1 changed files with 4 additions and 141 deletions
@ -1,145 +1,8 @@
|
||||
# Pleroma on NixOS: OTP Release |
||||
|
||||
## Quick Start |
||||
# WARNING!! |
||||
|
||||
Add your pleroma configuration to `/etc/pleroma/config.exs`, make sure |
||||
it's readable by the `pleroma` user. |
||||
This module is **outdated** and in the process of getting upstreamed |
||||
to NixPkgs. https://github.com/NixOS/nixpkgs/pull/103138 |
||||
|
||||
You can then use the following example to get started. |
||||
|
||||
``` |
||||
{ pkgs, ... }: |
||||
let |
||||
pleromaModuleSrc = builtins.fetchTarball { |
||||
url = "https://git.alternativebit.fr/NinjaTrappeur/pleroma-otp-nixos/archive/v2.1.2.tar.gz"; |
||||
sha256 = "0kli4n7jsqk485hgqfp8px5byl6n115cjk2w4i7jnii6h9791q6q"; |
||||
}; |
||||
in |
||||
{ |
||||
imports = [ "${pleromaModuleSrc}/modules/pleroma.nix" ] |
||||
|
||||
security.acme = { |
||||
email = "root@tld"; |
||||
acceptTerms = true; |
||||
certs = { |
||||
"social.tld.com" = { |
||||
webroot = "/var/www/social.tld.com"; |
||||
email = "root@tld"; |
||||
group = "nginx"; |
||||
}; |
||||
}; |
||||
}; |
||||
|
||||
services = { |
||||
pleroma.enable = true; |
||||
postgresql = { |
||||
enable = true; |
||||
package = pkgs.postgresql_12; |
||||
}; |
||||
|
||||
nginx = { |
||||
enable = true; |
||||
virtualHosts."social.tld.com" = { |
||||
addSSL = true; |
||||
sslCertificate = "/var/lib/acme/social.tld.com/fullchain.pem"; |
||||
sslCertificateKey = "/var/lib/acme/social.tld.com/key.pem"; |
||||
root = "/var/www/social.tld.com"; |
||||
# ACME endpoint |
||||
locations."/.well-known/acme-challenge" = { |
||||
root = "/var/www/social.tld.com/"; |
||||
}; |
||||
locations."/" = { |
||||
proxyPass = "http://localhost:4000"; |
||||
extraConfig = '' |
||||
# if you do not want remote frontends to be able to access your Pleroma backend |
||||
# server, remove these lines. |
||||
add_header 'Access-Control-Allow-Origin' '*' always; |
||||
add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; |
||||
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; |
||||
add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; |
||||
if ($request_method = OPTIONS) { |
||||
return 204; |
||||
} |
||||
# stop removing lines here. |
||||
|
||||
add_header X-XSS-Protection "1; mode=block"; |
||||
add_header X-Permitted-Cross-Domain-Policies none; |
||||
add_header X-Frame-Options DENY; |
||||
add_header X-Content-Type-Options nosniff; |
||||
add_header Referrer-Policy same-origin; |
||||
add_header X-Download-Options noopen; |
||||
|
||||
proxy_http_version 1.1; |
||||
proxy_set_header Upgrade $http_upgrade; |
||||
proxy_set_header Connection "upgrade"; |
||||
proxy_set_header Host $host; |
||||
|
||||
client_max_body_size 16m; |
||||
''; |
||||
}; |
||||
}; |
||||
}; |
||||
}; |
||||
} |
||||
``` |
||||
|
||||
## Pleroma Configuration Management |
||||
|
||||
### File Configuration |
||||
|
||||
Pleroma is expecting its configuration to be found at |
||||
`/etc/pleroma/config.exs`. This configuration file is containing some |
||||
secrets, the Nix store being world-readable, it seems like storing the |
||||
pleroma conf there is a pretty bad idea. |
||||
|
||||
Meaning, this module won't handle this configuration file for you, you |
||||
have to do it manually. From here, two options: |
||||
|
||||
1. You are migrating a src-based install (mix-based). You can re-use |
||||
your `$src_root/config/prod.secret.exs` file. Change the `use Mix.Config` |
||||
statement with `use Config`. |
||||
2. This is a brand new installation. In that case you can use |
||||
`pleroma_ctl instance gen --output config.exs --output-psql setup.psql`, |
||||
this will prompt you some questions and will generate both your |
||||
config file and database initial migration. Note: `pleroma_ctl` |
||||
will be in your system path as soon as you enable the pleroma |
||||
service. You can alternatively build it by building this repo's |
||||
`default.nix` derivation. |
||||
|
||||
### Database Configuration |
||||
|
||||
If it's not already done, you need to seed your pleroma postgresql database. |
||||
|
||||
Using the `setup.psql` file generated in the previous section, you can |
||||
load the seed with `sudo -u postgres psql -f seed.psql`. |
||||
|
||||
## Open Questions |
||||
|
||||
- In this module, we decided not to try any kind of magical conf on |
||||
the Nginx-side. Web server configurations can quickly get pretty |
||||
custom, letting the admin handle it seems like the best thing to do |
||||
to me. On top of that, a lot of directives we're using are not |
||||
covered by the NixOS Nginx module, we have to make a heavy use of |
||||
`extraConfig`, making the whole config not easily overrideable. |
||||
**However**, the Nginx block config is quite huge, there's maybe |
||||
something smarter to do. |
||||
- The configuration file contains some secrets. On top of that, the |
||||
config file format is a pure Elixir file, making it poor candidate |
||||
for a |
||||
[RFC042](https://github.com/Infinisil/rfcs/blob/config-option/rfcs/0042-config-option.md) |
||||
-style `settings` attributeset. Because of that, I kinda chicken out |
||||
and decided to keep the conf file management 100% out of this |
||||
module. There's probably a better middle ground here. Something |
||||
allowing us to keep the secret part (db password, endpoint secret |
||||
key) out of the store while leveraging the module system for the |
||||
less secret configuration settings. Maybe the solution is to |
||||
leverage Elixir's import system? |
||||
|
||||
## Update Pleroma to a New Version |
||||
|
||||
We're retrieving the binary distribution directly from the GitLab CI |
||||
pipeline. |
||||
|
||||
To find the latest and greatest bindist stable URL, you have to visit |
||||
https://git.pleroma.social/pleroma/pleroma/-/tree/stable, clicky click |
||||
on the CI status and find the amd64 release link. |
||||
Please use the module coming from the NixPkgs PR rather than this repo. |
||||
|
Loading…
Reference in new issue