diff --git a/hosts/akko/akkoma.nix b/hosts/akko/akkoma.nix
new file mode 100644
index 0000000..4f0ac70
--- /dev/null
+++ b/hosts/akko/akkoma.nix
@@ -0,0 +1,81 @@
+{ pkgs, lib, ... }:
+let vhost = "akko.within.website";
+in {
+ services.akkoma = {
+ enable = true;
+ config = let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap;
+ in {
+ ":pleroma"."Pleroma.Web.Endpoint".url.host = vhost;
+ ":pleroma".":media_proxy".enabled = true;
+ ":pleroma".":instance" = {
+ name = "Within's Bot Zone";
+ description =
+ "Within's akkoma server for testing and bot deployment, antifash edition";
+ email = "akko@xeserv.us";
+ notify_email = "akko@xeserv.us";
+
+ registrations_open = false;
+ invites_enabled = true;
+
+ limit = 69420;
+ remote_limit = 100000;
+ max_pinned_statuses = 10;
+ max_account_fields = 100;
+
+ limit_to_local_content = mkRaw ":unauthenticated";
+ healthcheck = true;
+ cleanup_attachments = true;
+ allow_relay = true;
+ };
+ ":pleroma".":mrf".policies =
+ map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ];
+
+ # To allow configuration from admin-fe
+ ":pleroma".":configurable_from_database" = false;
+
+ # S3 setup
+ ":pleroma"."Pleroma.Upload" = {
+ uploader = mkRaw "Pleroma.Uploaders.S3";
+ base_url = "https://s3.us-west-000.backblazeb2.com";
+ strip_exif = false;
+ };
+ ":pleroma"."Pleroma.Uploaders.S3".bucket = "xeserv-akko";
+ ":ex_aws".":s3" = {
+ access_key_id._secret = "/var/lib/secrets/akkoma/b2_key_id";
+ secret_access_key._secret = "/var/lib/secrets/akkoma/b2_app_key";
+ host = "s3.us-west-001.backblazeb2.com";
+ };
+
+ # Automated moderation settings
+ # Borrowed from https://github.com/chaossocial/about/blob/master/blocked_instances.md
+ ":pleroma".":mrf_simple" = let blocklist = import ./blocklist.nix;
+ in {
+ media_nsfw = mkMap blocklist.media_nsfw;
+ reject = mkMap blocklist.reject;
+ followers_only = mkMap blocklist.followers_only;
+ };
+ };
+
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ services.postgresql.enable = true;
+
+ age.secrets = {
+ akko-keyid = {
+ file = ../../secret/akko-keyid.age;
+ path = "/var/lib/secrets/akkoma/b2_key_id";
+ owner = "akkoma";
+ group = "akkoma";
+ };
+ akko-applicationkey = {
+ file = ../../secret/akko-applicationkey.age;
+ path = "/var/lib/secrets/akkoma/b2_app_key";
+ owner = "akkoma";
+ group = "akkoma";
+ };
+ };
+}
diff --git a/hosts/akko/default.nix b/hosts/akko/default.nix
index 4f0ac70..4a39301 100644
--- a/hosts/akko/default.nix
+++ b/hosts/akko/default.nix
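Review bot: `strip_exif = false;` under `"Pleroma.Upload"` keeps camera metadata, including GPS coordinates, in every image written to the public bucket, which leaks uploader location even though registrations are closed; set `strip_exif = true;` (or the equivalent upload filter if the deployed Akkoma version no longer honours this key). The two S3 endpoints also disagree: media is served from `base_url = "https://s3.us-west-000.backblazeb2.com"` while uploads go to `host = "s3.us-west-001.backblazeb2.com"`, so one of them is wrong and objects will be fetched from a region they were never written to. The comment `# To allow configuration from admin-fe` sits on `":configurable_from_database" = false;`, which does the opposite; either flip the value or reword it to `# Keep admin-fe from overriding this declarative config`.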
@@ -1,81 +1,14 @@
-{ pkgs, lib, ... }:
-let vhost = "akko.within.website";
-in {
- services.akkoma = {
- enable = true;
- config = let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap;
- in {
- ":pleroma"."Pleroma.Web.Endpoint".url.host = vhost;
- ":pleroma".":media_proxy".enabled = true;
- ":pleroma".":instance" = {
- name = "Within's Bot Zone";
- description =
- "Within's akkoma server for testing and bot deployment, antifash edition";
- email = "akko@xeserv.us";
- notify_email = "akko@xeserv.us";
+{ ... }: {
+ imports = [
+ ./akkoma.nix
+ ./hardware-configuration.nix
+ ];
- registrations_open = false;
- invites_enabled = true;
-
- limit = 69420;
- remote_limit = 100000;
- max_pinned_statuses = 10;
- max_account_fields = 100;
-
- limit_to_local_content = mkRaw ":unauthenticated";
- healthcheck = true;
- cleanup_attachments = true;
- allow_relay = true;
- };
- ":pleroma".":mrf".policies =
- map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ];
-
- # To allow configuration from admin-fe
- ":pleroma".":configurable_from_database" = false;
-
- # S3 setup
- ":pleroma"."Pleroma.Upload" = {
- uploader = mkRaw "Pleroma.Uploaders.S3";
- base_url = "https://s3.us-west-000.backblazeb2.com";
- strip_exif = false;
- };
- ":pleroma"."Pleroma.Uploaders.S3".bucket = "xeserv-akko";
- ":ex_aws".":s3" = {
- access_key_id._secret = "/var/lib/secrets/akkoma/b2_key_id";
- secret_access_key._secret = "/var/lib/secrets/akkoma/b2_app_key";
- host = "s3.us-west-001.backblazeb2.com";
- };
-
- # Automated moderation settings
- # Borrowed from https://github.com/chaossocial/about/blob/master/blocked_instances.md
- ":pleroma".":mrf_simple" = let blocklist = import ./blocklist.nix;
- in {
- media_nsfw = mkMap blocklist.media_nsfw;
- reject = mkMap blocklist.reject;
- followers_only = mkMap blocklist.followers_only;
- };
- };
-
- nginx = {
- enableACME = true;
- forceSSL = true;
- };
- };
-
- services.postgresql.enable = true;
-
- age.secrets = {
- akko-keyid = {
- file = ../../secret/akko-keyid.age;
- path = "/var/lib/secrets/akkoma/b2_key_id";
- owner = "akkoma";
- group = "akkoma";
- };
- akko-applicationkey = {
- file = ../../secret/akko-applicationkey.age;
- path = "/var/lib/secrets/akkoma/b2_app_key";
- owner = "akkoma";
- group = "akkoma";
- };
- };
+ boot.cleanTmpDir = true;
+ zramSwap.enable = true;
+ networking.hostName = "akko";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6NPbPIcCTzeEsjyx0goWyj6fr2qzcfKCCdOUqg0N/v cadey@kos-mos"
+ ];
 }
diff --git a/hosts/akko/hardware-configuration.nix b/hosts/akko/hardware-configuration.nix
new file mode 100644
index 0000000..82ed5ec
--- /dev/null
+++ b/hosts/akko/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/vda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+
+}
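Review bot: `services.openssh.enable = true;` is added with no authentication hardening, so sshd runs with the NixOS defaults, which as far as I recall still leave password authentication enabled for any non-root account while root is reachable with the listed key. Add `services.openssh.passwordAuthentication = false;` and `services.openssh.kbdInteractiveAuthentication = false;` next to the key (on nixpkgs releases that already renamed these the spelling is `services.openssh.settings.PasswordAuthentication` / `.KbdInteractiveAuthentication`; the still-working `boot.cleanTmpDir` suggests this tree predates that rename, but check). Root key login here depends on the default `PermitRootLogin` of `prohibit-password`; if root-by-key is intended, pin it explicitly so a future default change cannot silently widen it, otherwise move the key to an unprivileged user.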