florp.social: add dedicated host
This commit is contained in:
parent
992b4796ad
commit
0fd0ec16c8
15 changed files with 203 additions and 145 deletions
|
@ -3,6 +3,7 @@ keys:
|
||||||
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
|
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
|
||||||
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
|
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
|
||||||
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
|
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
|
||||||
|
- &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: secrets/services/dns-knot.yaml
|
- path_regex: secrets/services/dns-knot.yaml
|
||||||
key_groups:
|
key_groups:
|
||||||
|
@ -57,4 +58,4 @@ creation_rules:
|
||||||
- pgp:
|
- pgp:
|
||||||
- *emily
|
- *emily
|
||||||
age:
|
age:
|
||||||
- *seras
|
- *florp
|
||||||
|
|
|
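Review bot: The age recipient for the rule in the `@ -57,4 +58,4 @@` hunk switches from `*seras` to `*florp` (its `path_regex` lies outside the hunk, but the re-encrypted `secrets/services/akkoma.yaml` in this commit matches), and that file's `mac` and `lastmodified` are unchanged, so only the data key was re-wrapped and the mailer password is still the value seras could decrypt while it ran akkoma. If seras is meant to leave the trust set for this secret, the credential itself at `mail.kyouma.net` should be rotated as well, not just the sops recipients. A short comment next to the new `&florp` key naming the machine it was derived from (host key, ssh-to-age, or similar) would match how the other keys will be audited later.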
@ -1,6 +1,6 @@
|
||||||
{ config, inputs, lib, pkgs, ... }:
|
{ config, inputs, lib, pkgs, ... }: let
|
||||||
|
inherit (lib) mkDefault;
|
||||||
with lib; {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./kernel.nix
|
./kernel.nix
|
||||||
./networking.nix
|
./networking.nix
|
||||||
|
@ -105,6 +105,6 @@ with lib; {
|
||||||
|
|
||||||
services.fprintd.enable = config.kyouma.machine-type.graphical;
|
services.fprintd.enable = config.kyouma.machine-type.graphical;
|
||||||
|
|
||||||
system.stateVersion = "23.11";
|
system.stateVersion = mkDefault "23.11";
|
||||||
time.timeZone = mkDefault "CET";
|
time.timeZone = mkDefault "CET";
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,11 +7,7 @@
|
||||||
../../services/nginx.nix
|
../../services/nginx.nix
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
];
|
];
|
||||||
networking = {
|
networking.hostName = "crime";
|
||||||
hostName = "crime";
|
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
firewall.allowedUDPPorts = [ 443 ];
|
|
||||||
};
|
|
||||||
systemd.network.networks."98-eth-default" = {
|
systemd.network.networks."98-eth-default" = {
|
||||||
address = [
|
address = [
|
||||||
"2a0f:be01:0:100::1337/128"
|
"2a0f:be01:0:100::1337/128"
|
||||||
|
|
|
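Review bot: Dropping `firewall.allowedTCPPorts = [ 80 443 ];` and `firewall.allowedUDPPorts = [ 443 ];` from the host is only equivalent because `config/services/nginx.nix` now opens TCP 80/443 itself (its `@ -11,6 +11,7 @@` hunk) next to the UDP 443 it already opened; the `../../services/nginx.nix` import is visible in the crime and seras hunks, but for emilia, staging and web-dus it is outside what the hunks show, so confirm each of those still imports that file before relying on the move. The same removal appears in the emilia, staging, seras and web-dus sections and is not repeated there. A comment beside the new line in nginx.nix, e.g. `# every nginx host gets 80/443 here; do not re-add per host`, would keep the ports from drifting back into host files.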
@ -17,10 +17,8 @@
|
||||||
kyouma.machine-type.physical = true;
|
kyouma.machine-type.physical = true;
|
||||||
kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
|
kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "emilia";
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
hostName = "emilia";
|
|
||||||
};
|
|
||||||
systemd.network.networks."98-eth-default" = {
|
systemd.network.networks."98-eth-default" = {
|
||||||
matchConfig.MACAddress = "04:d4:c4:39:73:f6";
|
matchConfig.MACAddress = "04:d4:c4:39:73:f6";
|
||||||
addresses = [
|
addresses = [
|
||||||
|
|
41
config/hosts/florp/configuration.nix
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
{ lib, ... }: {
|
||||||
|
imports = [
|
||||||
|
../../common
|
||||||
|
../../profiles/headless.nix
|
||||||
|
../../profiles/kartoffel.nix
|
||||||
|
../../profiles/lxc.nix
|
||||||
|
../../services/akkoma
|
||||||
|
../../services/nginx.nix
|
||||||
|
];
|
||||||
|
networking = {
|
||||||
|
hostName = "florp";
|
||||||
|
domain = lib.mkForce "social";
|
||||||
|
};
|
||||||
|
kyouma.nginx.defaultForbidden = "florp.social";
|
||||||
|
systemd.network.networks."98-eth-default" = {
|
||||||
|
address = [
|
||||||
|
"2a0f:be01:0:100::171/128"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresql.settings = {
|
||||||
|
max_connections = 30;
|
||||||
|
shared_buffers = "4GB";
|
||||||
|
effective_cache_size = "12GB";
|
||||||
|
maintenance_work_mem = "1GB";
|
||||||
|
checkpoint_completion_target = 0.9;
|
||||||
|
wal_buffers = "16MB";
|
||||||
|
default_statistics_target = 100;
|
||||||
|
random_page_cost = 1.1;
|
||||||
|
effective_io_concurrency = 200;
|
||||||
|
work_mem = "34952kB";
|
||||||
|
huge_pages = "try";
|
||||||
|
min_wal_size = "2GB";
|
||||||
|
max_wal_size = "8GB";
|
||||||
|
max_worker_processes = 16;
|
||||||
|
max_parallel_workers_per_gather = 4;
|
||||||
|
max_parallel_workers = 16;
|
||||||
|
max_parallel_maintenance_workers = 4;
|
||||||
|
};
|
||||||
|
system.stateVersion = "24.11";
|
||||||
|
}
|
|
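Review bot: The `services.postgresql.settings` block in the new file fixes a sizing (`shared_buffers = "4GB"`, `effective_cache_size = "12GB"`, `max_worker_processes = 16`) without recording what it was sized for; a header such as `# pgtune-style values for <RAM> GB / <cores> cores allotted to this LXC — TODO: fill in` keeps the block from being copied to a differently sized host. `huge_pages = "try"` on a host imported via `../../profiles/lxc.nix` will presumably fall back silently inside the container, which is fine but worth a word so nobody later reads it as "huge pages are in use". `max_connections = 30` should also be checked against whatever connection pool size akkoma ends up with, which is not set in this file.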
@ -11,7 +11,6 @@
|
||||||
domain = lib.mkForce "girldick.gay";
|
domain = lib.mkForce "girldick.gay";
|
||||||
hostName = "staging";
|
hostName = "staging";
|
||||||
nftables.enable = lib.mkForce false;
|
nftables.enable = lib.mkForce false;
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
};
|
||||||
systemd.network.networks."98-eth-default" = {
|
systemd.network.networks."98-eth-default" = {
|
||||||
address = [
|
address = [
|
||||||
|
|
|
@ -5,17 +5,13 @@
|
||||||
../../profiles/headless.nix
|
../../profiles/headless.nix
|
||||||
../../profiles/kartoffel.nix
|
../../profiles/kartoffel.nix
|
||||||
../../profiles/lxc.nix
|
../../profiles/lxc.nix
|
||||||
../../services/akkoma
|
|
||||||
../../services/nginx.nix
|
../../services/nginx.nix
|
||||||
../../services/hydra
|
../../services/hydra
|
||||||
../../services/update-nixfiles.nix
|
../../services/update-nixfiles.nix
|
||||||
];
|
];
|
||||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||||
|
|
||||||
networking = {
|
networking.hostName = "seras";
|
||||||
hostName = "seras";
|
|
||||||
firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
|
||||||
systemd.network.networks."98-eth-default" = {
|
systemd.network.networks."98-eth-default" = {
|
||||||
address = [
|
address = [
|
||||||
"2a0f:be01:0:100::169/128"
|
"2a0f:be01:0:100::169/128"
|
||||||
|
|
|
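Review bot: Removing `../../services/akkoma` from seras leaves the instance's state on that host unaddressed by the commit: the postgres database, whatever uploads live under akkoma's state directory, and the `/var/lib/secrets/akkoma/jwt-signer` file that the akkoma section references by path (its `:joken` line is unchanged context) rather than through sops, so florp needs that file provisioned by hand and the sops secrets are only re-keyed, not moved. If the plan is to migrate rather than start fresh, note that the rum plugin moves from `postgresql15Packages` to `postgresql16Packages` in the same commit, so the data has to go through dump/restore rather than a file copy. A one-line note in this file or the commit message about what happens to the seras data (retained, wiped, migrated) would close that gap.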
@ -11,8 +11,7 @@
|
||||||
networking = {
|
networking = {
|
||||||
hostName = "web-dus";
|
hostName = "web-dus";
|
||||||
nftables.enable = lib.mkForce false;
|
nftables.enable = lib.mkForce false;
|
||||||
firewall.allowedTCPPorts = [ 80 443 11019 ];
|
firewall.allowedTCPPorts = [ 11019 ];
|
||||||
firewall.allowedUDPPorts = [ 443 ];
|
|
||||||
};
|
};
|
||||||
systemd.network.networks."98-eth-default" = {
|
systemd.network.networks."98-eth-default" = {
|
||||||
address = [
|
address = [
|
||||||
|
|
|
@ -1,34 +1,21 @@
|
||||||
{ config, inputs, pkgs, ... }: {
|
{ config, inputs, lib, pkgs, ... }: {
|
||||||
sops.secrets."services/akkoma/mailerPassword" = {
|
sops.secrets."services/akkoma/mailerPassword" = {
|
||||||
sopsFile = ../../../secrets/services/akkoma.yaml;
|
sopsFile = ../../../secrets/services/akkoma.yaml;
|
||||||
};
|
};
|
||||||
sops.secrets."services/akkoma/deepl" = {
|
sops.secrets."services/akkoma/deepl" = {
|
||||||
sopsFile = ../../../secrets/services/akkoma.yaml;
|
sopsFile = ../../../secrets/services/akkoma.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.akkoma = {
|
services.akkoma = {
|
||||||
enable = true;
|
enable = true;
|
||||||
extraPackages = with pkgs; [ exiftool ffmpeg-headless imagemagick ];
|
extraPackages = with pkgs; [ exiftool ffmpeg-headless imagemagick ];
|
||||||
extraStatic."emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
|
extraStatic."emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
|
||||||
|
|
||||||
extraStatic."static/styles.json" = pkgs.writeText "styles.json" (builtins.toJSON {
|
extraStatic."static/styles.json" = pkgs.writeText "styles.json" (builtins.toJSON (
|
||||||
pleroma-dark = "/static/themes/pleroma-dark.json";
|
builtins.fromJSON (builtins.readFile "${pkgs.akkoma-fe-domi}/static/styles.json") // {
|
||||||
pleroma-light = "/static/themes/pleroma-light.json";
|
elly-mod = "/static/themes/elly-mod.json";
|
||||||
pleroma-amoled = [ "Pleroma Dark AMOLED" "#000000" "#111111" "#b0b0b1" "#d8a070" "#aa0000" "#0fa00f" "#0095ff" "#d59500"];
|
}
|
||||||
classic-dark = [ "Classic Dark" "#161c20" "#282e32" "#b9b9b9" "#baaa9c" "#d31014" "#0fa00f" "#0095ff" "#ffa500" ];
|
));
|
||||||
bird = [ "Bird" "#f8fafd" "#e6ecf0" "#14171a" "#0084b8" "#e0245e" "#17bf63" "#1b95e0" "#fab81e"];
|
|
||||||
ir-black = [ "Ir Black" "#000000" "#242422" "#b5b3aa" "#ff6c60" "#FF6C60" "#A8FF60" "#96CBFE" "#FFFFB6" ];
|
|
||||||
monokai = [ "Monokai" "#272822" "#383830" "#f8f8f2" "#f92672" "#F92672" "#a6e22e" "#66d9ef" "#f4bf75" ];
|
|
||||||
|
|
||||||
redmond-xx = "/static/themes/redmond-xx.json";
|
|
||||||
redmond-xx-se = "/static/themes/redmond-xx-se.json";
|
|
||||||
redmond-xxi = "/static/themes/redmond-xxi.json";
|
|
||||||
breezy-dark = "/static/themes/breezy-dark.json";
|
|
||||||
breezy-light = "/static/themes/breezy-light.json";
|
|
||||||
paper = "/static/themes/paper.json";
|
|
||||||
thekanata = "/static/themes/thekanata.json";
|
|
||||||
ihatebeingalive = "/static/themes/ihatebeingalive.json";
|
|
||||||
elly-mod = "/static/themes/elly-mod.json";
|
|
||||||
});
|
|
||||||
|
|
||||||
extraStatic."static/themes/elly-mod.json" = pkgs.writeText "elly-mod.json" (builtins.readFile ./elly-mod.json);
|
extraStatic."static/themes/elly-mod.json" = pkgs.writeText "elly-mod.json" (builtins.readFile ./elly-mod.json);
|
||||||
|
|
||||||
|
@ -38,23 +25,7 @@
|
||||||
|
|
||||||
extraStatic."images/sylvia-ritter-15012323.avif" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.wallpaper;
|
extraStatic."images/sylvia-ritter-15012323.avif" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.wallpaper;
|
||||||
|
|
||||||
extraStatic."favicon.png" = let
|
extraStatic."favicon.png" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.favicon;
|
||||||
rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
|
|
||||||
in pkgs.stdenvNoCC.mkDerivation {
|
|
||||||
name = "favicon.png";
|
|
||||||
|
|
||||||
src = pkgs.fetchurl {
|
|
||||||
url = "https://raw.githubusercontent.com/TilCreator/NixOwO/${rev}/NixOwO_plain.svg";
|
|
||||||
hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
|
|
||||||
};
|
|
||||||
|
|
||||||
nativeBuildInputs = with pkgs; [ librsvg ];
|
|
||||||
|
|
||||||
dontUnpack = true;
|
|
||||||
installPhase = ''
|
|
||||||
rsvg-convert -o $out -w 96 -h 96 $src
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
frontends = {
|
frontends = {
|
||||||
primary = {
|
primary = {
|
||||||
|
@ -70,13 +41,29 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.akkoma.config = let
|
services.akkoma.config = let
|
||||||
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap;
|
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap mkTuple;
|
||||||
|
|
||||||
|
mapAttrsToListOfTuple = attr: lib.mapAttrsToList (name: value: mkTuple [ name value ]) attr;
|
||||||
|
|
||||||
|
mkMapOfPredefinedKeys = set: let
|
||||||
|
toElixir = value:
|
||||||
|
if value == null then "nil" else
|
||||||
|
if value == true then "true" else
|
||||||
|
if value == false then "false" else
|
||||||
|
if lib.isInt value || lib.isFloat value then toString value else
|
||||||
|
abort "Not a elixir value ${value}";
|
||||||
|
|
||||||
|
entries = attrs: lib.concatStringsSep ", " (lib.mapAttrsToList (name: value:
|
||||||
|
"${toElixir name}: ${toElixir value}"
|
||||||
|
) attrs);
|
||||||
|
in mkRaw "%{${entries set}}";
|
||||||
|
|
||||||
in {
|
in {
|
||||||
":pleroma" = {
|
":pleroma" = {
|
||||||
":instance" = {
|
":instance" = {
|
||||||
name = "florp.social";
|
name = "florp.social";
|
||||||
email = "contact@florp.social";
|
email = "contact@florp.social";
|
||||||
notify_email = "akkoma@florp.social";
|
notify_email = "noreply@florp.social";
|
||||||
description = "Likes are now florps. The timeline goes sideways.";
|
description = "Likes are now florps. The timeline goes sideways.";
|
||||||
instance_thumbnail = "/instance/thumbnail.avif";
|
instance_thumbnail = "/instance/thumbnail.avif";
|
||||||
limit = 69420;
|
limit = 69420;
|
||||||
|
@ -90,14 +77,16 @@
|
||||||
registration_reason_length = 2048;
|
registration_reason_length = 2048;
|
||||||
account_approval_required = true;
|
account_approval_required = true;
|
||||||
account_activation_required = true;
|
account_activation_required = true;
|
||||||
federation = false;
|
federating = false;
|
||||||
federation_incoming_replies_max_depth = 1024;
|
federation_incoming_replies_max_depth = 1024;
|
||||||
|
federation_reachability_timeout_days = 14;
|
||||||
|
allow_relay = true;
|
||||||
max_pinned_statuses = 10;
|
max_pinned_statuses = 10;
|
||||||
|
max_report_comment_size = 2048;
|
||||||
safe_dm_mentions = true;
|
safe_dm_mentions = true;
|
||||||
remote_post_retention_days = 365;
|
remote_post_retention_days = 365;
|
||||||
user_bio_length = 8192;
|
user_bio_length = 8192;
|
||||||
user_name_length = 64;
|
user_name_length = 64;
|
||||||
max_account_fields = 8;
|
|
||||||
cleanup_attachments = true;
|
cleanup_attachments = true;
|
||||||
local_bubble = [
|
local_bubble = [
|
||||||
"solitary.social"
|
"solitary.social"
|
||||||
|
@ -110,11 +99,13 @@
|
||||||
|
|
||||||
"Pleroma.Web.Endpoint".url.host = "florp.social";
|
"Pleroma.Web.Endpoint".url.host = "florp.social";
|
||||||
|
|
||||||
|
"Pleroma.Web.Metadata.Providers.Theme".theme_color = "#070F1C";
|
||||||
|
|
||||||
"Pleroma.Emails.Mailer" = {
|
"Pleroma.Emails.Mailer" = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
adapter = mkRaw "Swoosh.Adapters.SMTP";
|
adapter = mkRaw "Swoosh.Adapters.SMTP";
|
||||||
relay = "mail.kyouma.net";
|
relay = "mail.kyouma.net";
|
||||||
username = "akkoma@florp.social";
|
username = "noreply@florp.social";
|
||||||
password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
|
password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
|
||||||
port = 465;
|
port = 465;
|
||||||
ssl = true;
|
ssl = true;
|
||||||
|
@ -146,37 +137,42 @@
|
||||||
"Pleroma.Upload.Filter.AnonymizeFilename"
|
"Pleroma.Upload.Filter.AnonymizeFilename"
|
||||||
];
|
];
|
||||||
|
|
||||||
":mrf" = {
|
":mrf".policies = map mkRaw [
|
||||||
transparency = true;
|
"Pleroma.Web.ActivityPub.MRF.SimplePolicy"
|
||||||
policies = map mkRaw [
|
"Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
|
||||||
"Pleroma.Web.ActivityPub.MRF.SimplePolicy"
|
"Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy"
|
||||||
"Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
|
];
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
":mrf_simple" = {
|
":mrf_simple" = {
|
||||||
reject = mkMap {
|
reject = mapAttrsToListOfTuple {
|
||||||
"bae.st" = "harassment";
|
"bae.st" = "transphobia / queerphobia";
|
||||||
"brighteon.social" = "incompatible";
|
"brighteon.social" = "transphobia, pro trump";
|
||||||
"detroitriotcity.com" = "incompatible";
|
"detroitriotcity.com" = "transphobia / queerphobia";
|
||||||
"freeatlantis.com" = "incompatible";
|
"freeatlantis.com" = "harassment";
|
||||||
"freespeechextremist.com" = "incompatible";
|
"freespeechextremist.com" = "N/A";
|
||||||
"gab.com" = "incompatible";
|
"gab.com" = "N/A";
|
||||||
"gleasonator.com" = "incompatible";
|
"gleasonator.com" = "transphobia";
|
||||||
"kitsunemimi.club" = "incompatible";
|
"kitsunemimi.club" = "transphobia";
|
||||||
"poa.st" = "incompatible";
|
"kiwifarms.*" = "N/A";
|
||||||
"seal.cafe" = "harassment";
|
"poa.st" = "queerphobia / racism / nazis";
|
||||||
"social.quodverum.com" = "incompatible";
|
"seal.cafe" = "transphobia";
|
||||||
"spinster.xyz" = "incompatible";
|
"social.quodverum.com" = "N/A";
|
||||||
"truthsocial.co.in" = "incompatible";
|
"spinster.xyz" = "transphobia";
|
||||||
"varishangout.net" = "incompatible";
|
"truthsocial.co.in" = "N/A";
|
||||||
|
"varishangout.net" = "transphobia";
|
||||||
"activitypub-troll.cf" = "security";
|
"activitypub-troll.cf" = "N/A";
|
||||||
"misskey-forkbomb.cf" = "security";
|
"misskey-forkbomb.cf" = "N/A";
|
||||||
"repl.co" = "security";
|
"repl.co" = "N/A";
|
||||||
|
"rape.pet" = "CP";
|
||||||
|
"childlove.space" = "CP";
|
||||||
|
"pedo.school" = "CP";
|
||||||
|
"loli.church" = "transphobia";
|
||||||
|
"usasa.ky" = "spam";
|
||||||
|
"tickler.cc" = "spam";
|
||||||
|
"shitposter.club" = "transphobia";
|
||||||
};
|
};
|
||||||
|
|
||||||
followers_only = mkMap {
|
followers_only = mapAttrsToListOfTuple {
|
||||||
"bitcoinhackers.org" = "annoying";
|
"bitcoinhackers.org" = "annoying";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -184,7 +180,7 @@
|
||||||
":mrf_object_age".threshold = 180 * 24 * 3600;
|
":mrf_object_age".threshold = 180 * 24 * 3600;
|
||||||
|
|
||||||
":frontend_configurations" = {
|
":frontend_configurations" = {
|
||||||
pleroma_fe = mkMap {
|
pleroma_fe = mkMapOfPredefinedKeys {
|
||||||
background = "/images/sylvia-ritter-15012323.avif";
|
background = "/images/sylvia-ritter-15012323.avif";
|
||||||
collapseMessageWithSubject = true;
|
collapseMessageWithSubject = true;
|
||||||
streaming = true;
|
streaming = true;
|
||||||
|
@ -204,9 +200,10 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
":restrict_unauthenticated" = {
|
":restrict_unauthenticated" = {
|
||||||
timelines = mkMap {
|
timelines = mkMapOfPredefinedKeys {
|
||||||
local = false;
|
local = false;
|
||||||
federated = true;
|
federated = true;
|
||||||
|
bubble = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -227,21 +224,44 @@
|
||||||
|
|
||||||
":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
|
":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
|
||||||
};
|
};
|
||||||
|
services.postgresql.enable = true;
|
||||||
services.postgresql.extraPlugins = [
|
services.postgresql.extraPlugins = [
|
||||||
pkgs.postgresql15Packages.rum
|
pkgs.postgresql16Packages.rum
|
||||||
];
|
];
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
clientMaxBodySize = "256m";
|
clientMaxBodySize = "256m";
|
||||||
commonHttpConfig = ''
|
commonHttpConfig = ''
|
||||||
proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
|
proxy_cache_path /var/cache/nginx/akkoma-media-cache
|
||||||
levels= keys_zone=akkoma_media_cache:32m max_size=32g
|
levels= keys_zone=akkoma_media_cache:32m max_size=32g
|
||||||
inactive=1y use_temp_path=off;
|
inactive=1y use_temp_path=off;
|
||||||
|
|
||||||
access_log off;
|
access_log off;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
kyouma.nginx.virtualHosts = {
|
kyouma.nginx.virtualHosts = let
|
||||||
|
proxyCache = ''
|
||||||
|
proxy_cache akkoma_media_cache;
|
||||||
|
|
||||||
|
# Cache objects in slices of 1 MiB
|
||||||
|
slice 1m;
|
||||||
|
proxy_cache_key $host$uri$is_args$args$slice_range;
|
||||||
|
proxy_set_header Range $slice_range;
|
||||||
|
|
||||||
|
# Decouple proxy and upstream responses
|
||||||
|
proxy_buffering on;
|
||||||
|
proxy_cache_lock on;
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
|
||||||
|
# Default cache times for various responses
|
||||||
|
proxy_cache_valid 200 1y;
|
||||||
|
proxy_cache_valid 206 301 304 1h;
|
||||||
|
|
||||||
|
# Allow serving of stale items
|
||||||
|
proxy_cache_use_stale error timeout invalid_header updating;
|
||||||
|
'';
|
||||||
|
in {
|
||||||
"florp.social" = {
|
"florp.social" = {
|
||||||
|
serverAliases = map (x: "${x}.florp.social") [ "a" "b" "c" ];
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://unix:/run/akkoma/socket";
|
proxyPass = "http://unix:/run/akkoma/socket";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
|
@ -254,7 +274,9 @@
|
||||||
useACMEHost = "florp.social";
|
useACMEHost = "florp.social";
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://unix:/run/akkoma/socket";
|
proxyPass = "http://unix:/run/akkoma/socket";
|
||||||
extraConfig = "rewrite ^(?!/media)(.*)$ /media$1;";
|
extraConfig = ''
|
||||||
|
rewrite ^(?!/media)(.*)$ /media$1;
|
||||||
|
'' + proxyCache;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -264,27 +286,12 @@
|
||||||
proxyPass = "http://unix:/run/akkoma/socket";
|
proxyPass = "http://unix:/run/akkoma/socket";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
rewrite ^(?!/proxy)(.*)$ /proxy$1;
|
rewrite ^(?!/proxy)(.*)$ /proxy$1;
|
||||||
proxy_cache akkoma_media_cache;
|
'' + proxyCache;
|
||||||
|
|
||||||
# Cache objects in slices of 1 MiB
|
|
||||||
slice 1m;
|
|
||||||
proxy_cache_key $host$uri$is_args$args$slice_range;
|
|
||||||
proxy_set_header Range $slice_range;
|
|
||||||
|
|
||||||
# Decouple proxy and upstream responses
|
|
||||||
proxy_buffering on;
|
|
||||||
proxy_cache_lock on;
|
|
||||||
proxy_ignore_client_abort on;
|
|
||||||
|
|
||||||
# Default cache times for various responses
|
|
||||||
proxy_cache_valid 200 1y;
|
|
||||||
proxy_cache_valid 206 301 304 1h;
|
|
||||||
|
|
||||||
# Allow serving of stale items
|
|
||||||
proxy_cache_use_stale error timeout invalid_header updating;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
security.acme.certs."florp.social".extraDomainNames = [ "cache.florp.social" "media.florp.social" ];
|
security.acme.certs."florp.social".extraDomainNames = [
|
||||||
|
"cache.florp.social"
|
||||||
|
"media.florp.social"
|
||||||
|
] ++ map (x: "${x}.florp.social") [ "a" "b" "c" ];
|
||||||
}
|
}
|
||||||
|
|
|
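Review bot: `toElixir` in the new `mkMapOfPredefinedKeys` (hunk `@ -70,13 +41,29 @@`) has no branch for strings, yet `entries` passes every attribute name through it and `pleroma_fe` (hunk `@ -184,7 +180,7 @@`) hands it string values such as `background = "/images/sylvia-ritter-15012323.avif"`, so as rendered here evaluation falls through to `abort` on the first key; `":restrict_unauthenticated".timelines` only survives because all its values are booleans. The abort message interpolates `${value}` directly, which for a list or attrset raises a string-coercion error instead of the intended message; the rewrite below emits keys as bare atoms, quotes strings with `builtins.toJSON` (a JSON string literal is also a valid Elixir one) and pretty-prints the offending value. Separately, the media vhost (hunk `@ -254,7 +274,9 @@`) now appends `proxyCache` with `proxy_cache_valid 200 1y` while `cleanup_attachments = true;` stays set, so an attachment deleted upstream keeps being served from the slice cache until it expires — a shorter validity for the media host, or at least a comment acknowledging the retention, is worth adding. Finally, the old `federation = false;` key does not appear to be an `:instance` setting, so renaming it to `federating = false;` is likely the first time the value takes effect; alongside `allow_relay = true;` and the `:mrf_simple` lists, a comment stating whether the non-federating state is temporary would prevent surprise.
```nix
mkMapOfPredefinedKeys = set: let
  toElixir = value:
    # … unchanged: nil / true / false / int-float branches …
    # a JSON string literal is also a valid Elixir string literal
    if lib.isString value then builtins.toJSON value else
    abort "Not an elixir value: ${lib.generators.toPretty { } value}";

  # keys are the predefined atoms the caller names; only values are converted
  entries = attrs: lib.concatStringsSep ", " (lib.mapAttrsToList (name: value:
    "${name}: ${toElixir value}"
  ) attrs);
in mkRaw "%{${entries set}}";
```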
@ -11,6 +11,7 @@ in {
|
||||||
email = "noc@kyouma.net";
|
email = "noc@kyouma.net";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 443 ];
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -437,11 +437,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1730469723,
|
"lastModified": 1730825511,
|
||||||
"narHash": "sha256-5U2aVAXbzd26f0r4+1fo0F4KTqY5h3z2fV0uDJ9YsMQ=",
|
"narHash": "sha256-Ywc4Y+4VobocyxcVhHlJ5Q5h1fOdsJNlAlWlrkqC8U0=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "16f4a9c871b5417b9ed17e7666c1b266dd8de464",
|
"rev": "81bde12357d59215e7d67c7f55c2eb3d54c47689",
|
||||||
"revCount": 1,
|
"revCount": 2,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://woof.rip/florp/branding.git"
|
"url": "https://woof.rip/florp/branding.git"
|
||||||
},
|
},
|
||||||
|
|
|
@ -3,11 +3,11 @@
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Strict-Transport-Security $hsts_header;
|
add_header Strict-Transport-Security $hsts_header;
|
||||||
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
|
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
|
||||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
add_header Referrer-Policy "same-origin" always;
|
add_header Referrer-Policy "same-origin" always;
|
||||||
'';
|
'';
|
||||||
createHost = vhostName: vhostCfg: {
|
createHost = vhostName: vhostCfg: {
|
||||||
extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
|
extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
|
||||||
|
@ -42,9 +42,13 @@ in {
|
||||||
builtins.mapAttrs (createHost) cfg.virtualHosts) //
|
builtins.mapAttrs (createHost) cfg.virtualHosts) //
|
||||||
lib.optionalAttrs (cfg.defaultForbidden != null) {
|
lib.optionalAttrs (cfg.defaultForbidden != null) {
|
||||||
"redirect" = {
|
"redirect" = {
|
||||||
|
quic = true;
|
||||||
|
http3 = true;
|
||||||
|
# reuseport has to be specified on the quic listener
|
||||||
|
# when using worker_processes auto;
|
||||||
|
reuseport = true;
|
||||||
default = true;
|
default = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
reuseport = true;
|
|
||||||
useACMEHost = cfg.defaultForbidden;
|
useACMEHost = cfg.defaultForbidden;
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
return 403;
|
return 403;
|
||||||
|
|
|
@ -6,5 +6,9 @@ final: prev: {
|
||||||
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
|
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
|
||||||
librespeed-go = final.callPackage ./librespeed-go/default.nix {};
|
librespeed-go = final.callPackage ./librespeed-go/default.nix {};
|
||||||
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
|
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
|
||||||
nginxQuic = prev.nginxQuic.override { withSlice = true; };
|
nginxQuic = prev.nginxQuic.override {
|
||||||
|
withSlice = true;
|
||||||
|
# Use zlib because zlib-ng uses larger buffers then nginx preallocates.
|
||||||
|
zlib = final.zlib;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
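Review bot: The comment above the new `zlib = final.zlib;` reads `larger buffers then nginx preallocates`; `than` is meant. It would also help to name the symptom that forced the override so the pin is not dropped the next time zlib-ng becomes the default, e.g. `# zlib-ng's deflate needs larger buffers than nginx preallocates — observed as <symptom>; keep plain zlib`.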
@ -6,6 +6,7 @@ BRANCH="update-inputs-$(date +%Y-%m-%d-%H-%M)"
|
||||||
HYDRA_URL="https://hydra.kyouma.net"
|
HYDRA_URL="https://hydra.kyouma.net"
|
||||||
JOBSET_URL="${HYDRA_URL}/jobset/nixfiles/update-inputs"
|
JOBSET_URL="${HYDRA_URL}/jobset/nixfiles/update-inputs"
|
||||||
ROOT="$(mktemp -d)"
|
ROOT="$(mktemp -d)"
|
||||||
|
START_TIME="$(date +%s)"
|
||||||
|
|
||||||
gitin () {
|
gitin () {
|
||||||
git -C "${ROOT}/nixfiles" "$@"
|
git -C "${ROOT}/nixfiles" "$@"
|
||||||
|
@ -21,20 +22,31 @@ merge_theirs () {
|
||||||
}
|
}
|
||||||
|
|
||||||
test_build () {
|
test_build () {
|
||||||
|
local last_error
|
||||||
local build_jobs
|
local build_jobs
|
||||||
|
|
||||||
build_jobs="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r ".builds | .[]")"
|
build_jobs="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r ".builds | .[]")"
|
||||||
for build in ${build_jobs}; do
|
for build in ${build_jobs}; do
|
||||||
local build_status
|
local build_status
|
||||||
|
|
||||||
while true; do
|
while true; do
|
||||||
local build_finished
|
local build_finished
|
||||||
build_finished="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".finished")"
|
build_finished="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".finished")"
|
||||||
[[ ${build_finished} == 1 ]] && break
|
[[ ${build_finished} == 1 ]] && break
|
||||||
sleep 5
|
sleep 5
|
||||||
done
|
done
|
||||||
|
|
||||||
build_status="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".buildstatus")"
|
build_status="$(curl --fail -s -L -H "Accept: application/json" "${HYDRA_URL}/build/${build}" | jq -r ".buildstatus")"
|
||||||
[[ $build_status != 0 ]] && echo "Build ${build} failed" && exit 1
|
[[ $build_status != 0 ]] &&
|
||||||
|
echo "Build ${build} failed" &&
|
||||||
|
exit 1
|
||||||
echo "Build ${build} was successful"
|
echo "Build ${build} was successful"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
last_error="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}" | jq -r ".errortime")"
|
||||||
|
[[ $last_error -gt $START_TIME ]] &&
|
||||||
|
echo "Evaluation error encountered at $(date +%Y-%m-%d-%H:%M:%S --date="${last_error}")" &&
|
||||||
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
wait_for_hydra () {
|
wait_for_hydra () {
|
||||||
|
@ -42,9 +54,9 @@ wait_for_hydra () {
|
||||||
local hydra_rev
|
local hydra_rev
|
||||||
local counter
|
local counter
|
||||||
counter=0
|
counter=0
|
||||||
git_rev="$(git -C "${ROOT}/nixfiles" rev-parse update-inputs)"
|
git_rev="$(git -C "${1}/nixfiles" rev-parse update-inputs)"
|
||||||
while true; do
|
while true; do
|
||||||
hydra_rev="$(curl -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")"
|
hydra_rev="$(curl -s -L -H "Accept: application/json" "${2}/latest-eval" | jq -r .flake | sed -E "s/.+&rev=(.*)/\1/g")"
|
||||||
if [[ "${git_rev}" == "${hydra_rev}" ]]; then
|
if [[ "${git_rev}" == "${hydra_rev}" ]]; then
|
||||||
echo "Hydra got new commit"
|
echo "Hydra got new commit"
|
||||||
break
|
break
|
||||||
|
@ -87,7 +99,7 @@ gitin push origin update-inputs
|
||||||
|
|
||||||
echo "Waiting for hydra to get new commit"
|
echo "Waiting for hydra to get new commit"
|
||||||
export -f wait_for_hydra
|
export -f wait_for_hydra
|
||||||
timeout 4h bash -c wait_for_hydra
|
timeout 4h bash -c "wait_for_hydra ${ROOT} ${JOBSET_URL}"
|
||||||
|
|
||||||
echo "Testing if all build jobs completed successfully"
|
echo "Testing if all build jobs completed successfully"
|
||||||
test_build
|
test_build
|
||||||
|
|
|
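Review bot: `last_error` in `test_build` is compared with `-gt`, but `jq -r ".errortime"` may print `null` when the jobset has no recorded error (and an empty string when curl fails), which bash's arithmetic context silently treats as 0, so the check passes by accident rather than by design; use `jq -r '.errortime // 0'` and bail out when `last_error` is empty. Reading `errortime` only after the build loop also means an evaluation error is reported only once every build of the previous evaluation has been polled to completion — if that ordering is intentional, a comment saying so would help. In `timeout 4h bash -c "wait_for_hydra ${ROOT} ${JOBSET_URL}"` the two values are re-split by the inner shell; `timeout 4h bash -c 'wait_for_hydra "$@"' _ "${ROOT}" "${JOBSET_URL}"` passes them as arguments instead. The body of `wait_for_hydra` continues outside the hunk.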
@ -8,27 +8,27 @@ sops:
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age:
|
age:
|
||||||
- recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
|
- recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTi9Ha0tQRGE2L3BzclpW
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NGRYOHFVSXBNdjlpVDhF
|
||||||
NnduRVVRUnhkV1pEOXllZTA0bnN0NENESlM4Ck9jSTcxcjJIdThvUk9IM1FCOGNv
|
V0g2ZkRiZnR6UElvWEZKUWxHSjZySlJadHlvCmpBdzBPRklkOVltZWwzNlNrc0pC
|
||||||
V1FNV2ZHbHlTaWNBL0VvSGxhSzlWSDgKLS0tIEFoWEozY0VSWVA0cVp5dkI4NHNH
|
bG9kU3phNmFKNGkwek94Y2hZcjZCNW8KLS0tIFFqM0VTQXRuODAva0Rkc2xvWFB4
|
||||||
RVQ3aDd0c1RDNWd2eGxiNURGRXVXS2sKTT4LpWSIb9hjrcdUWOhieUeUHop0pwoA
|
VTQ3RExKY093VG8vOThCczRzY2tpY2cKJOv0yVl9Zody0mjtytyjCXpe5V3NsReA
|
||||||
OfOv3y3dp7tYc5HRREN5jkVx29jb2lrml0ycu9ek58S8+bolfzN8yQ==
|
/Dqr6V9Hjuf3u0fjMHAjE6hDPGVH5t5NYLkNDeaGHNTaAd5dnhfprg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-10-31T16:57:58Z"
|
lastmodified: "2024-10-31T16:57:58Z"
|
||||||
mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
|
mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2024-10-31T16:40:38Z"
|
- created_at: "2024-11-04T20:52:58Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hF4D1GtNSlou/HkSAQdAmS/QDuU40+HtiMoCa9byz80b6lGMd6cvqxYShifFxUgw
|
hF4D1GtNSlou/HkSAQdApk/nEYcccQBCzFwC+hZbMio0s37LJuK6ceSLW786Sjsw
|
||||||
Bn34D6HB6z3nQxWanlOCkA2ud8GBUhEFlLjsQf29apfWuWxKpNv37Olou1/vGvNm
|
90ggzfOg63e92cyqYxvbKqtCgVHHU/9RmKdsSZM+rFcR3XpzWw0ke10WjZNW0lU5
|
||||||
0l4BIzFesU+aoIUi+Fp0GbJ1+ObzRvGZq1IULChsDgbbvDnHah7yvN5wKYwj6x7f
|
0l4BuP1sPvP7Z+kxWlITnYl4SPKxVhSmYtAdGbceiGUo36jtpi9vkziuPmyrGttM
|
||||||
ZhPpm40+FLea1najiN6igUD6oUy8TSYnCgPODef4FeI0ZwFqF5MaucY8CNuWsugS
|
t1PNZ9gjGVyNw96rRg9bgXCSvJo2FfMx8GeArj1yuO3+bkkbDm7mFrbF6fMQN3JE
|
||||||
=1vZk
|
=Q9iO
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
|
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
|
|