nixos-config/config/services/akkoma/default.nix

{
  pkgs,
  nix-packages,
  config,
  ...
}: let
  raccoon-emoji = pkgs.fetchzip {
    url = "https://volpeon.ink/art/emojis/raccoon/raccoon.zip";
    sha256 = "sha256-GkMiYAP0LS0TL6GMDG4R4FkGwFjhIwn3pAWUmCTUfHg=";
    stripRoot = false;
  };
  static_dir = pkgs.stdenvNoCC.mkDerivation {
    name = "akkoma-static";
    src = pkgs.emptyDirectory;
    nativeBuildInputs = with pkgs; [xorg.lndir];
    akkoma_fe = nix-packages.packages.${pkgs.system}.pleroma-fe;
    akkoma_admin_fe = nix-packages.packages.${pkgs.system}.admin-fe;
    raccoon_emoji = raccoon-emoji;
    tos = ./terms-of-service.html;
    dontUnpack = false;
    installPhase = ''
      mkdir -p $out/frontends/pleroma-fe/stable
      lndir $akkoma_fe $out/frontends/pleroma-fe/stable
      mkdir -p $out/frontends/admin-fe/stable
      lndir $akkoma_admin_fe $out/frontends/admin-fe/stable
      mkdir -p $out/emoji/raccoons
      lndir $raccoon_emoji $out/emoji/raccoons
      mkdir $out/static
      cp $tos $out/static/terms-of-service.html
    '';
  };
  ec = pkgs.formats.elixirConf {};
  akkconfig = ec.generate "config.exs" (with ec.lib; {
    ":pleroma" = {
      "Pleroma.Upload" = {
        uploader = mkRaw "Pleroma.Uploaders.S3";
        filters = map (v: mkRaw ("Pleroma.Upload.Filter." + v)) ["Mogrify" "Exiftool" "Dedupe" "AnonymizeFilename"];
        base_url = "https://mastodon-assets.chir.rs/";
      };
      "Pleroma.Uploaders.S3" = {
        bucket = "mastodon-chir-rs";
        truncated_namespace = "";
      };
      "Pleroma.Upload.Filter.Mogrify" = {
        args = "auto-orient";
      };
      ":instance" = {
        name = "Raccoon Noises";
        email = "lotte@chir.rs";
        description = "Single User Akkoma Instance";
        limit = 58913;
        description_limit = 58913;
        upload_limit = 134217728;
        languages = ["en" "tok"];
        registrations_open = false;
        invites_enabled = true;
        static_dir = "${static_dir}";
        max_pinned_statuses = 10;
        attachment_links = true;
        max_report_comment_size = 58913;
        safe_dm_mentions = true;
        healthcheck = true;
        user_bio_length = 58913;
        user_name_length = 621;
        max_account_fields = 69;
        max_remote_account_fields = 621;
        account_field_name_length = 621;
        account_field_value_length = 58913;
        registration_reason_length = 621;
        external_user_synchronization = true;
        cleanup_attachments = true;
      };
      ":markup" = {
        allow_headings = true;
        allow_tables = true;
        allow_fonts = true;
      };
      ":frontend_configurations" = {
        pleroma_fe = mkMap {
          webPushNotifications = true;
        };
      };
      ":activitypub" = {
        unfollow_blocked = false;
        outgoing_blocks = false;
        blockers_visible = false;
        deny_follow_blocked = true;
        sign_object_fetches = true;
        authorized_fetch_mode = true;
      };
      ":mrf_simple" = let
        processMap = m: map (k: mkTuple [k m.${k}]) (builtins.attrNames m);
      in {
        reject = processMap {
          "qoto.org" = "Freeze Peach";
          "poa.st" = "Hosting neonazis";
          "kiwifarms.cc" = "Targeted Harassment";
          "pmth.us" = "Harassment";
          "nicecrew.digital" = "TERF Instance";
          "freespeechextremist.com" = "Freeze Peach";
          "ryona.agency" = "Freeze Peach";
          "howlr.me" = "Run by verified kiwifarms user";
          "rdrama.cc" = "smells like Kiwifarms shit";
          "xhais.love" = "Zoophile instance";
          "beefyboys.win" = "freeze peach; hosts neonazis";
          "bae.st" = "freeze peach";
        };
        media_removal = processMap {
          "a.rathersafe.space" = "posting borderline illegal imagery as the fediblock account";
        };
      };
      ":mrf" = {
        policies = map (v: mkRaw ("Pleroma.Web.ActivityPub.MRF." + v)) ["SimplePolicy" "EnsureRePrepended" "MediaProxyWarmingPolicy" "ForceBotUnlistedPolicy" "AntiFollowbotPolicy" "ObjectAgePolicy" "TagPolicy" "RequireImageDescription"];
        transparency = true;
      };
      ":http_security" = {
        enabled = true;
        sts = true;
        referrer_policy = "no-referrer";
      };
      ":frontends" = {
        primary = mkMap {
          name = "pleroma-fe";
          ref = "stable";
        };
        admin = mkMap {
          name = "admin-fe";
          ref = "stable";
        };
      };
      ":media_proxy" = {
        enabled = true;
        proxy_opts = {
          redirect_on_failure = true;
        };
      };
      "Pleroma.Repo" = {
        adapter = mkRaw "Ecto.Adapters.Postgres";
        database = "akkoma";
        pool_size = 10;
        socket_dir = "/run/postgresql";
        prepare = mkAtom ":named";
        parameters.plan_cache_mode = "force_custom_plan";
      };
      "Pleroma.Web.Endpoint" = {
        url = {
          host = "akko.chir.rs";
          port = 443;
          scheme = "https";
        };
        secure_cookie_flag = true;
      };
      "Pleroma.Emails.Mailer" = {
        enabled = true;
        adapter = mkRaw "Swoosh.Adapters.SMTP";
        relay = "mail.chir.rs";
        username = "akko@chir.rs";
        port = "465";
        ssl = true;
        auth = mkAtom ":always";
      };
      "Pleroma.Emails.NewUsersDigestEmail" = {
        enabled = true;
      };
      ":database".rum_enabled = true;
    };
    ":web_push_encryption".":vapid_details".subject = "lotte@chir.rs";
  });
in {
  imports = [
    ./mediaproxy.nix
  ];
  services.pleroma = {
    enable = true;
    package = nix-packages.packages.${pkgs.system}.akkoma;
    configs = [(builtins.readFile akkconfig)];
    user = "akkoma";
    group = "akkoma";
    secretConfigFile = config.sops.secrets."services/akkoma.exs".path;
  };
  systemd.services.pleroma.path = with pkgs; [exiftool imagemagick ffmpeg];
  services.postgresql.ensureDatabases = ["akkoma"];
  services.postgresql.ensureUsers = [
    {
      name = "akkoma";
      ensurePermissions = {"DATABASE akkoma" = "ALL PRIVILEGES";};
    }
  ];
  sops.secrets."services/akkoma.exs" = {owner = "akkoma";};
  services.caddy.virtualHosts."akko.chir.rs" = {
    useACMEHost = "chir.rs";
    extraConfig = ''
      import baseConfig
      handle /media_attachments/* {
        redir https://mastodon-assets.chir.rs{uri} permanent
      }
      handle /proxy/* {
        reverse_proxy {
          to http://127.0.0.1:24154
        }
      }
      handle {
        reverse_proxy {
          to http://127.0.0.1:4000
        }
      }
    '';
  };

  services.postgresql.extraPlugins = with pkgs.postgresql_13.pkgs; [rum];
}
notify on service failures 2022-09-12 10:03:10 +00:00			`{`
			`pkgs,`
			`nix-packages,`
			`config,`
			`...`
			`}: let`
add blob raccoon emoji 2022-09-15 10:36:55 +00:00			`raccoon-emoji = pkgs.fetchzip {`
			`url = "https://volpeon.ink/art/emojis/raccoon/raccoon.zip";`
fix hash 2022-09-16 08:00:26 +00:00			`sha256 = "sha256-GkMiYAP0LS0TL6GMDG4R4FkGwFjhIwn3pAWUmCTUfHg=";`
it’s a flat list of files unfortunately 2022-09-16 07:58:14 +00:00			`stripRoot = false;`
add blob raccoon emoji 2022-09-15 10:36:55 +00:00			`};`
notify on service failures 2022-09-12 10:03:10 +00:00			`static_dir = pkgs.stdenvNoCC.mkDerivation {`
			`name = "akkoma-static";`
			`src = pkgs.emptyDirectory;`
			`nativeBuildInputs = with pkgs; [xorg.lndir];`
manual update 2022-09-30 15:46:21 +00:00			`akkoma_fe = nix-packages.packages.${pkgs.system}.pleroma-fe;`
			`akkoma_admin_fe = nix-packages.packages.${pkgs.system}.admin-fe;`
add blob raccoon emoji 2022-09-15 10:36:55 +00:00			`raccoon_emoji = raccoon-emoji;`
add a TOS to akkoma 2022-11-04 16:52:16 +00:00			`tos = ./terms-of-service.html;`
notify on service failures 2022-09-12 10:03:10 +00:00			`dontUnpack = false;`
			`installPhase = ''`
			`mkdir -p $out/frontends/pleroma-fe/stable`
			`lndir $akkoma_fe $out/frontends/pleroma-fe/stable`
			`mkdir -p $out/frontends/admin-fe/stable`
			`lndir $akkoma_admin_fe $out/frontends/admin-fe/stable`
add blob raccoon emoji 2022-09-15 10:36:55 +00:00			`mkdir -p $out/emoji/raccoons`
			`lndir $raccoon_emoji $out/emoji/raccoons`
add a TOS to akkoma 2022-11-04 16:52:16 +00:00			`mkdir $out/static`
			`cp $tos $out/static/terms-of-service.html`
notify on service failures 2022-09-12 10:03:10 +00:00			`'';`
			`};`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`ec = pkgs.formats.elixirConf {};`
			`akkconfig = ec.generate "config.exs" (with ec.lib; {`
			`":pleroma" = {`
			`"Pleroma.Upload" = {`
			`uploader = mkRaw "Pleroma.Uploaders.S3";`
			`filters = map (v: mkRaw ("Pleroma.Upload.Filter." + v)) ["Mogrify" "Exiftool" "Dedupe" "AnonymizeFilename"];`
			`base_url = "https://mastodon-assets.chir.rs/";`
			`};`
			`"Pleroma.Uploaders.S3" = {`
			`bucket = "mastodon-chir-rs";`
			`truncated_namespace = "";`
			`};`
			`"Pleroma.Upload.Filter.Mogrify" = {`
			`args = "auto-orient";`
			`};`
			`":instance" = {`
			`name = "Raccoon Noises";`
			`email = "lotte@chir.rs";`
			`description = "Single User Akkoma Instance";`
			`limit = 58913;`
			`description_limit = 58913;`
make the RequireImageDescription policy less strict 2022-11-04 15:37:18 +00:00			`upload_limit = 134217728;`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`languages = ["en" "tok"];`
enable invites 2022-11-06 07:22:50 +00:00			`registrations_open = false;`
			`invites_enabled = true;`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`static_dir = "${static_dir}";`
			`max_pinned_statuses = 10;`
			`attachment_links = true;`
			`max_report_comment_size = 58913;`
			`safe_dm_mentions = true;`
			`healthcheck = true;`
			`user_bio_length = 58913;`
			`user_name_length = 621;`
			`max_account_fields = 69;`
			`max_remote_account_fields = 621;`
			`account_field_name_length = 621;`
			`account_field_value_length = 58913;`
			`registration_reason_length = 621;`
			`external_user_synchronization = true;`
			`cleanup_attachments = true;`
			`};`
			`":markup" = {`
			`allow_headings = true;`
			`allow_tables = true;`
			`allow_fonts = true;`
			`};`
			`":frontend_configurations" = {`
			`pleroma_fe = mkMap {`
			`webPushNotifications = true;`
			`};`
			`};`
activitypub hardening 2022-11-05 16:50:31 +00:00			`":activitypub" = {`
			`unfollow_blocked = false;`
			`outgoing_blocks = false;`
			`blockers_visible = false;`
			`deny_follow_blocked = true;`
			`sign_object_fetches = true;`
			`authorized_fetch_mode = true;`
			`};`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`":mrf_simple" = let`
index with key not value 2022-10-26 19:32:41 +00:00			`processMap = m: map (k: mkTuple [k m.${k}]) (builtins.attrNames m);`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`in {`
			`reject = processMap {`
			`"qoto.org" = "Freeze Peach";`
			`"poa.st" = "Hosting neonazis";`
			`"kiwifarms.cc" = "Targeted Harassment";`
			`"pmth.us" = "Harassment";`
			`"nicecrew.digital" = "TERF Instance";`
			`"freespeechextremist.com" = "Freeze Peach";`
			`"ryona.agency" = "Freeze Peach";`
			`"howlr.me" = "Run by verified kiwifarms user";`
			`"rdrama.cc" = "smells like Kiwifarms shit";`
Block xhais.love Zoophile instance 2022-11-05 08:47:25 +00:00			`"xhais.love" = "Zoophile instance";`
catch up with some blocks 2022-11-05 16:47:30 +00:00			`"beefyboys.win" = "freeze peach; hosts neonazis";`
			`"bae.st" = "freeze peach";`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`};`
			`media_removal = processMap {`
			`"a.rathersafe.space" = "posting borderline illegal imagery as the fediblock account";`
			`};`
			`};`
			`":mrf" = {`
			`policies = map (v: mkRaw ("Pleroma.Web.ActivityPub.MRF." + v)) ["SimplePolicy" "EnsureRePrepended" "MediaProxyWarmingPolicy" "ForceBotUnlistedPolicy" "AntiFollowbotPolicy" "ObjectAgePolicy" "TagPolicy" "RequireImageDescription"];`
			`transparency = true;`
			`};`
add some hardening options 2022-11-05 13:05:45 +00:00			`":http_security" = {`
			`enabled = true;`
			`sts = true;`
			`referrer_policy = "no-referrer";`
			`};`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`":frontends" = {`
			`primary = mkMap {`
			`name = "pleroma-fe";`
			`ref = "stable";`
			`};`
			`admin = mkMap {`
			`name = "admin-fe";`
			`ref = "stable";`
			`};`
			`};`
enable mediaproxy in akkoma 2022-11-05 21:04:41 +00:00			`":media_proxy" = {`
			`enabled = true;`
			`proxy_opts = {`
			`redirect_on_failure = true;`
			`};`
			`};`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`"Pleroma.Repo" = {`
			`adapter = mkRaw "Ecto.Adapters.Postgres";`
			`database = "akkoma";`
			`pool_size = 10;`
			`socket_dir = "/run/postgresql";`
force custom query plans in akkoma 2022-11-06 18:28:32 +00:00			`prepare = mkAtom ":named";`
			`parameters.plan_cache_mode = "force_custom_plan";`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`};`
add some hardening options 2022-11-05 13:05:45 +00:00			`"Pleroma.Web.Endpoint" = {`
			`url = {`
			`host = "akko.chir.rs";`
			`port = 443;`
			`scheme = "https";`
			`};`
			`secure_cookie_flag = true;`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`};`
Add mail support to akkoma 2022-11-04 18:04:23 +00:00			`"Pleroma.Emails.Mailer" = {`
			`enabled = true;`
			`adapter = mkRaw "Swoosh.Adapters.SMTP";`
			`relay = "mail.chir.rs";`
			`username = "akko@chir.rs";`
			`port = "465";`
			`ssl = true;`
fix mailer config 2022-11-05 09:03:42 +00:00			`auth = mkAtom ":always";`
Add mail support to akkoma 2022-11-04 18:04:23 +00:00			`};`
			`"Pleroma.Emails.NewUsersDigestEmail" = {`
			`enabled = true;`
			`};`
enable rum indexes 2022-11-06 18:49:46 +00:00			`":database".rum_enabled = true;`
convert akkoma config to nix 2022-10-26 19:26:48 +00:00			`};`
			`":web_push_encryption".":vapid_details".subject = "lotte@chir.rs";`
			`});`
notify on service failures 2022-09-12 10:03:10 +00:00			`in {`
add mediaproxy maybe 2022-11-05 20:26:45 +00:00			`imports = [`
			`./mediaproxy.nix`
			`];`
add akkoma 2022-09-09 17:59:43 +00:00			`services.pleroma = {`
			`enable = true;`
			`package = nix-packages.packages.${pkgs.system}.akkoma;`
make akkoma config an ifd 2022-10-26 21:08:58 +00:00			`configs = [(builtins.readFile akkconfig)];`
add akkoma 2022-09-09 17:59:43 +00:00			`user = "akkoma";`
			`group = "akkoma";`
			`secretConfigFile = config.sops.secrets."services/akkoma.exs".path;`
			`};`
notify on service failures 2022-09-12 10:03:10 +00:00			`systemd.services.pleroma.path = with pkgs; [exiftool imagemagick ffmpeg];`
add akkoma 2022-09-09 17:59:43 +00:00			`services.postgresql.ensureDatabases = ["akkoma"];`
			`services.postgresql.ensureUsers = [`
			`{`
			`name = "akkoma";`
			`ensurePermissions = {"DATABASE akkoma" = "ALL PRIVILEGES";};`
			`}`
			`];`
notify on service failures 2022-09-12 10:03:10 +00:00			`sops.secrets."services/akkoma.exs" = {owner = "akkoma";};`
add akkoma 2022-09-09 17:59:43 +00:00			`services.caddy.virtualHosts."akko.chir.rs" = {`
			`useACMEHost = "chir.rs";`
			`extraConfig = ''`
			`import baseConfig`
			`handle /media_attachments/* {`
			`redir https://mastodon-assets.chir.rs{uri} permanent`
			`}`
add mediaproxy maybe 2022-11-05 20:26:45 +00:00			`handle /proxy/* {`
			`reverse_proxy {`
			`to http://127.0.0.1:24154`
			`}`
			`}`
add akkoma 2022-09-09 17:59:43 +00:00			`handle {`
			`reverse_proxy {`
			`to http://127.0.0.1:4000`
			`}`
			`}`
			`'';`
			`};`
add rum support 2022-11-06 18:35:24 +00:00
			`services.postgresql.extraPlugins = with pkgs.postgresql_13.pkgs; [rum];`
add akkoma 2022-09-09 17:59:43 +00:00			`}`