nix: update input julm-nix
[sourcephile-nix.git] / hosts / mermet / pleroma.nix
index 78437aa39cfb0da083d851e0a2facab85cda8040..25170880b18b587c05e1274b498a2fdb80b84d74 100644 (file)
@@ -10,8 +10,6 @@ let
 
   # pleroma_ctl instance gen
   # https://git.pleroma.social/pleroma/pleroma/blob/develop/config/config.exs
-  # config :pleroma, :dangerzone,
-  #   override_repo_pool_size: true
   pleroma-conf = ''
     import Config
 
@@ -57,12 +55,22 @@ let
       cmd_args: ""
     ]
 
+    config :pleroma, :dangerzone,
+      override_repo_pool_size: true
+
     config :pleroma, Pleroma.Repo,
       adapter: Ecto.Adapters.Postgres,
       username: "${owner}",
       socket_dir: "/run/postgresql",
       database: "${db}",
-      pool_size: 10,
+      migration_lock: :pg_advisory_lock,
+      pool_size: 5,
+      # Database task queue timeout to avoid timeouts on the front end
+      # due to a slow postgresql, eg. because of a CPUQuota= hardening.
+      queue_target: 20_000,
+      queue_interval: 1_000,
+      ownership_timeout: 20_000,
+      timeout: 40_000,
       prepare: :named,
       # https://docs-develop.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans
       parameters: [
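Review bot: `ownership_timeout: 20_000` on the new `Pleroma.Repo` block is, as far as I recall, only honoured by `Ecto.Adapters.SQL.Sandbox` (the test-only pool), so on the production Postgres pool it is inert config that a later reader may mistake for a real safeguard; either drop it or mark it with `# no effect outside the SQL sandbox pool`. The new `:dangerzone` block deserves a why-comment too, since it switches off the start-up check that (as I understand Pleroma's application requirements) refuses any `pool_size` other than 10: something like `# Required so Pleroma accepts pool_size below the default of 10`. The `Pleroma.Repo` config continues past the end of the hunk.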
@@ -98,8 +106,16 @@ in
   services = {
     pleroma = {
       enable = true;
-      configs = [ pleroma-conf ];
-      secretConfigFile = "/run/credentials/${srv}.service/config.exs";
+      configs = [
+        pleroma-conf
+        # Use $CREDENTIALS_DIRECTORY to work with both pleroma.service and pleroma-migrations.service
+        ''
+          import Config
+          cred_dir = System.get_env("CREDENTIALS_DIRECTORY")
+          import_config "#{cred_dir}/config.exs"
+        ''
+      ];
+      secretConfigFile = "/dev/null";
     };
     nginx = {
       enable = true;
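Review bot: The added shim config does not check that `CREDENTIALS_DIRECTORY` is actually set; when it is missing (e.g. `pleroma_ctl` run from an interactive shell rather than under one of the two units) `cred_dir` is `nil` and the import resolves to `/config.exs`, which fails with a misleading file-not-found error. Using `cred_dir = System.fetch_env!("CREDENTIALS_DIRECTORY")` fails fast with a message naming the variable instead. Note that the `import Config` line is duplicated here after `pleroma-conf`, which appears harmless but is worth a comment if it is deliberate because the string is evaluated separately. The `services` attribute set continues outside the hunk.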
@@ -171,9 +187,9 @@ in
     };
     postgresql = {
       identMap = ''
-        # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
-        user       root             ${owner}
-        user       ${srv}           ${owner}
+        # MAPNAME  SYSTEM-USERNAME    PG-USERNAME
+        user       root               ${owner}
+        user       ${srv}             ${owner}
       '';
     };
     sanoid.datasets."rpool/var/lib/${srv}" = {
@@ -189,6 +205,12 @@ in
         LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
       };
     };
+    pleroma-migrations = {
+      serviceConfig = {
+        LoadCredentialEncrypted = [ "config.exs:${./pleroma/config.exs.cred}" ];
+        SupplementaryGroups = [ groups."postgres".name ];
+      };
+    };
     pleroma = {
       path = [
         pkgs.exiftool
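Review bot: `SupplementaryGroups = [ groups."postgres".name ]` on the new `pleroma-migrations` unit grants group-level access to everything owned by the postgres group, but the reason is not recorded; presumably it is only needed to reach the `/run/postgresql` socket referenced by the repo config, and a comment such as `# Only for access to the /run/postgresql socket dir` would let a later reviewer verify that the grant is still the minimum required. If the unit also needs the `ExecStart`/`User` settings of `pleroma.service`, that is not visible in this hunk and should be checked against the module's definition. The enclosing `systemd.services` set starts before the hunk.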
@@ -214,6 +236,9 @@ in
         TimeoutStopSec = "10s";
         Restart = "on-failure";
         RestartSec = "10s";
+        MemoryAccounting = true;
+        MemoryHigh = "500M";
+        MemoryMax = "600M";
         # For sendmail
         NoNewPrivileges = lib.mkForce false;
       };
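Review bot: The new `MemoryHigh`/`MemoryMax` limits carry no rationale, unlike the database timeouts earlier in this change which explain their purpose; a short comment such as `# Throttle at 500M, let the cgroup OOM-kill at 600M (unit restarts via Restart=on-failure)` would record the intent and the expected failure mode. `MemoryAccounting = true` is, as far as I know, already the default on current systemd (`DefaultMemoryAccounting=yes`), so it may be left in for clarity but is likely redundant. The `serviceConfig` set starts before the hunk.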