Added Pleroma-OTP deployment

This commit is contained in:
Illia Chub 2021-02-10 11:43:06 +02:00
parent 64f84b9c76
commit 137c526361

View file

@ -12,6 +12,7 @@ makeConf() {
mkdir -p /etc/nixos/mailserver/system mkdir -p /etc/nixos/mailserver/system
mkdir /etc/nixos/mailserver/userdata mkdir /etc/nixos/mailserver/userdata
mkdir /etc/nixos/api mkdir /etc/nixos/api
mkdir /etc/nixos/social
mkdir /etc/nixos/letsencrypt mkdir /etc/nixos/letsencrypt
mkdir /etc/nixos/backup mkdir /etc/nixos/backup
mkdir /etc/nixos/passmgr mkdir /etc/nixos/passmgr
@ -44,6 +45,8 @@ makeConf() {
./vpn/ocserv.nix ./vpn/ocserv.nix
./api/api.nix ./api/api.nix
./api/api-service.nix ./api/api-service.nix
./social/pleroma-module.nix
./social/pleroma.nix
./letsencrypt/acme.nix ./letsencrypt/acme.nix
./backup/restic.nix ./backup/restic.nix
./passmgr/bitwarden.nix ./passmgr/bitwarden.nix
@ -79,14 +82,7 @@ makeConf() {
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
wget ];
curl
python3
] ++ (with python38Packages; [
pip
flask
pandas
]);
environment.variables = { environment.variables = {
DOMAIN = "$DOMAIN"; DOMAIN = "$DOMAIN";
AWS_ACCESS_KEY_ID = "$AWS_ACCESS_KEY_ID"; AWS_ACCESS_KEY_ID = "$AWS_ACCESS_KEY_ID";
@ -115,7 +111,6 @@ makeConf() {
security = { security = {
sudo = { sudo = {
enable = true; enable = true;
wheelNeedsPassword = true;
}; };
}; };
users.mutableUsers = false; users.mutableUsers = false;
@ -151,14 +146,10 @@ EOF
resticPass = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] '' resticPass = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
$PASSWORD $PASSWORD
''; '';
shadowsocksPass = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
$PASSWORD
'';
domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] '' domain = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
$DOMAIN $DOMAIN
''; '';
cloudflareCredentials = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] '' cloudflareCredentials = builtins.replaceStrings [ "\n" "\"" "\\\" ] [ "\\\n" "\\\\\"" "\\\\\\\\" ] ''
# Cloudflare API token used by Certbot
CF_API_KEY=$CF_TOKEN CF_API_KEY=$CF_TOKEN
CLOUDFLARE_DNS_API_TOKEN=$CF_TOKEN CLOUDFLARE_DNS_API_TOKEN=$CF_TOKEN
CLOUDFLARE_ZONE_API_TOKEN=$CF_TOKEN CLOUDFLARE_ZONE_API_TOKEN=$CF_TOKEN
@ -356,10 +347,6 @@ EOF
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:3000"; proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
}; };
}; };
}; };
@ -370,10 +357,6 @@ proxy_headers_hash_bucket_size 128;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:80/"; proxyPass = "http://127.0.0.1:80/";
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
}; };
}; };
}; };
@ -384,10 +367,6 @@ proxy_headers_hash_bucket_size 128;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:8222"; proxyPass = "http://127.0.0.1:8222";
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
}; };
}; };
}; };
@ -398,15 +377,25 @@ proxy_headers_hash_bucket_size 128;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:5050"; proxyPass = "http://127.0.0.1:5050";
};
};
};
"social.$DOMAIN" = {
sslCertificate = "/var/lib/acme/$DOMAIN/fullchain.pem";
sslCertificateKey = "/var/lib/acme/$DOMAIN/key.pem";
root = "/var/www/social.$DOMAIN";
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:4000";
};
};
extraConfig = '' extraConfig = ''
proxy_headers_hash_max_size 512; client_max_body_size 1024m;
proxy_headers_hash_bucket_size 128;
''; '';
}; };
}; };
}; };
};
};
} }
EOF EOF
@ -710,6 +699,299 @@ route = default
''; '';
}; };
} }
EOF
cat > /etc/nixos/social/pleroma-package.nix << EOF
{ lib
, stdenv
, autoPatchelfHook
, fetchurl
, file
, makeWrapper
, ncurses
, nixosTests
, openssl
, unzip
, zlib
}:
stdenv.mkDerivation {
pname = "pleroma-otp";
version = "2.2.2";
# To find the latest binary release stable link, have a look at
# the CI pipeline for the latest commit of the stable branch
# https://git.pleroma.social/pleroma/pleroma/-/tree/stable
src = {
aarch64-linux = fetchurl {
url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/175288/artifacts/download";
sha256 = "107kp5zqwq1lixk1cwkx4v7zpm0h248xzlm152aj36ghb43j2snw";
};
x86_64-linux = fetchurl {
url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/175284/artifacts/download";
sha256 = "1c6l04gga9iigm249ywwcrjg6wzy8iiid652mws3j9dnl71w2sim";
};
}."\${stdenv.hostPlatform.system}";
nativeBuildInputs = [ unzip ];
buildInputs = [
autoPatchelfHook
file
makeWrapper
ncurses
openssl
zlib
];
# mkDerivation fails to detect the zip nature of $src due to the
# missing .zip extension.
# Let's unpack the archive explicitely.
unpackCmd = "unzip \$curSrc";
installPhase = ''
mkdir \$out
cp -r * \$out'';
# Pleroma is using the project's root path (here the store path)
# as its TMPDIR.
# Patching it to move the tmp dir to the actual tmpdir
postFixup = ''
wrapProgram \$out/bin/pleroma \
--set-default RELEASE_TMP "/tmp"
wrapProgram \$out/bin/pleroma_ctl \
--set-default RELEASE_TMP "/tmp"'';
passthru.tests = {
pleroma = nixosTests.pleroma;
};
meta = with lib; {
description = "ActivityPub microblogging server";
homepage = https://git.pleroma.social/pleroma/pleroma;
license = licenses.agpl3;
maintainers = with maintainers; [ ninjatrappeur ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
};
}
EOF
cat > /etc/nixos/social/pleroma-package.nix << EOF
{ config, options, lib, pkgs, stdenv, ... }:
let
cfg = config.services.pleroma;
in {
options = {
services.pleroma = with lib; {
enable = mkEnableOption "pleroma";
package = mkOption {
type = types.package;
default = pkgs.pleroma-otp;
description = "Pleroma package to use.";
};
user = mkOption {
type = types.str;
default = "pleroma";
description = "User account under which pleroma runs.";
};
group = mkOption {
type = types.str;
default = "pleroma";
description = "Group account under which pleroma runs.";
};
stateDir = mkOption {
type = types.str;
default = "/var/lib/pleroma";
readOnly = true;
description = "Directory where the pleroma service will save the uploads and static files.";
};
configs = mkOption {
type = with types; listOf str;
description = ''
Pleroma public configuration.
This list gets appended from left to
right into /etc/pleroma/config.exs. Elixir evaluates its
configuration imperatively, meaning you can override a
setting by appending a new str to this NixOS option list.
<emphasis>DO NOT STORE ANY PLEROMA SECRET
HERE</emphasis>, use
<link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>
instead.
This setting is going to be stored in a file part of
the Nix store. The Nix store being world-readable, it's not
the right place to store any secret
Have a look to Pleroma section in the NixOS manual for more
informations.
'';
};
secretConfigFile = mkOption {
type = types.str;
default = "/var/lib/pleroma/secrets.exs";
description = ''
Path to the file containing your secret pleroma configuration.
<emphasis>DO NOT POINT THIS OPTION TO THE NIX
STORE</emphasis>, the store being world-readable, it'll
compromise all your secrets.
'';
};
};
};
config = lib.mkIf cfg.enable {
users = {
users."\${cfg.user}" = {
description = "Pleroma user";
home = cfg.stateDir;
extraGroups = [ cfg.group ];
};
groups."\${cfg.group}" = {};
};
environment.systemPackages = [ cfg.package ];
environment.etc."/pleroma/config.exs".text = ''
\${lib.concatMapStrings (x: "\${x}") cfg.configs}
# The lau/tzdata library is trying to download the latest
# timezone database in the OTP priv directory by default.
# This directory being in the store, it's read-only.
# Setting that up to a more appropriate location.
config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data"
import_config "\${cfg.secretConfigFile}"
'';
systemd.services.pleroma = {
description = "Pleroma social network";
after = [ "network-online.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "exec";
WorkingDirectory = "~";
StateDirectory = "pleroma pleroma/static pleroma/uploads";
StateDirectoryMode = "700";
# Checking the conf file is there then running the database
# migration before each service start, just in case there are
# some pending ones.
#
# It's sub-optimal as we'll always run this, even if pleroma
# has not been updated. But the no-op process is pretty fast.
# Better be safe than sorry migration-wise.
ExecStartPre =
let preScript = pkgs.writers.writeBashBin "pleromaStartPre"
"\${cfg.package}/bin/pleroma_ctl migrate";
in "\${preScript}/bin/pleromaStartPre";
ExecStart = "\${cfg.package}/bin/pleroma start";
ExecStop = "\${cfg.package}/bin/pleroma stop";
ExecReload = "\${pkgs.coreutils}/bin/kill -HUP \$MAINPID";
# Systemd sandboxing directives.
# Taken from the upstream contrib systemd service at
# pleroma/installation/pleroma.service
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "full";
PrivateDevices = false;
NoNewPrivileges = true;
CapabilityBoundingSet = "~CAP_SYS_ADMIN";
};
};
};
meta.maintainers = with lib.maintainers; [ ninjatrappeur ];
}
EOF
cat > /etc/nixos/social/pleroma-package.nix << EOF
{ pkgs, ... }:
{
nixpkgs.overlays = [(self: super: {
pleroma-otp = self.callPackage ./pleroma-package.nix {};
})];
services = {
pleroma = {
enable = true;
user = "pleroma";
group = "pleroma";
configs = [
(builtins.readFile ./config.exs)
];
};
postgresql = {
enable = true;
package = pkgs.postgresql_12;
initialScript = "/etc/setup.psql";
};
};
environment.etc."pleroma_setup.psql".text = ''
CREATE USER pleroma WITH ENCRYPTED PASSWORD '$DB_PASSWORD';
CREATE DATABASE pleroma OWNER pleroma;
\\c pleroma;
--Extensions made by ecto.migrate that need superuser access
CREATE EXTENSION IF NOT EXISTS citext;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
'';
users.users.pleroma = {
extraGroups = [ "postgres" ];
};
}
EOF
cat > /etc/nixos/social/config.exs << EOF
import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "social.$DOMAIN", scheme: "https", port: 443],
http: [ip: {127, 0, 0, 1}, port: 4000],
#secret_key_base: "",
#signing_salt: ""
config :pleroma, :instance,
name: "social.$DOMAIN",
email: "$LUSER@$DOMAIN",
notify_email: "$LUSER@$DOMAIN",
limit: 5000,
upload_limit: 1073741824,
registrations_open: true
config :pleroma, :media_proxy,
enabled: false,
redirect_on_failure: true
#base_url: "https://cache.pleroma.social"
config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres,
username: "pleroma",
password: "$DB_PASSWORD",
database: "pleroma",
hostname: "localhost",
pool_size: 10
config :web_push_encryption, :vapid_details,
#subject: "",
#public_key: "",
#private_key: ""
config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
config :pleroma, :http_security,
sts: true
#config :joken, default_signer: ""
config :pleroma, configurable_from_database: false
EOF EOF
[[ -n "$doNetConf" ]] && makeNetworkingConf || true [[ -n "$doNetConf" ]] && makeNetworkingConf || true