Diffstat (limited to '')
-rw-r--r--flora/services/akkoma.nix29
-rw-r--r--flora/services/cgit.nix17
-rw-r--r--flora/services/mail.nix2
-rw-r--r--flora/services/monit.nix18
-rw-r--r--flora/services/nginx.nix28
-rw-r--r--flora/services/ntfy.nix6
6 files changed, 73 insertions, 27 deletions
diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix
index 756f2a7..6864a29 100644
--- a/flora/services/akkoma.nix
+++ b/flora/services/akkoma.nix
@@ -45,7 +45,7 @@ in
ref = "stable";
};
admin = {
- package = pkgs.akkoma-frontends.admin-fe;
+ package = pkgs.akkoma-admin-fe;
name = "admin-fe";
ref = "stable";
};
@@ -59,7 +59,8 @@ in
config = {
":pleroma"."Pleroma.Web.Endpoint" = {
"url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
- "http" = { ip = "::"; port = 4000; };
+ # below uses IPv4; IPv6 breaks the elixir format generator …
+ "http" = { ip = "0.0.0.0"; port = 4000; };
secret_key_base._secret = "/sops/keyBase";
signing_salt._secret = "/sops/signingSalt";
};
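Review bot: The new comment above the `"http"` line trails off with an ellipsis and never says what breaks or where it is tracked, so the next reader cannot tell when `::` can be restored; suggest `# IPv4 only: the elixir config generator cannot render the "::" literal (see <ISSUE-OR-LINK>); switch back once fixed`. Note that `0.0.0.0`, like `::` before it, listens on every address the container has, so whether port 4000 is reachable from outside still depends on the container's network isolation rather than on this setting.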
@@ -97,9 +98,11 @@ in
":mrf".policies = map mkAtom [
"Pleroma.Web.ActivityPub.MRF.SimplePolicy"
];
+ ":http".pool_timeout = 30000;
+
"Pleroma.Upload" = {
filters = map mkAtom [
- "Pleroma.Upload.Filter.Exiftool"
+ "Pleroma.Upload.Filter.Exiftool.StripMetadata"
"Pleroma.Upload.Filter.AnonymizeFilename"
"Pleroma.Upload.Filter.Dedupe"
];
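Review bot: `":http".pool_timeout = 30000;` carries neither a unit nor a reason, so a reader has to guess whether this is milliseconds and why the value was raised. Suggest `# outbound HTTP pool checkout timeout, presumably milliseconds like Pleroma's other timeouts — confirm; raised because <reason>` on the line above it. The enclosing `config` attribute set starts and ends outside this hunk.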
@@ -154,7 +157,7 @@ in
services.postgresql = {
enable = true;
- package = pkgs.postgresql_12;
+ package = pkgs.postgresql_16;
ensureDatabases = [ "pleroma" ];
ensureUsers = [ {
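Review bot: The `postgresql_12` → `postgresql_16` bump is a major-version change, and the NixOS postgresql module keeps each major version in its own data directory, so on the next switch the 16 cluster starts empty and `ensureDatabases` creates a fresh, empty `pleroma` database unless the data was migrated out-of-band first. Nothing in the commit records that a `pg_upgrade` or dump/restore was done; a one-line comment next to the package line such as `# upgraded from 12 via pg_dumpall/restore on <date>` would save the next person from re-deriving that.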
@@ -162,6 +165,22 @@ in
ensureDBOwnership = true;
} ];
+ settings = {
+ max_connections = 20;
+ shared_buffers = "256MB";
+ effective_cache_size = "768MB";
+ maintenance_work_mem = "64MB";
+ checkpoint_completion_target = 0.9;
+ wal_buffers = "7864kB";
+ default_statistics_target = 100;
+ random_page_cost = 1.1;
+ effective_io_concurrency = 200;
+ work_mem = "6553kB";
+ huge_pages = "off";
+ min_wal_size = "2GB";
+ max_wal_size = "8GB";
+ };
+
# give pleroma access. must be done with lib.mkForce, for some reason
authentication = pkgs.lib.mkForce ''
# Generated file; do not edit!
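Review bot: The new `settings` block is an unexplained list of tuning values; it reads like pgtune output for a small host, but nothing says what hardware it was derived for, and `max_connections = 20` must stay above the connection pool Pleroma is configured with (plus PostgreSQL's reserved superuser connections) or the application fails to check out connections under load. Suggest heading the block with `# pgtune-style values for <RAM>/<cores>; max_connections must exceed Pleroma's Repo pool_size` so the numbers can be re-derived when the host changes. The `authentication` string on the last context line continues past the hunk.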
@@ -203,7 +222,7 @@ in
enableACME = true;
locations."/" = {
- proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000";
+ proxyPass = "http://${config.containers.pleroma.localAddress}:4000";
proxyWebsockets = true;
# these headers are in the example config in the NixOS manual.
# take some time to figure out what they all do, and if these
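Review bot: `proxyPass` now interpolates `config.containers.pleroma.localAddress`, which is null unless the container declares an IPv4 `localAddress`, and Nix refuses to interpolate null into a string; the container definition is outside this hunk, so confirm it sets one alongside the `localAddress6` that was used before. A short comment such as `# IPv4 to match the 0.0.0.0 listener in the container config above` would tie this line to the listener change earlier in the file.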
diff --git a/flora/services/cgit.nix b/flora/services/cgit.nix
index 032ec1d..b846ad4 100644
--- a/flora/services/cgit.nix
+++ b/flora/services/cgit.nix
@@ -56,10 +56,14 @@ let
'';
in
{
- services.fcgiwrap = {
+ services.fcgiwrap.instances.cgit.process = {
user = "git";
group = "users";
- enable = true;
+ };
+ services.fcgiwrap.instances.cgit.socket = {
+ user = "git";
+ group = "users";
+ mode = "0622";
};
services.nginx.virtualHosts."stuebinm.eu" = {
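Review bot: `mode = "0622"` on the cgit fcgiwrap socket makes it writable by every local user, and write permission is all that is needed to connect to a unix socket, so any local account can drive cgit and git-http-backend as user `git` without going through nginx. The intended client is the nginx worker, so grant it specifically: `group = config.services.nginx.group; mode = "0660";` in the `socket` block (the `user = "git"` owner can stay). The `nomsing` socket added in nginx.nix sets the same mode and needs the same change.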
@@ -69,7 +73,7 @@ in
# this one should come last, behind the git-http-backend blocks
locations."~ /git(/.*)".priority = 1100;
locations."~ /git(/.*)".extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
fastcgi_param CGIT_CONFIG ${pkgs.writeText "cgit.conf" cgitconf};
@@ -78,7 +82,7 @@ in
locations."~ /git(/[^/]*/(info/refs|git-(upload|receive)-pack|objects/info/packs))" = {
extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${pkgs.gitMinimal}/bin/git-http-backend;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
@@ -89,7 +93,7 @@ in
locations."~ /git/forks(/.*/(info/refs|git-(upload|receive)-pack|objects/info/packs))" = {
extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${pkgs.gitMinimal}/bin/git-http-backend;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
@@ -101,7 +105,8 @@ in
# user for git repo administration
users.users.git = {
- openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys
+ ++ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbHG2wmMiUyvqb9oUa2KunEgv4Iab3FGCER/i2f2gKL terru@work" ];
home = "/var/git";
isNormalUser = true;
packages = [ pkgs.gitMinimal ];
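Review bot: The key appended for `git` is identified only by its `terru@work` comment; since the account is `isNormalUser = true` and no restricted shell is visible here, each listed key grants a full interactive login as `git`, not just repository access. Record who owns the key and its expected lifetime, e.g. `# <owner>'s workstation key, added <date>; remove when <condition>`, or restrict the account with a git-only shell (`pkgs.git` ships `bin/git-shell`) if SSH is meant only for git operations. The `users.users.git` definition continues past the hunk.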
diff --git a/flora/services/mail.nix b/flora/services/mail.nix
index 3987a49..523c32d 100644
--- a/flora/services/mail.nix
+++ b/flora/services/mail.nix
@@ -6,7 +6,7 @@
sops.secrets."mail/hashedPassword" = {};
mailserver = {
- enable = true;
+ enable = false;
fqdn = "mail.stuebinm.eu";
domains = [ "stuebinm.eu" ];
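Review bot: `enable = false;` silently keeps the whole `mailserver` block, the `sops.secrets."mail/hashedPassword"` declaration and `fqdn = "mail.stuebinm.eu"` in place, while ntfy.nix in the same commit takes over port 25 and that very domain; a reader cannot tell whether this is a temporary outage measure or a decommission. Add one line above it, e.g. `# disabled <date>: SMTP on :25 and mail.stuebinm.eu are now served by ntfy (see ntfy.nix); re-enabling will conflict on port 25`.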
diff --git a/flora/services/monit.nix b/flora/services/monit.nix
index 83436e7..19e7e88 100644
--- a/flora/services/monit.nix
+++ b/flora/services/monit.nix
@@ -16,15 +16,15 @@
if failed port 64738 of type tcp using ssl with expect "NixOS"
then alert
- check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid
- start program = "${pkgs.systemd}/bin/systemctl start postfix"
- stop program = "${pkgs.systemd}/bin/systemctl stop postfix"
- if failed port 25 protocol smtp for 5 cycles then restart
-
- check process dovecot with pidfile /var/run/dovecot2/master.pid
- start program = "${pkgs.systemd}/bin/systemctl start dovecot2"
- stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
- if failed host mail.stuebinm.eu port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+ # check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid
+ # start program = "${pkgs.systemd}/bin/systemctl start postfix"
+ # stop program = "${pkgs.systemd}/bin/systemctl stop postfix"
+ # if failed port 25 protocol smtp for 5 cycles then restart
+
+ # check process dovecot with pidfile /var/run/dovecot2/master.pid
+ # start program = "${pkgs.systemd}/bin/systemctl start dovecot2"
+ # stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
+ # if failed host mail.stuebinm.eu port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
check host bahnhof.name with address bahnhof.name
if failed port 443 with protocol https
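Review bot: Commenting out the postfix and dovecot checks leaves dead text without saying why; if mailserver is meant to stay off, delete the block (git history keeps it), and if it is temporary, prefix it with `# disabled together with mailserver in mail.nix; restore both at once`. Port 25 is now answered by ntfy (ntfy.nix), so a replacement such as `check host ntfy-smtp with address mail.stuebinm.eu` followed by `if failed port 25 protocol smtp then alert` would keep that listener monitored instead of leaving SMTP unwatched.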
diff --git a/flora/services/nginx.nix b/flora/services/nginx.nix
index 1d95255..c5aa45b 100644
--- a/flora/services/nginx.nix
+++ b/flora/services/nginx.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -14,22 +14,44 @@
enableACME = true;
forceSSL = true;
locations."/".root = ../../pkgs/nomsing;
+ extraConfig = ''
+ include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;
+ '';
};
virtualHosts."meow.noms.ing" = {
enableACME = true;
forceSSL = true;
locations."/".root = ../../pkgs/nomsing;
+ extraConfig = ''
+ include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;
+ '';
};
virtualHosts."webring.noms.ing" = {
enableACME = true;
forceSSL = true;
locations."~ (.*)".extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.nomsing.socket.address};
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${lib.getExe pkgs.nomsring};
fastcgi_param PATH_INFO $1;
'';
+ extraConfig = ''
+ include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;
+ '';
};
+
+ };
+
+ services.fcgiwrap.instances.nomsing = {
+ socket = {
+ user = "nomsring";
+ group = "users";
+ mode = "0622";
+ };
+ };
+
+ users.users.nomsring = {
+ isSystemUser = true;
+ group = "users";
};
- services.fcgiwrap.enable = true;
}
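Review bot: The new `services.fcgiwrap.instances.nomsing` sets only `socket`, not `process`, so the fcgiwrap process presumably runs as the module's default user while the freshly created `nomsring` user owns nothing but the socket; if `nomsring` exists to confine the webring CGI, add `process = { user = "nomsring"; group = "users"; };` as cgit.nix does for its instance. `mode = "0622"` on this socket has the same world-connectable problem as the cgit socket; `group = config.services.nginx.group; mode = "0660";` grants only the nginx worker. The `nginx-block-ai-bots.conf` include pulls configuration from a third-party flake input into every server block, so its pin in the lock file now shapes what nginx executes; a comment such as `# third-party UA block list from the ai.robots.txt flake input; review on lock updates` would make that visible.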
diff --git a/flora/services/ntfy.nix b/flora/services/ntfy.nix
index aa46a39..25ae8f8 100644
--- a/flora/services/ntfy.nix
+++ b/flora/services/ntfy.nix
@@ -10,8 +10,8 @@
listen-unix = "/run/ntfy-sh/ntfy.sock";
listen-unix-mode = 511; ## lossy nix->yaml conversion eats octal literals (equal to 0777)
- smtp-server-listen = ":2525";
- smtp-server-domain = "ping.stuebinm.eu";
+ smtp-server-listen = ":25";
+ smtp-server-domain = "mail.stuebinm.eu";
auth-file = "/var/lib/ntfy-sh/user.db";
auth-default-access = "deny-all";
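Review bot: Moving the SMTP listener to `:25` and `smtp-server-domain` to `mail.stuebinm.eu` makes ntfy the only thing answering for the former mail domain, but ntfy's built-in SMTP server only forwards mail addressed to topics, so anything else sent to that domain will be rejected; state that next to the setting, e.g. `# takes over :25 from the now-disabled mailserver (mail.nix); only <topic>@mail.stuebinm.eu is accepted`. Port 25 is privileged, so this also depends on the ntfy-sh unit being allowed to bind low ports (CAP_NET_BIND_SERVICE) — confirm the module grants it, otherwise the listener fails on the next restart. The enclosing `settings` attribute set starts before this hunk.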
@@ -21,7 +21,7 @@
};
};
- networking.firewall.allowedTCPPorts = [ 2525 ];
+ networking.firewall.allowedTCPPorts = [ 25 ];
services.mollysocket = {
enable = true;