more akkoma stuff

author: stuebinm 2023-02-16 21:00:51 +0100
committer: stuebinm 2023-02-16 21:00:51 +0100
commit: a8ec7eca6cdfd1f9119897f4fe0bda261ae8dc72 (patch)
tree: c92337d5d91763dd56db794bd88b51dcba6c78c6 /flora/services/pleroma.nix
parent: 02c7dc192e9bc9a1246edc48ec23271ea07abd45 (diff)
1 files changed, 0 insertions, 193 deletions
diff --git a/flora/services/pleroma.nix b/flora/services/pleroma.nix
deleted file mode 100644
index dd75b43..0000000
--- a/flora/services/pleroma.nix
+++ /dev/null
@@ -1,193 +0,0 @@
-{config, pkgs, inputs, system, ...}:
-
-
-let
-  unstable = import inputs.nixpkgs-unstable { inherit system; };
-in
-{
-
-  containers.pleroma = {
-    autoStart = true;
-    privateNetwork = true;
-    
-    hostAddress = "192.168.42.30";
-    localAddress = "192.168.42.31";
-    hostAddress6 = "fd00::42:30";
-    localAddress6 = "fd00::42:31";
-
-    config = {pkgs, config, ...}: {
-
-      # generating the manual will fail when mixing nixos channels,
-      # so disable it here or this won't build at all.
-      documentation.enable = false;
-
-      imports = [
-        ("${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/akkoma.nix")
-      ];
-
-      system.stateVersion = "22.11";
-
-      services.akkoma = {
-        enable = true;
-
-        # this is barely necessary at this point — all that's
-        # set in here is the default_signer for joken, and the
-        # secret_key_base and signing_salt for phoenix.
-        # secretConfigFile = "/var/lib/pleroma/secrets.exs";
-
-        package = unstable.akkoma;
-        frontends = {
-          primary = {
-            package = unstable.akkoma-frontends.pleroma-fe;
-            name = "pleroma-fe";
-            ref = "stable";
-          };
-          admin = {
-            package = unstable.akkoma-frontends.admin-fe;
-            name = "admin-fe";
-            ref = "stable";
-          };
-        };
-
-        config = {
-          ":pleroma"."Pleroma.Web.Endpoint" = {
-            "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
-            "http" = {ip = "0.0.0.0"; port = 4000; };
-            secret_key_base._secret = "/secret/secret_key_base";
-            signing_salt._secret = "/secret/signing_salt";
-          };
-          ":joken".":default_signer"._secret = "/secret/joken_default_signer";
-
-          ":pleroma" = {
-            ":instance" = {
-              name = "Pleroma";
-              limit = 5000;
-              registrations_open = false;
-              federating = true;
-              healthcheck = true;
-              allow_relay = true;
-              description = "a test instance";
-              email = "dings@dings";
-            };
-            ":media_proxy" = {
-              enabled = false;
-              redirect_on_failure = true;
-            };
-            "Pleroma.Upload" = {
-              filters = [
-                "Pleroma.Upload.Filter.Exiftool"
-                "Pleroma.Upload.Filter.AnonymizeFilename"
-                "Pleroma.Upload.Filter.Dedupe"
-              ];
-            };
-            "Pleroma.Uploaders.Local".uploads = "/var/lib/pleroma/uploads";
-            "Pleroma.Repo" = {
-              adapter = "Ecto.Adapters.Postgres";
-              username = "pleroma";
-              database = "pleroma";
-              socket_dir = "/run/postgresql";
-              pool_size = 10;
-              # prepare = ":named";
-              show_sensitive_data_on_connection_error = true;
-              parameters = { plan_cache_mode = "force_custom_plan"; };
-            };
-            ":database".run_enabled = false;
-            ":configurable_from_database" = false;
-            # ":instance".static_dir = "/var/lib/pleroma/static";
-
-          };
-        };
-      };
-
-      # otherwise, the exiftool will fail to run
-      systemd.services.akkoma.path = [ pkgs.exiftool ];
-
-      services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql_12;
-
-        ensureDatabases = [ "pleroma" ];
-        ensureUsers = [ {
-          name = "pleroma";
-          ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES";
-        } ];
-
-        # give pleroma access. must be done with lib.mkForce, for some reason
-        authentication = pkgs.lib.mkForce ''
-          # Generated file; do not edit!
-          local all all              trust
-          host  pleroma akkoma ::1/128      trust
-        '';
-
-        # pleroma wants to do some initial config on startup, which it
-        # can't do by itself since those needs superuser access
-        #
-        # unfortunatly, this is executed /before/ the database is created,
-        # i.e. we have to create user and database by hand, even though
-        # they would otherwise created by ensureUsers / ensureDatabse.
-        # Using those does still prevent us from accidentally deleting
-        # them, though (but not from deleting the database's content!)
-        initialScript = pkgs.writeScript "postgres-pleroma-initial" ''
-          CREATE USER pleroma;
-          CREATE DATABASE pleroma OWNER pleroma;
-          \c pleroma;
-          --Extensions made by ecto.migrate that need superuser access
-          CREATE EXTENSION IF NOT EXISTS citext;
-          CREATE EXTENSION IF NOT EXISTS pg_trgm;
-          CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-        '';
-      };
-
-      networking.firewall.allowedTCPPorts = [ 4000 10022 ];
-
-      services.coredns = {
-        enable = true;
-        config = ''
-          .:53 {
-          forward . 1.1.1.1
-          }
-        '';
-      };
-    };
-  };
-
-  # give the container access to the external internet (necessary for
-  # fetching content from other instances). Doesn't appear to work with
-  # IPv6, though ...
-  networking.nat = {
-    enable = true;
-    internalInterfaces = [ "ve-pleroma" ];
-    externalInterface = "ens3";
-    
-  };
-  networking.firewall.allowedTCPPorts = [ 10022 ];
-
-  services.nginx.virtualHosts."pleroma.stuebinm.eu" = {
-    forceSSL = true;
-    enableACME = true;
-
-    locations."/" = {
-      proxyPass = "http://${config.containers.pleroma.localAddress}:4000";
-      proxyWebsockets = true;
-      # these headers are in the example config in the NixOS manual.
-      # take some time to figure out what they all do, and if these
-      # are necessary
-      extraConfig = ''
-        add_header 'Access-Control-Allow-Origin' '*' always;
-        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
-        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
-        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
-        if ($request_method = OPTIONS) {
-            return 204;
-        }
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Permitted-Cross-Domain-Policies none;
-        add_header X-Frame-Options DENY;
-        add_header X-Content-Type-Options nosniff;
-        add_header Referrer-Policy same-origin;
-        add_header X-Download-Options noopen;
-        client_max_body_size 16m;
-      '';
-    };
-  };
-}
author	stuebinm	2023-02-16 21:00:51 +0100
committer	stuebinm	2023-02-16 21:00:51 +0100
commit	a8ec7eca6cdfd1f9119897f4fe0bda261ae8dc72 (patch)
tree	c92337d5d91763dd56db794bd88b51dcba6c78c6 /flora/services/pleroma.nix
parent	02c7dc192e9bc9a1246edc48ec23271ea07abd45 (diff)