diff --git a/hosts/hades/default.nix b/hosts/hades/default.nix index c44a4a1..d573e98 100644 --- a/hosts/hades/default.nix +++ b/hosts/hades/default.nix @@ -99,6 +99,12 @@ in { port = 8084; }; + pleroma = { + enable = true; + port = 8086; + secretConfigFile = config.age.secrets."pleroma/pleroma-config".path; + }; + restic-backup = { enable = true; repo = "b2:hades-backup-alarsyo"; diff --git a/hosts/hades/secrets.nix b/hosts/hades/secrets.nix index 28b5d07..409fc21 100644 --- a/hosts/hades/secrets.nix +++ b/hosts/hades/secrets.nix @@ -28,6 +28,8 @@ "paperless/admin-password" = {}; "paperless/secret-key" = {}; + "pleroma/pleroma-config" = {}; + "restic-backup/hades-credentials" = {}; "restic-backup/hades-password" = {}; diff --git a/modules/secrets/pleroma/pleroma-config.age b/modules/secrets/pleroma/pleroma-config.age new file mode 100644 index 0000000..9b14639 Binary files /dev/null and b/modules/secrets/pleroma/pleroma-config.age differ diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index c5e3a36..112685e 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -24,6 +24,8 @@ in { "paperless/admin-password.age".publicKeys = [alarsyo hades]; "paperless/secret-key.age".publicKeys = [alarsyo hades]; + "pleroma/pleroma-config.age".publicKeys = [alarsyo hades]; + "restic-backup/boreal-password.age".publicKeys = [alarsyo boreal]; "restic-backup/boreal-credentials.age".publicKeys = [alarsyo boreal]; "restic-backup/hades-password.age".publicKeys = [alarsyo hades]; diff --git a/services/default.nix b/services/default.nix index c129d03..44c7def 100644 --- a/services/default.nix +++ b/services/default.nix @@ -16,6 +16,7 @@ ./paperless.nix ./photoprism.nix ./pipewire.nix + ./pleroma.nix ./postgresql-backup.nix ./postgresql.nix ./restic-backup.nix diff --git a/services/pleroma.nix b/services/pleroma.nix new file mode 100644 index 0000000..1016de3 --- /dev/null +++ b/services/pleroma.nix @@ -0,0 +1,106 @@ +{ + config, + lib, + pkgs, + ... +}: let + inherit + (lib) + mkEnableOption + mkIf + mkOption + ; + + cfg = config.my.services.pleroma; + my = config.my; + + domain = config.networking.domain; + hostname = config.networking.hostName; + fqdn = "${hostname}.${domain}"; +in { + options.my.services.jellyfin = let + inherit (lib) types; + in { + enable = mkEnableOption "Pleroma"; + + port = mkOption { + type = types.port; + default = 8080; + example = 8080; + description = "Pleroma server port"; + }; + + secretConfigFile = mkOption { + type = types.str; + default = "/var/lib/pleroma/secrets.exs"; + }; + }; + + config = mkIf cfg.enable { + services.pleroma = { + enable = true; + secretConfigFile = cfg.secretConfigFile; + + configs = [ + '' + import Config + + config :pleroma, Pleroma.Web.Endpoint, + url: [host: "social.${domain}", scheme: "https", port: 443], + http: [ip: {127, 0, 0, 1}, port: ${cfg.port}] + + config :pleroma, :instance, + name: "social.alarsyo.net", + email: "contact+pleroma@alarsyo.net", + notify_email: "pleroma@alarsyo.net", + limit: 5000, + registrations_open: false + + config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + + config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "pleroma", + database: "pleroma", + hostname: "localhost" + + # Configure web push notifications + config :web_push_encryption, :vapid_details, + subject: "mailto:contact+pleroma@alarsyo.net" + + config :pleroma, :database, rum_enabled: false + config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" + config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" + + # Enable Strict-Transport-Security once SSL is working: + # config :pleroma, :http_security, + # sts: true + + config :pleroma, configurable_from_database: false + + config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.AnonymizeFilename] + '' + ]; + }; + + # Proxy to Jellyfin + services.nginx.virtualHosts."social.${domain}" = { + forceSSL = true; + useACMEHost = fqdn; + + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}/"; + proxyWebsockets = true; + extraConfig = '' + etag on; + client_max_body_size 50m; + ''; + }; + }; + + security.acme.certs.${fqdn}.extraDomainNames = ["social.${domain}"]; + }; +}