{ config, lib, ... }: let cfg = config.my.services.tandoor-recipes; in { options.my.services.tandoor-recipes = with lib; { enable = mkEnableOption "Tandoor Recipes service"; port = mkOption { type = types.port; default = 4536; example = 8080; description = "Internal port for webui"; }; secretKeyFile = mkOption { type = types.str; example = "/var/lib/tandoor-recipes/secret-key.env"; description = '' Secret key as an 'EnvironmentFile' (see `systemd.exec(5)`) ''; }; }; config = lib.mkIf cfg.enable { services.tandoor-recipes = { enable = true; port = cfg.port; extraConfig = let tandoorRecipesDomain = "recipes.${config.networking.domain}"; in { # Use PostgreSQL DB_ENGINE = "django.db.backends.postgresql"; POSTGRES_HOST = "/run/postgresql"; POSTGRES_USER = "tandoor_recipes"; POSTGRES_DB = "tandoor_recipes"; # Security settings ALLOWED_HOSTS = tandoorRecipesDomain; CSRF_TRUSTED_ORIGINS = "https://${tandoorRecipesDomain}"; # Misc TIMEZONE = config.time.timeZone; }; }; systemd.services = { tandoor-recipes = { after = [ "postgresql.service" ]; requires = [ "postgresql.service" ]; serviceConfig = { EnvironmentFile = cfg.secretKeyFile; }; }; }; # Set-up database services.postgresql = { enable = true; ensureDatabases = [ "tandoor_recipes" ]; ensureUsers = [ { name = "tandoor_recipes"; ensureDBOwnership = true; } ]; }; my.services.nginx.virtualHosts = { recipes = { inherit (cfg) port; extraConfig = { # Allow bulk upload of recipes for import/export locations."/".extraConfig = '' client_max_body_size 0; ''; }; }; }; # NOTE: unfortunately tandoor-recipes does not log connection failures for fail2ban }; }