diff --git a/config/hosts/florp/configuration.nix b/config/hosts/florp/configuration.nix
index 578f28e..4a7e62f 100644
--- a/config/hosts/florp/configuration.nix
+++ b/config/hosts/florp/configuration.nix
@@ -11,6 +11,7 @@
 hostName = "florp";
 domain = lib.mkForce "social";
 };
+ kyouma.nginx.defaultForbidden = "florp.social";
 systemd.network.networks."98-eth-default" = {
 address = [
 "2a0f:be01:0:100::171/128"
@@ -18,22 +19,22 @@
 };
 services.postgresql.settings = {
- max_connections = 200;
- shared_buffers = "8GB";
- effective_cache_size = "10GB";
- maintenance_work_mem = "2GB";
+ max_connections = 30;
+ shared_buffers = "4GB";
+ effective_cache_size = "12GB";
+ maintenance_work_mem = "1GB";
 checkpoint_completion_target = 0.9;
 wal_buffers = "16MB";
 default_statistics_target = 100;
 random_page_cost = 1.1;
 effective_io_concurrency = 200;
- work_mem = "31457kB";
+ work_mem = "34952kB";
 huge_pages = "try";
- min_wal_size = "1GB";
- max_wal_size = "4GB";
- max_worker_processes = 32;
+ min_wal_size = "2GB";
+ max_wal_size = "8GB";
+ max_worker_processes = 16;
 max_parallel_workers_per_gather = 4;
- max_parallel_workers = 32;
+ max_parallel_workers = 16;
 max_parallel_maintenance_workers = 4;
 };
 system.stateVersion = "24.11";
diff --git a/config/services/akkoma/default.nix b/config/services/akkoma/default.nix
index 9a242c5..874f054 100644
--- a/config/services/akkoma/default.nix
+++ b/config/services/akkoma/default.nix
@@ -1,4 +1,4 @@
-{ config, inputs, pkgs, ... }: {
+{ config, inputs, lib, pkgs, ... }: {
 sops.secrets."services/akkoma/mailerPassword" = {
 sopsFile = ../../../secrets/services/akkoma.yaml;
 };
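Review bot: The added `kyouma.nginx.defaultForbidden = "florp.social";` reads like a boolean or a hostname to block, but in modules/nginx/default.nix further down in this diff the value is consumed as `useACMEHost = cfg.defaultForbidden;`, so it must name an existing ACME certificate and the catch-all vhost will present that certificate to every unknown Host. A one-line comment at the assignment would save the next reader the lookup, e.g. `# name of the ACME cert the 403 catch-all vhost serves (see modules/nginx)`. The enclosing attribute set starts before this hunk.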
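Review bot: `max_connections = 30;` is a cut from 200 with no note of what the consumers need, and the diff does not show the Akkoma/Ecto pool size or any other clients (backups, psql sessions); if those together exceed 30, PostgreSQL refuses new connections with its "too many clients already" error under load instead of degrading gracefully. Please check the configured pool size against this value before deploying, and record the budget next to the setting, e.g. `# = akkoma Ecto pool + headroom for admin/backup sessions; keep in sync with pool_size`. The halving of `max_worker_processes` and `max_parallel_workers` to 16 is consistent with each other and with `max_parallel_workers_per_gather = 4`, so no concern there.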
@@ -38,23 +38,7 @@
 extraStatic."images/sylvia-ritter-15012323.avif" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.wallpaper;
- extraStatic."favicon.png" = let
- rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
- in pkgs.stdenvNoCC.mkDerivation {
- name = "favicon.png";
-
- src = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/TilCreator/NixOwO/${rev}/NixOwO_plain.svg";
- hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
- };
-
- nativeBuildInputs = with pkgs; [ librsvg ];
-
- dontUnpack = true;
- installPhase = ''
- rsvg-convert -o $out -w 96 -h 96 $src
- '';
- };
+ extraStatic."favicon.png" = inputs.florp-branding.packages.${config.nixpkgs.hostPlatform.system}.favicon;
 frontends = {
 primary = {
@@ -70,7 +54,8 @@
 };
 };
 services.akkoma.config = let
- inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap;
+ inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkAtom mkMap mkTuple;
+ mapAttrsToListOfTuple = attr: lib.mapAttrsToList (name: value: mkTuple [ name value ]) attr;
 in {
 ":pleroma" = {
 ":instance" = {
@@ -146,16 +131,13 @@
 "Pleroma.Upload.Filter.AnonymizeFilename"
 ];
- ":mrf" = {
- transparency = true;
- policies = map mkRaw [
- "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
- "Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
- ];
- };
+ ":mrf".policies = map mkRaw [
+ "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
+ "Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
+ ];
 ":mrf_simple" = {
- reject = mkMap {
+ reject = mapAttrsToListOfTuple {
 "bae.st" = "harassment";
 "brighteon.social" = "incompatible";
 "detroitriotcity.com" = "incompatible";
@@ -170,13 +152,12 @@
 "spinster.xyz" = "incompatible";
 "truthsocial.co.in" = "incompatible";
 "varishangout.net" = "incompatible";
- "activitypub-troll.cf" = "security";
 "misskey-forkbomb.cf" = "security";
 "repl.co" = "security";
 };
- followers_only = mkMap {
+ followers_only = mapAttrsToListOfTuple {
 "bitcoinhackers.org" = "annoying";
 };
 };
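Review bot: The new helper `mapAttrsToListOfTuple = attr: lib.mapAttrsToList (name: value: mkTuple [ name value ]) attr;` in the `@@ -70` hunk wraps its argument only to pass it straight through, so it can be eta-reduced to `mapAttrsToListOfTuple = lib.mapAttrsToList (name: value: mkTuple [ name value ]);` with identical behaviour. A short comment stating why tuples are used instead of the previous `mkMap` would also help, since the reason for the format change is not in the diff; something like `# :mrf_simple expects a keyword-style list of {host, reason} tuples, not a map` if that is the motivation. The `services.akkoma.config` attribute set continues well past this hunk.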
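Review bot: Collapsing `":mrf" = { transparency = true; policies = ...; }` into `":mrf".policies = ...` in the `@@ -146` hunk silently drops `transparency = true`, so whether the instance keeps publishing its MRF policies now depends on Akkoma's upstream default rather than on this repo. If the intent is only to tidy the attribute path, keep the setting explicitly, e.g. `":mrf".transparency = true;` next to the new `":mrf".policies` line; if dropping it is deliberate, a comment saying so would stop the next reader from re-adding it. The enclosing `":pleroma"` set starts before this hunk and ends after it.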
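Review bot: The `@@ -170` hunk removes `"activitypub-troll.cf" = "security";` from the `reject` list while leaving the other two "security" entries, and neither the diff nor a comment says why; de-listing a domain that was blocked for a security reason deserves an explicit note (for instance that the domain is defunct, if that is the case) so the history of the block list stays auditable. A one-line comment above the `security` group such as `# security: hosts removed here should be noted in the commit message` would make the convention visible. The `":mrf_simple"` set begins before this hunk.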
diff --git a/flake.lock b/flake.lock
index 6a5babc..4489d96 100644
--- a/flake.lock
+++ b/flake.lock
@@ -437,11 +437,11 @@
 ]
 },
 "locked": {
- "lastModified": 1730469723,
- "narHash": "sha256-5U2aVAXbzd26f0r4+1fo0F4KTqY5h3z2fV0uDJ9YsMQ=",
+ "lastModified": 1730825511,
+ "narHash": "sha256-Ywc4Y+4VobocyxcVhHlJ5Q5h1fOdsJNlAlWlrkqC8U0=",
 "ref": "refs/heads/main",
- "rev": "16f4a9c871b5417b9ed17e7666c1b266dd8de464",
- "revCount": 1,
+ "rev": "81bde12357d59215e7d67c7f55c2eb3d54c47689",
+ "revCount": 2,
 "type": "git",
 "url": "https://woof.rip/florp/branding.git"
 },
@@ -542,11 +542,11 @@
 ]
 },
 "locked": {
- "lastModified": 1730633670,
- "narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=",
+ "lastModified": 1730837930,
+ "narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661",
+ "rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
 "type": "github"
 },
 "original": {
@@ -795,11 +795,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1730537918,
- "narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
+ "lastModified": 1730828750,
+ "narHash": "sha256-XrnZLkLiBYNlwV5gus/8DT7nncF1TS5la6Be7rdVOpI=",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
+ "rev": "2e78b1af8025108ecd6edaa3ab09695b8a4d3d55",
 "type": "github"
 },
 "original": {
@@ -926,11 +926,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1730531603,
- "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+ "lastModified": 1730785428,
+ "narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
+ "rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
 "type": "github"
 },
 "original": {
@@ -957,11 +957,11 @@
 "treefmt-nix": "treefmt-nix_2"
 },
 "locked": {
- "lastModified": 1730731617,
- "narHash": "sha256-W7FNEe+gewzTSx0lykzZ3XUKmJ8uKk/SpIPblZIfYc0=",
+ "lastModified": 1730792264,
+ "narHash": "sha256-Ue3iywjyaNOxXgw7esVSBX3bZzM2bSPubZamYsBKIG8=",
 "owner": "nix-community",
 "repo": "nixvim",
- "rev": "aa06b176e78c9ae9e779e605cab61c9d8681a54e",
+ "rev": "3d24cb72618738130e6af9c644c81fe42aa34ebc",
 "type": "github"
 },
 "original": {
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index 644a2c7..b9d827c 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -3,11 +3,11 @@
 extraConfig = ''
 add_header Strict-Transport-Security $hsts_header;
 add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "same-origin" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
 '';
 createHost = vhostName: vhostCfg: {
 extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
@@ -42,9 +42,13 @@ in {
 builtins.mapAttrs (createHost) cfg.virtualHosts) //
 lib.optionalAttrs (cfg.defaultForbidden != null) {
 "redirect" = {
+ quic = true;
+ http3 = true;
+ # reuseport has to be specified on the quic listener
+ # when using worker_processes auto;
+ reuseport = true;
 default = true;
 forceSSL = true;
- reuseport = true;
 useACMEHost = cfg.defaultForbidden;
 extraConfig = ''
 return 403;
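Review bot: `quic = true; http3 = true;` on the `"redirect"` catch-all in the `@@ -42` hunk turns that vhost into the UDP/443 QUIC listener (it already carried `reuseport`), but nothing in this diff opens UDP 443 in the firewall or shows whether the real vhosts produced by `createHost` enable QUIC too; if UDP/443 stays closed, clients that honour the `Alt-Svc` h3 advertisement from the first hunk of this file will retry over TCP only after a timeout. Please confirm UDP 443 is allowed wherever this module is used, and extend the new comment to say what the listener serves, e.g. `# this catch-all owns the reuseport QUIC listener on :443; per-vhost quic/http3 settings are layered on top`. The `"redirect"` attribute set and the surrounding `in { ... }` continue past the end of the hunk.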
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 72ef525..8934f1c 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
@@ -6,5 +6,9 @@ final: prev: {
 librespeed-rust = final.callPackage ./librespeed-rust/default.nix {};
 librespeed-go = final.callPackage ./librespeed-go/default.nix {};
 akkoma-fe-domi = final.callPackage ./akkoma-fe-domi/default.nix {};
- nginxQuic = prev.nginxQuic.override { withSlice = true; };
+ nginxQuic = prev.nginxQuic.override {
+ withSlice = true;
+ # Use zlib because zlib-ng uses larger buffers then nginx preallocates.
+ zlib = final.zlib;
+ };
 }
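Review bot: The new comment on the `zlib = final.zlib;` override has a typo ("then" for "than") and does not record the symptom that motivated the workaround, so nobody will know when it is safe to drop; suggested wording: `# Use plain zlib: zlib-ng needs larger buffers than nginx's gzip filter preallocates, which shows up as gzip-filter memory warnings in the nginx log (re-check after nginx/nixpkgs updates).` Note also that `final.zlib` resolves through the overlay fixed point, so if any other overlay ever replaces `zlib` with zlib-ng this override would silently stop doing what the comment says; `prev.zlib` would be one way to pin it, if that matches the intent.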