# NixOS module fragment: configures Tandoor Recipes on machines that list
# "tandoor" in config.machine.services. Outside that condition the whole
# attribute set below is dropped by mkIf.
{
  config,
  lib,
  ...
}:
let
  inherit (lib) elem mkForce mkIf;

  # Directory holding uploaded media. Shared by the application setting and
  # the systemd write allow-list so the two cannot drift apart.
  mediaDir = "/var/www/tandoor-recipes/media/";

  # sops-nix secret that carries the application's secret key.
  secretName = "services/tandoor/secretKey";

  # Account given ownership of the decrypted secret.
  # NOTE(review): presumably the user the tandoor-recipes unit runs as;
  # confirm against the service module if its user is ever overridden.
  serviceAccount = "tandoor_recipes";
in
mkIf (elem "tandoor" config.machine.services) {
  services.tandoor-recipes.enable = true;

  # Settings reference: https://docs.tandoor.dev/system/configuration/
  services.tandoor-recipes.extraConfig = {
    # Pinned explicitly so the web server configuration can point at the
    # same path.
    MEDIA_ROOT = mediaDir;

    # Upstream changed how media is served (apparently to make it less
    # insecure). "0" stops gunicorn from serving media itself; the files
    # under MEDIA_ROOT are then presumably served by the web server.
    GUNICORN_MEDIA = "0";

    # Only the path of the sops-managed file is passed here, so the key
    # material itself is not written into this configuration.
    SECRET_KEY_FILE = config.sops.secrets.${secretName}.path;

    # Useful settings, left disabled. ENABLE_SIGNUP opens self-registration;
    # the DEBUG switches and debug log level expose application internals
    # and are meant for troubleshooting only.
    # ENABLE_SIGNUP = "1";
    # DEBUG = "1";
    # DEBUG_TOOLBAR = "1";
    # GUNICORN_LOG_LEVEL="debug";
  };

  systemd.services.tandoor-recipes.serviceConfig = {
    # mkForce makes this value win over any WorkingDirectory set elsewhere
    # for the unit.
    WorkingDirectory = mkForce "/var/lib/tandoor-recipes";

    # Grants the unit write access to the media directory.
    # NOTE(review): systemd expects listed paths to exist when the unit
    # starts (unless prefixed with "-"); the directory is presumably created
    # elsewhere - confirm.
    ReadWritePaths = [ mediaDir ];
  };

  # Ownership of the decrypted secret file is given to the service account
  # so the application can read it.
  sops.secrets.${secretName} = {
    owner = serviceAccount;
    group = serviceAccount;
  };
}