Diffstat (limited to 'flora')
-rw-r--r-- | flora/services/akkoma.nix | 29 | ||||
-rw-r--r-- | flora/services/cgit.nix | 7 | ||||
-rw-r--r-- | flora/services/mail.nix | 2 | ||||
-rw-r--r-- | flora/services/monit.nix | 18 | ||||
-rw-r--r-- | flora/services/nginx.nix | 12 | ||||
-rw-r--r-- | flora/services/ntfy.nix | 6 |
6 files changed, 52 insertions, 22 deletions
diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix
index 756f2a7..6864a29 100644
--- a/flora/services/akkoma.nix
+++ b/flora/services/akkoma.nix
@@ -45,7 +45,7 @@ in
 ref = "stable";
 };
 admin = {
- package = pkgs.akkoma-frontends.admin-fe;
+ package = pkgs.akkoma-admin-fe;
 name = "admin-fe";
 ref = "stable";
 };
@@ -59,7 +59,8 @@ in
 config = {
 ":pleroma"."Pleroma.Web.Endpoint" = {
 "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; };
- "http" = { ip = "::"; port = 4000; };
+ # below uses IPv4; IPv6 breaks the elixir format generator …
+ "http" = { ip = "0.0.0.0"; port = 4000; };
 secret_key_base._secret = "/sops/keyBase";
 signing_salt._secret = "/sops/signingSalt";
 };
@@ -97,9 +98,11 @@ in
 ":mrf".policies = map mkAtom [
 "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
 ];
+ ":http".pool_timeout = 30000;
+
 "Pleroma.Upload" = {
 filters = map mkAtom [
- "Pleroma.Upload.Filter.Exiftool"
+ "Pleroma.Upload.Filter.Exiftool.StripMetadata"
 "Pleroma.Upload.Filter.AnonymizeFilename"
 "Pleroma.Upload.Filter.Dedupe"
 ];
@@ -154,7 +157,7 @@ in
 services.postgresql = {
 enable = true;
- package = pkgs.postgresql_12;
+ package = pkgs.postgresql_16;
 ensureDatabases = [ "pleroma" ];
 ensureUsers = [
 {
@@ -162,6 +165,22 @@ in
 ensureDBOwnership = true;
 }
 ];
+ settings = {
+ max_connections = 20;
+ shared_buffers = "256MB";
+ effective_cache_size = "768MB";
+ maintenance_work_mem = "64MB";
+ checkpoint_completion_target = 0.9;
+ wal_buffers = "7864kB";
+ default_statistics_target = 100;
+ random_page_cost = 1.1;
+ effective_io_concurrency = 200;
+ work_mem = "6553kB";
+ huge_pages = "off";
+ min_wal_size = "2GB";
+ max_wal_size = "8GB";
+ };
+
 # give pleroma access. must be done with lib.mkForce, for some reason
 authentication = pkgs.lib.mkForce ''
 # Generated file; do not edit!
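Review bot: The new `"http" = { ip = "0.0.0.0"; port = 4000; };` binds Akkoma on every IPv4 address the container has rather than the single address nginx proxies to (the `-203` hunk of this file now targets `config.containers.pleroma.localAddress`), and the comment explaining the IPv6 problem stops at `…`. If the container only has its veth towards the host this widens nothing, but that is an assumption the file should state; pinning `ip` to that container address, or at least finishing the comment with what in the elixir format generator breaks on `::`, would make the choice reviewable. The enclosing `config` attribute set continues outside the hunk.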
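Review bot: `":http".pool_timeout = 30000;` is added with neither a unit nor a reason; it reads as milliseconds, but nothing in the file says so. A short comment above the line, e.g. `# pool_timeout in ms; raised from the default because …`, would let the next reader tell a deliberate tuning choice from a workaround. The `config` set starts and ends outside the hunk.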
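Review bot: Changing `package = pkgs.postgresql_12;` to `pkgs.postgresql_16` is a major-version jump, and PostgreSQL refuses to start on a data directory initialised by 12 until it has been migrated with pg_upgrade or a dump/restore; nothing in this commit performs that, so it presumably happened, or must happen, out of band. A comment next to the package line recording how the data directory was migrated, e.g. `# data dir upgraded 12 -> 16 via pg_upgrade on <date>`, would save the next person a failed deploy. In the following hunk, the new `max_connections = 20` also has to stay above Akkoma's configured DB pool size plus any other clients, which is not visible from here.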
@@ -203,7 +222,7 @@ in
 enableACME = true;
 locations."/" = {
- proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000";
+ proxyPass = "http://${config.containers.pleroma.localAddress}:4000";
 proxyWebsockets = true;
 # these headers are in the example config in the NixOS manual.
 # take some time to figure out what they all do, and if these
diff --git a/flora/services/cgit.nix b/flora/services/cgit.nix
index 1d307e3..b846ad4 100644
--- a/flora/services/cgit.nix
+++ b/flora/services/cgit.nix
@@ -82,7 +82,7 @@ in
 locations."~ /git(/[^/]*/(info/refs|git-(upload|receive)-pack|objects/info/packs))" = {
 extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
 include ${pkgs.nginx}/conf/fastcgi_params;
 fastcgi_param SCRIPT_FILENAME ${pkgs.gitMinimal}/bin/git-http-backend;
 fastcgi_param GIT_HTTP_EXPORT_ALL "";
@@ -93,7 +93,7 @@ in
 locations."~ /git/forks(/.*/(info/refs|git-(upload|receive)-pack|objects/info/packs))" = {
 extraConfig = ''
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
 include ${pkgs.nginx}/conf/fastcgi_params;
 fastcgi_param SCRIPT_FILENAME ${pkgs.gitMinimal}/bin/git-http-backend;
 fastcgi_param GIT_HTTP_EXPORT_ALL "";
@@ -105,7 +105,8 @@ in
 # user for git repo administration
 users.users.git = {
- openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
+ openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys
+ ++ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIbHG2wmMiUyvqb9oUa2KunEgv4Iab3FGCER/i2f2gKL terru@work" ];
 home = "/var/git";
 isNormalUser = true;
 packages = [ pkgs.gitMinimal ];
diff --git a/flora/services/mail.nix b/flora/services/mail.nix
index 3987a49..523c32d 100644
--- a/flora/services/mail.nix
+++ b/flora/services/mail.nix
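Review bot: The switch to `fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};` makes nginx talk to a per-instance socket, so that instance's socket ownership and mode must admit the nginx worker user; if the `cgit` instance is declared elsewhere with its `socket.user`/`socket.group` matching nginx this is fine, otherwise both git-http-backend locations fail with a permission error at request time rather than at evaluation time. The identical line is changed again in the `-93` hunk for the forks location; hoisting the two identical `extraConfig` bodies into one `let gitBackend = ''…''; in` binding would stop them drifting apart. The enclosing `virtualHosts` block starts and ends outside both hunks.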
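Review bot: The key appended via `++ [ "ssh-ed25519 AAAA… terru@work" ]` now logs into the `git` account, and with `isNormalUser = true` visible two lines below that is an interactive login shell unless the account's shell is restricted somewhere outside the hunk, so the key gets more than repository access. If it is only meant for push and fetch, prefix the entry with the authorized_keys `restrict` option plus a forced git-shell command, or set the account's shell to git-shell. As a second point, root's key list and this inline literal are now two separate places where keys are pasted; a single `let` binding or a keys file referenced from both would keep one source of truth. `users.users.git` continues outside the hunk.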
@@ -6,7 +6,7 @@
 sops.secrets."mail/hashedPassword" = {};
 mailserver = {
- enable = true;
+ enable = false;
 fqdn = "mail.stuebinm.eu";
 domains = [ "stuebinm.eu" ];
diff --git a/flora/services/monit.nix b/flora/services/monit.nix
index 83436e7..19e7e88 100644
--- a/flora/services/monit.nix
+++ b/flora/services/monit.nix
@@ -16,15 +16,15 @@
 if failed port 64738 of type tcp using ssl with expect "NixOS" then alert
- check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid
- start program = "${pkgs.systemd}/bin/systemctl start postfix"
- stop program = "${pkgs.systemd}/bin/systemctl stop postfix"
- if failed port 25 protocol smtp for 5 cycles then restart
-
- check process dovecot with pidfile /var/run/dovecot2/master.pid
- start program = "${pkgs.systemd}/bin/systemctl start dovecot2"
- stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
- if failed host mail.stuebinm.eu port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
+ # check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid
+ # start program = "${pkgs.systemd}/bin/systemctl start postfix"
+ # stop program = "${pkgs.systemd}/bin/systemctl stop postfix"
+ # if failed port 25 protocol smtp for 5 cycles then restart
+
+ # check process dovecot with pidfile /var/run/dovecot2/master.pid
+ # start program = "${pkgs.systemd}/bin/systemctl start dovecot2"
+ # stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
+ # if failed host mail.stuebinm.eu port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
 check host bahnhof.name with address bahnhof.name
 if failed port 443 with protocol https
diff --git a/flora/services/nginx.nix b/flora/services/nginx.nix
index 4a9bf33..c5aa45b 100644
--- a/flora/services/nginx.nix
+++ b/flora/services/nginx.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
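Review bot: `enable = false;` switches the whole mailserver off while its `fqdn`, `domains` and the `sops.secrets."mail/hashedPassword"` declaration stay in place, and nothing says whether this is temporary or a migration, even though the ntfy change in the same commit now answers on port 25 as `mail.stuebinm.eu`. A one-line comment above it, e.g. `# disabled: port 25 / mail.stuebinm.eu is now served by ntfy (see ntfy.nix)`, would stop someone re-enabling it and, most likely, colliding with ntfy on port 25. The secret is still decrypted onto the host for a service that no longer runs; gating it on `mailserver.enable` or removing it is optional but tidier.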
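Review bot: Commenting out the postfix and dovecot checks removes the only monit check of port 25, yet this same commit moves an SMTP listener onto port 25 (ntfy.nix), so the new listener now runs unmonitored. A host check on the new service, e.g. `check host ntfy with address mail.stuebinm.eu` followed by `if failed port 25 protocol smtp for 5 cycles then alert`, would restore that coverage. The nine commented lines are preserved in git history anyway, so deleting them outright reads cleaner than a dead comment block; the surrounding monit config string starts and ends outside the hunk.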
@@ -14,11 +14,17 @@
 enableACME = true;
 forceSSL = true;
 locations."/".root = ../../pkgs/nomsing;
+ extraConfig = ''
+ include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;
+ '';
 };
 virtualHosts."meow.noms.ing" = {
 enableACME = true;
 forceSSL = true;
 locations."/".root = ../../pkgs/nomsing;
+ extraConfig = ''
+ include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;
+ '';
 };
 virtualHosts."webring.noms.ing" = {
 enableACME = true;
@@ -29,7 +35,11 @@
 fastcgi_param SCRIPT_FILENAME ${lib.getExe pkgs.nomsring};
 fastcgi_param PATH_INFO $1;
 '';
+ extraConfig = ''
+ include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;
+ '';
 };
+
 };
 services.fcgiwrap.instances.nomsing = {
diff --git a/flora/services/ntfy.nix b/flora/services/ntfy.nix
index aa46a39..25ae8f8 100644
--- a/flora/services/ntfy.nix
+++ b/flora/services/ntfy.nix
@@ -10,8 +10,8 @@
 listen-unix = "/run/ntfy-sh/ntfy.sock";
 listen-unix-mode = 511; ## lossy nix->yaml conversion eats octal literals (equal to 0777)
- smtp-server-listen = ":2525";
- smtp-server-domain = "ping.stuebinm.eu";
+ smtp-server-listen = ":25";
+ smtp-server-domain = "mail.stuebinm.eu";
 auth-file = "/var/lib/ntfy-sh/user.db";
 auth-default-access = "deny-all";
@@ -21,7 +21,7 @@
 };
 };
- networking.firewall.allowedTCPPorts = [ 2525 ];
+ networking.firewall.allowedTCPPorts = [ 25 ];
 services.mollysocket = {
 enable = true;
|
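Review bot: The `include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;` added to three vhosts (here and in the `-29` hunk of this file) splices a file from an external flake input verbatim into the running nginx configuration, so any directive that file gains on a future input bump executes with the full authority of the server config; treat the input like vendored code and diff it whenever the lock is updated, and keep in mind that user-agent blocking is advisory because the header is self-declared. Stylistically the same three-line `extraConfig` is copied three times and will drift; a single `let blockAiBots = "include ${inputs."ai.robots.txt"}/nginx-block-ai-bots.conf;"; in` binding referenced from each vhost would keep it in one place. The `-29` hunk also appears to add a stray blank line before the closing `};`.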
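Review bot: Moving `smtp-server-listen` from `":2525"` to `":25"` puts ntfy's SMTP receiver on a privileged port reachable from anywhere once the `-21` hunk opens it in the firewall, and binding below 1024 only works if the ntfy-sh unit carries `CAP_NET_BIND_SERVICE` (via `AmbientCapabilities` or the NixOS module's own defaults), which this file does not show. Two things are worth confirming before deploying: that the unit has that capability, and that `auth-default-access = "deny-all"` governs mail-originated publishes the same way it governs HTTP, since an open SMTP listener that accepted anonymous publishes would make the instance a notification spam relay. A comment on the `smtp-server-domain = "mail.stuebinm.eu";` line noting that the MX now points here and the mailserver module is disabled would tie the three changed files together.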