authorstuebinm2021-03-08 00:22:48 +0100
committerstuebinm2021-03-08 00:22:48 +0100
commit6b79492de7467e44733d2644273185af548dc20b (patch)
treee8b7c217dd30aba20fbebac44b71dcbfd7eb1482
parentd96fbd63510048bf56d3d600a65f7983096c1bb1 (diff)
Added Pleroma
This pleroma config should be able to set itself up without any manual intervention (modulo the secrets file, which is almost empty). Annoyingly, the pleroma nixpkg is built from the pipeline artifacts of the pleroma gitlab and does not have support for pleroma's ssh/bbs mode.
-rw-r--r--hosts/flora/configuration.nix23
-rw-r--r--hosts/flora/services/hedgedoc.nix8
-rw-r--r--hosts/flora/services/pleroma.nix175
-rw-r--r--modules/default.nix8
-rw-r--r--nix/sources.json12
-rw-r--r--pkgs/default.nix10
6 files changed, 209 insertions, 27 deletions
diff --git a/hosts/flora/configuration.nix b/hosts/flora/configuration.nix
index 43f7f8e..0d1788d 100644
--- a/hosts/flora/configuration.nix
+++ b/hosts/flora/configuration.nix
@@ -7,7 +7,8 @@
./services/daemoniones.nix
./services/nginx.nix
./services/workadventure.nix
- # ./services/pleroma
+ #./../../../nginx/vod.nix
+ ./services/pleroma.nix
];
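Review bot: The commented-out import `#./../../../nginx/vod.nix` points three directories above hosts/flora, i.e. outside this repository's tree as far as the diffstat shows, so it can never resolve from a checkout and reads as a leftover from a local experiment. If it is meant to come back, a short comment saying where that file lives is needed; otherwise dropping the line keeps the imports list to things that actually exist in the repo.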
# Use the GRUB 2 boot loader.
@@ -22,21 +23,23 @@
networking = {
hostName = "flora";
- #enableIPv6 = true;
- #defaultGateway6 = {
- # address = "fe80::1";
- # interface = "ens3";
- #};
+ enableIPv6 = true;
+ defaultGateway6 = {
+ address = "fe80::1";
+ interface = "ens3";
+ };
- #interfaces.ens3.ipv6.addresses = [ {
- # address = "2a01:4f9:c010:d319::1";
- # prefixLength = 64;
- #} ];
+ interfaces.ens3.ipv6.addresses = [ {
+ address = "2a01:4f9:c010:df15::1";
+ prefixLength = 64;
+ } ];
useDHCP = false;
interfaces.ens3.useDHCP = true;
firewall.logRefusedConnections = false;
+
+
};
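Review bot: The two empty lines added just before the closing `};` of the `networking` block are pure whitespace noise and should be removed. The IPv6 enablement itself is fine, but the `defaultGateway6`/`interfaces.ens3.ipv6.addresses` values are provider-specific literals; a one-line comment such as `# static IPv6 from the hoster; gateway is the link-local fe80::1 on ens3` would spare the next reader a trip to the hosting panel to understand where they come from.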
services.fail2ban = {
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
index 4ce2256..c7b5379 100644
--- a/hosts/flora/services/hedgedoc.nix
+++ b/hosts/flora/services/hedgedoc.nix
@@ -26,10 +26,10 @@
# ugly workaround to allow CodiMD to login without password — this service has lots of options,
# but apparently not for authentification, which even needs to be forced …
authentication = pkgs.lib.mkForce ''
- # Generated file; do not edit!
- local all all trust
- host codimd codimd ::1/128 trust
- '';
+ # Generated file; do not edit!
+ local all all trust
+ host codimd codimd ::1/128 trust
+ '';
};
# CodiMD itself
services.hedgedoc = {
diff --git a/hosts/flora/services/pleroma.nix b/hosts/flora/services/pleroma.nix
new file mode 100644
index 0000000..22a70c3
--- /dev/null
+++ b/hosts/flora/services/pleroma.nix
@@ -0,0 +1,175 @@
+{config, pkgs, ...}:
+
+
+let
+ sources = import ../../../nix/sources.nix;
+ domain = "pleroma.stuebinm.eu";
+in
+{
+
+ containers.pleroma = {
+ autoStart = true;
+ privateNetwork = true;
+
+ hostAddress = "192.168.42.30";
+ localAddress = "192.168.42.31";
+ hostAddress6 = "fd00::42:30";
+ localAddress6 = "fd00::42:31";
+
+
+ config = {pkgs, config, ...}: {
+
+ # pleroma is only on unstable for now, so import it here
+ imports = [ "${sources.nixpkgs-unstable}/nixos/modules/services/networking/pleroma.nix" ];
+ # generating the manual will fail when mixing nixos channels,
+ # so disable it here or this won't build at all.
+ documentation.enable = false;
+
+ # pleroma has a cli tool for configuration
+ environment.systemPackages = [ pkgs.pleroma-otp pkgs.dnsutils ];
+
+ services.pleroma = {
+ enable = true;
+
+ # this is barely necessary at this point — all that's
+ # set in here is the default_signer for joken, and the
+ # secret_key_base and signing_salt for phoenix.
+ secretConfigFile = "/var/lib/pleroma/secrets.exs";
+
+ # for a list of available config options, see
+ # https://docs-develop.pleroma.social/backend/configuration/cheatsheet/
+ #
+ # Additionally, some parts of pleroma's config (e.g. Pleroma.Repo)
+ # are better documented in their respective libraries (in this
+ # case, see the documentation for Ecto on Adapters).
+ configs = [ ''
+ import Config
+
+ config :pleroma, Pleroma.Web.Endpoint,
+ url: [host: "${domain}", scheme: "https", port: 443],
+ http: [ip: {0, 0, 0, 0, 0, 0, 0, 0}, port: 4000]
+
+ config :pleroma, :instance,
+ name: "Pleroma",
+ limit: 5000,
+ registrations_open: false,
+ federating: true,
+ healthcheck: true,
+ allow_relay: true
+
+ config :pleroma, :media_proxy,
+ enabled: false,
+ redirect_on_failure: true
+
+ config :pleroma, Pleroma.Upload,
+ filters: [
+ Pleroma.Upload.Filter.Exiftool,
+ Pleroma.Upload.Filter.AnonymizeFilename,
+ Pleroma.Upload.Filter.Dedupe
+ ]
+
+ config :pleroma, Pleroma.Uploaders.Local,
+ uploads: "/var/lib/pleroma/uploads"
+
+ config :pleroma, Pleroma.Repo,
+ adapter: Ecto.Adapters.Postgres,
+ username: "pleroma",
+ database: "pleroma",
+ socket_dir: "/run/postgresql",
+ pool_size: 10,
+ prepare: :named,
+ parameters: [
+ plan_cache_mode: "force_custom_plan"
+ ]
+
+
+
+ config :pleroma, :database, rum_enabled: false
+ config :pleroma, configurable_from_database: false
+
+ config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+
+ '' ];
+ };
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_12;
+
+ ensureDatabases = [ "pleroma" ];
+ ensureUsers = [ {
+ name = "pleroma";
+ ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES";
+ } ];
+
+ # give pleroma access. must be done with lib.mkForce, for some reason
+ authentication = pkgs.lib.mkForce ''
+ # Generated file; do not edit!
+ local all all trust
+ host pleroma pleroma ::1/128 trust
+ '';
+
+ # pleroma wants to do some initial config on startup, which it
+ # can't do by itself since those needs superuser access
+ #
+ # unfortunatly, this is executed /before/ the database is created,
+ # i.e. we have to create user and database by hand, even though
+ # they would otherwise created by ensureUsers / ensureDatabse.
+ # Using those does still prevent us from accidentally deleting
+ # them, though (but not from deleting the database's content!)
+ initialScript = pkgs.writeScript "postgres-pleroma-initial" ''
+ CREATE USER pleroma;
+ CREATE DATABASE pleroma OWNER pleroma;
+ \c pleroma;
+ --Extensions made by ecto.migrate that need superuser access
+ CREATE EXTENSION IF NOT EXISTS citext;
+ CREATE EXTENSION IF NOT EXISTS pg_trgm;
+ CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 4000 10022 ];
+ };
+ };
+
+ # give the container access to the external internet (necessary for
+ # fetching content from other instances). Doesn't appear to work with
+ # IPv6, though ...
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-pleroma" ];
+ externalInterface = "ens3";
+
+ };
+ networking.firewall.allowedTCPPorts = [ 10022 ];
+
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000";
+ proxyWebsockets = true;
+ # these headers are in the example config in the NixOS manual.
+ # take some time to figure out what they all do, and if these
+ # are necessary
+ extraConfig = ''
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
+ add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
+ if ($request_method = OPTIONS) {
+ return 204;
+ }
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy same-origin;
+ add_header X-Download-Options noopen;
+ client_max_body_size 16m;
+ '';
+ };
+ };
+}
+
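Review bot: The pg_hba rule `local all all trust` under `services.postgresql.authentication` lets any OS user inside the container open a socket connection as any database role, including the superuser, with no authentication; since Pleroma connects through `socket_dir: "/run/postgresql"` as `username: "pleroma"`, peer authentication is sufficient, e.g. `local all postgres peer` plus `local pleroma pleroma peer` (the `host pleroma pleroma ::1/128 trust` line is only needed if a TCP connection is actually used). That assumes the NixOS pleroma service runs as an OS user named pleroma and that the module's own maintenance connections run as the postgres OS user — both look likely from the module names used here, but confirm before tightening, because `mkForce` discards the module's default rules entirely. Separately, TCP port 10022 is opened in both the container's and the host's `networking.firewall.allowedTCPPorts` while nothing in this file listens on it and the commit message states the ssh/bbs mode is not available in this package, so that port should stay closed until a listener exists. Finally, `secretConfigFile = "/var/lib/pleroma/secrets.exs"` deserves a comment on the expected ownership and mode, e.g. `# holds secret_key_base/signing_salt; must be owned by the service user and not world-readable`.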
diff --git a/modules/default.nix b/modules/default.nix
index 23a8abc..e512563 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1,9 @@
{...}:
-
+let
+ sources = import ../nix/sources.nix {};
+in
{
- imports = [ ];
+ #imports = [ "${sources.nixpkgs-unstable}/nixos/modules/services/networking/pleroma.nix" ];
+
+ # to stop the manual breaking from the stable / unstable mix
}
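Review bot: The new `let sources = import ../nix/sources.nix {};` binding is never used — its only reference is the commented-out import on the following line — so the `let … in` is dead code that every reader has to check against the body; either remove it or leave the import active. The sibling comment `# to stop the manual breaking from the stable / unstable mix` describes a problem rather than what the file does, and would be clearer as `# intentionally empty: the pleroma module is imported inside the container in hosts/flora/services/pleroma.nix, since mixing channels here breaks manual generation`. Note also that this file calls sources.nix with `{}` while pleroma.nix imports it without an argument; both forms work only if the generated sources.nix exposes a functor, so it is worth settling on one spelling.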
diff --git a/nix/sources.json b/nix/sources.json
index 9bff238..9408daf 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -17,10 +17,10 @@
"homepage": "",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "70646d6578be464fe81c3fbc891baa7066a43ad1",
- "sha256": "1cvjrdi38l78yan3jspidw34m27cpkwyvw1a5k9zqfccb4hp8abs",
+ "rev": "c14bb3039f25d463cd24a47d88b4a86b33561788",
+ "sha256": "1mjq4bb8hg890fh39z9hpdndql3571dh8af5civh8qiif34jwpzs",
"type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/70646d6578be464fe81c3fbc891baa7066a43ad1.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/c14bb3039f25d463cd24a47d88b4a86b33561788.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-unstable": {
@@ -29,10 +29,10 @@
"homepage": "",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "04ac9dcd311956d1756d77f4baf9258392ee7bdd",
- "sha256": "10r7s2bimvijq1znhiypc99zvzzfqilzyzzg62q5xk2cr4gs03g9",
+ "rev": "5df05c902cde398e056eb6271d5fe13e418db4c6",
+ "sha256": "12plc7k251z1dmmrd29lyrpw0xmjvmf79yj568aapzrcki5mrw74",
"type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/04ac9dcd311956d1756d77f4baf9258392ee7bdd.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/5df05c902cde398e056eb6271d5fe13e418db4c6.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}
}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 94d012a..fb2cc3d 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -6,12 +6,12 @@ let
callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
- newpkgs = {
-# pleroma = callPackage "${sources.pbb-nixfiles}/pkgs/pleroma" {};
-# dendrite = callPackage "${sources.nixchen}/pkgs/dendrite" {};
+ newpkgs = {
+ pleroma-otp = callPackage "${sources.nixpkgs-unstable}/pkgs/servers/pleroma-otp" {};
+# dendrite = callPackage "${sources.nixchen}/pkgs/dendrite" {};
- inherit callPackage;
- appendOverlays = overlays: (pkgs.appendOverlays overlays) // newpkgs;
+ inherit callPackage;
+ appendOverlays = overlays: (pkgs.appendOverlays overlays) // newpkgs;
};
in pkgs // newpkgs
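Review bot: The `pleroma-otp` line brings a prebuilt release into the host's package set, and the reason for choosing it over a from-source build is only recorded in the commit message; a comment next to the line, e.g. `# prebuilt OTP release from upstream's CI artifacts (no from-source build in nixpkgs yet); pinned via nixpkgs-unstable in nix/sources.json`, keeps that trade-off visible where the package is pulled in. The re-added `# dendrite = …` comment appears to sit at column 0 while the surrounding attributes are indented, so it should be indented with them or dropped if it is no longer planned.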