mermet: pleroma: add comments
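{ pkgs, lib, config, ... }:
let
  domain = "autogeree.net";
  srv = "pleroma";
  # The PostgreSQL role and the database are both named after the service
  # and the domain, so several instances could share one cluster.
  owner = "${srv}-${domain}";
  db = "${srv}-${domain}";
  # Loopback port of the Phoenix endpoint; only the nginx upstream below
  # talks to it.
  port = 4000;
  inherit (config.services) postgresql;
  inherit (config.users) groups;

  # Non-secret part of the Elixir configuration, in the shape produced by
  # `pleroma_ctl instance gen`.  Secrets (secret_key_base, salts, ...) are
  # NOT here: they come from the encrypted systemd credential exposed as
  # `secretConfigFile` below.
  # pleroma_ctl instance gen
  # https://git.pleroma.social/pleroma/pleroma/blob/develop/config/config.exs
  # config :pleroma, :dangerzone,
  #   override_repo_pool_size: true
  pleroma-conf = ''
    import Config

    # Public URL is the HTTPS vhost served by nginx; the endpoint itself binds
    # to 127.0.0.1 only, so it is unreachable except through the reverse proxy.
    config :pleroma, Pleroma.Web.Endpoint,
      url: [host: "${srv}.${domain}", scheme: "https", port: 443],
      http: [ip: {127, 0, 0, 1}, port: ${toString port}]

    # Pleroma emits Strict-Transport-Security itself.
    config :pleroma, :http_security,
      sts: true

    config :pleroma, Pleroma.Web.WebFinger, domain: "${domain}"

    # Registrations are closed; accounts are created by invitation or with the
    # command below (run as the service user, with the release cookie):
    # RELEASE_COOKIE="/var/lib/pleroma/.cookie" \
    # pleroma_ctl user new $user $user+pleroma@autogeree.net --password "$password" --moderator --admin -y
    config :pleroma, :instance,
      name: "${domain}",
      email: "root+${srv}@${domain}",
      notify_email: "root+${srv}@${domain}",
      limit: 5000,
      registrations_open: false,
      invites_enabled: true,
      description: "Pleroma: An efficient and flexible fediverse server",
      short_description: "",
      background_image: "/images/city.jpg",
      instance_thumbnail: "/instance/thumbnail.jpeg",
      max_pinned_statuses: 4

    # Remote media is fetched through this instance (served under /proxy and
    # cached by nginx below).  This used to be two `:media_proxy` stanzas, the
    # first saying `enabled: false` and the last `enabled: true`; Config
    # deep-merges repeated stanzas so only the last `enabled:` took effect.
    # They are folded into one stanza with the same effective values.
    config :pleroma, :media_proxy,
      enabled: true,
      redirect_on_failure: true,
      proxy_opts: [
        redirect_on_failure: true
      ]
      #base_url: "https://cache.pleroma.social"

    config :pleroma, :markup,
      allow_inline_images: true,
      allow_headings: true,
      allow_tables: true

    # pleroma_ctl email test --to julm+pleroma@autogeree.net
    # Mail goes out through the NixOS security wrapper for sendmail.  That
    # wrapper needs to gain privileges, which is why the systemd unit below
    # forces NoNewPrivileges off.
    config :pleroma, Pleroma.Emails.Mailer, [
      adapter: Swoosh.Adapters.Sendmail,
      enabled: true,
      cmd_path: "/run/wrappers/bin/sendmail",
      cmd_args: ""
    ]

    # Database access goes over the unix socket, without a password: the role
    # is authenticated by PostgreSQL peer auth through the identMap declared
    # in services.postgresql below.
    config :pleroma, Pleroma.Repo,
      adapter: Ecto.Adapters.Postgres,
      username: "${owner}",
      socket_dir: "/run/postgresql",
      database: "${db}",
      pool_size: 10,
      prepare: :named,
      # https://docs-develop.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans
      parameters: [
        plan_cache_mode: "force_custom_plan"
      ]

    config :pleroma, :database, rum_enabled: false
    # Both directories live on the ZFS dataset snapshotted by sanoid below.
    config :pleroma, :instance, static_dir: "/var/lib/${srv}/static"
    config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/${srv}/uploads"
    # Keep the configuration declarative: it cannot be edited from the
    # database (admin frontend) at run time, only here and in the credential.
    config :pleroma, configurable_from_database: false
    # Scrub location metadata from uploads before they are published; both
    # filters shell out to exiftool, which is added to the unit's path below.
    config :pleroma, Pleroma.Upload, filters: [
      Pleroma.Upload.Filter.Exiftool.StripLocation,
      Pleroma.Upload.Filter.Exiftool.ReadDescription
    ]

    # https://docs-develop.pleroma.social/backend/configuration/howto_proxy/
    #config :pleroma, :http, proxy_url: {:socks5, :localhost, 9050}
    # Message Rewrite Facility: policies applied to incoming activities.
    # SimplePolicy / TagPolicy have no rules here; their lists are expected to
    # come from the secret config or to be empty.
    config :pleroma, :mrf,
      policies: [
        Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy,
        Pleroma.Web.ActivityPub.MRF.TagPolicy,
        Pleroma.Web.ActivityPub.MRF.SimplePolicy
      ]
  '';
in
{
  services = {
    pleroma = {
      enable = true;
      configs = [ pleroma-conf ];
      # Secret config.exs, decrypted by systemd from the LoadCredentialEncrypted
      # entry below and only visible to this unit.
      secretConfigFile = "/run/credentials/${srv}.service/config.exs";
    };
    nginx = {
      enable = true;
      upstreams.${srv} = {
        servers."127.0.0.1:${toString port}" = {
          max_fails = 5;
          fail_timeout = "60s";
        };
        extraConfig = ''
        '';
      };
      # On-disk cache for the media proxy responses served under /proxy.
      proxyCachePath."${domain}/${srv}/proxy" = {
        enable = true;
        inactive = "720m";
        keysZoneName = "${domain}/${srv}/proxy";
        keysZoneSize = "10m";
        levels = "1:2";
        maxSize = "10g";
        useTempPath = false;
      };

      # WebFinger discovery for the bare domain is delegated to the instance
      # vhost (the instance announces `domain` as its WebFinger domain above).
      virtualHosts.${domain} = {
        locations."/.well-known/host-meta" = {
          return = "301 https://${srv}.${domain}$request_uri";
        };
      };
      virtualHosts."${srv}.${domain}" = {
        forceSSL = true;
        useACMEHost = domain;
        extraConfig = ''
          # NOTE(review): assumes a `log_format json` is declared elsewhere in
          # the nginx config -- confirm.
          access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
          error_log /var/log/nginx/${domain}/${srv}/error.log;
        '';
        locations."/" = {
          proxyPass = "http://${srv}";
          extraConfig = ''
            # CORS: the Mastodon/Pleroma API is used by web clients hosted on
            # other origins, which authenticate with a bearer token in the
            # Authorization header.  With a wildcard origin and no
            # Access-Control-Allow-Credentials, browsers do not attach cookies,
            # so this does not expose cookie-authenticated state.
            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
            add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
            # Preflight requests are answered by nginx; the add_header lines
            # above are inherited into this if-block since it declares none.
            if ($request_method = OPTIONS) {
              return 204;
            }
            # Browser hardening headers.  NOTE(review): Pleroma's :http_security
            # plug also sets most of these, so responses may carry duplicates;
            # confirm which side is meant to be authoritative.
            add_header Referrer-Policy same-origin;
            add_header X-Content-Type-Options nosniff;
            add_header X-Download-Options noopen;
            add_header X-Frame-Options DENY;
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-XSS-Protection "1; mode=block";
            # Upload size limit enforced at the edge, before Pleroma sees the body.
            client_max_body_size 16m;
            proxy_connect_timeout 90;
            proxy_http_version 1.1;
            proxy_read_timeout 90;
            proxy_redirect off;
            proxy_send_timeout 90;
            # WebSocket (streaming API) pass-through.
            proxy_set_header Connection "upgrade";
            proxy_set_header Upgrade $http_upgrade;
          '';
        };
        # Media proxy: remote (untrusted) media, cached locally.
        # NOTE(review): no add_header here, and nginx does not inherit the
        # headers of `location /` into a sibling location, so these responses
        # only carry the headers the upstream sets -- confirm nosniff is among
        # them.
        locations."/proxy" = {
          proxyPass = "http://${srv}";
          extraConfig = ''
            proxy_cache ${domain}/${srv}/proxy;
            proxy_cache_lock on;
            proxy_ignore_client_abort on;
          '';
        };
      };
    };
    postgresql = {
      # Peer authentication: the local root and pleroma system users may
      # connect as the database owner role (no password is set on it).
      identMap = ''
        # MAPNAME SYSTEM-USERNAME PG-USERNAME
        user root ${owner}
        user ${srv} ${owner}
      '';
    };
    # ZFS snapshots of /var/lib/pleroma (uploads, static files, release cookie).
    sanoid.datasets."rpool/var/lib/${srv}" = {
      use_template = [ "snap" ];
      daily = 31;
      monthly = 3;
      recursive = true;
    };
  };
  systemd.services = {
    nginx = {
      serviceConfig = {
        # Per-domain log directory referenced by access_log/error_log above.
        LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
      };
    };
    pleroma = {
      path = [
        # For the Pleroma.Upload.Filter.Exiftool.* filters
        pkgs.exiftool
        # For RELEASE_COOKIE
        pkgs.hexdump
        # For rand()
        pkgs.gawk
      ];
      environment.RELEASE_VM_ARGS = pkgs.writeText "vm.args" ''
        # Disable the busy-waiting.
        # https://docs-develop.pleroma.social/backend/configuration/optimizing_beam/#virtual-machine-andor-few-cpu-cores
        +sbwt none
        +sbwtdcpu none
        +sbwtdio none
      '';
      unitConfig = {
        StartLimitBurst = 5;
        StartLimitIntervalSec = "600s";
      };
      serviceConfig = {
        # Secret part of config.exs, encrypted with systemd-creds for this host;
        # decrypted at start into /run/credentials/pleroma.service/config.exs.
        LoadCredentialEncrypted = [ "config.exs:${./pleroma/config.exs.cred}" ];
        # NOTE(review): presumably for access to the /run/postgresql socket
        # directory -- verify it is still required with peer auth.
        SupplementaryGroups = [ groups."postgres".name ];
        TimeoutStopSec = "10s";
        Restart = "on-failure";
        RestartSec = "10s";
        # For sendmail: the Mailer execs /run/wrappers/bin/sendmail, which
        # cannot gain privileges under NoNewPrivileges.  This relaxes the
        # module's hardening for the whole unit, not just for sendmail; an SMTP
        # adapter talking to a local relay would let it stay enabled.
        NoNewPrivileges = lib.mkForce false;
      };
    };
    postgresql = {
      # Create the database and its owner role (pg_createdb / pg_adduser are
      # helpers defined elsewhere in this configuration).  `pass=""`: no
      # password, the role is only reachable over the socket via peer auth.
      # NOTE(review): PostgreSQL's parameter is LC_CTYPE; confirm that
      # pg_createdb really expects `lc_type` rather than `lc_ctype`.
      postStart = lib.mkAfter ''
        connection_limit=64 \
        encoding=UTF8 \
        lc_collate=fr_FR.UTF-8 \
        lc_type=fr_FR.UTF-8 \
        owner="${owner}" \
        pass="" \
        pg_createdb "${db}" >/dev/null
        pg_adduser "${db}" "${owner}" >/dev/null

        $PSQL -d "${db}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
        --Extensions made by ecto.migrate that need superuser access
        CREATE EXTENSION IF NOT EXISTS citext;
        CREATE EXTENSION IF NOT EXISTS pg_trgm;
        CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
        EOF
      '';
    };
  };
}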