213 lines
7.8 KiB
Nix
213 lines
7.8 KiB
Nix
# docs:
|
|
# - <https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/pleroma.nix>
|
|
# - <https://docs.pleroma.social/backend/configuration/cheatsheet/>
|
|
# example config:
|
|
# - <https://git.pleroma.social/pleroma/pleroma/-/blob/develop/config/config.exs>
|
|
#
|
|
# to run it in a oci-container: <https://github.com/barrucadu/nixfiles/blob/master/services/pleroma.nix>
|
|
#
|
|
# admin frontend: <https://fed.uninsane.org/pleroma/admin>
|
|
{ config, pkgs, ... }:
|
|
|
|
let
|
|
logLevel = "warn";
|
|
# logLevel = "debug";
|
|
in
|
|
{
|
|
sane.persist.sys.byStore.plaintext = [
|
|
{ user = "pleroma"; group = "pleroma"; path = "/var/lib/pleroma"; }
|
|
];
|
|
services.pleroma.enable = true;
|
|
services.pleroma.secretConfigFile = config.sops.secrets.pleroma_secrets.path;
|
|
services.pleroma.configs = [
|
|
''
|
|
import Config
|
|
|
|
config :pleroma, Pleroma.Web.Endpoint,
|
|
url: [host: "fed.uninsane.org", scheme: "https", port: 443],
|
|
http: [ip: {127, 0, 0, 1}, port: 4000]
|
|
# secret_key_base: "{secrets.pleroma.secret_key_base}",
|
|
# signing_salt: "{secrets.pleroma.signing_salt}"
|
|
|
|
config :pleroma, :instance,
|
|
name: "Perfectly Sane",
|
|
description: "Single-user Pleroma instance",
|
|
email: "admin.pleroma@uninsane.org",
|
|
notify_email: "notify.pleroma@uninsane.org",
|
|
limit: 5000,
|
|
registrations_open: true,
|
|
account_approval_required: true,
|
|
max_pinned_statuses: 5,
|
|
external_user_synchronization: true
|
|
|
|
# docs: https://hexdocs.pm/swoosh/Swoosh.Adapters.Sendmail.html
|
|
# test mail config with sudo -u pleroma ./bin/pleroma_ctl email test --to someone@somewhere.net
|
|
config :pleroma, Pleroma.Emails.Mailer,
|
|
enabled: true,
|
|
adapter: Swoosh.Adapters.Sendmail,
|
|
cmd_path: "${pkgs.postfix}/bin/sendmail"
|
|
|
|
config :pleroma, Pleroma.User,
|
|
restricted_nicknames: [ "admin", "uninsane", "root" ]
|
|
|
|
config :pleroma, :media_proxy,
|
|
enabled: false,
|
|
redirect_on_failure: true
|
|
#base_url: "https://cache.pleroma.social"
|
|
|
|
# see for reference:
|
|
# - `force_custom_plan`: <https://docs.pleroma.social/backend/configuration/postgresql/#disable-generic-query-plans>
|
|
config :pleroma, Pleroma.Repo,
|
|
adapter: Ecto.Adapters.Postgres,
|
|
username: "pleroma",
|
|
database: "pleroma",
|
|
hostname: "localhost",
|
|
pool_size: 10,
|
|
prepare: :named,
|
|
parameters: [
|
|
plan_cache_mode: "force_custom_plan"
|
|
]
|
|
# XXX: prepare: :named is needed only for PG <= 12
|
|
# prepare: :named,
|
|
# password: "{secrets.pleroma.db_password}",
|
|
|
|
# Configure web push notifications
|
|
config :web_push_encryption, :vapid_details,
|
|
subject: "mailto:notify.pleroma@uninsane.org"
|
|
# public_key: "{secrets.pleroma.vapid_public_key}",
|
|
# private_key: "{secrets.pleroma.vapid_private_key}"
|
|
|
|
# config :joken, default_signer: "{secrets.pleroma.joken_default_signer}"
|
|
|
|
config :pleroma, :database, rum_enabled: false
|
|
config :pleroma, :instance, static_dir: "/var/lib/pleroma/instance/static"
|
|
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
|
|
config :pleroma, configurable_from_database: false
|
|
|
|
# strip metadata from uploaded images
|
|
config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation]
|
|
|
|
# TODO: GET /api/pleroma/captcha is broken
|
|
# there was a nixpkgs PR to fix this around 2022/10 though.
|
|
config :pleroma, Pleroma.Captcha,
|
|
enabled: false,
|
|
method: Pleroma.Captcha.Native
|
|
|
|
|
|
# (enabled by colin)
|
|
# Enable Strict-Transport-Security once SSL is working:
|
|
config :pleroma, :http_security,
|
|
sts: true
|
|
|
|
# docs: https://docs.pleroma.social/backend/configuration/cheatsheet/#logger
|
|
config :logger,
|
|
backends: [{ExSyslogger, :ex_syslogger}]
|
|
|
|
config :logger, :ex_syslogger,
|
|
level: :${logLevel}
|
|
|
|
# policies => list of message rewriting facilities to be enabled
|
|
# transparence => whether to publish these rules in node_info (and /about)
|
|
config :pleroma, :mrf,
|
|
policies: [Pleroma.Web.ActivityPub.MRF.SimplePolicy],
|
|
transparency: true
|
|
|
|
# reject => { host, reason }
|
|
config :pleroma, :mrf_simple,
|
|
reject: [ {"threads.net", "megacorp"}, {"*.threads.net", "megacorp"} ]
|
|
# reject: [ [host: "threads.net", reason: "megacorp"], [host: "*.threads.net", reason: "megacorp"] ]
|
|
|
|
# XXX colin: not sure if this actually _does_ anything
|
|
# better to steal emoji from other instances?
|
|
# - <https://docs.pleroma.social/backend/configuration/cheatsheet/#mrf_steal_emoji>
|
|
config :pleroma, :emoji,
|
|
shortcode_globs: ["/emoji/**/*.png"],
|
|
groups: [
|
|
"Cirno": "/emoji/cirno/*.png",
|
|
"Kirby": "/emoji/kirby/*.png",
|
|
"Bun": "/emoji/bun/*.png",
|
|
"Yuru Camp": "/emoji/yuru_camp/*.png",
|
|
]
|
|
''
|
|
];
|
|
|
|
systemd.services.pleroma.path = [
|
|
# something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
|
|
pkgs.bash
|
|
# used by Pleroma to strip geo tags from uploads
|
|
pkgs.exiftool
|
|
# i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
|
|
pkgs.gawk
|
|
# needed for email operations like password reset
|
|
pkgs.postfix
|
|
];
|
|
|
|
systemd.services.pleroma.serviceConfig = {
|
|
# postgres can be slow to service early requests, preventing pleroma from starting on the first try
|
|
Restart = "on-failure";
|
|
RestartSec = "10s";
|
|
};
|
|
|
|
# systemd.services.pleroma.serviceConfig = {
|
|
# # required for sendmail. see https://git.pleroma.social/pleroma/pleroma/-/issues/2259
|
|
# NoNewPrivileges = lib.mkForce false;
|
|
# PrivateTmp = lib.mkForce false;
|
|
# CapabilityBoundingSet = lib.mkForce "~";
|
|
# };
|
|
|
|
# this is required to allow pleroma to send email.
|
|
# raw `sendmail` works, but i think pleroma's passing it some funny flags or something, idk.
|
|
# hack to fix that.
|
|
users.users.pleroma.extraGroups = [ "postdrop" ];
|
|
|
|
# Pleroma server and web interface
|
|
# TODO: enable publog?
|
|
services.nginx.virtualHosts."fed.uninsane.org" = {
|
|
forceSSL = true; # pleroma redirects to https anyway
|
|
enableACME = true;
|
|
# inherit kTLS;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:4000";
|
|
recommendedProxySettings = true;
|
|
# documented: https://git.pleroma.social/pleroma/pleroma/-/blob/develop/installation/pleroma.nginx
|
|
extraConfig = ''
|
|
# XXX colin: this block is in the nixos examples: i don't understand all of it
|
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
|
add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
|
|
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
|
|
add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
|
|
if ($request_method = OPTIONS) {
|
|
return 204;
|
|
}
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Permitted-Cross-Domain-Policies none;
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header Referrer-Policy same-origin;
|
|
add_header X-Download-Options noopen;
|
|
|
|
# proxy_http_version 1.1;
|
|
# proxy_set_header Upgrade $http_upgrade;
|
|
# proxy_set_header Connection "upgrade";
|
|
# # proxy_set_header Host $http_host;
|
|
# proxy_set_header Host $host;
|
|
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# colin: added this due to Pleroma complaining in its logs
|
|
# proxy_set_header X-Real-IP $remote_addr;
|
|
# proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# NB: this defines the maximum upload size
|
|
client_max_body_size 16m;
|
|
'';
|
|
};
|
|
};
|
|
|
|
sane.dns.zones."uninsane.org".inet.CNAME."fed" = "native";
|
|
|
|
sops.secrets."pleroma_secrets" = {
|
|
owner = config.users.users.pleroma.name;
|
|
};
|
|
}
|