nixos-seafile-overlay/mod-seafile-server.nix

{ config, pkgs, lib, ...}:
with lib;
let
  cfg = config.services.seafile-server;
  # fix permissions at start
in
  {
    options.services.seafile-server = {
      enable = mkEnableOption "Seafile server";
      storagePath = mkOption {
        type = types.path;
        default = "/srv/seafile";
        description = "where to store uploaded file data";
      };
      autorun = mkOption {
        type = types.bool;
        default = true;
        description = "enable the seafile-server service to get started automatically";
      };
      db = {
        type = mkOption {
          type = types.enum ["sqlite" "mysql"];
          default = "sqlite";
          description = "database backend type";
        };
        user = mkOption {
          type = types.nullOr types.string;
          default = "seafile";
          description = "Database user name. Not required for sqlite.";
        };
        dbname = mkOption {
          type = types.nullOr types.string;
          default = "seafile";
          description = "Database name. Not required for sqlite.";
        };
        password = mkOption {
          type = types.nullOr types.string;
          default = null;
          description = ''
            Database password. Use <literal>passwordFile</literal> to avoid this
            being world-readable in the <literal>/nix/store</literal>.

            Not required for sqlite.'';
          };
          passwordFile = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = ''
              The full path to a file that contains the database password.
            '';
          };
          host = mkOption {
            type = types.nullOr types.str;
            default = "localhost";
            description = "Database host.";
          };
          dbport = mkOption {
            type = with types; nullOr (either int str);
            default = null;
            description = "Database port. Not required for sqlite.";
          };
        };

        user = mkOption {
          type = types.str;
          default = "seafile";
          description = "User account under which the Seafile server runs.";
        };

        group = mkOption {
          type = types.str;
          default = "seafile";
          description = "Group account under which the Seafile server runs.";
        };

        name = mkOption {
          type = types.str;
          default = "Seafile";
          description = "name of the Seafile instance, will show up in client and web interface";
        };

        domainName = mkOption {
          type = types.str;
          description = "full domain name of the seafile instance";
        };

        ccnetPort = mkOption {
          type = types.int;
          default = 10001;
          description = "listening port for ccnet server";
        };

        seafilePort = mkOption {
          type = types.int;
          default = 12001;
          description = "listening port for Seafile server";
        };

        seahubPort = mkOption {
          type = types.int;
          default = 443;
          description = "listening http port for Seahub web interface";
        };

        openFirewall = mkEnableOption {
          default = true;
          description = "whether to open up the firewall ports for ccnet, seafile-server and seahub";
        };
      };


      config = let
        directoriesToManage = [ cfg.storagePath ];
      in
      mkIf cfg.enable {
        systemd = {
          # state directory permissions managed by systemd
          tmpfiles.rules = [
            "d ${cfg.storagePath} 0750 ${cfg.user} ${cfg.group} -"
            "d ${cfg.storagePath}/home 0710 ${cfg.user} ${cfg.group} -"
          ];
          services.seafile-server = {

          path = with pkgs; [ seafile-server.ccnet-server seafile-server.seafile-server-core ];
          script = ''
            ./seafile-server/seafile-server-latest/bin/seafile-admin start
            '';
          serviceConfig = {
            ExecStartPre = [
              ("+${pkgs.writeScript "seafile-server-preStart-privileged" ''
                #!${pkgs.runtimeShell}
                #  stuff run as root
              ''}")
              ("${pkgs.writeShellScript "seafile-server-preStart-unprivileged" ''
                # stuff run as seafile user

                # ccnet-init must only be run once per installation, as it also generates stateful key and ID
                # solution: invoke it once, use result as template
                if [ ! -e ./conf/mykey.peer ]; then
                  ${pkgs.seafile-server.ccnet-server}/bin/ccnet-init -c ./conf -n 'TEMPLATENAME' -H 'TEMPLATEHOST' -P 'TEMPLATEPORT'
                  mv ./conf/ccnet.conf{,.template}
                fi
                # substitute actual config values to template and symlink config file
                ${pkgs.gnused}/bin/sed -e 's|TEMPLATENAME|${cfg.name}|g; s|TEMPLATEHOST|${cfg.domainName}|; s|TEMPLATEPORT|${toString cfg.ccnetPort}|' ./conf/ccnet.conf.template > ./conf/ccnet.conf

                ln -s ${pkgs.seafile-server} seafile-server
                #${pkgs.seafile-server.ccnet-server}/bin/ccnet-init -c ./ccnet -H "${cfg.domainName}" -P ${toString cfg.ccnetPort} -n "${cfg.name}"
                ./seafile-server/seafile-server-latest/bin/seafile-admin setup
              ''}")
            ];
            User = cfg.user;
            Group = cfg.group;
            Type = "oneshot";
            WorkingDirectory = cfg.storagePath;
          };
          enable = cfg.autorun;
          wantedBy = [ "multi-user.target" ];
        };
      };

        users.users.${cfg.user} = {
          home = "${cfg.storagePath}/home";
          group = cfg.group;
          # don't make NixOS create the home directory as otherwise the permissions for /srv might be 0700,
          # making it impossible to cd into the storagePath
          createHome = false;
          isNormalUser = false;
        };
        users.groups.${cfg.group}.members = [ cfg.user ];

        networking.firewall.allowedTCPPorts = with cfg; if openFirewall then [ ccnetPort seafilePort seahubPort ] else [];
      };
    }
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`{ config, pkgs, lib, ...}:`
			`with lib;`
			`let`
			`cfg = config.services.seafile-server;`
			`# fix permissions at start`
			`in`
			`{`
			`options.services.seafile-server = {`
			`enable = mkEnableOption "Seafile server";`
			`storagePath = mkOption {`
			`type = types.path;`
			`default = "/srv/seafile";`
			`description = "where to store uploaded file data";`
			`};`
			`autorun = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = "enable the seafile-server service to get started automatically";`
			`};`
			`db = {`
			`type = mkOption {`
			`type = types.enum ["sqlite" "mysql"];`
			`default = "sqlite";`
			`description = "database backend type";`
			`};`
			`user = mkOption {`
			`type = types.nullOr types.string;`
			`default = "seafile";`
			`description = "Database user name. Not required for sqlite.";`
			`};`
			`dbname = mkOption {`
			`type = types.nullOr types.string;`
			`default = "seafile";`
			`description = "Database name. Not required for sqlite.";`
			`};`
			`password = mkOption {`
			`type = types.nullOr types.string;`
			`default = null;`
			`description = ''`
			`Database password. Use <literal>passwordFile</literal> to avoid this`
			`being world-readable in the <literal>/nix/store</literal>.`

			`Not required for sqlite.'';`
			`};`
			`passwordFile = mkOption {`
			`type = types.nullOr types.str;`
			`default = null;`
			`description = ''`
			`The full path to a file that contains the database password.`
			`'';`
			`};`
			`host = mkOption {`
			`type = types.nullOr types.str;`
			`default = "localhost";`
			`description = "Database host.";`
			`};`
			`dbport = mkOption {`
			`type = with types; nullOr (either int str);`
			`default = null;`
			`description = "Database port. Not required for sqlite.";`
			`};`
			`};`

			`user = mkOption {`
			`type = types.str;`
			`default = "seafile";`
			`description = "User account under which the Seafile server runs.";`
			`};`

			`group = mkOption {`
			`type = types.str;`
			`default = "seafile";`
			`description = "Group account under which the Seafile server runs.";`
			`};`

generate ccnet config from template 2019-10-16 17:31:52 +02:00			`name = mkOption {`
			`type = types.str;`
			`default = "Seafile";`
			`description = "name of the Seafile instance, will show up in client and web interface";`
			`};`

first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`domainName = mkOption {`
			`type = types.str;`
			`description = "full domain name of the seafile instance";`
			`};`
generate ccnet config from template 2019-10-16 17:31:52 +02:00
			`ccnetPort = mkOption {`
			`type = types.int;`
			`default = 10001;`
			`description = "listening port for ccnet server";`
			`};`

			`seafilePort = mkOption {`
			`type = types.int;`
			`default = 12001;`
			`description = "listening port for Seafile server";`
			`};`

			`seahubPort = mkOption {`
			`type = types.int;`
			`default = 443;`
			`description = "listening http port for Seahub web interface";`
			`};`

			`openFirewall = mkEnableOption {`
			`default = true;`
			`description = "whether to open up the firewall ports for ccnet, seafile-server and seahub";`
			`};`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`};`


			`config = let`
			`directoriesToManage = [ cfg.storagePath ];`
			`in`
generate ccnet config from template 2019-10-16 17:31:52 +02:00			`mkIf cfg.enable {`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`systemd = {`
			`# state directory permissions managed by systemd`
			`tmpfiles.rules = [`
			`"d ${cfg.storagePath} 0750 ${cfg.user} ${cfg.group} -"`
generate ccnet config from template 2019-10-16 17:31:52 +02:00			`"d ${cfg.storagePath}/home 0710 ${cfg.user} ${cfg.group} -"`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`];`
			`services.seafile-server = {`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00
generate ccnet config from template 2019-10-16 17:31:52 +02:00			`path = with pkgs; [ seafile-server.ccnet-server seafile-server.seafile-server-core ];`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`script = ''`
generate ccnet config from template 2019-10-16 17:31:52 +02:00			`./seafile-server/seafile-server-latest/bin/seafile-admin start`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`'';`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`serviceConfig = {`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`ExecStartPre = [`
			`("+${pkgs.writeScript "seafile-server-preStart-privileged" ''`
			`#!${pkgs.runtimeShell}`
			`# stuff run as root`
			`''}")`
			`("${pkgs.writeShellScript "seafile-server-preStart-unprivileged" ''`
			`# stuff run as seafile user`
generate ccnet config from template 2019-10-16 17:31:52 +02:00
			`# ccnet-init must only be run once per installation, as it also generates stateful key and ID`
			`# solution: invoke it once, use result as template`
			`if [ ! -e ./conf/mykey.peer ]; then`
			`${pkgs.seafile-server.ccnet-server}/bin/ccnet-init -c ./conf -n 'TEMPLATENAME' -H 'TEMPLATEHOST' -P 'TEMPLATEPORT'`
			`mv ./conf/ccnet.conf{,.template}`
			`fi`
			`# substitute actual config values to template and symlink config file`
			`${pkgs.gnused}/bin/sed -e 's\|TEMPLATENAME\|${cfg.name}\|g; s\|TEMPLATEHOST\|${cfg.domainName}\|; s\|TEMPLATEPORT\|${toString cfg.ccnetPort}\|' ./conf/ccnet.conf.template > ./conf/ccnet.conf`

			`ln -s ${pkgs.seafile-server} seafile-server`
			`#${pkgs.seafile-server.ccnet-server}/bin/ccnet-init -c ./ccnet -H "${cfg.domainName}" -P ${toString cfg.ccnetPort} -n "${cfg.name}"`
			`./seafile-server/seafile-server-latest/bin/seafile-admin setup`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`''}")`
			`];`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`User = cfg.user;`
			`Group = cfg.group;`
			`Type = "oneshot";`
			`WorkingDirectory = cfg.storagePath;`
			`};`
			`enable = cfg.autorun;`
			`wantedBy = [ "multi-user.target" ];`
			`};`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`};`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00
			`users.users.${cfg.user} = {`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`home = "${cfg.storagePath}/home";`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`group = cfg.group;`
fix path and directory permissions by letting systemd-tmpfiles manage the directories 2019-10-15 20:09:37 +02:00			`# don't make NixOS create the home directory as otherwise the permissions for /srv might be 0700,`
			`# making it impossible to cd into the storagePath`
			`createHome = false;`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`isNormalUser = false;`
			`};`
			`users.groups.${cfg.group}.members = [ cfg.user ];`
generate ccnet config from template 2019-10-16 17:31:52 +02:00
			`networking.firewall.allowedTCPPorts = with cfg; if openFirewall then [ ccnetPort seafilePort seahubPort ] else [];`
first draft of seafile-server module + test VM test vm can be built using `NIXOS_CONFIG="$(pwd)/seafile-test.nix" nixos-rebuild build-vm --show-trace` 2019-10-09 00:55:35 +02:00			`};`
			`}`