diff options
Diffstat (limited to 'hosts/flora')
| -rw-r--r-- | hosts/flora/configuration.nix | 23 | ||||
| -rw-r--r-- | hosts/flora/services/hedgedoc.nix | 8 | ||||
| -rw-r--r-- | hosts/flora/services/pleroma.nix | 175 | 
3 files changed, 192 insertions, 14 deletions
| diff --git a/hosts/flora/configuration.nix b/hosts/flora/configuration.nix index 43f7f8e..0d1788d 100644 --- a/hosts/flora/configuration.nix +++ b/hosts/flora/configuration.nix @@ -7,7 +7,8 @@      ./services/daemoniones.nix      ./services/nginx.nix      ./services/workadventure.nix -    # ./services/pleroma +    #./../../../nginx/vod.nix +    ./services/pleroma.nix    ];    # Use the GRUB 2 boot loader. @@ -22,21 +23,23 @@    networking = {      hostName = "flora"; -    #enableIPv6 = true; -    #defaultGateway6 = { -    #  address = "fe80::1"; -    #  interface = "ens3"; -    #}; +    enableIPv6 = true; +    defaultGateway6 = { +      address = "fe80::1"; +      interface = "ens3"; +    }; -    #interfaces.ens3.ipv6.addresses = [ { -    #  address = "2a01:4f9:c010:d319::1"; -    #  prefixLength = 64; -    #} ];  +    interfaces.ens3.ipv6.addresses = [ { +      address = "2a01:4f9:c010:df15::1"; +      prefixLength = 64; +    } ];       useDHCP = false;      interfaces.ens3.useDHCP = true;      firewall.logRefusedConnections = false; +     +    };    services.fail2ban = { diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix index 4ce2256..c7b5379 100644 --- a/hosts/flora/services/hedgedoc.nix +++ b/hosts/flora/services/hedgedoc.nix @@ -26,10 +26,10 @@          # ugly workaround to allow CodiMD to login without password — this service has lots of options,          # but apparently not for authentification, which even needs to be forced …          authentication = pkgs.lib.mkForce '' -            # Generated file; do not edit! -            local all all              trust -            host  codimd codimd ::1/128      trust -          ''; +          # Generated file; do not edit! +          local all all              trust +          host  codimd codimd ::1/128      trust +        '';        };        # CodiMD itself        services.hedgedoc = { diff --git a/hosts/flora/services/pleroma.nix b/hosts/flora/services/pleroma.nix new file mode 100644 index 0000000..22a70c3 --- /dev/null +++ b/hosts/flora/services/pleroma.nix @@ -0,0 +1,175 @@ +{config, pkgs, ...}: + + +let +  sources = import ../../../nix/sources.nix; +  domain = "pleroma.stuebinm.eu"; +in +{ + +  containers.pleroma = { +    autoStart = true; +    privateNetwork = true; +     +    hostAddress = "192.168.42.30"; +    localAddress = "192.168.42.31"; +    hostAddress6 = "fd00::42:30"; +    localAddress6 = "fd00::42:31"; +     +     +    config = {pkgs, config, ...}: { +       +      # pleroma is only on unstable for now, so import it here +      imports = [ "${sources.nixpkgs-unstable}/nixos/modules/services/networking/pleroma.nix" ]; +      # generating the manual will fail when mixing nixos channels, +      # so disable it here or this won't build at all. +    	documentation.enable = false; +       +      # pleroma has a cli tool for configuration +      environment.systemPackages = [ pkgs.pleroma-otp pkgs.dnsutils ]; +     +      services.pleroma = { +        enable = true; +         +        # this is barely necessary at this point — all that's +        # set in here is the default_signer for joken, and the +        # secret_key_base and signing_salt for phoenix. +        secretConfigFile = "/var/lib/pleroma/secrets.exs"; +         +        # for a list of available config options, see +        # https://docs-develop.pleroma.social/backend/configuration/cheatsheet/ +        #  +        # Additionally, some parts of pleroma's config (e.g. Pleroma.Repo) +        # are better documented in their respective libraries (in this +        # case, see the documentation for Ecto on Adapters). +        configs = [ '' +          import Config + +          config :pleroma, Pleroma.Web.Endpoint, +            url: [host: "${domain}", scheme: "https", port: 443], +            http: [ip: {0, 0, 0, 0, 0, 0, 0, 0}, port: 4000] + +          config :pleroma, :instance, +            name: "Pleroma", +            limit: 5000, +            registrations_open: false, +            federating: true, +            healthcheck: true, +            allow_relay: true + +          config :pleroma, :media_proxy, +            enabled: false, +            redirect_on_failure: true + +          config :pleroma, Pleroma.Upload, +            filters: [ +                Pleroma.Upload.Filter.Exiftool, +                Pleroma.Upload.Filter.AnonymizeFilename, +                Pleroma.Upload.Filter.Dedupe +            ] +             +          config :pleroma, Pleroma.Uploaders.Local, +            uploads: "/var/lib/pleroma/uploads" + +          config :pleroma, Pleroma.Repo, +            adapter: Ecto.Adapters.Postgres, +            username: "pleroma", +            database: "pleroma", +            socket_dir: "/run/postgresql", +            pool_size: 10, +            prepare: :named, +            parameters: [ +                plan_cache_mode: "force_custom_plan" +            ] + + + +          config :pleroma, :database, rum_enabled: false +          config :pleroma, configurable_from_database: false + +          config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" +           +        '' ]; +      }; +           +      services.postgresql = { +        enable = true; +        package = pkgs.postgresql_12; +         +        ensureDatabases = [ "pleroma" ]; +        ensureUsers = [ { +          name = "pleroma"; +          ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES"; +        } ]; +         +        # give pleroma access. must be done with lib.mkForce, for some reason +        authentication = pkgs.lib.mkForce '' +          # Generated file; do not edit! +          local all all              trust +          host  pleroma pleroma ::1/128      trust +        ''; +         +        # pleroma wants to do some initial config on startup, which it +        # can't do by itself since those needs superuser access +        # +        # unfortunatly, this is executed /before/ the database is created, +        # i.e. we have to create user and database by hand, even though +        # they would otherwise created by ensureUsers / ensureDatabse. +        # Using those does still prevent us from accidentally deleting +        # them, though (but not from deleting the database's content!) +        initialScript = pkgs.writeScript "postgres-pleroma-initial" '' +          CREATE USER pleroma; +          CREATE DATABASE pleroma OWNER pleroma; +          \c pleroma; +          --Extensions made by ecto.migrate that need superuser access +          CREATE EXTENSION IF NOT EXISTS citext; +          CREATE EXTENSION IF NOT EXISTS pg_trgm; +          CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; +        ''; +      }; +         +      networking.firewall.allowedTCPPorts = [ 4000 10022 ]; +    }; +  }; +   +  # give the container access to the external internet (necessary for +  # fetching content from other instances). Doesn't appear to work with +  # IPv6, though ... +  networking.nat = { +    enable = true; +    internalInterfaces = [ "ve-pleroma" ]; +    externalInterface = "ens3"; +     +  }; +  networking.firewall.allowedTCPPorts = [ 10022 ]; +   +  services.nginx.virtualHosts."${domain}" = { +    forceSSL = true; +    enableACME = true; +     +    locations."/" = { +      proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000"; +      proxyWebsockets = true; +      # these headers are in the example config in the NixOS manual. +      # take some time to figure out what they all do, and if these +      # are necessary +      extraConfig = '' +        add_header 'Access-Control-Allow-Origin' '*' always; +        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; +        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; +        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; +        if ($request_method = OPTIONS) { +            return 204; +        } +        add_header X-XSS-Protection "1; mode=block"; +        add_header X-Permitted-Cross-Domain-Policies none; +        add_header X-Frame-Options DENY; +        add_header X-Content-Type-Options nosniff; +        add_header Referrer-Policy same-origin; +        add_header X-Download-Options noopen; +        client_max_body_size 16m; +      ''; +    }; +  }; +} + | 
