Update from update-inputs-2024-11-06-04-20

Update Bot 2024-11-06 04:20:41 +01:00
commit 8b2e1d7bdc
No known key found for this signature in database
5 changed files with 51 additions and 61 deletions


@ -11,6 +11,7 @@
hostName = "florp";
domain = lib.mkForce "social";
};
kyouma.nginx.defaultForbidden = "florp.social";
systemd.network.networks."98-eth-default" = {
address = [
"2a0f:be01:0:100::171/128"
@ -18,22 +19,22 @@
};
services.postgresql.settings = {
max_connections = 200;
shared_buffers = "8GB";
effective_cache_size = "10GB";
maintenance_work_mem = "2GB";
max_connections = 30;
shared_buffers = "4GB";
effective_cache_size = "12GB";
maintenance_work_mem = "1GB";
checkpoint_completion_target = 0.9;
wal_buffers = "16MB";
default_statistics_target = 100;
random_page_cost = 1.1;
effective_io_concurrency = 200;
work_mem = "31457kB";
work_mem = "34952kB";
huge_pages = "try";
min_wal_size = "1GB";
max_wal_size = "4GB";
max_worker_processes = 32;
min_wal_size = "2GB";
max_wal_size = "8GB";
max_worker_processes = 16;
max_parallel_workers_per_gather = 4;
max_parallel_workers = 32;
max_parallel_workers = 16;
max_parallel_maintenance_workers = 4;
};
system.stateVersion = "24.11";
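Review bot: `max_connections = 30` in the `services.postgresql.settings` hunk leaves little headroom, and nothing in this section shows the application's database pool size. If the Akkoma pool plus maintenance sessions exceed the limit, new connections are refused, which is an availability problem for the instance. I would record the sizing basis next to the block, e.g. `# sized for <RAM> and <pool size>; keep max_connections above the Akkoma pool plus reserved superuser slots` (placeholders to be filled in). The old/new sides are inferred from the rendering because the +/- markers were lost. These are hand-written tuning changes in a commit titled as an automated input update, and the page shows no known key for its signature, so authorship is worth confirming before deploying.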


@ -1,4 +1,4 @@
{ config, inputs, pkgs, ... }: {
{ config, inputs, lib, pkgs, ... }: {
sops.secrets."services/akkoma/mailerPassword" = {
sopsFile = ../../../secrets/services/akkoma.yaml;
};
@ -38,23 +38,7 @@
extraStatic."images/sylvia-ritter-15012323.avif" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.wallpaper;
extraStatic."favicon.png" = let
rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
in pkgs.stdenvNoCC.mkDerivation {
name = "favicon.png";
src = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/TilCreator/NixOwO/${rev}/NixOwO_plain.svg";
hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
};
nativeBuildInputs = with pkgs; [ librsvg ];
dontUnpack = true;
installPhase = ''
rsvg-convert -o $out -w 96 -h 96 $src
'';
};
extraStatic."favicon.png" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.favicon;
frontends = {
primary = {
@ -70,7 +54,8 @@
};
};
services.akkoma.config = let
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap;
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap mkTuple;
mapAttrsToListOfTuple = attr: lib.mapAttrsToList (name: value: mkTuple [ name value ]) attr;
in {
":pleroma" = {
":instance" = {
@ -146,16 +131,13 @@
"Pleroma.Upload.Filter.AnonymizeFilename"
];
":mrf" = {
transparency = true;
policies = map mkRaw [
"Pleroma.Web.ActivityPub.MRF.SimplePolicy"
"Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
];
};
":mrf".policies = map mkRaw [
"Pleroma.Web.ActivityPub.MRF.SimplePolicy"
"Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
];
":mrf_simple" = {
reject = mkMap {
reject = mapAttrsToListOfTuple {
"bae.st" = "harassment";
"brighteon.social" = "incompatible";
"detroitriotcity.com" = "incompatible";
@ -170,13 +152,12 @@
"spinster.xyz" = "incompatible";
"truthsocial.co.in" = "incompatible";
"varishangout.net" = "incompatible";
"activitypub-troll.cf" = "security";
"misskey-forkbomb.cf" = "security";
"repl.co" = "security";
};
followers_only = mkMap {
followers_only = mapAttrsToListOfTuple {
"bitcoinhackers.org" = "annoying";
};
};
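Review bot: In the `:mrf` hunk the new one-line form `":mrf".policies = …` no longer carries `transparency = true`, so whether the instance still publishes its MRF policy now depends on the upstream default, which is not visible here. If the removal is deliberate (for example to keep the reject list and its reasons out of the public instance metadata), say so in a comment; if not, keep it explicit with `":mrf".transparency = true;`. The new `mapAttrsToListOfTuple` helper would also benefit from a one-line comment such as `# :mrf_simple entries are emitted as {host, reason} tuples instead of a map`. The old/new sides are inferred from the rendering because the +/- markers were lost, and the enclosing `services.akkoma.config` set continues outside the hunks.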


@ -437,11 +437,11 @@
]
},
"locked": {
"lastModified": 1730469723,
"narHash": "sha256-5U2aVAXbzd26f0r4+1fo0F4KTqY5h3z2fV0uDJ9YsMQ=",
"lastModified": 1730825511,
"narHash": "sha256-Ywc4Y+4VobocyxcVhHlJ5Q5h1fOdsJNlAlWlrkqC8U0=",
"ref": "refs/heads/main",
"rev": "16f4a9c871b5417b9ed17e7666c1b266dd8de464",
"revCount": 1,
"rev": "81bde12357d59215e7d67c7f55c2eb3d54c47689",
"revCount": 2,
"type": "git",
"url": "https://woof.rip/florp/branding.git"
},
@ -542,11 +542,11 @@
]
},
"locked": {
"lastModified": 1730633670,
"narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=",
"lastModified": 1730837930,
"narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661",
"rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
"type": "github"
},
"original": {
@ -795,11 +795,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1730537918,
"narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
"lastModified": 1730828750,
"narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
"rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55",
"type": "github"
},
"original": {
@ -926,11 +926,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1730785428,
"narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
"type": "github"
},
"original": {
@ -957,11 +957,11 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1730731617,
"narHash": "sha256-W7FNEe+gewzTSx0lykzZ3XUKmJ8uKk/SpIPblZIfYc0=",
"lastModified": 1730792264,
"narHash": "sha256-Ue3iywjyaNOxXgw7esVSBX3bZzM2bSPubZamYsBKIG8=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "aa06b176e78c9ae9e779e605cab61c9d8681a54e",
"rev": "3d24cb72618738130e6af9c644c81fe42aa34ebc",
"type": "github"
},
"original": {


@ -3,11 +3,11 @@
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
createHost = vhostName: vhostCfg: {
extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
@ -42,9 +42,13 @@ in {
builtins.mapAttrs (createHost) cfg.virtualHosts) //
lib.optionalAttrs (cfg.defaultForbidden != null) {
"redirect" = {
quic = true;
http3 = true;
# reuseport has to be specified on the quic listener
# when using worker_processes auto;
reuseport = true;
default = true;
forceSSL = true;
reuseport = true;
useACMEHost = cfg.defaultForbidden;
extraConfig = ''
return 403;
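Review bot: The comment added above `reuseport = true;` in the `"redirect"` vhost explains why the flag is needed for the QUIC listener but omits the other constraint: nginx accepts listen options such as reuseport only once per address:port, so the flag has to stay on exactly one virtual host. Since `createHost` builds the remaining vhosts from `cfg.virtualHosts`, a vhost that also set it would likely fail the nginx config test. I would extend the comment with `# set on this default vhost only; nginx rejects duplicate listen options for the same address:port`. Enabling `quic`/`http3` here also requires UDP 443 to be reachable, and no firewall rule is visible in this section. The vhost's `extraConfig` string continues outside the hunk.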


@ -6,5 +6,9 @@ final: prev: {
librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
librespeed-go = final.callPackage ./librespeed-go/default.nix {};
akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
nginxQuic = prev.nginxQuic.override { withSlice = true; };
nginxQuic = prev.nginxQuic.override {
withSlice = true;
# Use zlib because zlib-ng uses larger buffers then nginx preallocates.
zlib = final.zlib;
};
}
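Review bot: The comment on the new `zlib = final.zlib;` override has a typo ("then" for "than") and does not name the symptom that motivated the change. I would write `# Use plain zlib: zlib-ng needs larger buffers than nginx preallocates.` and, if an upstream report exists, reference it so the override can be dropped once that is fixed. Because this pins nginx to a zlib different from the one the package set would otherwise supply, it is worth re-checking on each nixpkgs bump.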