From a8ec7eca6cdfd1f9119897f4fe0bda261ae8dc72 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Thu, 16 Feb 2023 21:00:51 +0100 Subject: more akkoma stuff --- flora/configuration.nix | 2 +- flora/services/akkoma.nix | 201 +++++++++++++++++++++++++++++++++++++++++++++ flora/services/pleroma.nix | 193 ------------------------------------------- 3 files changed, 202 insertions(+), 194 deletions(-) create mode 100644 flora/services/akkoma.nix delete mode 100644 flora/services/pleroma.nix diff --git a/flora/configuration.nix b/flora/configuration.nix index 7e733e2..750268e 100644 --- a/flora/configuration.nix +++ b/flora/configuration.nix @@ -4,7 +4,7 @@ imports = [ ./hardware-configuration.nix ./services/nginx.nix - ./services/pleroma.nix + ./services/akkoma.nix ./services/cgit.nix #./services/picarones.nix ./services/dockerhub.nix diff --git a/flora/services/akkoma.nix b/flora/services/akkoma.nix new file mode 100644 index 0000000..244351f --- /dev/null +++ b/flora/services/akkoma.nix @@ -0,0 +1,201 @@ +{config, pkgs, inputs, system, ...}: + + +let + unstable = import inputs.nixpkgs-unstable { inherit system; }; + staticDir = "/var/lib/akkoma/static"; +in +{ + + containers.pleroma = { + autoStart = true; + privateNetwork = true; + + hostAddress = "192.168.42.30"; + localAddress = "192.168.42.31"; + hostAddress6 = "fd00::42:30"; + localAddress6 = "fd00::42:31"; + + config = {pkgs, config, ...}: { + + # generating the manual will fail when mixing nixos channels, + # so disable it here or this won't build at all. + documentation.enable = false; + + imports = [ + ("${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/akkoma.nix") + ]; + + system.stateVersion = "22.11"; + + services.akkoma = { + enable = true; + + package = unstable.akkoma; + frontends = { + primary = { + package = unstable.akkoma-frontends.pleroma-fe; + name = "pleroma-fe"; + ref = "stable"; + }; + admin = { + package = unstable.akkoma-frontends.admin-fe; + name = "admin-fe"; + ref = "stable"; + }; + }; + + config = { + ":pleroma"."Pleroma.Web.Endpoint" = { + "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; }; + "http" = { ip = "::"; port = 4000; }; + secret_key_base._secret = "/secret/secret_key_base"; + signing_salt._secret = "/secret/signing_salt"; + }; + ":joken".":default_signer"._secret = "/secret/joken_default_signer"; + + ":pleroma" = { + ":instance" = { + name = "Pleroma"; + limit = 5000; + registrations_open = false; + federating = true; + healthcheck = true; + allow_relay = true; + description = "a test instance"; + email = "dings@dings"; + }; + ":media_proxy" = { + enabled = false; + redirect_on_failure = true; + }; + "Pleroma.Upload" = { + filters = [ + "Pleroma.Upload.Filter.Exiftool" + "Pleroma.Upload.Filter.AnonymizeFilename" + "Pleroma.Upload.Filter.Dedupe" + ]; + }; + "Pleroma.Uploaders.Local".uploads = "/var/lib/akkoma/uploads"; + "Pleroma.Repo" = { + adapter = "Ecto.Adapters.Postgres"; + username = "pleroma"; + database = "pleroma"; + socket_dir = "/run/postgresql"; + pool_size = 10; + # prepare = ":named"; + show_sensitive_data_on_connection_error = true; + parameters = { plan_cache_mode = "force_custom_plan"; }; + }; + ":database".run_enabled = false; + ":configurable_from_database" = false; + ":instance".static_dir = "/var/lib/akkoma/static"; + }; + }; + }; + + systemd.services.akkoma = { + path = [ pkgs.exiftool ]; + bindsTo = [ "akkoma-static.service" ]; + after = [ "akkoma-static.service" ]; + }; + + # symlink the parts of the static dir that are inside the nix store, + # so I can still have imperatively defined emojis etc. + # (for some reason the module doesn't do that) + systemd.services.akkoma-static = { + description = "Akkoma static dir wrangling"; + unitConfig.PropagatesReloadTo = [ "akkoma.service" ]; + path = [ pkgs.coreutils ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = with pkgs.lib; '' + ${concatStringsSep "\n" (mapAttrsToList (key: val: '' + mkdir -p ${staticDir}/frontends/${escapeShellArg val.name}/ + ln -sfT ${escapeShellArg val.package} ${staticDir}/frontends/${escapeShellArg val.name}/${escapeShellArg val.ref} + '') config.services.akkoma.frontends)} + ${optionalString (config.services.akkoma.extraStatic != null) + (concatStringsSep "\n" (mapAttrsToList (key: val: '' + mkdir -p "${staticDir}/$(dirname ${escapeShellArg key})" + ln -sfT ${escapeShellArg val} ${staticDir}/${escapeShellArg key} + '') config.services.akkoma.extraStatic))} + ''; + }; + + services.postgresql = { + enable = true; + package = pkgs.postgresql_12; + + ensureDatabases = [ "pleroma" ]; + ensureUsers = [ { + name = "pleroma"; + ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES"; + } ]; + + # give pleroma access. must be done with lib.mkForce, for some reason + authentication = pkgs.lib.mkForce '' + # Generated file; do not edit! + local all all trust + host pleroma akkoma ::1/128 trust + ''; + + # this is basically legacy. even if I ever reset the database, + # the initDb option of the akkoma module probably does about this. + initialScript = pkgs.writeScript "postgres-pleroma-initial" '' + CREATE USER pleroma; + CREATE DATABASE pleroma OWNER pleroma; + \c pleroma; + --Extensions made by ecto.migrate that need superuser access + CREATE EXTENSION IF NOT EXISTS citext; + CREATE EXTENSION IF NOT EXISTS pg_trgm; + CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + ''; + }; + + networking.firewall.allowedTCPPorts = [ 4000 ]; + + environment.etc."resolv.conf".text = + "nameserver 1.1.1.1"; + }; + }; + + # give the container access to the external internet (necessary for + # fetching content from other instances). Doesn't appear to work with + # IPv6, though ... + networking.nat = { + enable = true; + internalInterfaces = [ "ve-pleroma" ]; + externalInterface = "ens3"; + }; + + services.nginx.virtualHosts."pleroma.stuebinm.eu" = { + forceSSL = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://[${config.containers.pleroma.localAddress6}]:4000"; + proxyWebsockets = true; + # these headers are in the example config in the NixOS manual. + # take some time to figure out what they all do, and if these + # are necessary + extraConfig = '' + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + if ($request_method = OPTIONS) { + return 204; + } + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + client_max_body_size 16m; + ''; + }; + }; +} diff --git a/flora/services/pleroma.nix b/flora/services/pleroma.nix deleted file mode 100644 index dd75b43..0000000 --- a/flora/services/pleroma.nix +++ /dev/null @@ -1,193 +0,0 @@ -{config, pkgs, inputs, system, ...}: - - -let - unstable = import inputs.nixpkgs-unstable { inherit system; }; -in -{ - - containers.pleroma = { - autoStart = true; - privateNetwork = true; - - hostAddress = "192.168.42.30"; - localAddress = "192.168.42.31"; - hostAddress6 = "fd00::42:30"; - localAddress6 = "fd00::42:31"; - - config = {pkgs, config, ...}: { - - # generating the manual will fail when mixing nixos channels, - # so disable it here or this won't build at all. - documentation.enable = false; - - imports = [ - ("${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/akkoma.nix") - ]; - - system.stateVersion = "22.11"; - - services.akkoma = { - enable = true; - - # this is barely necessary at this point — all that's - # set in here is the default_signer for joken, and the - # secret_key_base and signing_salt for phoenix. - # secretConfigFile = "/var/lib/pleroma/secrets.exs"; - - package = unstable.akkoma; - frontends = { - primary = { - package = unstable.akkoma-frontends.pleroma-fe; - name = "pleroma-fe"; - ref = "stable"; - }; - admin = { - package = unstable.akkoma-frontends.admin-fe; - name = "admin-fe"; - ref = "stable"; - }; - }; - - config = { - ":pleroma"."Pleroma.Web.Endpoint" = { - "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; }; - "http" = {ip = "0.0.0.0"; port = 4000; }; - secret_key_base._secret = "/secret/secret_key_base"; - signing_salt._secret = "/secret/signing_salt"; - }; - ":joken".":default_signer"._secret = "/secret/joken_default_signer"; - - ":pleroma" = { - ":instance" = { - name = "Pleroma"; - limit = 5000; - registrations_open = false; - federating = true; - healthcheck = true; - allow_relay = true; - description = "a test instance"; - email = "dings@dings"; - }; - ":media_proxy" = { - enabled = false; - redirect_on_failure = true; - }; - "Pleroma.Upload" = { - filters = [ - "Pleroma.Upload.Filter.Exiftool" - "Pleroma.Upload.Filter.AnonymizeFilename" - "Pleroma.Upload.Filter.Dedupe" - ]; - }; - "Pleroma.Uploaders.Local".uploads = "/var/lib/pleroma/uploads"; - "Pleroma.Repo" = { - adapter = "Ecto.Adapters.Postgres"; - username = "pleroma"; - database = "pleroma"; - socket_dir = "/run/postgresql"; - pool_size = 10; - # prepare = ":named"; - show_sensitive_data_on_connection_error = true; - parameters = { plan_cache_mode = "force_custom_plan"; }; - }; - ":database".run_enabled = false; - ":configurable_from_database" = false; - # ":instance".static_dir = "/var/lib/pleroma/static"; - - }; - }; - }; - - # otherwise, the exiftool will fail to run - systemd.services.akkoma.path = [ pkgs.exiftool ]; - - services.postgresql = { - enable = true; - package = pkgs.postgresql_12; - - ensureDatabases = [ "pleroma" ]; - ensureUsers = [ { - name = "pleroma"; - ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES"; - } ]; - - # give pleroma access. must be done with lib.mkForce, for some reason - authentication = pkgs.lib.mkForce '' - # Generated file; do not edit! - local all all trust - host pleroma akkoma ::1/128 trust - ''; - - # pleroma wants to do some initial config on startup, which it - # can't do by itself since those needs superuser access - # - # unfortunatly, this is executed /before/ the database is created, - # i.e. we have to create user and database by hand, even though - # they would otherwise created by ensureUsers / ensureDatabse. - # Using those does still prevent us from accidentally deleting - # them, though (but not from deleting the database's content!) - initialScript = pkgs.writeScript "postgres-pleroma-initial" '' - CREATE USER pleroma; - CREATE DATABASE pleroma OWNER pleroma; - \c pleroma; - --Extensions made by ecto.migrate that need superuser access - CREATE EXTENSION IF NOT EXISTS citext; - CREATE EXTENSION IF NOT EXISTS pg_trgm; - CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; - ''; - }; - - networking.firewall.allowedTCPPorts = [ 4000 10022 ]; - - services.coredns = { - enable = true; - config = '' - .:53 { - forward . 1.1.1.1 - } - ''; - }; - }; - }; - - # give the container access to the external internet (necessary for - # fetching content from other instances). Doesn't appear to work with - # IPv6, though ... - networking.nat = { - enable = true; - internalInterfaces = [ "ve-pleroma" ]; - externalInterface = "ens3"; - - }; - networking.firewall.allowedTCPPorts = [ 10022 ]; - - services.nginx.virtualHosts."pleroma.stuebinm.eu" = { - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://${config.containers.pleroma.localAddress}:4000"; - proxyWebsockets = true; - # these headers are in the example config in the NixOS manual. - # take some time to figure out what they all do, and if these - # are necessary - extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; - add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; - if ($request_method = OPTIONS) { - return 204; - } - add_header X-XSS-Protection "1; mode=block"; - add_header X-Permitted-Cross-Domain-Policies none; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-Download-Options noopen; - client_max_body_size 16m; - ''; - }; - }; -} -- cgit v1.2.3