-rw-r--r-- | flora/configuration.nix | 2 | ||||
-rw-r--r-- | flora/services/akkoma.nix (renamed from flora/services/pleroma.nix) | 70 |
2 files changed, 40 insertions, 32 deletions
diff --git a/flora/configuration.nix b/flora/configuration.nix
index 7e733e2..750268e 100644
--- a/flora/configuration.nix
+++ b/flora/configuration.nix
@@ -4,7 +4,7 @@
 imports = [
 ./hardware-configuration.nix
 ./services/nginx.nix
- ./services/pleroma.nix
+ ./services/akkoma.nix
 ./services/cgit.nix
 #./services/picarones.nix
 ./services/dockerhub.nix
diff --git a/flora/services/pleroma.nix b/flora/services/akkoma.nix
index dd75b43..244351f 100644
--- a/flora/services/pleroma.nix
+++ b/flora/services/akkoma.nix
@@ -3,6 +3,7 @@
 let
 unstable = import inputs.nixpkgs-unstable { inherit system; };
+ staticDir = "/var/lib/akkoma/static";
 in
 {
@@ -30,11 +31,6 @@ in
 services.akkoma = {
 enable = true;
- # this is barely necessary at this point — all that's
- # set in here is the default_signer for joken, and the
- # secret_key_base and signing_salt for phoenix.
- # secretConfigFile = "/var/lib/pleroma/secrets.exs";
-
 package = unstable.akkoma;
 frontends = {
 primary = {
@@ -52,7 +48,7 @@ in
 config = {
 ":pleroma"."Pleroma.Web.Endpoint" = {
 "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
- "http" = {ip = "0.0.0.0"; port = 4000; };
+ "http" = { ip = "::"; port = 4000; };
 secret_key_base._secret = "/secret/secret_key_base";
 signing_salt._secret = "/secret/signing_salt";
 };
@@ -80,7 +76,7 @@ in
 "Pleroma.Upload.Filter.Dedupe"
 ];
 };
- "Pleroma.Uploaders.Local".uploads = "/var/lib/pleroma/uploads";
+ "Pleroma.Uploaders.Local".uploads = "/var/lib/akkoma/uploads";
 "Pleroma.Repo" = {
 adapter = "Ecto.Adapters.Postgres";
 username = "pleroma";
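Review bot: `ip = "::"` in the `"http"` endpoint of the `@@ -52,7 +48,7 @@` hunk binds every interface of the container, and on a default Linux stack an IPv6 wildcard socket also accepts IPv4, so this is a superset of the previous `0.0.0.0` rather than a move to IPv6-only. The only intended client appears to be the host nginx reaching the container over its `localAddress6` (a later hunk), so the backend, which bypasses nginx's TLS and header handling, is reachable over more paths than it needs; binding the listener to the container's own address, or scoping the container's port-4000 firewall rule to its interface (`networking.firewall.interfaces.<iface>.allowedTCPPorts`, if the container interface name is known), would narrow that. A short comment on the `"http"` line saying why the wildcard is acceptable here would help the next reader either way.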
@@ -93,14 +89,40 @@ in
 };
 ":database".run_enabled = false;
 ":configurable_from_database" = false;
- # ":instance".static_dir = "/var/lib/pleroma/static";
-
+ ":instance".static_dir = "/var/lib/akkoma/static";
 };
 };
 };
- # otherwise, the exiftool will fail to run
- systemd.services.akkoma.path = [ pkgs.exiftool ];
+ systemd.services.akkoma = {
+ path = [ pkgs.exiftool ];
+ bindsTo = [ "akkoma-static.service" ];
+ after = [ "akkoma-static.service" ];
+ };
+
+ # symlink the parts of the static dir that are inside the nix store,
+ # so I can still have imperatively defined emojis etc.
+ # (for some reason the module doesn't do that)
+ systemd.services.akkoma-static = {
+ description = "Akkoma static dir wrangling";
+ unitConfig.PropagatesReloadTo = [ "akkoma.service" ];
+ path = [ pkgs.coreutils ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = with pkgs.lib; ''
+ ${concatStringsSep "\n" (mapAttrsToList (key: val: ''
+ mkdir -p ${staticDir}/frontends/${escapeShellArg val.name}/
+ ln -sfT ${escapeShellArg val.package} ${staticDir}/frontends/${escapeShellArg val.name}/${escapeShellArg val.ref}
+ '') config.services.akkoma.frontends)}
+ ${optionalString (config.services.akkoma.extraStatic != null)
+ (concatStringsSep "\n" (mapAttrsToList (key: val: ''
+ mkdir -p "${staticDir}/$(dirname ${escapeShellArg key})"
+ ln -sfT ${escapeShellArg val} ${staticDir}/${escapeShellArg key}
+ '') config.services.akkoma.extraStatic))}
+ '';
+ };
 services.postgresql = {
 enable = true;
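Review bot: `":instance".static_dir = "/var/lib/akkoma/static"` repeats the literal that the new `staticDir` binding in the `let` already holds, so the Elixir-side path and the symlink script can drift apart; `":instance".static_dir = staticDir;` keeps them tied together. Separately, `ln -sfT` refuses to replace an existing directory at `${staticDir}/frontends/<name>/<ref>` or at an `extraStatic` key, and because `akkoma.service` now has `bindsTo` on `akkoma-static.service`, a leftover real directory from an earlier imperative setup would stop the whole instance rather than just the link step; a comment above the `script` noting that failure mode (or an explicit pre-check before each `ln`) would make it easier to diagnose. The oneshot also runs as root with no `User`, so the directories it creates under `/var/lib/akkoma/static` are root-owned — presumably fine for store symlinks, but worth confirming the akkoma user can still write the imperatively managed parts beside them.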
@@ -119,14 +141,8 @@ in
 host pleroma akkoma ::1/128 trust
 '';
- # pleroma wants to do some initial config on startup, which it
- # can't do by itself since those needs superuser access
- #
- # unfortunatly, this is executed /before/ the database is created,
- # i.e. we have to create user and database by hand, even though
- # they would otherwise created by ensureUsers / ensureDatabse.
- # Using those does still prevent us from accidentally deleting
- # them, though (but not from deleting the database's content!)
+ # this is basically legacy. even if I ever reset the database,
+ # the initDb option of the akkoma module probably does about this.
 initialScript = pkgs.writeScript "postgres-pleroma-initial" ''
 CREATE USER pleroma;
 CREATE DATABASE pleroma OWNER pleroma;
@@ -138,16 +154,10 @@ in
 '';
 };
- networking.firewall.allowedTCPPorts = [ 4000 10022 ];
+ networking.firewall.allowedTCPPorts = [ 4000 ];
- services.coredns = {
- enable = true;
- config = ''
- .:53 {
- forward . 1.1.1.1
- }
- '';
- };
+ environment.etc."resolv.conf".text =
+ "nameserver 1.1.1.1";
 };
 };
@@ -158,16 +168,14 @@ in
 enable = true;
 internalInterfaces = [ "ve-pleroma" ];
 externalInterface = "ens3";
- };
- networking.firewall.allowedTCPPorts = [ 10022 ];
 services.nginx.virtualHosts."pleroma.stuebinm.eu" = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://${config.containers.pleroma.localAddress}:4000";
+ proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000";
 proxyWebsockets = true;
 # these headers are in the example config in the NixOS manual.
 # take some time to figure out what they all do, and if these |
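Review bot: The removed `};` directly after `externalInterface = "ens3";` in the `@@ -158,16 +168,14 @@` hunk looks like the closing brace of a `networking.nat = {` block that opens above the hunk, and no replacement brace appears on the new side, so unless the block is now closed further down outside this hunk the file would not evaluate; worth re-checking against the real file since the rendering here may have collapsed it. The new `proxyPass` also relies on `config.containers.pleroma.localAddress6` being set in the container definition, which is outside this hunk; the bracketed `[...]` form is the right way to put an IPv6 literal in the upstream URL, and together with the container endpoint now listening on `::` the path host nginx → container is consistently IPv6. Dropping port 10022 from both firewalls and removing the coredns forwarder in the previous hunk are a welcome reduction of what the container and host expose.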