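{ pkgs, config, ... }:

let
  # Node toolchain for the manually built Misskey checkout in /srv/misskey
  # (see the environment.systemPackages note further down).
  nodejs = pkgs.unstable.nodejs_20;
  nodePackages = pkgs.nodePackages.override { inherit nodejs; };
in {
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;

    ensureUsers = [
      { name = "jaina"; }
      {
        name = "misskey";
        ensureDBOwnership = true;
      }
      # OS user of the log-archiving cron job below; it reaches the database
      # through the ident map, so no password is involved.
      { name = "logrotate"; }
      { name = "postgres"; }
    ];
    ensureDatabases = [ "misskey" ];

    # Maps locally authenticated OS users onto database roles.  The catch-all
    # rule lets every OS user log in as the same-named role.  The map only
    # applies to pg_hba entries that reference "map=superuser_map"; those
    # entries are not in this file — check them before changing the map.
    identMap = ''
      # ArbitraryMapName systemUser DBUser
      superuser_map root postgres
      superuser_map postgres postgres
      # Let other names login as themselves
      superuser_map /^(.*)$ \1
    '';
  };

  services.redis.servers.misskey = {
    port = 6379;
    enable = true;
    openFirewall = false;
    # Password lives outside the store so it does not end up world-readable.
    requirePassFile = "/etc/nixos-secrets/redis-pass";
    # NOTE(review): no bind address is set, so this relies on the module's
    # default staying loopback-only — confirm if the default ever changes.
  };

  # services.meilisearch = {
  #   enable = true;
  #   maxIndexSize = "20Gb";
  #   environment = "production";
  #   masterKeyEnvironmentFile = "/etc/nixos-secrets/meili-key";
  # };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin+acme@heartles.xyz";
    # Both certificates use DNS-01 with the same Namecheap API credentials.
    # The wildcard cert is keyed "STAR.egirls.gay" rather than "*.egirls.gay",
    # presumably because the cert name doubles as its on-disk directory name.
    certs."egirls.gay" = {
      domain = "egirls.gay";
      dnsProvider = "namecheap";
      credentialsFile = "/etc/nixos-secrets/namecheap-acme";
      group = "nginx";
    };
    certs."STAR.egirls.gay" = {
      domain = "*.egirls.gay";
      dnsProvider = "namecheap";
      credentialsFile = "/etc/nixos-secrets/namecheap-acme";
      group = "nginx";
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = let
    # Listen on the IPv4 and IPv6 wildcard addresses: 443 with TLS, 80 only
    # for the forceSSL redirect.
    listen = [
      {
        port = 443;
        addr = "0.0.0.0";
        ssl = true;
      }
      {
        port = 80;
        addr = "0.0.0.0";
      }
      {
        port = 443;
        addr = "[::]";
        ssl = true;
      }
      {
        port = 80;
        addr = "[::]";
      }
    ];
  in {
    enable = true;
    recommendedProxySettings = true;

    # Unix socket created by the misskey unit (RuntimeDirectory = "misskey").
    upstreams."misskey".extraConfig = ''
      server unix:/var/run/misskey/misskey.sock;
    '';

    # Read-only front for the object-storage bucket holding uploaded media.
    virtualHosts."media.egirls.gay" = {
      inherit listen;

      forceSSL = true;
      useACMEHost = "STAR.egirls.gay";

      # Nothing is uploaded through this host, so keep request bodies tiny.
      extraConfig = ''
        client_max_body_size 1m;
      '';

      locations."/".extraConfig = ''
        set $bucket rub-um5oh2ac4yi9c2mf.misskey.egirls.gay;
        set $region us-east-1;

        proxy_pass https://storage.us-east-1.linodeobjects.com;
        proxy_set_header Host $bucket.us-east-1.linodeobjects.com;
        proxy_http_version 1.1;
        proxy_redirect off;
        # Replace the bucket's own error responses with a generic 404 so
        # storage-side error bodies are never exposed to clients.
        proxy_intercept_errors on;
        error_page 400 401 403 404 406 409 410 /404;

        # A location-level proxy_set_header drops the headers inherited from
        # recommendedProxySettings, hence they are repeated here.
        # NOTE(review): this forwards the end user's IP address to the storage
        # provider on every media fetch; drop the X-Real-IP / X-Forwarded-For
        # lines if that is not intended.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_cache off;
      '';

      locations."/404".extraConfig = ''
        return 404 "not found";
      '';
    };

    virtualHosts."egirls.gay" = {
      inherit listen;

      forceSSL = true;
      useACMEHost = "egirls.gay";
      locations."/" = {
        proxyWebsockets = true;
        proxyPass = "http://misskey";
        extraConfig = ''
          proxy_cache off;
        '';
      };

      # File uploads bypass the default body limit and are streamed straight
      # to the backend instead of being spooled to disk first.
      locations."/api/drive/files/create" = {
        proxyWebsockets = true;
        proxyPass = "http://misskey";
        extraConfig = ''
          # increase max size and don't buffer file uploads
          client_max_body_size 2g;
          proxy_request_buffering off;
          proxy_cache off;
        '';
      };

      # Matrix server/client discovery documents for the synapse host.
      # default_type sets the Content-Type of the "return" response; with
      # add_header the response would carry two Content-Type headers
      # (text/plain from default_type plus application/json).  Clients fetch
      # these cross-origin, hence the open CORS header.
      locations."/.well-known/matrix/server".extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin '*';
        return 200 '{"m.server":"synapse.egirls.gay"}';
      '';
      locations."/.well-known/matrix/client".extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin '*';
        return 200 '{"m.homeserver":{"base_url":"https://synapse.egirls.gay"}}';
      '';
    };
  };

  services.cron = {
    enable = true;
    systemCronJobs = let
      # Archives rows of public.log older than 30 days to S3-compatible storage
      # and deletes them from the database only after the upload succeeded.
      # Runs as the "logrotate" OS user, which reaches PostgreSQL via the
      # ident map above and needs read access to the s3cmd config file.
      logrotateScript = pkgs.writeShellApplication {
        name = "logrotate.sh";
        runtimeInputs = with pkgs; [
          s3cmd
          coreutils
          # gzip is not part of coreutils; list it so the script does not
          # depend on whatever PATH cron happens to provide.
          gzip
          config.services.postgresql.package
        ];
        text = ''
          # writeShellApplication runs this with errexit/nounset/pipefail, so
          # any failing command aborts the script before the DELETE is reached.
          now="$(date +%s)"
          # Cutoff: 30 days (2592000 s) before now; plain shell arithmetic.
          stamp=$(( now - 2592000 ))

          tmp="$(mktemp -d)"
          # Clean the scratch directory on every exit path, including an
          # aborted psql/gzip pipeline that the old explicit rm calls missed.
          trap 'rm -rf "$tmp"' EXIT
          date="$(date --date="@$stamp" -I)"
          file="log-$date.csv.gz"

          echo "Using temporary dir $tmp"
          echo "Collecting logs prior to $date..."
          # --csv quotes fields containing commas/newlines and omits the
          # "(N rows)" footer that unaligned "-F ," output appends, so the
          # archive is a well-formed CSV.
          psql misskey --csv \
            -c "select * from public.log where \"createdAt\" < to_timestamp($stamp);" \
            | gzip > "$tmp/$file"

          echo "Uploading..."
          if s3cmd --config /etc/nixos-secrets/logrotate-s3cfg put "$tmp/$file" s3://log.misskey.egirls.gay/
          then
            echo "$file successfully uploaded"
            echo "Deleting log records..."

            # Same cutoff as the SELECT above, so only archived rows go.
            psql misskey -c "delete from public.log where \"createdAt\" < to_timestamp($stamp)"

            echo "Done."
            exit
          fi

          echo "Error uploading file. Records have not been touched" 1>&2
          # Non-zero status so cron reports the failed run.
          exit 1
        '';
      };
    in [
      # Manage logs
      # min hour monthday month weekday user command
      # The derivation's store path is its output directory; the executable
      # itself is installed under bin/.
      "30 7 * * * logrotate ${logrotateScript}/bin/logrotate.sh"
    ];
  };

  users.users.logrotate = {
    isSystemUser = true;
    group = "logrotate";
  };
  users.groups.logrotate = { };

  users.groups.misskey = { members = [ "jaina" ]; };
  users.users.misskey = {
    isSystemUser = true;
    group = "misskey";
    createHome = true;
    # NOTE(review): no "home" is set, so createHome acts on the module's
    # default home directory while the checkout lives in /srv/misskey (see
    # systemd.services.misskey); consider home = "/srv/misskey" — confirm.
  };

  # todo: figure out how to get misskey to build in nix instead of requiring a manual build process
  #
  # pnpm2nix does not work due to misskey using workspaces
  environment.systemPackages =
    [ nodejs nodePackages.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ];
  environment.sessionVariables = {
    CYPRESS_INSTALL_BINARY = "0";
    CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress";
  };

  systemd.services.misskey = {
    enable = true;
    description = "Misskey daemon";
    #path = [ nodejs nodePackages.pnpm pkgs.coreutils pkgs.cypress pkgs.pkg-config pkgs.vips ];

    serviceConfig = {
      Restart = "always";
      # "syslog" has been deprecated for StandardOutput/StandardError since
      # systemd 246 and is treated as "journal" (with a warning); say so.
      StandardOutput = "journal";
      StandardError = "journal";
      Environment = [
        "NODE_ENV=production"
        # TODO Fix this
        # Hard-coded PATH standing in for the commented-out "path" attribute
        # above; it pulls in system and per-user profiles of the misskey user.
        "PATH=/run/wrappers/bin:/var/empty/.nix-profile/bin:/nix/profile/bin:/var/empty/.local/state/nix/profile/bin:/etc/profiles/per-user/misskey/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
      ];
      WorkingDirectory = "/srv/misskey";
      User = "misskey";
      ExecStart = "${nodePackages.pnpm}/bin/pnpm start";
      # Provides /run/misskey for the unix socket nginx proxies to.
      RuntimeDirectory = "misskey";
      # NOTE(review): the unit has no sandboxing (ProtectSystem, ProtectHome,
      # NoNewPrivileges, PrivateTmp).  Not added here because the manual build
      # in /srv/misskey may need write access; revisit once the build is
      # packaged in Nix.
    };

    wantedBy = [ "multi-user.target" ];
  };
}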