From ce06f43476863da90dc60dcee606d2b6c5a89a8e Mon Sep 17 00:00:00 2001
From: sefidel
Date: Wed, 29 Mar 2023 20:54:19 +0900
Subject: project: initial commit
---
 modules/services/misskey/config/default.yml | 156 ++++++++++++++++++++++++++++
 modules/services/misskey/default.nix | 88 ++++++++++++++++
 2 files changed, 244 insertions(+)
 create mode 100644 modules/services/misskey/config/default.yml
 create mode 100644 modules/services/misskey/default.nix
(limited to 'modules/services/misskey')
diff --git a/modules/services/misskey/config/default.yml b/modules/services/misskey/config/default.yml
new file mode 100644
index 0000000..cab83b8
--- /dev/null
+++ b/modules/services/misskey/config/default.yml
@@ -0,0 +1,156 @@
+#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# Misskey configuration
+#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+# ┌─────┐
+#───┘ URL └─────────────────────────────────────────────────────
+
+# Final accessible URL seen by a user.
+url: https://nand.moe
+
+# ONCE YOU HAVE STARTED THE INSTANCE, DO NOT CHANGE THE
+# URL SETTINGS AFTER THAT!
+
+# ┌───────────────────────┐
+#───┘ Port and TLS settings └───────────────────────────────────
+
+#
+# Misskey requires a reverse proxy to support HTTPS connections.
+#
+# +----- https://example.tld/ ------------+
+# +------+ |+-------------+ +----------------+|
+# | User | ---> || Proxy (443) | ---> | Misskey (3000) ||
+# +------+ |+-------------+ +----------------+|
+# +---------------------------------------+
+#
+# You need to set up a reverse proxy. (e.g. nginx)
+# An encrypted connection with HTTPS is highly recommended
+# because tokens may be transferred in GET requests.
+
+# The port that your Misskey server should listen on.
+port: 3000
+
+# ┌──────────────────────────┐
+#───┘ PostgreSQL configuration └────────────────────────────────
+
+db:
+ host: localhost
+ port: 5432
+
+ # Database name
+ db: misskey
+
+ # Auth
+ user: misskey
+ # pass: example-misskey-pass
+
+ # Whether disable Caching queries
+ #disableCache: true
+
+ # Extra Connection options
+ #extra:
+ # ssl: true
+
+# ┌─────────────────────┐
+#───┘ Redis configuration └─────────────────────────────────────
+
+redis:
+ host: localhost
+ port: 16434
+ family: 4 # 0=Both, 4=IPv4, 6=IPv6
+ #pass: example-pass
+ #prefix: example-prefix
+ #db: 1
+
+# ┌─────────────────────────────┐
+#───┘ Elasticsearch configuration └─────────────────────────────
+
+#elasticsearch:
+# host: localhost
+# port: 9200
+# ssl: false
+# user:
+# pass:
+
+# ┌───────────────┐
+#───┘ ID generation └───────────────────────────────────────────
+
+# You can select the ID generation method.
+# You don't usually need to change this setting, but you can
+# change it according to your preferences.
+
+# Available methods:
+# aid ... Short, Millisecond accuracy
+# meid ... Similar to ObjectID, Millisecond accuracy
+# ulid ... Millisecond accuracy
+# objectid ... This is left for backward compatibility
+
+# ONCE YOU HAVE STARTED THE INSTANCE, DO NOT CHANGE THE
+# ID SETTINGS AFTER THAT!
+
+id: 'aid'
+
+# ┌─────────────────────┐
+#───┘ Other configuration └─────────────────────────────────────
+
+# Whether disable HSTS
+#disableHsts: true
+
+# Number of worker processes
+#clusterLimit: 1
+
+# Job concurrency per worker
+# deliverJobConcurrency: 128
+# inboxJobConcurrency: 16
+
+# Job rate limiter
+# deliverJobPerSec: 128
+# inboxJobPerSec: 16
+
+# Job attempts
+# deliverJobMaxAttempts: 12
+# inboxJobMaxAttempts: 8
+
+# IP address family used for outgoing request (ipv4, ipv6 or dual)
+#outgoingAddressFamily: ipv4
+
+# Proxy for HTTP/HTTPS
+#proxy: http://127.0.0.1:3128
+
+proxyBypassHosts:
+ - api.deepl.com
+ - api-free.deepl.com
+ - www.recaptcha.net
+ - hcaptcha.com
+ - challenges.cloudflare.com
+
+# Proxy for SMTP/SMTPS
+#proxySmtp: http://127.0.0.1:3128 # use HTTP/1.1 CONNECT
+#proxySmtp: socks4://127.0.0.1:1080 # use SOCKS4
+#proxySmtp: socks5://127.0.0.1:1080 # use SOCKS5
+
+# Media Proxy
+# Reference Implementation: https://github.com/misskey-dev/media-proxy
+# * Deliver a common cache between instances
+# * Perform image compression (on a different server resource than the main process)
+#mediaProxy: https://example.com/proxy
+
+# Proxy remote files (default: false)
+# Proxy remote files by this instance or mediaProxy to prevent remote files from running in remote domains.
+#proxyRemoteFiles: true
+
+# Movie Thumbnail Generation URL
+# There is no reference implementation.
+# For example, Misskey will point to the following URL:
+# https://example.com/thumbnail.webp?thumbnail=1&url=https%3A%2F%2Fstorage.example.com%2Fpath%2Fto%2Fvideo.mp4
+#videoThumbnailGenerator: https://example.com
+
+# Sign to ActivityPub GET request (default: true)
+signToActivityPubGet: true
+
+#allowedPrivateNetworks: [
+# '127.0.0.1/32'
+#]
+
+# Upload or download file size limits (bytes)
+#maxFileSize: 262144000
diff --git a/modules/services/misskey/default.nix b/modules/services/misskey/default.nix
new file mode 100644
index 0000000..355e91f
--- /dev/null
+++ b/modules/services/misskey/default.nix
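Review bot: `url: https://nand.moe` is hard-coded in the mounted config while default.nix in the same commit exposes `domain` and `realHost` options for the nginx vhost, so the host nginx serves on and the URL Misskey advertises can diverge silently, and the comment two lines below the value says the URL must not change once the instance has started. Until the `# TODO: manage this with nix` in default.nix is done, record the coupling above the value: `# NOTE: must equal modules.services.misskey.realHost in default.nix`. The `db:` block leaves `# pass:` commented and `redis:` sets no `pass`, so both connections run unauthenticated over TCP to the host loopback; confirm that the PostgreSQL host-based auth actually admits the misskey role without a password, and set the redis `pass` once the server is configured to require one.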
@@ -0,0 +1,88 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.modules.services.misskey;
+
+ inherit (lib.my) wrapFile;
+in
+{
+ options.modules.services.misskey = {
+ enable = mkEnableOption "Misskey, an interplanetary microblogging platform [container]";
+ domain = mkOption { type = types.str; };
+ realHost = mkOption { type = types.str; };
+ };
+
+ config = mkIf cfg.enable {
+ # TODO: refactor
+
+ # Misskey sets uid/gid to 991 in container, user is created here to
+ # ensure that misskey files directory is accessible by the container user.
+ users = {
+ users.misskey = {
+ description = "Misskey user";
+ group = "misskey";
+ extraGroups = [ "podman" ];
+ isSystemUser = true;
+ uid = 991;
+ };
+ groups.misskey = { gid = 991; };
+ };
+
+ virtualisation.podman.extraPackages = [ pkgs.zfs ];
+
+ # Packaging misskey is too much of a hassle, so we're using containers for now.
+ virtualisation.oci-containers.containers.misskey = {
+ volumes = [
+ "/var/lib/misskey-files:/misskey/files"
+ # TODO: manage this with nix
+ "${wrapFile ".config" ./config}:/misskey/.config:ro"
+ ];
+ image = "misskey/misskey:13.10.3";
+ ports = [ "3000:3000" ];
+ extraOptions = [
+ "--network=host"
+ ];
+ };
+
+ environment.persistence."/persist".directories = [
+ "/var/lib/containers"
+ "/var/lib/misskey-files"
+ ];
+
+ systemd.tmpfiles.rules = [
+ "d /var/lib/misskey-files 0755 misskey misskey -"
+ ];
+
+ services.postgresql.enable = true;
+ services.postgresql.ensureDatabases = [ "misskey" ];
+ services.postgresql.ensureUsers = [
+ {
+ name = "misskey";
+ ensurePermissions."DATABASE misskey" = "ALL PRIVILEGES";
+ }
+ ];
+
+ services.redis.servers.misskey = {
+ enable = true;
+ bind = "127.0.0.1";
+ port = 16434;
+ };
+
+ services.nginx.virtualHosts.${cfg.realHost} = {
+ forceSSL = true;
+ useACMEHost = cfg.domain;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ proxyWebsockets = true;
+ };
+
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ '';
+ };
+ };
+}
--
cgit 1.4.1
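Review bot: The `misskey` system user exists, per the comment above it, only so that uid 991 owns /var/lib/misskey-files for the container, yet `extraGroups = [ "podman" ];` also places it in the podman group; a uid shared with a container process should carry no host-side privilege it does not need, and if the podman socket is ever enabled that membership amounts to control of the container runtime. Drop the line, or make it `extraGroups = [ ];`. Separately, `"--network=host"` makes `ports = [ "3000:3000" ]` a no-op and gives the container the host loopback, where Redis (`services.redis.servers.misskey`, no `requirePass` set) and PostgreSQL (role created by `ensureUsers`, no password in the mounted config) listen; if host networking is really required, set `requirePass` plus the matching `redis.pass` in config/default.yml and add a comment above `extraOptions` stating why host networking is needed. Pinning `image` by tag rather than digest also means the deployed code changes whenever `13.10.3` is re-pushed, which is worth a comment or a digest pin.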