nix: update input julm-nix
[sourcephile-nix.git] / hosts / mermet / pleroma.nix
index c89eeb0d6e14ad0d6b0474d1d14eb2b999f2927d..25170880b18b587c05e1274b498a2fdb80b84d74 100644 (file)
@@ -55,13 +55,24 @@ let
       cmd_args: ""
     ]
 
+    config :pleroma, :dangerzone,
+      override_repo_pool_size: true
+
     config :pleroma, Pleroma.Repo,
       adapter: Ecto.Adapters.Postgres,
       username: "${owner}",
       socket_dir: "/run/postgresql",
       database: "${db}",
-      pool_size: 10,
+      migration_lock: :pg_advisory_lock,
+      pool_size: 5,
+      # Database task queue timeout to avoid timeouts on the front end
+      # due to a slow postgresql, eg. because of a CPUQuota= hardening.
+      queue_target: 20_000,
+      queue_interval: 1_000,
+      ownership_timeout: 20_000,
+      timeout: 40_000,
       prepare: :named,
+      # https://docs-develop.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans
       parameters: [
         plan_cache_mode: "force_custom_plan"
       ]
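Review bot: `ownership_timeout: 20_000` is, as far as I know, only honoured by the `Ecto.Adapters.SQL.Sandbox` pool used in tests, so on this production repo it is most likely a no-op and could be dropped rather than suggest a protection that is not in effect. The new `config :pleroma, :dangerzone, override_repo_pool_size: true` block carries no comment saying which startup check it disables; since `pool_size` drops from 10 to 5 in the same hunk, presumably it bypasses Pleroma's minimum pool-size check, and a line such as `# Needed because pool_size below Pleroma's expected minimum would otherwise fail its startup check` would make the coupling explicit. The `CPUQuota=` hardening that the queue-timeout comment refers to is not visible in this diff, so the comment would read better if it named where that quota is set.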
@@ -95,8 +106,16 @@ in
   services = {
     pleroma = {
       enable = true;
-      configs = [ pleroma-conf ];
-      secretConfigFile = "/run/credentials/${srv}.service/config.exs";
+      configs = [
+        pleroma-conf
+        # Use $CREDENTIALS_DIRECTORY to work with both pleroma.service and pleroma-migrations.service
+        ''
+          import Config
+          cred_dir = System.get_env("CREDENTIALS_DIRECTORY")
+          import_config "#{cred_dir}/config.exs"
+        ''
+      ];
+      secretConfigFile = "/dev/null";
     };
     nginx = {
       enable = true;
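Review bot: `System.get_env("CREDENTIALS_DIRECTORY")` returns `nil` when the unit runs without a `LoadCredential*` directive (for example a manual `pleroma_ctl` or `mix` invocation), and interpolating `nil` yields the path `/config.exs`, so a stray file at the filesystem root would be imported silently instead of the missing credential being reported where it happens. `System.fetch_env!("CREDENTIALS_DIRECTORY")` raises with a clear message when the variable is absent, which is the behaviour wanted here. `secretConfigFile = "/dev/null"` presumably only satisfies a required option now that the secret is pulled in through `configs`; a short comment saying so would spare the next reader a detour through the module.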
@@ -168,9 +187,9 @@ in
     };
     postgresql = {
       identMap = ''
-        # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
-        user       root             ${owner}
-        user       ${srv}           ${owner}
+        # MAPNAME  SYSTEM-USERNAME    PG-USERNAME
+        user       root               ${owner}
+        user       ${srv}             ${owner}
       '';
     };
     sanoid.datasets."rpool/var/lib/${srv}" = {
@@ -186,6 +205,12 @@ in
         LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
       };
     };
+    pleroma-migrations = {
+      serviceConfig = {
+        LoadCredentialEncrypted = [ "config.exs:${./pleroma/config.exs.cred}" ];
+        SupplementaryGroups = [ groups."postgres".name ];
+      };
+    };
     pleroma = {
       path = [
         pkgs.exiftool
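Review bot: The `LoadCredentialEncrypted` and `SupplementaryGroups` entries added for `pleroma-migrations` duplicate the ones already on the `pleroma` unit further down (the same `config.exs:${./pleroma/config.exs.cred}` and `groups."postgres".name`), so a change to the credential path or the group would have to be made twice and can drift. Hoisting the pair into a `let` binding, e.g. `pleromaCredentials = { LoadCredentialEncrypted = [ ... ]; SupplementaryGroups = [ ... ]; };`, then `serviceConfig = pleromaCredentials;` here and `serviceConfig = pleromaCredentials // { ... };` on `pleroma`, keeps both units in sync. The enclosing services attribute set starts and ends outside this hunk.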
@@ -201,10 +226,19 @@ in
         +sbwtdcpu none
         +sbwtdio none
       '';
+      unitConfig = {
+        StartLimitBurst = 5;
+        StartLimitIntervalSec = "600s";
+      };
       serviceConfig = {
         LoadCredentialEncrypted = [ "config.exs:${./pleroma/config.exs.cred}" ];
         SupplementaryGroups = [ groups."postgres".name ];
         TimeoutStopSec = "10s";
+        Restart = "on-failure";
+        RestartSec = "10s";
+        MemoryAccounting = true;
+        MemoryHigh = "500M";
+        MemoryMax = "600M";
         # For sendmail
         NoNewPrivileges = lib.mkForce false;
       };
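Review bot: `MemoryHigh`/`MemoryMax` of 500M/600M, `Restart = "on-failure"` with `RestartSec = "10s"`, and `StartLimitBurst = 5` within `StartLimitIntervalSec = "600s"` interact but none of them is commented: a process killed at `MemoryMax` is restarted, and five such kills in ten minutes leave the unit in the failed state until `systemctl reset-failed`, so sustained memory pressure (a leak or request-driven growth) becomes a prolonged outage rather than a degraded service. A comment such as `# OOM kill at MemoryMax counts as a failure; 5 in 600s trips the start limit and the unit stays down` next to `MemoryMax` would record that trade-off, and the two sizes deserve a one-line provenance note (observed RSS plus headroom). `MemoryAccounting = true` is, if I recall correctly, implied by setting `MemoryHigh`/`MemoryMax` and could be dropped. The `serviceConfig` set closes on the hunk's last line, but the `pleroma` unit definition begins outside it.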