hades: add pleroma service

This commit is contained in:
Antoine Martin 2022-11-07 22:37:52 +01:00
parent 1f29508108
commit 4c05607622
6 changed files with 125 additions and 0 deletions

View file

@ -99,6 +99,12 @@ in {
port = 8084; port = 8084;
}; };
pleroma = {
enable = true;
port = 8086;
secretConfigFile = config.age.secrets."pleroma/pleroma-config".path;
};
restic-backup = { restic-backup = {
enable = true; enable = true;
repo = "b2:hades-backup-alarsyo"; repo = "b2:hades-backup-alarsyo";

View file

@ -28,6 +28,10 @@
"paperless/admin-password" = {}; "paperless/admin-password" = {};
"paperless/secret-key" = {}; "paperless/secret-key" = {};
"pleroma/pleroma-config" = {
owner = "pleroma";
};
"restic-backup/hades-credentials" = {}; "restic-backup/hades-credentials" = {};
"restic-backup/hades-password" = {}; "restic-backup/hades-password" = {};

Binary file not shown.

View file

@ -24,6 +24,8 @@ in {
"paperless/admin-password.age".publicKeys = [alarsyo hades]; "paperless/admin-password.age".publicKeys = [alarsyo hades];
"paperless/secret-key.age".publicKeys = [alarsyo hades]; "paperless/secret-key.age".publicKeys = [alarsyo hades];
"pleroma/pleroma-config.age".publicKeys = [alarsyo hades];
"restic-backup/boreal-password.age".publicKeys = [alarsyo boreal]; "restic-backup/boreal-password.age".publicKeys = [alarsyo boreal];
"restic-backup/boreal-credentials.age".publicKeys = [alarsyo boreal]; "restic-backup/boreal-credentials.age".publicKeys = [alarsyo boreal];
"restic-backup/hades-password.age".publicKeys = [alarsyo hades]; "restic-backup/hades-password.age".publicKeys = [alarsyo hades];

View file

@ -16,6 +16,7 @@
./paperless.nix ./paperless.nix
./photoprism.nix ./photoprism.nix
./pipewire.nix ./pipewire.nix
./pleroma.nix
./postgresql-backup.nix ./postgresql-backup.nix
./postgresql.nix ./postgresql.nix
./restic-backup.nix ./restic-backup.nix

112
services/pleroma.nix Normal file
View file

@ -0,0 +1,112 @@
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
mkEnableOption
mkIf
mkOption
;
cfg = config.my.services.pleroma;
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
in {
options.my.services.pleroma = let
inherit (lib) types;
in {
enable = mkEnableOption "Pleroma";
port = mkOption {
type = types.port;
default = 8080;
example = 8080;
description = "Pleroma server port";
};
secretConfigFile = mkOption {
type = types.str;
default = "/var/lib/pleroma/secrets.exs";
};
};
config = mkIf cfg.enable {
systemd.services.pleroma = {
path = [
pkgs.hexdump
pkgs.exiftool
];
};
services.pleroma = {
enable = true;
secretConfigFile = cfg.secretConfigFile;
configs = [
''
import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "social.${domain}", scheme: "https", port: 443],
http: [ip: {127, 0, 0, 1}, port: ${toString cfg.port}]
config :pleroma, :instance,
name: "social.alarsyo.net",
email: "contact+pleroma@alarsyo.net",
notify_email: "pleroma@alarsyo.net",
limit: 5000,
registrations_open: false
config :pleroma, :media_proxy,
enabled: false,
redirect_on_failure: true
#base_url: "https://cache.pleroma.social"
config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres,
username: "pleroma",
database: "pleroma",
hostname: "localhost"
# Configure web push notifications
config :web_push_encryption, :vapid_details,
subject: "mailto:contact+pleroma@alarsyo.net"
config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
# Enable Strict-Transport-Security once SSL is working:
# config :pleroma, :http_security,
# sts: true
config :pleroma, configurable_from_database: false
config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.AnonymizeFilename]
''
];
};
services.nginx.virtualHosts."social.${domain}" = {
forceSSL = true;
useACMEHost = fqdn;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}/";
proxyWebsockets = true;
extraConfig = ''
etag on;
client_max_body_size 50m;
'';
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["social.${domain}"];
};
}