Added Pleroma

This pleroma config should be able to set itself up without any
manual intervention (modulo the secrets file, which is almost empty).

Annoyingly, the pleroma nixpkg is built from the pipeline artifacts
of the pleroma gitlab and does not have support for pleroma's ssh/bbs
mode.

6 files changed, 209 insertions, 27 deletions

diff --git a/hosts/flora/configuration.nix b/hosts/flora/configuration.nix
index 43f7f8e..0d1788d 100644
--- a/hosts/flora/configuration.nix
+++ b/hosts/flora/configuration.nix
@@ -7,7 +7,8 @@
     ./services/daemoniones.nix
     ./services/nginx.nix
     ./services/workadventure.nix
-    # ./services/pleroma
+    #./../../../nginx/vod.nix
+    ./services/pleroma.nix
   ];
   
   # Use the GRUB 2 boot loader.
@@ -22,21 +23,23 @@
   networking = {
     hostName = "flora";
     
-    #enableIPv6 = true;
-    #defaultGateway6 = {
-    #  address = "fe80::1";
-    #  interface = "ens3";
-    #};
+    enableIPv6 = true;
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "ens3";
+    };
     
-    #interfaces.ens3.ipv6.addresses = [ {
-    #  address = "2a01:4f9:c010:d319::1";
-    #  prefixLength = 64;
-    #} ]; 
+    interfaces.ens3.ipv6.addresses = [ {
+      address = "2a01:4f9:c010:df15::1";
+      prefixLength = 64;
+    } ]; 
     
     useDHCP = false;
     interfaces.ens3.useDHCP = true;
 
     firewall.logRefusedConnections = false;
+    
+
   };
 
   services.fail2ban = {
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
index 4ce2256..c7b5379 100644
--- a/hosts/flora/services/hedgedoc.nix
+++ b/hosts/flora/services/hedgedoc.nix
@@ -26,10 +26,10 @@
         # ugly workaround to allow CodiMD to login without password — this service has lots of options,
         # but apparently not for authentification, which even needs to be forced …
         authentication = pkgs.lib.mkForce ''
-            # Generated file; do not edit!
-            local all all              trust
-            host  codimd codimd ::1/128      trust
-          '';
+          # Generated file; do not edit!
+          local all all              trust
+          host  codimd codimd ::1/128      trust
+        '';
       };
       # CodiMD itself
       services.hedgedoc = {
diff --git a/hosts/flora/services/pleroma.nix b/hosts/flora/services/pleroma.nix
new file mode 100644
index 0000000..22a70c3
--- /dev/null
+++ b/hosts/flora/services/pleroma.nix
@@ -0,0 +1,175 @@
+{config, pkgs, ...}:
+
+
+let
+  sources = import ../../../nix/sources.nix;
+  domain = "pleroma.stuebinm.eu";
+in
+{
+
+  containers.pleroma = {
+    autoStart = true;
+    privateNetwork = true;
+    
+    hostAddress = "192.168.42.30";
+    localAddress = "192.168.42.31";
+    hostAddress6 = "fd00::42:30";
+    localAddress6 = "fd00::42:31";
+    
+    
+    config = {pkgs, config, ...}: {
+      
+      # pleroma is only on unstable for now, so import it here
+      imports = [ "${sources.nixpkgs-unstable}/nixos/modules/services/networking/pleroma.nix" ];
+      # generating the manual will fail when mixing nixos channels,
+      # so disable it here or this won't build at all.
+    	documentation.enable = false;
+      
+      # pleroma has a cli tool for configuration
+      environment.systemPackages = [ pkgs.pleroma-otp pkgs.dnsutils ];
+    
+      services.pleroma = {
+        enable = true;
+        
+        # this is barely necessary at this point — all that's
+        # set in here is the default_signer for joken, and the
+        # secret_key_base and signing_salt for phoenix.
+        secretConfigFile = "/var/lib/pleroma/secrets.exs";
+        
+        # for a list of available config options, see
+        # https://docs-develop.pleroma.social/backend/configuration/cheatsheet/
+        # 
+        # Additionally, some parts of pleroma's config (e.g. Pleroma.Repo)
+        # are better documented in their respective libraries (in this
+        # case, see the documentation for Ecto on Adapters).
+        configs = [ ''
+          import Config
+
+          config :pleroma, Pleroma.Web.Endpoint,
+            url: [host: "${domain}", scheme: "https", port: 443],
+            http: [ip: {0, 0, 0, 0, 0, 0, 0, 0}, port: 4000]
+
+          config :pleroma, :instance,
+            name: "Pleroma",
+            limit: 5000,
+            registrations_open: false,
+            federating: true,
+            healthcheck: true,
+            allow_relay: true
+
+          config :pleroma, :media_proxy,
+            enabled: false,
+            redirect_on_failure: true
+
+          config :pleroma, Pleroma.Upload,
+            filters: [
+                Pleroma.Upload.Filter.Exiftool,
+                Pleroma.Upload.Filter.AnonymizeFilename,
+                Pleroma.Upload.Filter.Dedupe
+            ]
+            
+          config :pleroma, Pleroma.Uploaders.Local,
+            uploads: "/var/lib/pleroma/uploads"
+
+          config :pleroma, Pleroma.Repo,
+            adapter: Ecto.Adapters.Postgres,
+            username: "pleroma",
+            database: "pleroma",
+            socket_dir: "/run/postgresql",
+            pool_size: 10,
+            prepare: :named,
+            parameters: [
+                plan_cache_mode: "force_custom_plan"
+            ]
+
+
+
+          config :pleroma, :database, rum_enabled: false
+          config :pleroma, configurable_from_database: false
+
+          config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+          
+        '' ];
+      };
+          
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql_12;
+        
+        ensureDatabases = [ "pleroma" ];
+        ensureUsers = [ {
+          name = "pleroma";
+          ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES";
+        } ];
+        
+        # give pleroma access. must be done with lib.mkForce, for some reason
+        authentication = pkgs.lib.mkForce ''
+          # Generated file; do not edit!
+          local all all              trust
+          host  pleroma pleroma ::1/128      trust
+        '';
+        
+        # pleroma wants to do some initial config on startup, which it
+        # can't do by itself since those needs superuser access
+        #
+        # unfortunatly, this is executed /before/ the database is created,
+        # i.e. we have to create user and database by hand, even though
+        # they would otherwise created by ensureUsers / ensureDatabse.
+        # Using those does still prevent us from accidentally deleting
+        # them, though (but not from deleting the database's content!)
+        initialScript = pkgs.writeScript "postgres-pleroma-initial" ''
+          CREATE USER pleroma;
+          CREATE DATABASE pleroma OWNER pleroma;
+          \c pleroma;
+          --Extensions made by ecto.migrate that need superuser access
+          CREATE EXTENSION IF NOT EXISTS citext;
+          CREATE EXTENSION IF NOT EXISTS pg_trgm;
+          CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+        '';
+      };
+        
+      networking.firewall.allowedTCPPorts = [ 4000 10022 ];
+    };
+  };
+  
+  # give the container access to the external internet (necessary for
+  # fetching content from other instances). Doesn't appear to work with
+  # IPv6, though ...
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-pleroma" ];
+    externalInterface = "ens3";
+    
+  };
+  networking.firewall.allowedTCPPorts = [ 10022 ];
+  
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    
+    locations."/" = {
+      proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000";
+      proxyWebsockets = true;
+      # these headers are in the example config in the NixOS manual.
+      # take some time to figure out what they all do, and if these
+      # are necessary
+      extraConfig = ''
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
+        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
+        if ($request_method = OPTIONS) {
+            return 204;
+        }
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header Referrer-Policy same-origin;
+        add_header X-Download-Options noopen;
+        client_max_body_size 16m;
+      '';
+    };
+  };
+}
+
diff --git a/modules/default.nix b/modules/default.nix
index 23a8abc..e512563 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,5 +1,9 @@
 {...}:
-
+let
+  sources = import ../nix/sources.nix {};
+in
 {
-	imports = [ ];
+	#imports = [ "${sources.nixpkgs-unstable}/nixos/modules/services/networking/pleroma.nix" ];
+	
+	# to stop the manual breaking from the stable / unstable mix
 }
diff --git a/nix/sources.json b/nix/sources.json
index 9bff238..9408daf 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -17,10 +17,10 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "70646d6578be464fe81c3fbc891baa7066a43ad1",
-        "sha256": "1cvjrdi38l78yan3jspidw34m27cpkwyvw1a5k9zqfccb4hp8abs",
+        "rev": "c14bb3039f25d463cd24a47d88b4a86b33561788",
+        "sha256": "1mjq4bb8hg890fh39z9hpdndql3571dh8af5civh8qiif34jwpzs",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/70646d6578be464fe81c3fbc891baa7066a43ad1.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/c14bb3039f25d463cd24a47d88b4a86b33561788.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs-unstable": {
@@ -29,10 +29,10 @@
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "04ac9dcd311956d1756d77f4baf9258392ee7bdd",
-        "sha256": "10r7s2bimvijq1znhiypc99zvzzfqilzyzzg62q5xk2cr4gs03g9",
+        "rev": "5df05c902cde398e056eb6271d5fe13e418db4c6",
+        "sha256": "12plc7k251z1dmmrd29lyrpw0xmjvmf79yj568aapzrcki5mrw74",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/04ac9dcd311956d1756d77f4baf9258392ee7bdd.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/5df05c902cde398e056eb6271d5fe13e418db4c6.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 94d012a..fb2cc3d 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -6,12 +6,12 @@ let
 
   callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
 
-	newpkgs = { 
-#		pleroma = callPackage "${sources.pbb-nixfiles}/pkgs/pleroma" {};
-#		dendrite = callPackage "${sources.nixchen}/pkgs/dendrite" {};
+  newpkgs = { 
+    pleroma-otp = callPackage "${sources.nixpkgs-unstable}/pkgs/servers/pleroma-otp" {};
+#    dendrite = callPackage "${sources.nixchen}/pkgs/dendrite" {};
 
-		inherit callPackage;
-		appendOverlays = overlays: (pkgs.appendOverlays overlays) // newpkgs;
+    inherit callPackage;
+    appendOverlays = overlays: (pkgs.appendOverlays overlays) // newpkgs;
   };
 
 in pkgs // newpkgs