florp.social: add dedicated host

This commit is contained in:
emily 2024-11-04 21:19:57 +01:00
parent 992b4796ad
commit 63a4db7f67
Signed by: emily
GPG key ID: F6F4C66207FCF995
13 changed files with 89 additions and 50 deletions

View file

@ -3,6 +3,7 @@ keys:
- &seras age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
- &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn
- &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf
- &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
creation_rules:
- path_regex: secrets/services/dns-knot.yaml
key_groups:
@ -57,4 +58,4 @@ creation_rules:
- pgp:
- *emily
age:
- *seras
- *florp

View file

@ -1,6 +1,6 @@
{ config, inputs, lib, pkgs, ... }:
with lib; {
{ config, inputs, lib, pkgs, ... }: let
inherit (lib) mkDefault;
in {
imports = [
./kernel.nix
./networking.nix
@ -105,6 +105,6 @@ with lib; {
services.fprintd.enable = config.kyouma.machine-type.graphical;
system.stateVersion = "23.11";
system.stateVersion = mkDefault "23.11";
time.timeZone = mkDefault "CET";
}

View file

@ -7,11 +7,7 @@
../../services/nginx.nix
./nginx.nix
];
networking = {
hostName = "crime";
firewall.allowedTCPPorts = [ 80 443 ];
firewall.allowedUDPPorts = [ 443 ];
};
networking.hostName = "crime";
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::1337/128"

View file

@ -17,10 +17,8 @@
kyouma.machine-type.physical = true;
kyouma.nginx.defaultForbidden = "uptime.kyouma.net";
networking = {
firewall.allowedTCPPorts = [ 80 443 ];
hostName = "emilia";
};
networking.hostName = "emilia";
systemd.network.networks."98-eth-default" = {
matchConfig.MACAddress = "04:d4:c4:39:73:f6";
addresses = [

View file

@ -0,0 +1,41 @@
{ lib, ... }: {
imports = [
../../common
../../profiles/headless.nix
../../profiles/kartoffel.nix
../../profiles/lxc.nix
../../services/akkoma
../../services/nginx.nix
];
networking = {
hostName = "florp";
domain = lib.mkForce "social";
};
kyouma.nginx.defaultForbidden = "florp.social";
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::171/128"
];
};
services.postgresql.settings = {
max_connections = 200;
shared_buffers = "8GB";
effective_cache_size = "10GB";
maintenance_work_mem = "2GB";
checkpoint_completion_target = 0.9;
wal_buffers = "16MB";
default_statistics_target = 100;
random_page_cost = 1.1;
effective_io_concurrency = 200;
work_mem = "31457kB";
huge_pages = "try";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 32;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 32;
max_parallel_maintenance_workers = 4;
};
system.stateVersion = "24.11";
}

View file

@ -11,7 +11,6 @@
domain = lib.mkForce "girldick.gay";
hostName = "staging";
nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 80 443 ];
};
systemd.network.networks."98-eth-default" = {
address = [

View file

@ -5,17 +5,13 @@
../../profiles/headless.nix
../../profiles/kartoffel.nix
../../profiles/lxc.nix
../../services/akkoma
../../services/nginx.nix
../../services/hydra
../../services/update-nixfiles.nix
];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
networking = {
hostName = "seras";
firewall.allowedTCPPorts = [ 80 443 ];
};
networking.hostName = "seras";
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::169/128"

View file

@ -11,8 +11,7 @@
networking = {
hostName = "web-dus";
nftables.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ 80 443 11019 ];
firewall.allowedUDPPorts = [ 443 ];
firewall.allowedTCPPorts = [ 11019 ];
};
systemd.network.networks."98-eth-default" = {
address = [

View file

@ -1,4 +1,4 @@
{ config, inputs, pkgs, ... }: {
{ config, inputs, lib, pkgs, ... }: {
sops.secrets."services/akkoma/mailerPassword" = {
sopsFile = ../../../secrets/services/akkoma.yaml;
};
@ -70,13 +70,13 @@
};
};
services.akkoma.config = let
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap;
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap mkTuple;
in {
":pleroma" = {
":instance" = {
name = "florp.social";
email = "contact@florp.social";
notify_email = "akkoma@florp.social";
notify_email = "noreply@florp.social";
description = "Likes are now florps. The timeline goes sideways.";
instance_thumbnail = "/instance/thumbnail.avif";
limit = 69420;
@ -114,7 +114,7 @@
enabled = true;
adapter = mkRaw "Swoosh.Adapters.SMTP";
relay = "mail.kyouma.net";
username = "akkoma@florp.social";
username = "noreply@florp.social";
password._secret = config.sops.secrets."services/akkoma/mailerPassword".path;
port = 465;
ssl = true;
@ -155,7 +155,7 @@
};
":mrf_simple" = {
reject = mkMap {
reject = lib.mapAttrsToList (name: value: mkTuple [ name value ]) {
"bae.st" = "harassment";
"brighteon.social" = "incompatible";
"detroitriotcity.com" = "incompatible";
@ -170,13 +170,12 @@
"spinster.xyz" = "incompatible";
"truthsocial.co.in" = "incompatible";
"varishangout.net" = "incompatible";
"activitypub-troll.cf" = "security";
"misskey-forkbomb.cf" = "security";
"repl.co" = "security";
};
followers_only = mkMap {
followers_only = lib.mapAttrsToList (name: value: mkTuple [ name value ]) {
"bitcoinhackers.org" = "annoying";
};
};
@ -227,13 +226,14 @@
":joken".":default_signer"._secret = "/var/lib/secrets/akkoma/jwt-signer";
};
services.postgresql.enable = true;
services.postgresql.extraPlugins = [
pkgs.postgresql15Packages.rum
pkgs.postgresql16Packages.rum
];
services.nginx = {
clientMaxBodySize = "256m";
commonHttpConfig = ''
proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
proxy_cache_path /var/cache/nginx/akkoma-media-cache
levels= keys_zone=akkoma_media_cache:32m max_size=32g
inactive=1y use_temp_path=off;

View file

@ -11,6 +11,7 @@ in {
email = "noc@kyouma.net";
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = {
enable = true;

View file

@ -42,9 +42,13 @@ in {
builtins.mapAttrs (createHost) cfg.virtualHosts) //
lib.optionalAttrs (cfg.defaultForbidden != null) {
"redirect" = {
quic = true;
http3 = true;
# reuseport has to be specified on the quic listener
# when using worker_processes auto;
reuseport = true;
default = true;
forceSSL = true;
reuseport = true;
useACMEHost = cfg.defaultForbidden;
extraConfig = ''
return 403;

View file

@ -6,5 +6,9 @@ final: prev: {
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
librespeed-go = final.callPackage ./librespeed-go/default.nix {};
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
nginxQuic = prev.nginxQuic.override { withSlice = true; };
nginxQuic = prev.nginxQuic.override {
withSlice = true;
# Use zlib because zlib-ng uses larger buffers then nginx preallocates.
zlib = final.zlib;
};
}

View file

@ -8,27 +8,27 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
- recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTi9Ha0tQRGE2L3BzclpW
NnduRVVRUnhkV1pEOXllZTA0bnN0NENESlM4Ck9jSTcxcjJIdThvUk9IM1FCOGNv
V1FNV2ZHbHlTaWNBL0VvSGxhSzlWSDgKLS0tIEFoWEozY0VSWVA0cVp5dkI4NHNH
RVQ3aDd0c1RDNWd2eGxiNURGRXVXS2sKTT4LpWSIb9hjrcdUWOhieUeUHop0pwoA
OfOv3y3dp7tYc5HRREN5jkVx29jb2lrml0ycu9ek58S8+bolfzN8yQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NGRYOHFVSXBNdjlpVDhF
V0g2ZkRiZnR6UElvWEZKUWxHSjZySlJadHlvCmpBdzBPRklkOVltZWwzNlNrc0pC
bG9kU3phNmFKNGkwek94Y2hZcjZCNW8KLS0tIFFqM0VTQXRuODAva0Rkc2xvWFB4
VTQ3RExKY093VG8vOThCczRzY2tpY2cKJOv0yVl9Zody0mjtytyjCXpe5V3NsReA
/Dqr6V9Hjuf3u0fjMHAjE6hDPGVH5t5NYLkNDeaGHNTaAd5dnhfprg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-31T16:57:58Z"
mac: ENC[AES256_GCM,data:VJpsLBdnle6bP6ALxLS2eTOEbiHJbNc5D+pvsoJulI9VODtBk0p1VvJv9ilToxh4oiwctMmCKSO4R9NyuZUqoqwwlYtW6tFDITBA2eg/iu/uQjcuuKLC+fFGdtnTpZcShUyMds3qi8Z8Iegk2sSMLk5QXCE2QhMUQ50VN4TXF2c=,iv:rOF34iqckOJMAVm+3RDSdlrJh4hgnyiTut3SM1e0w0E=,tag:cMjMkKkN8UFWGQqQfWBUnA==,type:str]
pgp:
- created_at: "2024-10-31T16:40:38Z"
- created_at: "2024-11-04T20:52:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D1GtNSlou/HkSAQdAmS/QDuU40+HtiMoCa9byz80b6lGMd6cvqxYShifFxUgw
Bn34D6HB6z3nQxWanlOCkA2ud8GBUhEFlLjsQf29apfWuWxKpNv37Olou1/vGvNm
0l4BIzFesU+aoIUi+Fp0GbJ1+ObzRvGZq1IULChsDgbbvDnHah7yvN5wKYwj6x7f
ZhPpm40+FLea1najiN6igUD6oUy8TSYnCgPODef4FeI0ZwFqF5MaucY8CNuWsugS
=1vZk
hF4D1GtNSlou/HkSAQdApk/nEYcccQBCzFwC+hZbMio0s37LJuK6ceSLW786Sjsw
90ggzfOg63e92cyqYxvbKqtCgVHHU/9RmKdsSZM+rFcR3XpzWw0ke10WjZNW0lU5
0l4BuP1sPvP7Z+kxWlITnYl4SPKxVhSmYtAdGbceiGUo36jtpi9vkziuPmyrGttM
t1PNZ9gjGVyNw96rRg9bgXCSvJo2FfMx8GeArj1yuO3+bkkbDm7mFrbF6fMQN3JE
=Q9iO
-----END PGP MESSAGE-----
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
unencrypted_suffix: _unencrypted