repo init: contains the current uninsane.org definition

configuration.nix

@@ -0,0 +1,122 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./fs-configuration.nix
+      ./services-conf/gitea-configuration.nix
+      ./services-conf/jellyfin-configuration.nix
+      ./services-conf/matrix-configuration.nix
+      ./services-conf/nginx-configuration.nix
+      ./services-conf/pleroma-configuration.nix
+      ./services-conf/postgres-configuration.nix
+      ./user-configuration.nix
+    ];
+
+  nixpkgs.overlays = [
+    (self: super: {
+      pleroma = super.callPackage ./pkgs/pleroma { };
+    })
+  ];
+
+  # TODO colin: re-enable the firewall
+  networking.firewall.enable = false;
+
+  # XXX colin: UNMODIFIED DEFAULTS BELOW
+
+  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
+  boot.loader.grub.enable = false;
+  # Enables the generation of /boot/extlinux/extlinux.conf
+  boot.loader.generic-extlinux-compatible.enable = true;
+
+  # networking.hostName = "nixos"; # Define your hostname.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+  # Per-interface useDHCP will be mandatory in the future, so this generated config
+  # replicates the default behaviour.
+  networking.useDHCP = false;
+  networking.interfaces.eth0.useDHCP = true;
+  networking.interfaces.wlan0.useDHCP = true;
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  # };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+
+  
+
+  # Configure keymap in X11
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # sound.enable = true;
+  # hardware.pulseaudio.enable = true;
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.jane = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  # };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  # environment.systemPackages = with pkgs; [
+  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+  #   wget
+  #   firefox
+  # ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
+
+}
+

fs-configuration.nix

@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+
+{
+  fileSystems."/mnt/storage" = {
+    device = "/dev/disk/by-uuid/2be70d38-79f4-41b6-bee2-bce5a25f8f7b";
+    fsType = "ext4";
+  };
+
+  fileSystems."/var/lib/pleroma" = {
+    device = "/mnt/storage/opt/pleroma.nix";
+    options = [ "bind" ];
+  };
+
+  # swapDevices = [ 
+  #   { device = "/swapfile"; size = 4096; }
+  # ];
+}
+

hardware-configuration.nix

@@ -0,0 +1,22 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
+      fsType = "ext4";
+    };
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}

pkgs/pleroma/default.nix

@@ -0,0 +1,236 @@
+{ lib, beamPackages
+, fetchFromGitHub, fetchFromGitLab
+, file, cmake, bash
+, nixosTests, writeText
+, cookieFile ? "/var/lib/pleroma/.cookie"
+, ...
+}:
+
+beamPackages.mixRelease rec {
+  pname = "pleroma";
+  version = "2.4.51";
+
+  src = fetchFromGitLab {
+    domain = "git.pleroma.social";
+    owner = "pleroma";
+    repo = "pleroma";
+    rev = "a5d7e98de0ed7989d80e4698155676488afbb423";
+    # compute with `nix to-sri sha256:<output from failed nix build>`
+    sha256 = "sha256-CvhqlpCxmEIYTtGqCMCUCVq8Y71J95l6W6FRJMXvSL8=";
+  };
+
+  preFixup = if (cookieFile != null) then ''
+    # There's no way to use a subprocess to cat the content of the
+    # file cookie using wrapProgram: it gets escaped (by design) with
+    # a pair of backticks :(
+    # We have to come up with our own custom wrapper to do this.
+    function wrapWithCookie () {
+        local hidden
+        hidden="$(dirname "$1")/.$(basename "$1")"-wrapped
+        while [ -e "$hidden" ]; do
+            hidden="''${hidden}_"
+        done
+        mv "$1" "''${hidden}"
+
+        cat > "$1" << EOF
+    #!${bash}/bin/bash
+    export RELEASE_COOKIE="\$(cat "${cookieFile}")"
+    exec -a "\$0" "''${hidden}" "\$@"
+    EOF
+        chmod +x "$1"
+    }
+
+    for f in "$out"/bin/*; do
+        if [[ -x "$f" ]]; then
+            wrapWithCookie "$f"
+        fi
+    done
+  '' else "";
+
+  mixNixDeps = import ./mix.nix {
+    inherit beamPackages lib;
+    overrides = (final: prev: {
+      # mix2nix does not support git dependencies yet,
+      # so we need to add them manually
+      gettext = beamPackages.buildMix rec {
+        name = "gettext";
+        version = "0.19.1";
+
+        src = fetchFromGitHub {
+          owner = "tusooa";
+          repo = "gettext";
+          rev = "72fb2496b6c5280ed911bdc3756890e7f38a4808";
+          sha256 = "V0qmE+LcAbVoWsJmWE4fwrduYFIZ5BzK/sGzgLY3eH0=";
+        };
+        beamDeps = with final; [ ];
+      };
+      crypt = beamPackages.buildRebar3 rec {
+        name = "crypt";
+        version = "0.4.3";
+
+        src = fetchFromGitHub {
+          owner = "msantos";
+          repo = "crypt";
+          rev = "f75cd55325e33cbea198fb41fe41871392f8fb76";
+          sha256 = "sha256-ZYhZTe7cTITkl8DZ4z2IOlxTX5gnbJImu/lVJ2ZjR1o=";
+        };
+
+        postInstall = "mv $out/lib/erlang/lib/crypt-${version}/priv/{source,crypt}.so";
+
+        beamDeps = with final; [ elixir_make ];
+      };
+      prometheus_ex = beamPackages.buildMix rec {
+        name = "prometheus_ex";
+        version = "3.0.5";
+
+        src = fetchFromGitLab {
+          domain = "git.pleroma.social";
+          group = "pleroma";
+          owner = "elixir-libraries";
+          repo = "prometheus.ex";
+          rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
+          sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
+        };
+        beamDeps = with final; [ prometheus ];
+      };
+      prometheus_phx = beamPackages.buildMix rec {
+        name = "prometheus_phx";
+        version = "0.1.1";
+
+        preBuild = ''
+          touch config/prod.exs
+       '';
+        src = fetchFromGitLab {
+          domain = "git.pleroma.social";
+          group = "pleroma";
+          owner = "elixir-libraries";
+          repo = "prometheus-phx";
+          rev = "9cd8f248c9381ffedc799905050abce194a97514";
+          sha256 = "0211z4bxb0bc0zcrhnph9kbbvvi1f2v95madpr96pqzr60y21cam";
+        };
+        beamDeps = with final; [ prometheus_ex ];
+      };
+      remote_ip = beamPackages.buildMix rec {
+        name = "remote_ip";
+        version = "0.1.5";
+
+        src = fetchFromGitLab {
+          domain = "git.pleroma.social";
+          group = "pleroma";
+          owner = "elixir-libraries";
+          repo = "remote_ip";
+          rev = "b647d0deecaa3acb140854fe4bda5b7e1dc6d1c8";
+          sha256 = "0c7vmakcxlcs3j040018i7bfd6z0yq6fjfig02g5fgakx398s0x6";
+        };
+        beamDeps = with final; [ combine plug inet_cidr ];
+      };
+      captcha = beamPackages.buildMix rec {
+        name = "captcha";
+        version = "0.1.0";
+
+        src = fetchFromGitLab {
+          domain = "git.pleroma.social";
+          group = "pleroma";
+          owner = "elixir-libraries";
+          repo = "elixir-captcha";
+          rev = "e0f16822d578866e186a0974d65ad58cddc1e2ab";
+          sha256 = "0qbf86l59kmpf1nd82v4141ba9ba75xwmnqzpgbm23fa1hh8pi9c";
+        };
+        beamDeps = with final; [ ];
+      };
+
+      # majic needs a patch to build
+      majic = beamPackages.buildMix rec {
+        name = "majic";
+        version = "1.0.0";
+
+        src = beamPackages.fetchHex {
+          pkg = "${name}";
+          version = "${version}";
+          sha256 = "17hab8kmqc6gsiqicfgsaik0rvmakb6mbshlbxllj3b5fs7qa1br";
+        };
+
+        # src = fetchFromGitLab {
+        #   domain = "git.pleroma.social";
+        #   group = "pleroma";
+        #   owner = "elixir-libraries";
+        #   repo = "majic";
+        #   rev = "289cda1b6d0d70ccb2ba508a2b0bd24638db2880";
+        #   sha256 = "15605lsdd74bmsp5z96f76ihn7m2g3p1hjbhs2x7v7309n1k108n";
+        # };
+        # patchPhase = ''
+        #   substituteInPlace lib/majic/server.ex --replace "erlang.now" "erlang.time"
+        # '';
+        buildInputs = [ file ];
+
+        beamDeps = with final; [ nimble_pool mime plug elixir_make ];
+      };
+
+
+      # Some additional build inputs and build fixes
+      http_signatures = prev.http_signatures.override {
+        patchPhase = ''
+          substituteInPlace mix.exs --replace ":logger" ":logger, :public_key"
+        '';
+      };
+      fast_html = prev.fast_html.override {
+        nativeBuildInputs = [ cmake ];
+        dontUseCmakeConfigure = true;
+      };
+      syslog = prev.syslog.override {
+        buildPlugins = with beamPackages; [ pc ];
+      };
+
+      # This needs a different version (1.0.14 -> 1.0.18) to build properly with
+      # our Erlang/OTP version.
+      eimp = beamPackages.buildRebar3 rec {
+        name = "eimp";
+        version = "1.0.18";
+
+        src = beamPackages.fetchHex {
+          pkg = name;
+          inherit version;
+          sha256 = "0fnx2pm1n2m0zs2skivv43s42hrgpq9i143p9mngw9f3swjqpxvx";
+        };
+
+        patchPhase = ''
+          echo '{plugins, [pc]}.' >> rebar.config
+        '';
+        buildPlugins = with beamPackages; [ pc ];
+
+        beamDeps = with final; [ p1_utils ];
+      };
+
+      mime = prev.mime.override {
+        patchPhase = let
+          cfgFile = writeText "config.exs" ''
+            use Mix.Config
+            config :mime, :types, %{
+              "application/activity+json" => ["activity+json"],
+              "application/jrd+json" => ["jrd+json"],
+              "application/ld+json" => ["activity+json"],
+              "application/xml" => ["xml"],
+              "application/xrd+xml" => ["xrd+xml"]
+            }
+          '';
+        in ''
+          mkdir config
+          cp ${cfgFile} config/config.exs
+        '';
+      };
+    });
+  };
+
+  passthru = {
+    tests.pleroma = nixosTests.pleroma;
+    inherit mixNixDeps;
+  };
+
+  meta = with lib; {
+    description = "ActivityPub microblogging server";
+    homepage = "https://git.pleroma.social/pleroma/pleroma";
+    license = licenses.agpl3;
+    maintainers = with maintainers; [ petabyteboy ninjatrappeur yuka kloenk ];
+    platforms = platforms.unix;
+  };
+}

pkgs/pleroma/updating.txt

@@ -0,0 +1,10 @@
+in default.nix:
+  update `rev` and recompute sha256.
+    use nix to-sri sha256:<expected>
+
+run mix2nix inside the pleroma git root and pipe the output into mix.nix
+  inside default.nix, update all git mix deps
+  inside mix.nix, change base64url to use buildRebar3 instead of buildMix
+
+move majic from mix.nix -> default.nix and add:
+  buildInputs = [ file ];

services-conf/gitea-configuration.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.gitea.enable = true;
+  services.gitea.user = "git";  # default is 'gitea'
+  services.gitea.database.type = "postgres";
+  services.gitea.database.user = "git";
+  services.gitea.appName = "Perfectly Sane Git";
+  services.gitea.domain = "git.uninsane.org";
+  services.gitea.rootUrl = "https://git.uninsane.org/";
+  services.gitea.cookieSecure = true;
+  # services.gitea.disableRegistration = true;
+}

services-conf/jellyfin-configuration.nix

@@ -0,0 +1,5 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.jellyfin.enable = true;
+}

services-conf/matrix-configuration.nix

@@ -0,0 +1,38 @@
+# docs: https://nixos.wiki/wiki/Matrix
+# docs: https://nixos.org/manual/nixos/stable/index.html#module-services-matrix-synapse
+{ config, pkgs, lib, ... }:
+
+{
+  services.matrix-synapse.enable = true;
+  services.matrix-synapse.server_name = "uninsane.org";
+
+  # services.matrix-synapse.enable_registration_captcha = true;
+  # services.matrix-synapse.enable_registration_without_verification = true;
+  services.matrix-synapse.enable_registration = true;
+  # services.matrix-synapse.registration_shared_secret = "<shared key goes here>";
+
+  # default for listeners is port = 8448, tls = true, x_forwarded = false.
+  # we change this because the server is situated behind nginx.
+  services.matrix-synapse.listeners = [
+    {
+      port = 8008;
+      bind_address = "127.0.0.1";
+      type = "http";
+      tls = false;
+      x_forwarded = true;
+      resources = [
+        {
+          names = [ "client" "federation" ];
+          compress = false;
+        }
+      ];
+    }
+  ];
+
+  services.matrix-synapse.extraConfig = ''
+    registration_requires_token: true
+  '';
+
+  # new users may be registered on the CLI:
+  # register_new_matrix_user -c /nix/store/8n6kcka37jhmi4qpd2r03aj71pkyh21s-homeserver.yaml http://localhost:8008
+}

services-conf/nginx-configuration.nix

@@ -0,0 +1,167 @@
+# docs: https://nixos.wiki/wiki/Nginx
+{ config, pkgs, lib, ... }:
+
+{
+  services.nginx.enable = true;
+  # services.nginx.config = pkgs.lib.readFile /etc/nixos/services/nginx.conf;
+  # services.nginx.httpConfig = ''
+  # server {
+  #   server_name uninsane.org;
+  #   listen 80;
+  #   location / {
+  #     root /home/nixos;
+  #     index index.html;
+  #   }
+  #   
+  #   location ~* \.(png|ico|gif|jpg|jpeg)$ {
+  #     expires 60m;
+  #   }
+
+  #   location /share/ {
+  #     autoindex on;
+  #   }
+  # }
+  # '';
+  services.nginx.virtualHosts."uninsane.org" = {
+    root = "/mnt/storage/opt/uninsane/root";
+    addSSL = true;
+    enableACME = true;
+
+    # allow matrix users to discover that user@uninsane.org is reachable via matrix.uninsane.org
+    locations."= /.well-known/matrix/server".extraConfig =
+      let
+        # use 443 instead of the default 8448 port to unite
+        # the client-server and server-server port for simplicity
+        server = { "m.server" = "matrix.uninsane.org:443"; };
+      in ''
+        add_header Content-Type application/json;
+        return 200 '${builtins.toJSON server}';
+      '';
+    locations."= /.well-known/matrix/client".extraConfig =
+      let
+        client = {
+          "m.homeserver" =  { "base_url" = "https://matrix.uninsane.org"; };
+          "m.identity_server" =  { "base_url" = "https://vector.im"; };
+        };
+      # ACAO required to allow element-web on any URL to request this json file
+      in ''
+        add_header Content-Type application/json;
+        add_header Access-Control-Allow-Origin *;
+        return 200 '${builtins.toJSON client}';
+      '';
+  };
+
+  services.nginx.virtualHosts."fed.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:4000";
+      extraConfig = ''
+        # XXX colin: this block is in the nixos examples: i don't understand all of it
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
+        add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
+        if ($request_method = OPTIONS) {
+            return 204;
+        }
+
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Permitted-Cross-Domain-Policies none;
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header Referrer-Policy same-origin;
+        add_header X-Download-Options noopen;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+
+	# colin: added this due to Pleroma complaining in its logs
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        client_max_body_size 16m;
+      '';
+    };
+  };
+
+  services.nginx.virtualHosts."matrix.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+
+    # TODO colin: replace this with something helpful to the viewer
+    # locations."/".extraConfig = ''
+    #   return 404;
+    # '';
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8008";
+    };
+
+    # locations."/_matrix" = {
+    #   proxyPass = "http://127.0.0.1:8008";
+    # };
+  };
+
+  services.nginx.virtualHosts."git.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:3000";
+    };
+  };
+
+  # this is mostly taken from the official jellfin.org docs
+  services.nginx.virtualHosts."jelly.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8096";
+      extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+      '';
+    };
+    # locations."/web/" = {
+    #   proxyPass = "http://127.0.0.1:8096/web/index.html";
+    #   extraConfig = ''
+    #     proxy_set_header Host $host;
+    #     proxy_set_header X-Real-IP $remote_addr;
+    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    #     proxy_set_header X-Forwarded-Protocol $scheme;
+    #     proxy_set_header X-Forwarded-Host $http_host;
+    #   '';
+    # };
+    locations."/socket" = {
+      proxyPass = "http://127.0.0.1:8096";
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+      '';
+    };
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.email = "acme@uninsane.org";
+}

services-conf/pleroma-configuration.nix

@@ -0,0 +1,72 @@
+# docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix
+#
+# to run it in a oci-container: https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix
+{ config, pkgs, lib, ... }:
+
+{
+  services.pleroma.enable = true;
+  # XXX colin: this isn't checked into git, so make sure to create it first:
+  services.pleroma.secretConfigFile = "/etc/nixos/services-conf/pleroma.secret.exs";
+  # services.pleroma.secretConfigFile = "/var/lib/pleroma/prod.secret.exs";
+  services.pleroma.configs = [
+    ''
+    import Config
+    
+    config :pleroma, Pleroma.Web.Endpoint,
+      url: [host: "fed.uninsane.org", scheme: "https", port: 443],
+      http: [ip: {127, 0, 0, 1}, port: 4000]
+    
+    config :pleroma, :instance,
+      name: "Perfectly Sane",
+      email: "dev@null",
+      notify_email: "dev@null",
+      limit: 5000,
+      registrations_open: false
+    
+    config :pleroma, :media_proxy,
+      enabled: false,
+      redirect_on_failure: true
+      #base_url: "https://cache.pleroma.social"
+    
+    config :pleroma, Pleroma.Repo,
+      adapter: Ecto.Adapters.Postgres,
+      username: "pleroma",
+      database: "pleroma",
+      hostname: "localhost",
+      pool_size: 10,
+      prepare: :named,
+      parameters: [
+          plan_cache_mode: "force_custom_plan"
+      ]
+    
+    config :pleroma, :database, rum_enabled: false
+    # config :pleroma, :instance, static_dir: "/mnt/storage/opt/pleroma.nix/instance/static"
+    # config :pleroma, Pleroma.Uploaders.Local, uploads: "/mnt/storage/opt/pleroma.nix/uploads"
+    config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
+    config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+    config :pleroma, configurable_from_database: false
+
+    config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool]
+
+
+    # (enabled by colin)
+    # Enable Strict-Transport-Security once SSL is working:
+    config :pleroma, :http_security,
+      sts: true
+    
+    # (added by colin; based on https://docs.pleroma.social/backend/configuration/cheatsheet/#logger)
+    config :logger,
+      backends: [:console, {ExSyslogger, :ex_syslogger}]
+    
+    config :logger, :ex_syslogger,
+      level: :warn
+    ''
+  ];
+
+  systemd.services.pleroma.path = [ 
+    # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
+    pkgs.bash 
+    # used by Pleroma to strip geo tags from uploads
+    pkgs.exiftool 
+  ];
+}

services-conf/postgres-configuration.nix

@@ -0,0 +1,15 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.postgresql.enable = true;
+  services.postgresql.dataDir = "/mnt/storage/opt/postgresql/13";
+  # XXX colin: for a proper deploy, we'd want to include something for Pleroma here too.
+  # services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+  #   CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '<password goes here>';
+  #   CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+  #     TEMPLATE template0
+  #     ENCODING = "UTF8"
+  #     LC_COLLATE = "C"
+  #     LC_CTYPE = "C";
+  # '';
+}

user-configuration.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }:
+
+# installer docs: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/installation-device.nix
+{
+  # Users are exactly these specified here;
+  # old ones will be deleted (from /etc/passwd, etc) upon upgrade.
+  users.mutableUsers = false;
+
+  # docs: https://nixpkgs-manual-sphinx-markedown-example.netlify.app/generated/options-db.xml.html#users-users
+  users.users.nixos = {
+    # sets group to "users" (?)
+    isNormalUser = true;
+    home = "/home/nixos";
+    uid = 1000;
+    # XXX colin: this is what the installer has, but is it necessary?
+    # group = "users";
+    extraGroups = [ "wheel" ];
+    initialHashedPassword = "";
+    shell = pkgs.bashInteractive;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGSDe/y0e9PSeUwYlMPjzhW0UhNsGAGsW3lCG3apxrD5 colin@colin.desktop"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+MZ/l5d8g5hbxMB9ed1uyvhV85jwNrSVNVxb5ujQjw colin@colin.laptop"
+    ];
+    packages = [
+      pkgs.fd
+      pkgs.file
+      pkgs.git
+      pkgs.htop
+      pkgs.matrix-synapse
+      pkgs.mix2nix
+      pkgs.nmap
+      pkgs.ripgrep
+      pkgs.sudo
+      (pkgs.vim_configurable.customize {
+        name = "vim";
+        vimrcConfig.customRC = ''
+          " wtf vim project: NOBODY LIKES MOUSE FOR VISUAL MODE
+          set mouse-=a
+        '';
+      })
+    ];
+  };
+
+  # Automatically log in at the virtual consoles.
+  services.getty.autologinUser = "nixos";
+
+  security.sudo = {
+    enable = lib.mkDefault true;
+    wheelNeedsPassword = lib.mkForce false;
+  };
+
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+  };
+
+  # gitea doesn't create the git user
+  users.users.git = {
+    description = "Gitea Service";
+    home = "/var/lib/gitea";
+    useDefaultShell = true;
+    group = "gitea";
+    isSystemUser = true;
+  };
+}