egirls-nixos/misskey-service.nix


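{ pkgs, ... }:
# NixOS module for the Misskey instance behind egirls.gay: PostgreSQL, Redis,
# ACME certificates, the nginx front-end (including a signed media proxy to an
# S3-compatible bucket) and the systemd unit that runs a manually built
# checkout from /srv/misskey.
let
  # Misskey runs on Node 20; the nodePackages set is re-instantiated on the
  # same interpreter so the pnpm used by the unit agrees with it.
  nodejs = pkgs.unstable.nodejs_20;
  nodePackages = pkgs.nodePackages.override { inherit nodejs; };
in {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;
    ensureUsers = [
      { name = "jaina"; }
      {
        name = "misskey";
        # The misskey role owns the database of the same name.
        ensureDBOwnership = true;
      }
      { name = "postgres"; }
    ];
    ensureDatabases = [ "misskey" ];
    # Ident map for peer authentication on the local socket: root and postgres
    # may connect as the postgres superuser, any other system user only as the
    # database role of the same name.
    # NOTE(review): the map is only consulted if the peer line in
    # services.postgresql.authentication references map=superuser_map —
    # confirm against the NixOS module's default authentication block.
    identMap = ''
      # ArbitraryMapName systemUser DBUser
      superuser_map root postgres
      superuser_map postgres postgres
      # Let other names login as themselves
      superuser_map /^(.*)$ \1
    '';
  };

  # Local Redis instance for Misskey; password-protected and kept off the
  # firewall's open port list.
  services.redis.servers.misskey = {
    enable = true;
    port = 6379;
    openFirewall = false;
    requirePassFile = "/etc/nixos-secrets/redis-pass";
  };

  # Full-text search is currently disabled.
  # services.meilisearch = {
  #   enable = true;
  #   maxIndexSize = "20Gb";
  #   environment = "production";
  #   masterKeyEnvironmentFile = "/etc/nixos-secrets/meili-key";
  # };

  # DNS-01 via Namecheap for the apex and the wildcard; both certificates are
  # readable by nginx through the group setting.
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin+acme@heartles.xyz";
    certs."egirls.gay" = {
      domain = "egirls.gay";
      dnsProvider = "namecheap";
      credentialsFile = "/etc/nixos-secrets/namecheap-acme";
      group = "nginx";
    };
    certs."STAR.egirls.gay" = {
      domain = "*.egirls.gay";
      dnsProvider = "namecheap";
      credentialsFile = "/etc/nixos-secrets/namecheap-acme";
      group = "nginx";
    };
  };

  # Only HTTP/HTTPS are reachable from outside; Redis and the Misskey socket
  # stay local.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = let
    # Both vhosts listen on IPv4 and IPv6, plain HTTP (redirected by forceSSL)
    # and TLS. Generated from the address list so the four entries stay in sync.
    listen = builtins.concatMap (addr: [
      { port = 443; inherit addr; ssl = true; }
      { port = 80; inherit addr; }
    ]) [ "0.0.0.0" "[::]" ];
  in {
    enable = true;
    recommendedProxySettings = true;
    # openresty provides set_by_lua, set_hmac_sha1 and set_encode_base64,
    # which the media proxy below relies on.
    package = pkgs.openresty;

    # Misskey is reached over a unix socket under the unit's RuntimeDirectory
    # (/run/misskey, see systemd.services.misskey below).
    # NOTE(review): nothing here sets the socket's owner/mode; confirm the nginx
    # worker user can connect to it.
    upstreams."misskey".extraConfig = ''
      server unix:/var/run/misskey/misskey.sock;
    '';

    # Small on-disk cache for media fetched from the bucket.
    proxyCachePath."egirls_media_cache" = {
      enable = true;
      maxSize = "1g";
      inactive = "10m";
      keysZoneName = "egirls_media_cache";
    };

    virtualHosts."media.egirls.gay" = {
      inherit listen;
      forceSSL = true;
      useACMEHost = "STAR.egirls.gay";
      extraConfig = ''
        client_max_body_size 1m;
        proxy_cache egirls_media_cache;
        proxy_cache_valid 200 10m;
        proxy_cache_lock on;
        # cache on our own terms; drop the backend's identifying headers and
        # any cookies before the response reaches the client or the cache
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        proxy_hide_header X-Amz-ID-2;
        proxy_hide_header X-Amz-Request-ID;
        proxy_hide_header X-Wasabi-CM-Reference-ID;
        proxy_hide_header Set-Cookie;
        proxy_ignore_headers Set-Cookie;
      '';
      # Nothing is served at the root; only the prefixes below are routed.
      locations."/".extraConfig = ''
        return 404;
      '';
      # Pass-through to the S3-compatible bucket with a per-request signature
      # (AWS Signature V2, HMAC-SHA1). $s3_access and $s3_secret are presumably
      # set by the included secrets file.
      locations."/misskey/".extraConfig = ''
        proxy_http_version 1.1;
        include /etc/nixos-secrets/s3-access-nginx.conf;

        set $s3_bucket 'egirls-gay-misskey';
        # NOTE(review): $request_uri carries the client's query string verbatim
        # into both the signed path and the upstream request; consider rejecting
        # requests with $args in this location so only plain object GETs are
        # signed — confirm Misskey never appends query parameters to media URLs.
        set $path_full '/$s3_bucket$request_uri';
        set_by_lua $now "return ngx.http_time(ngx.time())";
        set $signature_string "GET\n\n\n\nx-amz-date:''${now}\n$path_full";
        set_hmac_sha1 $s3_signature $s3_secret $signature_string;
        set_encode_base64 $s3_signature_b64 $s3_signature;
        proxy_set_header x-amz-date $now;
        proxy_set_header Authorization "AWS $s3_access:$s3_signature_b64";

        proxy_ssl_session_reuse on;
        rewrite .* $path_full break;
        proxy_pass https://s3.us-west-1.wasabisys.com;
      '';
      # Static files kept on local disk (served from /srv/www/localfiles/).
      locations."/localfiles/" = {
        root = "/srv/www";
        tryFiles = "$uri =404";
      };
    };

    virtualHosts."egirls.gay" = {
      inherit listen;
      # Catch-all server for requests whose Host matches no other vhost.
      default = true;
      forceSSL = true;
      useACMEHost = "egirls.gay";
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "http://misskey";
        extraConfig = ''
          proxy_cache off;
        '';
      };
      # Uploads: allow large bodies and stream them straight through.
      locations."/api/drive/files/create" = {
        proxyWebsockets = true;
        proxyPass = "http://misskey";
        extraConfig = ''
          # increase max size and don't buffer file uploads
          client_max_body_size 2g;
          proxy_request_buffering off;
          proxy_cache off;
        '';
      };
      # Matrix delegation to the Synapse host. default_type is used instead of
      # `add_header Content-Type` so the `return` response carries a single
      # Content-Type header rather than text/plain plus application/json.
      locations."/.well-known/matrix/server".extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin '*';
        return 200 '{"m.server":"synapse.egirls.gay"}';
      '';
      locations."/.well-known/matrix/client".extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin '*';
        return 200 '{"m.homeserver":{"base_url":"https://synapse.egirls.gay"}}';
      '';
    };
  };

  # Service account for the daemon; jaina is in the group for manual builds.
  users.groups.misskey = { members = [ "jaina" ]; };
  users.users.misskey = {
    isSystemUser = true;
    group = "misskey";
    createHome = true;
  };

  # todo: figure out how to get misskey to build in nix instead of requiring a manual build process
  #
  # pnpm2nix does not work due to misskey using workspaces
  #
  # NOTE(review): the interactive toolchain installs pkgs.pnpm while the unit
  # below runs nodePackages.pnpm; these may be different pnpm releases — confirm
  # the checkout's lockfile works with both, or use one package in both places.
  environment.systemPackages =
    [ nodejs pkgs.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ];
  environment.sessionVariables = {
    # Don't let the Cypress npm package download its own binary; use the
    # nix-provided one.
    CYPRESS_INSTALL_BINARY = "0";
    CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress";
  };

  systemd.services.misskey = {
    enable = true;
    description = "Misskey daemon";
    #path = [ nodejs nodePackages.pnpm pkgs.coreutils pkgs.cypress pkgs.pkg-config pkgs.vips ];
    serviceConfig = {
      Restart = "always";
      # Modern systemd treats "syslog" here as an alias for "journal" and
      # logs a deprecation warning; name the journal directly.
      StandardOutput = "journal";
      StandardError = "journal";
      Environment = [
        "NODE_ENV=production"
        # TODO Fix this
        # Hand-built PATH standing in for the commented-out `path` option above.
        "PATH=/run/wrappers/bin:/var/empty/.nix-profile/bin:/nix/profile/bin:/var/empty/.local/state/nix/profile/bin:/etc/profiles/per-user/misskey/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
      ];
      WorkingDirectory = "/srv/misskey";
      User = "misskey";
      # The node process and its children never need to gain privileges
      # (setuid binaries, capabilities); refuse it outright.
      NoNewPrivileges = true;
      ExecStart = "${nodePackages.pnpm}/bin/pnpm start";
      # Provides /run/misskey for the listening socket nginx connects to.
      RuntimeDirectory = "misskey";
    };
    wantedBy = [ "multi-user.target" ];
  };
}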