{config, pkgs, inputs, system, ...}: let unstable = import inputs.nixpkgs-unstable { inherit system; }; in { containers.pleroma = { autoStart = true; privateNetwork = true; hostAddress = "192.168.42.30"; localAddress = "192.168.42.31"; hostAddress6 = "fd00::42:30"; localAddress6 = "fd00::42:31"; config = {pkgs, config, ...}: { # generating the manual will fail when mixing nixos channels, # so disable it here or this won't build at all. documentation.enable = false; imports = [ ("${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/akkoma.nix") ]; system.stateVersion = "22.11"; services.akkoma = { enable = true; # this is barely necessary at this point — all that's # set in here is the default_signer for joken, and the # secret_key_base and signing_salt for phoenix. # secretConfigFile = "/var/lib/pleroma/secrets.exs"; package = unstable.akkoma; frontends = { primary = { package = unstable.akkoma-frontends.pleroma-fe; name = "pleroma-fe"; ref = "stable"; }; admin = { package = unstable.akkoma-frontends.admin-fe; name = "admin-fe"; ref = "stable"; }; }; config = { ":pleroma"."Pleroma.Web.Endpoint" = { "url" = { host = "pleroma.stuebinm.eu"; scheme = "https"; port = 443; }; "http" = {ip = "0.0.0.0"; port = 4000; }; secret_key_base._secret = "/secret/secret_key_base"; signing_salt._secret = "/secret/signing_salt"; }; ":joken".":default_signer"._secret = "/secret/joken_default_signer"; ":pleroma" = { ":instance" = { name = "Pleroma"; limit = 5000; registrations_open = false; federating = true; healthcheck = true; allow_relay = true; description = "a test instance"; email = "dings@dings"; }; ":media_proxy" = { enabled = false; redirect_on_failure = true; }; "Pleroma.Upload" = { filters = [ "Pleroma.Upload.Filter.Exiftool" "Pleroma.Upload.Filter.AnonymizeFilename" "Pleroma.Upload.Filter.Dedupe" ]; }; "Pleroma.Uploaders.Local".uploads = "/var/lib/pleroma/uploads"; "Pleroma.Repo" = { adapter = "Ecto.Adapters.Postgres"; username = "pleroma"; database = "pleroma"; socket_dir = "/run/postgresql"; pool_size = 10; # prepare = ":named"; show_sensitive_data_on_connection_error = true; parameters = { plan_cache_mode = "force_custom_plan"; }; }; ":database".run_enabled = false; ":configurable_from_database" = false; # ":instance".static_dir = "/var/lib/pleroma/static"; }; }; }; # otherwise, the exiftool will fail to run systemd.services.akkoma.path = [ pkgs.exiftool ]; services.postgresql = { enable = true; package = pkgs.postgresql_12; ensureDatabases = [ "pleroma" ]; ensureUsers = [ { name = "pleroma"; ensurePermissions."DATABASE pleroma" = "ALL PRIVILEGES"; } ]; # give pleroma access. must be done with lib.mkForce, for some reason authentication = pkgs.lib.mkForce '' # Generated file; do not edit! local all all trust host pleroma akkoma ::1/128 trust ''; # pleroma wants to do some initial config on startup, which it # can't do by itself since those needs superuser access # # unfortunatly, this is executed /before/ the database is created, # i.e. we have to create user and database by hand, even though # they would otherwise created by ensureUsers / ensureDatabse. # Using those does still prevent us from accidentally deleting # them, though (but not from deleting the database's content!) initialScript = pkgs.writeScript "postgres-pleroma-initial" '' CREATE USER pleroma; CREATE DATABASE pleroma OWNER pleroma; \c pleroma; --Extensions made by ecto.migrate that need superuser access CREATE EXTENSION IF NOT EXISTS citext; CREATE EXTENSION IF NOT EXISTS pg_trgm; CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; ''; }; networking.firewall.allowedTCPPorts = [ 4000 10022 ]; services.coredns = { enable = true; config = '' .:53 { forward . 1.1.1.1 } ''; }; }; }; # give the container access to the external internet (necessary for # fetching content from other instances). Doesn't appear to work with # IPv6, though ... networking.nat = { enable = true; internalInterfaces = [ "ve-pleroma" ]; externalInterface = "ens3"; }; networking.firewall.allowedTCPPorts = [ 10022 ]; services.nginx.virtualHosts."pleroma.stuebinm.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://${config.containers.pleroma.localAddress}:4000"; proxyWebsockets = true; # these headers are in the example config in the NixOS manual. # take some time to figure out what they all do, and if these # are necessary extraConfig = '' add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; if ($request_method = OPTIONS) { return 204; } add_header X-XSS-Protection "1; mode=block"; add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy same-origin; add_header X-Download-Options noopen; client_max_body_size 16m; ''; }; }; }