username: "${owner}",
socket_dir: "/run/postgresql",
database: "${db}",
+ migration_lock: :pg_advisory_lock,
pool_size: 5,
+ # Database task queue timeout to avoid timeouts on the front end
+ # due to a slow postgresql, eg. because of a CPUQuota= hardening.
+ queue_target: 20_000,
+ queue_interval: 1_000,
+ ownership_timeout: 20_000,
+ timeout: 40_000,
prepare: :named,
# https://docs-develop.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans
parameters: [
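Review bot: `ownership_timeout: 20_000` at the tenth line of the hunk most likely has no effect in this deployment: as far as I recall that option is only honoured by the Ecto SQL sandbox pool used in tests, not by the production DBConnection pool, so it should either be dropped or its purpose stated in the comment. Raising `queue_target` from its default of tens of milliseconds to 20_000 also effectively disables the pool's load shedding, so under a sustained slow postgresql (the CPUQuota= case the comment mentions) requests queue until `timeout` instead of failing fast; that is a defensible trade-off, but the comment should say so, e.g. `# queue_target is deliberately large: prefer waiting on the pool over load shedding when postgresql is throttled`. The new timeouts should also be kept below whatever proxy read timeout nginx applies in front of pleroma, otherwise the front end still times out first. The enclosing config block starts before this hunk.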
services = {
pleroma = {
enable = true;
- configs = [ pleroma-conf ];
- secretConfigFile = "/run/credentials/${srv}.service/config.exs";
+ configs = [
+ pleroma-conf
+ # Use $CREDENTIALS_DIRECTORY to work with both pleroma.service and pleroma-migrations.service
+ ''
+ import Config
+ cred_dir = System.get_env("CREDENTIALS_DIRECTORY")
+ import_config "#{cred_dir}/config.exs"
+ ''
+ ];
+ secretConfigFile = "/dev/null";
};
nginx = {
enable = true;
};
postgresql = {
identMap = ''
- # MAPNAME SYSTEM-USERNAME PG-USERNAME
- user root ${owner}
- user ${srv} ${owner}
+ # MAPNAME SYSTEM-USERNAME PG-USERNAME
+ user root ${owner}
+ user ${srv} ${owner}
'';
};
sanoid.datasets."rpool/var/lib/${srv}" = {
LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
};
};
+ pleroma-migrations = {
+ serviceConfig = {
+ LoadCredentialEncrypted = [ "config.exs:${./pleroma/config.exs.cred}" ];
+ SupplementaryGroups = [ groups."postgres".name ];
+ };
+ };
pleroma = {
path = [
pkgs.exiftool
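Review bot: `cred_dir = System.get_env("CREDENTIALS_DIRECTORY")` in the inline Elixir config returns nil when the variable is unset (e.g. the service is started without any LoadCredential*= directive, or the config is evaluated outside systemd), so the next line silently resolves to `"/config.exs"` and the failure surfaces only as a confusing import error, or not at all if such a file happens to exist. Use `cred_dir = System.fetch_env!("CREDENTIALS_DIRECTORY")` so a missing credentials directory fails immediately with a clear message. The credential name `config.exs` used by the new pleroma-migrations `LoadCredentialEncrypted` must match the one pleroma.service loads, which is not visible in this hunk; a short comment next to the import naming that contract would help, e.g. `# both pleroma.service and pleroma-migrations.service must load a credential named config.exs`.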
RestartSec = "10s";
# For sendmail
NoNewPrivileges = lib.mkForce false;
+ MemoryAccounting = true;
+ MemoryHigh = "500M";
+ MemoryMax = "600M";
+ CPUAccounting = true;
+ CPUWeight = "idle";
+ CPUQuota = "50%";
+ CPUSchedulingPolicy = "idle";
+ IOSchedulingClass = "idle";
+ # 0: high priority, 7: low priority
+ IOSchedulingPriority = 7;
+ Nice = 16;
};
};
postgresql = {
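Review bot: `IOSchedulingPriority = 7` is, as far as I recall from systemd.exec(5) and ionice, not meaningful together with `IOSchedulingClass = "idle"`, since the idle class has no priority levels; either drop the line or switch to `IOSchedulingClass = "best-effort"` if the priority is what is wanted. Combining `CPUWeight = "idle"`, `CPUSchedulingPolicy = "idle"` and `CPUQuota = "50%"` means the BEAM only gets CPU when nothing else on the host wants it, so any unrelated load can stall request handling well beyond the 40s database timeout added elsewhere in this change; the intent deserves a comment such as `# Pleroma is intentionally starved first under contention; raise these if front-end latency matters more than host responsiveness`. `MemoryMax = "600M"` will OOM-kill the whole VM rather than degrade gracefully, so it is worth noting how that number was chosen. The enclosing serviceConfig block starts before this hunk.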