=

oluceps · Jul 28, 2024 · 1558987 · 1558987
1 parent e15c529
commit 1558987
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 3 deletions.
diff --git a/hosts/hastur/rekey.nix b/hosts/hastur/rekey.nix
@@ -43,6 +43,10 @@ in
         rekeyFile = ../../sec/harmonia.age;
         mode = "400";
       };
+      pleroma = {
+        rekeyFile = ../../sec/pleroma-secret.age;
+        mode = "400";
+      };
     };
   };
   services.openssh.hostKeys = [

diff --git a/hosts/hastur/spec.nix b/hosts/hastur/spec.nix
@@ -12,8 +12,11 @@
   # Running database and web services.
 
   system.stateVersion = "22.11"; # Did you read the comment?
-  users.mutableUsers = true;
-  system.etc.overlay.mutable = true;
+  users.mutableUsers = false;
+  system.etc.overlay.mutable = false;
+  environment.etc."resolv.conf".text = ''
+    nameserver 127.0.0.1
+  '';
 
   zramSwap = {
     enable = false;
@@ -46,6 +49,7 @@
   systemd = {
     services = {
       atuin.serviceConfig.Environment = [ "RUST_LOG=debug" ];
+      pleroma.serviceConfig.LoadCredential = [ ("config.exs:" + config.age.secrets.pleroma.path) ];
       # atticd.serviceConfig.Environment = [
       #   "RUST_LOG=debug"
       #   "RUST_BACKTRACE=1"
@@ -118,6 +122,7 @@
     # coredns.enable = true;
     mosproxy.enable = true;
     srs.enable = true;
+    pleroma.enable = true;
 
     phantomsocks = {
       enable = false;
@@ -161,7 +166,7 @@
       signKeyPath = config.age.secrets.harmonia.path;
     };
     realm = {
-      enable = true;
+      enable = false;
       settings = {
         log.level = "warn";
         network = {

diff --git a/sec/pleroma-secret.age b/sec/pleroma-secret.age
diff --git a/sec/rekeyed/hastur/b540a9fda4bbb5e3caaff8899238aa95-pleroma.age b/sec/rekeyed/hastur/b540a9fda4bbb5e3caaff8899238aa95-pleroma.age
diff --git a/srv/pleroma.nix b/srv/pleroma.nix
@@ -0,0 +1,44 @@
+{ pkgs, ... }:
+{
+  # bcz of hard 2 use
+  enable = false;
+  secretConfigFile = "/run/credentials/pleroma.service/config.exs";
+  configs = [
+    ''
+      # Pleroma instance configuration
+
+      # NOTE: This file should not be committed to a repo or otherwise made public
+      # without removing sensitive information.
+
+      import Config
+
+      config :pleroma, Pleroma.Web.Endpoint,
+         url: [host: "nyaw.xyz", scheme: "https", port: 443],
+         http: [ip: {0, 0, 0, 0}, port: 3000]
+
+      config :pleroma, :instance,
+        name: "nyaw.xyz",
+        email: "pleroma@oluceps.uk",
+        notify_email: "pleroma@oluceps.uk",
+        limit: 5000,
+        registrations_open: false
+
+      config :pleroma, :media_proxy,
+        enabled: false,
+        redirect_on_failure: true
+        #base_url: "https://cache.pleroma.social"
+
+      config :pleroma, :database, rum_enabled: false
+      config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+      config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+      # Enable Strict-Transport-Security once SSL is working:
+      # config :pleroma, :http_security,
+      #   sts: true
+
+      config :pleroma, configurable_from_database: true
+
+      config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Dedupe]
+    ''
+  ];
+}