diff --git a/configurations/host/valkyrie/default.nix b/configurations/host/valkyrie/default.nix
index dab4def..d77dba6 100644
--- a/configurations/host/valkyrie/default.nix
+++ b/configurations/host/valkyrie/default.nix
@@ -9,7 +9,7 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
- ./pleroma.nix
+ ./services
 ];
 materus.profile.nix.enable = true;
@@ -28,7 +28,7 @@
 networking.hostName = "valkyrie"; # Define your hostname.
 # Pick only one of the below networking options.
 # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
- networking.networkmanager.enable = false; # Easiest to use and most distros use this by default.
+ networking.networkmanager.enable = false;
 # Set your time zone.
 time.timeZone = "Europe/Warsaw";
@@ -100,7 +100,7 @@
 services.openssh.settings.PasswordAuthentication = true;
- services.adguardhome.enable = true;
+ # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
 # networking.firewall.allowedUDPPorts = [ ... ];
diff --git a/configurations/host/valkyrie/services/default.nix b/configurations/host/valkyrie/services/default.nix
new file mode 100644
index 0000000..8702dc6
--- /dev/null
+++ b/configurations/host/valkyrie/services/default.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, materusFlake, ... }:
+{
+ imports =
+ [
+ ./pleroma.nix
+ ./pihole.nix
+ ];
+ services.adguardhome.enable = false;
+
+ valkyrieService.pihole.enable = true;
+ valkyrieService.pleroma.enable = true;
+
+
+
+}
\ No newline at end of file
diff --git a/configurations/host/valkyrie/services/pihole.nix b/configurations/host/valkyrie/services/pihole.nix
new file mode 100644
index 0000000..24ba674
--- /dev/null
+++ b/configurations/host/valkyrie/services/pihole.nix
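Review bot: `services.adguardhome.enable = false;` in services/default.nix turns off AdGuard Home, which the host file in the earlier hunk had enabled, while the pihole container that replaces it binds port 53 on `127.0.0.1` by default; if AdGuard Home was serving other hosts, this quietly changes who can resolve through this machine, and nothing in the file records the switch. A one-line comment such as `# DNS filtering moved to the pihole container (see pihole.nix); AdGuard Home kept off here` would make the intent visible to the next reader. The `materusFlake` argument in the module header is not used anywhere in this file and can be dropped.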
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, materusPkgs, ... }:
+{
+ options.valkyrieService.pihole.enable = materusPkgs.lib.mkBoolOpt false "Enable pihole";
+ options.valkyrieService.pihole.dnsIP = lib.mkOption { default = "127.0.0.1";};
+ options.valkyrieService.pihole.webIP = lib.mkOption { default = "127.0.0.1";};
+
+
+
+ config = let
+ cfg = config.valkyrieService.pihole;
+ dnsmasqConf = pkgs.writeText "02-dnsmasq-custom.conf" ''
+ no-hosts
+ '';
+
+ in lib.mkIf config.valkyrieService.pihole.enable {
+ systemd.tmpfiles.rules = [
+ "d /var/lib/dnsmasq.d 0776 root root -"
+ "d /var/lib/pihole 0776 root root -"
+ "L+ /var/lib/dnsmasq.d/02-dnsmasq-custom.conf 0776 root root - ${dnsmasqConf}"
+ ];
+
+ virtualisation.oci-containers.containers.pihole = {
+ image = "pihole/pihole:latest";
+ ports =
+ [
+ "${cfg.dnsIP}:53:53/tcp"
+ "${cfg.dnsIP}:53:53/udp"
+ "${cfg.webIP}:3000:80"
+ ];
+ environment = {
+ TZ = "Europe/Warsaw";
+ FTLCONF_LOCAL_IPV4="127.0.0.1";
+ DNSMASQ_USER="root";
+ VIRTUAL_HOST="pi.hole";
+ PROXY_LOCATION="pi.hole";
+ };
+ volumes = [
+ "/var/lib/pihole/:/etc/pihole/"
+ "/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
+ "/nix/store:/nix/store"
+ ];
+ extraOptions =
+ [
+ "--cap-add=NET_ADMIN"
+ "--dns=127.0.0.1"
+ "--dns=9.9.9.9"
+ "--hostname=pi.hole"
+ ];
+ };
+
+ };
+
+
+}
diff --git a/configurations/host/valkyrie/services/pleroma.nix b/configurations/host/valkyrie/services/pleroma.nix
new file mode 100644
index 0000000..7f5d6ba
--- /dev/null
+++ b/configurations/host/valkyrie/services/pleroma.nix
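Review bot: The tmpfiles rules create `/var/lib/dnsmasq.d` and `/var/lib/pihole` with mode `0776`, so any local account can write into directories that are bind-mounted as the container's `/etc/dnsmasq.d/` and `/etc/pihole/`, where dnsmasq (started as root via `DNSMASQ_USER="root"`) reads its configuration; an unprivileged host user could thereby change resolver behaviour for every client of this DNS. Root-only write is sufficient because the container already runs as root: `"d /var/lib/dnsmasq.d 0755 root root -"` and `"d /var/lib/pihole 0750 root root -"`. The `/nix/store` bind mount appears to exist only so the `L+` symlink to `${dnsmasqConf}` resolves inside the container; `"/nix/store:/nix/store:ro"` gives the same result without handing the container a writable view of the whole store. `image = "pihole/pihole:latest"` is unpinned, so each restart may pull a different image; pinning a version tag or digest keeps upgrades reproducible and reviewable.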
@@ -0,0 +1,149 @@ +{ config, pkgs, lib, materusPkgs, ... }: +let + + socketPath = "/run/pleroma/http.sock"; + + + socketChmod = with pkgs; with lib; pkgs.writers.writeBashBin "pleroma-socket" + '' + coproc { + ${inotify-tools}/bin/inotifywait -q -m -e create ${escapeShellArg (dirOf socketPath)} + } + + trap 'kill "$COPROC_PID"' EXIT TERM + + until ${pkgs.coreutils}/bin/test -S ${escapeShellArg socketPath} + do read -r -u "''${COPROC[0]}" + done + + ${pkgs.coreutils}/bin/chmod 0666 ${socketPath} + ''; + + soapbox = pkgs.stdenv.mkDerivation rec { + pname = "soapbox"; + version = "v3.2.0"; + dontBuild = true; + dontConfigure = true; + src = pkgs.fetchurl { + name = "soapbox"; + url = "https://gitlab.com/soapbox-pub/soapbox/-/jobs/artifacts/${version}/download?job=build-production"; + sha256 = "sha256-AdW6JK7JkIKLZ8X+N9STeOHqmGNUdhcXyC9jsQPTa9o="; + }; + nativeBuildInputs = [ pkgs.unzip ]; + unpackPhase = '' + unzip $src -d . + ''; + installPhase = '' + mv ./static $out + ''; + + }; + +in +{ + options.valkyrieService.pleroma.enable = materusPkgs.lib.mkBoolOpt false "Enable pleroma"; + config = lib.mkIf config.valkyrieService.pleroma.enable { + systemd.tmpfiles.rules = [ + "d /var/lib/pleroma 0766 pleroma pleroma -" + "d /var/lib/pleroma/static 0766 pleroma pleroma -" + "d /var/lib/pleroma/uploads 0766 pleroma pleroma -" + "L+ /var/lib/pleroma/static/frontends/soapbox/${soapbox.version} 0766 pleroma pleroma - ${soapbox}" + ]; + + services.nginx.virtualHosts."podkos.xyz" = { + http2 = true; + useACMEHost = "podkos.xyz"; + forceSSL = true; + locations."/" = { + proxyPass = "http://unix:${socketPath}"; + extraConfig = '' + etag on; + gzip on; + + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, 
X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + if ($request_method = OPTIONS) { + return 204; + } + + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + + client_max_body_size 8m; + + + ''; + }; + + }; + systemd.services.pleroma.serviceConfig = { + RuntimeDirectory = "pleroma"; + RuntimeDirectoryPreserve = true; + + + ExecStartPost = "${socketChmod}/bin/pleroma-socket"; + ExecStopPost = ''${pkgs.coreutils}/bin/rm -f ${socketPath}''; + }; + + + + + services.pleroma = { + enable = true; + secretConfigFile = "/var/lib/pleroma/secrets.exs"; + configs = [ + '' + import Config + + config :pleroma, Pleroma.Web.Endpoint, + url: [host: "podkos.xyz", scheme: "https", port: 443], + http: [ip: {:local, "${socketPath}"}, port: 0] + + config :pleroma, :instance, + name: "Podziemia Kosmosu", + email: "admin@podkos.xyz", + notify_email: "noreply@podkos.xyz", + limit: 5000, + registrations_open: false + + config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + + config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + socket: "/run/postgresql/.s.PGSQL.5432", + username: "pleroma", + database: "pleroma" + + + # Configure web push notifications + config :web_push_encryption, :vapid_details, + subject: "mailto:admin@podkos.x yz" + config :pleroma, :frontends, + primary: %{ + "name" => "soapbox", + "ref" => "${soapbox.version}" + } + + config :pleroma, :database, rum_enabled: false + config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" + config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" + + config :pleroma, configurable_from_database: true + config 
:pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.AnonymizeFilename] + '' + ]; + }; + }; +}
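Review bot: `chmod 0666` in the `pleroma-socket` script makes `/run/pleroma/http.sock` connectable by every local user, so anything on the host can reach Pleroma's HTTP endpoint directly and bypass the TLS, CORS and header policy the nginx vhost enforces, when nginx is the only client that needs the socket. Group access is enough: change the script line to `${pkgs.coreutils}/bin/chmod 0660 ${socketPath}` and add `users.users.nginx.extraGroups = [ "pleroma" ];` to the config block (assuming the service runs under group `pleroma`, as the tmpfiles ownership suggests). The tmpfiles entries also use mode `0766`, which grants group and world write on the state, static and uploads directories; `0750` matches what a pleroma-owned tree needs. Separately, the VAPID subject reads `"mailto:admin@podkos.x yz"`, which looks like a typo for `podkos.xyz` unless it is an artifact of this rendering.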