]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/pleroma.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nix: update to nixos-24.11
[sourcephile-nix.git] / hosts / mermet / pleroma.nix
1 { pkgs, lib, config, ... }:
2 let
3 domain = "autogeree.net";
4 srv = "pleroma";
5 owner = "${srv}-${domain}";
6 db = "${srv}-${domain}";
7 port = 4000;
8 inherit (config.services) postgresql;
9 inherit (config.users) groups;
10
11 # pleroma_ctl instance gen
12 # https://git.pleroma.social/pleroma/pleroma/blob/develop/config/config.exs
13 pleroma-conf = ''
14 import Config
15
16 config :pleroma, Pleroma.Web.Endpoint,
17 url: [host: "${srv}.${domain}", scheme: "https", port: 443],
18 http: [ip: {127, 0, 0, 1}, port: ${toString port}]
19
20 config :pleroma, :http_security,
21 sts: true
22
23 config :pleroma, Pleroma.Web.WebFinger, domain: "${domain}"
24
25 # RELEASE_COOKIE="/var/lib/pleroma/.cookie" \
26 # pleroma_ctl user new $user $user+pleroma@autogeree.net --password "$password" --moderator --admin -y
27 config :pleroma, :instance,
28 name: "${domain}",
29 email: "root+${srv}@${domain}",
30 notify_email: "root+${srv}@${domain}",
31 limit: 5000,
32 registrations_open: false,
33 invites_enabled: true,
34 description: "Pleroma: An efficient and flexible fediverse server",
35 short_description: "",
36 background_image: "/images/city.jpg",
37 instance_thumbnail: "/instance/thumbnail.jpeg",
38 max_pinned_statuses: 4
39
40 config :pleroma, :media_proxy,
41 enabled: false,
42 redirect_on_failure: true
43 #base_url: "https://cache.pleroma.social"
44
45 config :pleroma, :markup,
46 allow_inline_images: true,
47 allow_headings: true,
48 allow_tables: true
49
50 # pleroma_ctl email test --to julm+pleroma@autogeree.net
51 config :pleroma, Pleroma.Emails.Mailer, [
52 adapter: Swoosh.Adapters.Sendmail,
53 enabled: true,
54 cmd_path: "/run/wrappers/bin/sendmail",
55 cmd_args: ""
56 ]
57
58 config :pleroma, :dangerzone,
59 override_repo_pool_size: true
60
61 config :pleroma, Pleroma.Repo,
62 adapter: Ecto.Adapters.Postgres,
63 username: "${owner}",
64 socket_dir: "/run/postgresql",
65 database: "${db}",
66 migration_lock: :pg_advisory_lock,
67 pool_size: 5,
68 # Database task queue timeout to avoid timeouts on the front end
69 # due to a slow postgresql, eg. because of a CPUQuota= hardening.
70 queue_target: 20_000,
71 queue_interval: 1_000,
72 ownership_timeout: 20_000,
73 timeout: 40_000,
74 prepare: :named,
75 # https://docs-develop.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans
76 parameters: [
77 plan_cache_mode: "force_custom_plan"
78 ]
79
80 config :pleroma, :database, rum_enabled: false
81 config :pleroma, :instance, static_dir: "/var/lib/${srv}/static"
82 config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/${srv}/uploads"
83 config :pleroma, configurable_from_database: false
84 config :pleroma, Pleroma.Upload, filters: [
85 Pleroma.Upload.Filter.Exiftool.StripLocation,
86 Pleroma.Upload.Filter.Exiftool.ReadDescription
87 ]
88
89 # https://docs-develop.pleroma.social/backend/configuration/howto_proxy/
90 #config :pleroma, :http, proxy_url: {:socks5, :localhost, 9050}
91 config :pleroma, :mrf,
92 policies: [
93 Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy,
94 Pleroma.Web.ActivityPub.MRF.TagPolicy,
95 Pleroma.Web.ActivityPub.MRF.SimplePolicy
96 ]
97
98 config :pleroma, :media_proxy,
99 enabled: true,
100 proxy_opts: [
101 redirect_on_failure: true
102 ];
103 '';
104 in
105 {
106 services = {
107 pleroma = {
108 enable = true;
109 configs = [
110 pleroma-conf
111 # Use $CREDENTIALS_DIRECTORY to work with both pleroma.service and pleroma-migrations.service
112 ''
113 import Config
114 cred_dir = System.get_env("CREDENTIALS_DIRECTORY")
115 import_config "#{cred_dir}/config.exs"
116 ''
117 ];
118 secretConfigFile = "/dev/null";
119 };
120 nginx = {
121 enable = true;
122 upstreams.${srv} = {
123 servers."127.0.0.1:${toString port}" = {
124 max_fails = 5;
125 fail_timeout = "60s";
126 };
127 extraConfig = ''
128 '';
129 };
130 proxyCachePath."${domain}/${srv}/proxy" = {
131 enable = true;
132 inactive = "720m";
133 keysZoneName = "${domain}/${srv}/proxy";
134 keysZoneSize = "10m";
135 levels = "1:2";
136 maxSize = "10g";
137 useTempPath = false;
138 };
139
140 virtualHosts.${domain} = {
141 locations."/.well-known/host-meta" = {
142 return = "301 https://${srv}.${domain}$request_uri";
143 };
144 };
145 virtualHosts."${srv}.${domain}" = {
146 forceSSL = true;
147 useACMEHost = domain;
148 extraConfig = ''
149 access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
150 error_log /var/log/nginx/${domain}/${srv}/error.log;
151 '';
152 locations."/" = {
153 proxyPass = "http://${srv}";
154 extraConfig = ''
155 add_header 'Access-Control-Allow-Origin' '*' always;
156 add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
157 add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
158 add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
159 if ($request_method = OPTIONS) {
160 return 204;
161 }
162 add_header Referrer-Policy same-origin;
163 add_header X-Content-Type-Options nosniff;
164 add_header X-Download-Options noopen;
165 add_header X-Frame-Options DENY;
166 add_header X-Permitted-Cross-Domain-Policies none;
167 add_header X-XSS-Protection "1; mode=block";
168 client_max_body_size 16m;
169 proxy_connect_timeout 90;
170 proxy_http_version 1.1;
171 proxy_read_timeout 90;
172 proxy_redirect off;
173 proxy_send_timeout 90;
174 proxy_set_header Connection "upgrade";
175 proxy_set_header Upgrade $http_upgrade;
176 '';
177 };
178 locations."/proxy" = {
179 proxyPass = "http://${srv}";
180 extraConfig = ''
181 proxy_cache ${domain}/${srv}/proxy;
182 proxy_cache_lock on;
183 proxy_ignore_client_abort on;
184 '';
185 };
186 };
187 };
188 postgresql = {
189 identMap = ''
190 # MAPNAME SYSTEM-USERNAME PG-USERNAME
191 user root ${owner}
192 user ${srv} ${owner}
193 '';
194 };
195 sanoid.datasets."rpool/var/lib/${srv}" = {
196 use_template = [ "snap" ];
197 daily = 31;
198 monthly = 3;
199 recursive = true;
200 };
201 };
202 systemd.services = {
203 nginx = {
204 serviceConfig = {
205 LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
206 };
207 };
208 pleroma-migrations = {
209 serviceConfig = {
210 LoadCredentialEncrypted = [ "config.exs:${./pleroma/config.exs.cred}" ];
211 SupplementaryGroups = [ groups."postgres".name ];
212 };
213 };
214 pleroma = {
215 path = [
216 pkgs.exiftool
217 # For RELEASE_COOKIE
218 pkgs.hexdump
219 # For rand()
220 pkgs.gawk
221 ];
222 environment.RELEASE_VM_ARGS = pkgs.writeText "vm.args" ''
223 # Disable the busy-waiting.
224 # https://docs-develop.pleroma.social/backend/configuration/optimizing_beam/#virtual-machine-andor-few-cpu-cores
225 +sbwt none
226 +sbwtdcpu none
227 +sbwtdio none
228 '';
229 unitConfig = {
230 StartLimitBurst = 5;
231 StartLimitIntervalSec = "600s";
232 };
233 serviceConfig = {
234 LoadCredentialEncrypted = [ "config.exs:${./pleroma/config.exs.cred}" ];
235 SupplementaryGroups = [ groups."postgres".name ];
236 TimeoutStopSec = "10s";
237 Restart = "on-failure";
238 RestartSec = "10s";
239 MemoryAccounting = true;
240 MemoryHigh = "500M";
241 MemoryMax = "600M";
242 # For sendmail
243 NoNewPrivileges = lib.mkForce false;
244 };
245 };
246 postgresql = {
247 postStart = lib.mkAfter ''
248 connection_limit=64 \
249 encoding=UTF8 \
250 lc_collate=fr_FR.UTF-8 \
251 lc_type=fr_FR.UTF-8 \
252 owner="${owner}" \
253 pass="" \
254 pg_createdb "${db}" >/dev/null
255 pg_adduser "${db}" "${owner}" >/dev/null
256
257 $PSQL -d "${db}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
258 --Extensions made by ecto.migrate that need superuser access
259 CREATE EXTENSION IF NOT EXISTS citext;
260 CREATE EXTENSION IF NOT EXISTS pg_trgm;
261 CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
262 EOF
263 '';
264 };
265 };
266 }
NixOS configurations for Sourcephile's infrastructure