even declarative, but a convergent tool which is what Nix actually claims to _not_ do. Regarding existing setups: there are effectively two options: * Leave everything as-is (assuming that system user == db user == db name): then the DB user will automatically become the DB owner and everything else stays the same. * Drop the `createDatabase = true;` declarations: nothing will change because a removal of `ensure*` statements is ignored, so it doesn't matter at all whether this option is kept after the first deploy (and later on you'd usually restore from backups anyways). The DB user isn't the owner of the DB then, but for an existing setup this is irrelevant because CREATE on the public schema isn't revoked from existing users (only not granted for new users). [1] not really declarative though because removals of these statements are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467 [2] `services.invidious`: I removed the `ensure*` part temporarily because it IMHO falls into the category "manage the state on your own" (see the commit message). See also https://github.com/NixOS/nixpkgs/pull/265857 [3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";` [4] As opposed to other changes that are considered a potential fix, but also add more things like collation for DBs or passwords that are _never_ touched again when changing those. [5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
758 lines
27 KiB
Nix
758 lines
27 KiB
Nix
{ config, lib, pkgs, ...}:
|
|
|
|
let
|
|
defaultUser = "outline";
|
|
cfg = config.services.outline;
|
|
inherit (lib) mkRemovedOptionModule;
|
|
in
|
|
{
|
|
imports = [
|
|
(mkRemovedOptionModule [ "services" "outline" "sequelizeArguments" ] "Database migration are run agains configurated database by outline directly")
|
|
];
|
|
# See here for a reference of all the options:
|
|
# https://github.com/outline/outline/blob/v0.67.0/.env.sample
|
|
# https://github.com/outline/outline/blob/v0.67.0/app.json
|
|
# https://github.com/outline/outline/blob/v0.67.0/server/env.ts
|
|
# https://github.com/outline/outline/blob/v0.67.0/shared/types.ts
|
|
# The order is kept the same here to make updating easier.
|
|
options.services.outline = {
|
|
enable = lib.mkEnableOption (lib.mdDoc "outline");
|
|
|
|
package = lib.mkOption {
|
|
default = pkgs.outline;
|
|
defaultText = lib.literalExpression "pkgs.outline";
|
|
type = lib.types.package;
|
|
example = lib.literalExpression ''
|
|
pkgs.outline.overrideAttrs (super: {
|
|
# Ignore the domain part in emails that come from OIDC. This is might
|
|
# be helpful if you want multiple users with different email providers
|
|
# to still land in the same team. Note that this effectively makes
|
|
# Outline a single-team instance.
|
|
patchPhase = ${"''"}
|
|
sed -i 's/const domain = parts\.length && parts\[1\];/const domain = "example.com";/g' plugins/oidc/server/auth/oidc.ts
|
|
${"''"};
|
|
})
|
|
'';
|
|
description = lib.mdDoc "Outline package to use.";
|
|
};
|
|
|
|
user = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = defaultUser;
|
|
description = lib.mdDoc ''
|
|
User under which the service should run. If this is the default value,
|
|
the user will be created, with the specified group as the primary
|
|
group.
|
|
'';
|
|
};
|
|
|
|
group = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = defaultUser;
|
|
description = lib.mdDoc ''
|
|
Group under which the service should run. If this is the default value,
|
|
the group will be created.
|
|
'';
|
|
};
|
|
|
|
#
|
|
# Required options
|
|
#
|
|
|
|
secretKeyFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "/var/lib/outline/secret_key";
|
|
description = lib.mdDoc ''
|
|
File path that contains the application secret key. It must be 32
|
|
bytes long and hex-encoded. If the file does not exist, a new key will
|
|
be generated and saved here.
|
|
'';
|
|
};
|
|
|
|
utilsSecretFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "/var/lib/outline/utils_secret";
|
|
description = lib.mdDoc ''
|
|
File path that contains the utility secret key. If the file does not
|
|
exist, a new key will be generated and saved here.
|
|
'';
|
|
};
|
|
|
|
databaseUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "local";
|
|
description = lib.mdDoc ''
|
|
URI to use for the main PostgreSQL database. If this needs to include
|
|
credentials that shouldn't be world-readable in the Nix store, set an
|
|
environment file on the systemd service and override the
|
|
`DATABASE_URL` entry. Pass the string
|
|
`local` to setup a database on the local server.
|
|
'';
|
|
};
|
|
|
|
redisUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "local";
|
|
description = lib.mdDoc ''
|
|
Connection to a redis server. If this needs to include credentials
|
|
that shouldn't be world-readable in the Nix store, set an environment
|
|
file on the systemd service and override the
|
|
`REDIS_URL` entry. Pass the string
|
|
`local` to setup a local Redis database.
|
|
'';
|
|
};
|
|
|
|
publicUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "http://localhost:3000";
|
|
description = lib.mdDoc "The fully qualified, publicly accessible URL";
|
|
};
|
|
|
|
port = lib.mkOption {
|
|
type = lib.types.port;
|
|
default = 3000;
|
|
description = lib.mdDoc "Listening port.";
|
|
};
|
|
|
|
storage = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
To support uploading of images for avatars and document attachments an
|
|
s3-compatible storage can be provided. AWS S3 is recommended for
|
|
redundancy however if you want to keep all file storage local an
|
|
alternative such as [minio](https://github.com/minio/minio)
|
|
can be used.
|
|
Local filesystem storage can also be used.
|
|
|
|
A more detailed guide on setting up storage is available
|
|
[here](https://docs.getoutline.com/s/hosting/doc/file-storage-N4M0T6Ypu7).
|
|
'';
|
|
example = lib.literalExpression ''
|
|
{
|
|
accessKey = "...";
|
|
secretKeyFile = "/somewhere";
|
|
uploadBucketUrl = "https://minio.example.com";
|
|
uploadBucketName = "outline";
|
|
region = "us-east-1";
|
|
}
|
|
'';
|
|
type = lib.types.submodule {
|
|
options = {
|
|
storageType = lib.mkOption {
|
|
type = lib.types.enum [ "local" "s3" ];
|
|
description = lib.mdDoc "File storage type, it can be local or s3.";
|
|
default = "s3";
|
|
};
|
|
localRootDir = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc ''
|
|
If `storageType` is `local`, this sets the parent directory
|
|
under which all attachments/images go.
|
|
'';
|
|
default = "/var/lib/outline/data";
|
|
};
|
|
accessKey = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "S3 access key.";
|
|
};
|
|
secretKeyFile = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = lib.mdDoc "File path that contains the S3 secret key.";
|
|
};
|
|
region = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "xx-xxxx-x";
|
|
description = lib.mdDoc "AWS S3 region name.";
|
|
};
|
|
uploadBucketUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc ''
|
|
URL endpoint of an S3-compatible API where uploads should be
|
|
stored.
|
|
'';
|
|
};
|
|
uploadBucketName = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Name of the bucket where uploads should be stored.";
|
|
};
|
|
uploadMaxSize = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 26214400;
|
|
description = lib.mdDoc "Maxmium file size for uploads.";
|
|
};
|
|
forcePathStyle = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = lib.mdDoc "Force S3 path style.";
|
|
};
|
|
acl = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "private";
|
|
description = lib.mdDoc "ACL setting.";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
#
|
|
# Authentication
|
|
#
|
|
|
|
slackAuthentication = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
To configure Slack auth, you'll need to create an Application at
|
|
https://api.slack.com/apps
|
|
|
|
When configuring the Client ID, add a redirect URL under "OAuth & Permissions"
|
|
to `https://[publicUrl]/auth/slack.callback`.
|
|
'';
|
|
default = null;
|
|
type = lib.types.nullOr (lib.types.submodule {
|
|
options = {
|
|
clientId = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Authentication key.";
|
|
};
|
|
secretFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "File path containing the authentication secret.";
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
googleAuthentication = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
To configure Google auth, you'll need to create an OAuth Client ID at
|
|
https://console.cloud.google.com/apis/credentials
|
|
|
|
When configuring the Client ID, add an Authorized redirect URI to
|
|
`https://[publicUrl]/auth/google.callback`.
|
|
'';
|
|
default = null;
|
|
type = lib.types.nullOr (lib.types.submodule {
|
|
options = {
|
|
clientId = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Authentication client identifier.";
|
|
};
|
|
clientSecretFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "File path containing the authentication secret.";
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
azureAuthentication = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
To configure Microsoft/Azure auth, you'll need to create an OAuth
|
|
Client. See
|
|
[the guide](https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4)
|
|
for details on setting up your Azure App.
|
|
'';
|
|
default = null;
|
|
type = lib.types.nullOr (lib.types.submodule {
|
|
options = {
|
|
clientId = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Authentication client identifier.";
|
|
};
|
|
clientSecretFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "File path containing the authentication secret.";
|
|
};
|
|
resourceAppId = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Authentication application resource ID.";
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
oidcAuthentication = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
To configure generic OIDC auth, you'll need some kind of identity
|
|
provider. See the documentation for whichever IdP you use to fill out
|
|
all the fields. The redirect URL is
|
|
`https://[publicUrl]/auth/oidc.callback`.
|
|
'';
|
|
default = null;
|
|
type = lib.types.nullOr (lib.types.submodule {
|
|
options = {
|
|
clientId = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Authentication client identifier.";
|
|
};
|
|
clientSecretFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "File path containing the authentication secret.";
|
|
};
|
|
authUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "OIDC authentication URL endpoint.";
|
|
};
|
|
tokenUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "OIDC token URL endpoint.";
|
|
};
|
|
userinfoUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "OIDC userinfo URL endpoint.";
|
|
};
|
|
usernameClaim = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc ''
|
|
Specify which claims to derive user information from. Supports any
|
|
valid JSON path with the JWT payload
|
|
'';
|
|
default = "preferred_username";
|
|
};
|
|
displayName = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Display name for OIDC authentication.";
|
|
default = "OpenID";
|
|
};
|
|
scopes = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
description = lib.mdDoc "OpenID authentication scopes.";
|
|
default = [ "openid" "profile" "email" ];
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
#
|
|
# Optional configuration
|
|
#
|
|
|
|
sslKeyFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
File path that contains the Base64-encoded private key for HTTPS
|
|
termination. This is only required if you do not use an external reverse
|
|
proxy. See
|
|
[the documentation](https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4).
|
|
'';
|
|
};
|
|
sslCertFile = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
File path that contains the Base64-encoded certificate for HTTPS
|
|
termination. This is only required if you do not use an external reverse
|
|
proxy. See
|
|
[the documentation](https://wiki.generaloutline.com/share/dfa77e56-d4d2-4b51-8ff8-84ea6608faa4).
|
|
'';
|
|
};
|
|
|
|
cdnUrl = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "";
|
|
description = lib.mdDoc ''
|
|
If using a Cloudfront/Cloudflare distribution or similar it can be set
|
|
using this option. This will cause paths to JavaScript files,
|
|
stylesheets and images to be updated to the hostname defined here. In
|
|
your CDN configuration the origin server should be set to public URL.
|
|
'';
|
|
};
|
|
|
|
forceHttps = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = lib.mdDoc ''
|
|
Auto-redirect to HTTPS in production. The default is
|
|
`true` but you may set this to `false`
|
|
if you can be sure that SSL is terminated at an external loadbalancer.
|
|
'';
|
|
};
|
|
|
|
enableUpdateCheck = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
Have the installation check for updates by sending anonymized statistics
|
|
to the maintainers.
|
|
'';
|
|
};
|
|
|
|
concurrency = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 1;
|
|
description = lib.mdDoc ''
|
|
How many processes should be spawned. For a rough estimate, divide your
|
|
server's available memory by 512.
|
|
'';
|
|
};
|
|
|
|
maximumImportSize = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 5120000;
|
|
description = lib.mdDoc ''
|
|
The maximum size of document imports. Overriding this could be required
|
|
if you have especially large Word documents with embedded imagery.
|
|
'';
|
|
};
|
|
|
|
debugOutput = lib.mkOption {
|
|
type = lib.types.nullOr (lib.types.enum [ "http" ]);
|
|
default = null;
|
|
description = lib.mdDoc "Set this to `http` log HTTP requests.";
|
|
};
|
|
|
|
slackIntegration = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
For a complete Slack integration with search and posting to channels
|
|
this configuration is also needed. See here for details:
|
|
https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a
|
|
'';
|
|
default = null;
|
|
type = lib.types.nullOr (lib.types.submodule {
|
|
options = {
|
|
verificationTokenFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "File path containing the verification token.";
|
|
};
|
|
appId = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Application ID.";
|
|
};
|
|
messageActions = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = lib.mdDoc "Whether to enable message actions.";
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
googleAnalyticsId = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
Optionally enable Google Analytics to track page views in the knowledge
|
|
base.
|
|
'';
|
|
};
|
|
|
|
sentryDsn = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
Optionally enable [Sentry](https://sentry.io/) to
|
|
track errors and performance.
|
|
'';
|
|
};
|
|
|
|
sentryTunnel = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
Optionally add a
|
|
[Sentry proxy tunnel](https://docs.sentry.io/platforms/javascript/troubleshooting/#using-the-tunnel-option)
|
|
for bypassing ad blockers in the UI.
|
|
'';
|
|
};
|
|
|
|
logo = lib.mkOption {
|
|
type = lib.types.nullOr lib.types.str;
|
|
default = null;
|
|
description = lib.mdDoc ''
|
|
Custom logo displayed on the authentication screen. This will be scaled
|
|
to a height of 60px.
|
|
'';
|
|
};
|
|
|
|
smtp = lib.mkOption {
|
|
description = lib.mdDoc ''
|
|
To support sending outgoing transactional emails such as
|
|
"document updated" or "you've been invited" you'll need to provide
|
|
authentication for an SMTP server.
|
|
'';
|
|
default = null;
|
|
type = lib.types.nullOr (lib.types.submodule {
|
|
options = {
|
|
host = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Host name or IP address of the SMTP server.";
|
|
};
|
|
port = lib.mkOption {
|
|
type = lib.types.port;
|
|
description = lib.mdDoc "TCP port of the SMTP server.";
|
|
};
|
|
username = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Username to authenticate with.";
|
|
};
|
|
passwordFile = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc ''
|
|
File path containing the password to authenticate with.
|
|
'';
|
|
};
|
|
fromEmail = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Sender email in outgoing mail.";
|
|
};
|
|
replyEmail = lib.mkOption {
|
|
type = lib.types.str;
|
|
description = lib.mdDoc "Reply address in outgoing mail.";
|
|
};
|
|
tlsCiphers = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = "";
|
|
description = lib.mdDoc "Override SMTP cipher configuration.";
|
|
};
|
|
secure = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = lib.mdDoc "Use a secure SMTP connection.";
|
|
};
|
|
};
|
|
});
|
|
};
|
|
|
|
defaultLanguage = lib.mkOption {
|
|
type = lib.types.enum [
|
|
"da_DK"
|
|
"de_DE"
|
|
"en_US"
|
|
"es_ES"
|
|
"fa_IR"
|
|
"fr_FR"
|
|
"it_IT"
|
|
"ja_JP"
|
|
"ko_KR"
|
|
"nl_NL"
|
|
"pl_PL"
|
|
"pt_BR"
|
|
"pt_PT"
|
|
"ru_RU"
|
|
"sv_SE"
|
|
"th_TH"
|
|
"vi_VN"
|
|
"zh_CN"
|
|
"zh_TW"
|
|
];
|
|
default = "en_US";
|
|
description = lib.mdDoc ''
|
|
The default interface language. See
|
|
[translate.getoutline.com](https://translate.getoutline.com/)
|
|
for a list of available language codes and their rough percentage
|
|
translated.
|
|
'';
|
|
};
|
|
|
|
rateLimiter.enable = lib.mkEnableOption (lib.mdDoc "rate limiter for the application web server");
|
|
rateLimiter.requests = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 5000;
|
|
description = lib.mdDoc "Maximum number of requests in a throttling window.";
|
|
};
|
|
rateLimiter.durationWindow = lib.mkOption {
|
|
type = lib.types.int;
|
|
default = 60;
|
|
description = lib.mdDoc "Length of a throttling window.";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
users.users = lib.optionalAttrs (cfg.user == defaultUser) {
|
|
${defaultUser} = {
|
|
isSystemUser = true;
|
|
group = cfg.group;
|
|
};
|
|
};
|
|
|
|
users.groups = lib.optionalAttrs (cfg.group == defaultUser) {
|
|
${defaultUser} = { };
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"f ${cfg.secretKeyFile} 0600 ${cfg.user} ${cfg.group} -"
|
|
"f ${cfg.utilsSecretFile} 0600 ${cfg.user} ${cfg.group} -"
|
|
(if (cfg.storage.storageType == "s3") then
|
|
"f ${cfg.storage.secretKeyFile} 0600 ${cfg.user} ${cfg.group} -"
|
|
else
|
|
"d ${cfg.storage.localRootDir} 0700 ${cfg.user} ${cfg.group} - -")
|
|
];
|
|
|
|
services.postgresql = lib.mkIf (cfg.databaseUrl == "local") {
|
|
enable = true;
|
|
ensureUsers = [{
|
|
name = "outline";
|
|
ensureDBOwnership = true;
|
|
}];
|
|
ensureDatabases = [ "outline" ];
|
|
};
|
|
|
|
services.redis.servers.outline = lib.mkIf (cfg.redisUrl == "local") {
|
|
enable = true;
|
|
user = config.services.outline.user;
|
|
port = 0; # Disable the TCP listener
|
|
};
|
|
|
|
systemd.services.outline = let
|
|
localRedisUrl = "redis+unix:///run/redis-outline/redis.sock";
|
|
localPostgresqlUrl = "postgres://localhost/outline?host=/run/postgresql";
|
|
in {
|
|
description = "Outline wiki and knowledge base";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "networking.target" ]
|
|
++ lib.optional (cfg.databaseUrl == "local") "postgresql.service"
|
|
++ lib.optional (cfg.redisUrl == "local") "redis-outline.service";
|
|
requires = lib.optional (cfg.databaseUrl == "local") "postgresql.service"
|
|
++ lib.optional (cfg.redisUrl == "local") "redis-outline.service";
|
|
path = [
|
|
pkgs.openssl # Required by the preStart script
|
|
];
|
|
|
|
|
|
environment = lib.mkMerge [
|
|
{
|
|
NODE_ENV = "production";
|
|
|
|
REDIS_URL = if cfg.redisUrl == "local" then localRedisUrl else cfg.redisUrl;
|
|
URL = cfg.publicUrl;
|
|
PORT = builtins.toString cfg.port;
|
|
|
|
CDN_URL = cfg.cdnUrl;
|
|
FORCE_HTTPS = builtins.toString cfg.forceHttps;
|
|
ENABLE_UPDATES = builtins.toString cfg.enableUpdateCheck;
|
|
WEB_CONCURRENCY = builtins.toString cfg.concurrency;
|
|
MAXIMUM_IMPORT_SIZE = builtins.toString cfg.maximumImportSize;
|
|
DEBUG = cfg.debugOutput;
|
|
GOOGLE_ANALYTICS_ID = lib.optionalString (cfg.googleAnalyticsId != null) cfg.googleAnalyticsId;
|
|
SENTRY_DSN = lib.optionalString (cfg.sentryDsn != null) cfg.sentryDsn;
|
|
SENTRY_TUNNEL = lib.optionalString (cfg.sentryTunnel != null) cfg.sentryTunnel;
|
|
TEAM_LOGO = lib.optionalString (cfg.logo != null) cfg.logo;
|
|
DEFAULT_LANGUAGE = cfg.defaultLanguage;
|
|
|
|
RATE_LIMITER_ENABLED = builtins.toString cfg.rateLimiter.enable;
|
|
RATE_LIMITER_REQUESTS = builtins.toString cfg.rateLimiter.requests;
|
|
RATE_LIMITER_DURATION_WINDOW = builtins.toString cfg.rateLimiter.durationWindow;
|
|
|
|
FILE_STORAGE = cfg.storage.storageType;
|
|
FILE_STORAGE_UPLOAD_MAX_SIZE = builtins.toString cfg.storage.uploadMaxSize;
|
|
FILE_STORAGE_LOCAL_ROOT_DIR = cfg.storage.localRootDir;
|
|
}
|
|
|
|
(lib.mkIf (cfg.storage.storageType == "s3") {
|
|
AWS_ACCESS_KEY_ID = cfg.storage.accessKey;
|
|
AWS_REGION = cfg.storage.region;
|
|
AWS_S3_UPLOAD_BUCKET_URL = cfg.storage.uploadBucketUrl;
|
|
AWS_S3_UPLOAD_BUCKET_NAME = cfg.storage.uploadBucketName;
|
|
AWS_S3_FORCE_PATH_STYLE = builtins.toString cfg.storage.forcePathStyle;
|
|
AWS_S3_ACL = cfg.storage.acl;
|
|
})
|
|
|
|
(lib.mkIf (cfg.slackAuthentication != null) {
|
|
SLACK_CLIENT_ID = cfg.slackAuthentication.clientId;
|
|
})
|
|
|
|
(lib.mkIf (cfg.googleAuthentication != null) {
|
|
GOOGLE_CLIENT_ID = cfg.googleAuthentication.clientId;
|
|
})
|
|
|
|
(lib.mkIf (cfg.azureAuthentication != null) {
|
|
AZURE_CLIENT_ID = cfg.azureAuthentication.clientId;
|
|
AZURE_RESOURCE_APP_ID = cfg.azureAuthentication.resourceAppId;
|
|
})
|
|
|
|
(lib.mkIf (cfg.oidcAuthentication != null) {
|
|
OIDC_CLIENT_ID = cfg.oidcAuthentication.clientId;
|
|
OIDC_AUTH_URI = cfg.oidcAuthentication.authUrl;
|
|
OIDC_TOKEN_URI = cfg.oidcAuthentication.tokenUrl;
|
|
OIDC_USERINFO_URI = cfg.oidcAuthentication.userinfoUrl;
|
|
OIDC_USERNAME_CLAIM = cfg.oidcAuthentication.usernameClaim;
|
|
OIDC_DISPLAY_NAME = cfg.oidcAuthentication.displayName;
|
|
OIDC_SCOPES = lib.concatStringsSep " " cfg.oidcAuthentication.scopes;
|
|
})
|
|
|
|
(lib.mkIf (cfg.slackIntegration != null) {
|
|
SLACK_APP_ID = cfg.slackIntegration.appId;
|
|
SLACK_MESSAGE_ACTIONS = builtins.toString cfg.slackIntegration.messageActions;
|
|
})
|
|
|
|
(lib.mkIf (cfg.smtp != null) {
|
|
SMTP_HOST = cfg.smtp.host;
|
|
SMTP_PORT = builtins.toString cfg.smtp.port;
|
|
SMTP_USERNAME = cfg.smtp.username;
|
|
SMTP_FROM_EMAIL = cfg.smtp.fromEmail;
|
|
SMTP_REPLY_EMAIL = cfg.smtp.replyEmail;
|
|
SMTP_TLS_CIPHERS = cfg.smtp.tlsCiphers;
|
|
SMTP_SECURE = builtins.toString cfg.smtp.secure;
|
|
})
|
|
];
|
|
|
|
preStart = ''
|
|
if [ ! -s ${lib.escapeShellArg cfg.secretKeyFile} ]; then
|
|
openssl rand -hex 32 > ${lib.escapeShellArg cfg.secretKeyFile}
|
|
fi
|
|
if [ ! -s ${lib.escapeShellArg cfg.utilsSecretFile} ]; then
|
|
openssl rand -hex 32 > ${lib.escapeShellArg cfg.utilsSecretFile}
|
|
fi
|
|
|
|
'';
|
|
|
|
script = ''
|
|
export SECRET_KEY="$(head -n1 ${lib.escapeShellArg cfg.secretKeyFile})"
|
|
export UTILS_SECRET="$(head -n1 ${lib.escapeShellArg cfg.utilsSecretFile})"
|
|
${lib.optionalString (cfg.storage.storageType == "s3") ''
|
|
export AWS_SECRET_ACCESS_KEY="$(head -n1 ${lib.escapeShellArg cfg.storage.secretKeyFile})"
|
|
''}
|
|
${lib.optionalString (cfg.slackAuthentication != null) ''
|
|
export SLACK_CLIENT_SECRET="$(head -n1 ${lib.escapeShellArg cfg.slackAuthentication.secretFile})"
|
|
''}
|
|
${lib.optionalString (cfg.googleAuthentication != null) ''
|
|
export GOOGLE_CLIENT_SECRET="$(head -n1 ${lib.escapeShellArg cfg.googleAuthentication.clientSecretFile})"
|
|
''}
|
|
${lib.optionalString (cfg.azureAuthentication != null) ''
|
|
export AZURE_CLIENT_SECRET="$(head -n1 ${lib.escapeShellArg cfg.azureAuthentication.clientSecretFile})"
|
|
''}
|
|
${lib.optionalString (cfg.oidcAuthentication != null) ''
|
|
export OIDC_CLIENT_SECRET="$(head -n1 ${lib.escapeShellArg cfg.oidcAuthentication.clientSecretFile})"
|
|
''}
|
|
${lib.optionalString (cfg.sslKeyFile != null) ''
|
|
export SSL_KEY="$(head -n1 ${lib.escapeShellArg cfg.sslKeyFile})"
|
|
''}
|
|
${lib.optionalString (cfg.sslCertFile != null) ''
|
|
export SSL_CERT="$(head -n1 ${lib.escapeShellArg cfg.sslCertFile})"
|
|
''}
|
|
${lib.optionalString (cfg.slackIntegration != null) ''
|
|
export SLACK_VERIFICATION_TOKEN="$(head -n1 ${lib.escapeShellArg cfg.slackIntegration.verificationTokenFile})"
|
|
''}
|
|
${lib.optionalString (cfg.smtp != null) ''
|
|
export SMTP_PASSWORD="$(head -n1 ${lib.escapeShellArg cfg.smtp.passwordFile})"
|
|
''}
|
|
|
|
${if (cfg.databaseUrl == "local") then ''
|
|
export DATABASE_URL=${lib.escapeShellArg localPostgresqlUrl}
|
|
export PGSSLMODE=disable
|
|
'' else ''
|
|
export DATABASE_URL=${lib.escapeShellArg cfg.databaseUrl}
|
|
''}
|
|
|
|
${cfg.package}/bin/outline-server
|
|
'';
|
|
|
|
serviceConfig = {
|
|
User = cfg.user;
|
|
Group = cfg.group;
|
|
Restart = "always";
|
|
ProtectSystem = "strict";
|
|
PrivateHome = true;
|
|
PrivateTmp = true;
|
|
UMask = "0007";
|
|
|
|
StateDirectory = "outline";
|
|
StateDirectoryMode = "0750";
|
|
RuntimeDirectory = "outline";
|
|
RuntimeDirectoryMode = "0750";
|
|
# This working directory is required to find stuff like the set of
|
|
# onboarding files:
|
|
WorkingDirectory = "${cfg.package}/share/outline";
|
|
};
|
|
};
|
|
};
|
|
}
|