commit d81a8fb8578e674b74927794aed298f7707a6b5d · soopy.moe/gensokyo

+25 -2

creds/sops/koumakan.yaml

···

       1
       1
        
       comment_unencrypted: See https://github.com/Mic92/sops-nix/issues/120 for synapse.yaml quirks

     

       2
       2
        
       synapse.yaml: ENC[AES256_GCM,data:eQsUW4mwbSPzsoi8HIEngfU5x/PEaqPxvx1AXXJJj7WDX9RsPtQOqQJjuTAEPtz32Hm1nob+VVYuzAXXfCO8Cd0CIHG+xlV4cWNc4JB8wj1YgtMJu9J3yC7iv3HMULT0TL8MxmwWYKqSPKIVarLVN5gQl1G1SAfxEK3ET6qtmkmCD8y6ZVM/84fTR5lxpLe82CaplbUHXEHKk51XwGYLSp5IZsPwtMMFhYuaoqCsEVr65IiSozbD4LKddYNQKUlYmkSfThQsoPpe9ixE7+HS11S+LklyP1q3usWTfOPsQS8k5NJdcGkrCH2A4ddjWkDBAzdav3qauYoQEvbMd8BpoDqD/67lKuvoyXqDoPf5sLrQcxcUl8ObTI1I8zWhabGa9uTuiaTd3wYdMhvMvs/KIfPXNDqcBuIY9sR6LQmY2Zb9+FtYiQVnrr0XmzjB59oN023y1xC/xqkgRyXysndhnj4P1Q+PYbOMQi7hwAjM5xMk/mLkpLn41Ju4u0MqDwHSxA/NXbsEBp/u3Tim2jsrMZqjRZwQHt1n/gtMjm2cMTminM99c/fV2fcvAmcNB9u1KWgEte1JjQSRftg7pkaznYlfrQLyCQYghVu3kgeAJCaSPMewHVWOF/onTauNHYFMlJ8VDUuYOnt2LNJUk1Wap5dGfKm7661mTeYB8aw0h3111YEViuGkSp+oM5A8X6CBI6YsYYOWq5Qd+A3fFJVpcf9hhhdx0JsRmR3EZOupIVx5Y4ruuA6ipj/xMDRNfTZjqukpn3Y1s5xTjUYEo3moLdgd1PYxAVIY/KjPn31pmRThGG1NZpYHZ1yjmptVydtqf/tTd32i3e0WjIjUEZD1NE7Z5AiWJ+XAEaE3S804C6QxN1jHZvqIokA9C4HO+R/es1uDyf2KDvxf1It0hMLg7CAnq1AQcbLCDqXXZaqibSRNfv09lO4jZ3vBe3owvd1wGbK513nqC6m2gh8YDYiHdw7UlXMbMP9+,iv:fvaZQ66VKU+uzvn5AwTIFgzz+F2kJ8/QR2AfmynRfGU=,tag:8c/cAMZ6c7h3J+shh7l7tw==,type:str]

     

       3
       3
        
       matrix-signing-key: ENC[AES256_GCM,data:u6miE2oM3TUXaQ7wc776SwSMaOAxJOVlpl2kBW+AjI/aDH5vcGBp0L0uTpZbVfOtIe+RDNEv5E/mKA==,iv:abvwkrNe324QCbWLwiPY0UwqezS0wbyk2Fvi0vs3SI0=,tag:ZmpDB9LHbezQrxuwHNgpRg==,type:str]

     

       4
       4
       +
       akkoma:

     

       5
       5
       +
           endpoint:

     

       6
       6
       +
               secret_base: ENC[AES256_GCM,data:l34Rj4iIQIykgzTLJolqWLQQz5pcfa0o5U/ZMKeNc2CBQedxiMXYrLSNOx6OuV38aqoOolccJEOSiVjfbTawtg==,iv:/x0ydo2gOPrhIZI7at877bzfFgMpraauozfLq95aHCk=,tag:RQI4aeLiAkAcWYlwLaTj5w==,type:str]

     

       7
       7
       +
               salt: ENC[AES256_GCM,data:CP4805tG05A=,iv:aSun7ABJdbDQrFcrGQMM9H1/7d5lJqeMwO08gUYrD2A=,tag:ikhxbijsqyBFJs02j2j/vw==,type:str]

     

       8
       8
       +
               live_view:

     

       9
       9
       +
                   salt: ENC[AES256_GCM,data:4fKLclucoV0=,iv:ZvWKutuMTOm2X8w8a0fOTq+ldrXemayIUY2PUcurY80=,tag:qkIB1gPCI5HO0G0mLEsV+w==,type:str]

     

       10
       10
       +
           joken_default_signer: ENC[AES256_GCM,data:myCEFUkf8s1YNQAigjxygRYvbwkpsv7cqgs00fARe9nxSFl2wveWM5JcfOnoVPwVBVV2GaAjFe4oMWXkaTPtqg==,iv:Yk1f/fzzbruW64mvTTeiyTlbrOO/G47CKKfr9BLtQ5g=,tag:QLpM22ec+VWtkjx5U/mzCw==,type:str]

     

       11
       11
       +
           search:

     

       12
       12
       +
               meili:

     

       13
       13
       +
                   host_unencrypted: https://megumin.soopy.moe/

     

       14
       14
       +
                   key: ENC[AES256_GCM,data:00TLCUneHn7NcSK1joURfIzxNFWyOBf/0/fceOn4RMcMt59dZz9LOvbs3F8B0vcH7tf/eUi3SnhYJNyRdPklyw==,iv:t0kQUCmjhFw8Z2CTmYOPUNFvyiYfsXETU8GSxhRR5KE=,tag:CPjtd7jQzgHJDrsIjHlVFQ==,type:str]

     

       15
       15
       +
           vapid:

     

       16
       16
       +
               pub: ENC[AES256_GCM,data:HYMKjhVCW/7DsMfPPssEduuwWnFezH4OOq4hfAovI82RUPsfVEKhgvkI9INY8hArAb/AIfyyxZhVx+bd2QkPlnASz51L7MxPtkPfZNUKqafjlMmK0nwH,iv:154BP5EmBqnKyf9BND2laKV3caVxa34MCRzrsg6/dik=,tag:wHLYdI6oQXPUzbw8dSxgwg==,type:str]

     

       17
       17
       +
               key: ENC[AES256_GCM,data:t+da4NLEPZBMvq3MQkFEr+Fsj3XMGPMFKUWwbHDWNJAyuUZuiVcn3zX0kw==,iv:yQLu5CFl73GCojMBa2II6OhLrNNinsiVG1aPOAx+HtM=,tag:n0oelXaNFvilyee+MRSB8A==,type:str]

     

       18
       18
       +
           postgres:

     

       19
       19
       +
               hostname: ENC[AES256_GCM,data:rFEnhnn/Bw85,iv:GM2SH4Gkvt8tLG8AYIKxfHTZvB1sT+hgIoqkiViH6Es=,tag:yyGY9/nS9WFcJTGXlYpz6Q==,type:str]

     

       20
       20
       +
               database_unencrypted: akkoma

     

       21
       21
       +
               username: ENC[AES256_GCM,data:6skzOqv1,iv:OQ6zNmDn0uqKqNKEqOHWY6VBuT/4/CHog7b0Pf0TAPM=,tag:8HLmGykXg2V4t4RHzB8yaA==,type:str]

     

       22
       22
       +
               password: ENC[AES256_GCM,data:J3OewVKr2A3TlT7ZUTk7tQr4olFs7bKx47Lus4LGbwGAZfNEmyk9coFTeQ8L/EJ0hpLfPfD1OcGBc+p0ZWK/XQ==,iv:UFe/3H/AfTgSlJikHqE1IED3zINjDuOs5niXpGWXGYE=,tag:MvT0z3TMs1dehg4gp54MyQ==,type:str]

     

       23
       23
       +
           smtp:

     

       24
       24
       +
               username: ENC[AES256_GCM,data:N7XbQkngWcUGzn/SR4AXCQ==,iv:wBXWtRYawOkjumsvTPcKfvL95CCB+RbsEyJv0YUG3WA=,tag:vGQREe+Cv0ITTxszl21J2g==,type:str]

     

       25
       25
       +
               password: ENC[AES256_GCM,data:oU/aWkVmDU8WJhmwqOcXJ/EngiF7hvfUzPwpdjwkyh7Dw50dyG5AY7b2+hh6LIv9RZrN4yU+fXPAYr1W21OG/A==,iv:ds8Bg9JSJdNHUXh0FvD5a4pquyRnIXowcsJcVV1TyB4=,tag:JoYqas2RGSv8xyvJT9wHAQ==,type:str]

     

       26
       26
       +
               relay: ENC[AES256_GCM,data:F2NnRLSTO5kmbWy4fx0=,iv:omnyn+Xa/cjqK+9l5bI573aR2p7UsUvqGX5ZQGf3CD0=,tag:t4u/jLQ1nZchyxf3WrhW6w==,type:str]

     

       4
       27
        
       sops:

     

       5
       28
        
           kms: []

     

       6
       29
        
           gcp_kms: []

     
···

       25
       48
        
                   cHJ5aWIrQ2Zrb1dhbC9yZ1lIMU1jbzgK4mx+S5bF6KBMe6+TrSZfaBcuWEg9cHyd

     

       26
       49
        
                   tbJty1zxS9pndA/u3qz5EJxDouiAODvyAR07yeegtEcbw1FlG6W/gA==

     

       27
       50
        
                   -----END AGE ENCRYPTED FILE-----

     

       28
       28
       -
           lastmodified: "2023-09-10T15:48:03Z"

     

       29
       29
       -
           mac: ENC[AES256_GCM,data:qFiibBVhEobZOaQbrpVwGuBj4fHUIWNv1lE4Wz0Wfl+tF+75ZROTiXkRK4Wx5hDdkkeyiLmlU+4riidiKuY9CJ6dj3TuoAdFThp8Ac0IEzwlrx46xX56hHTu8mznwcr7mGtUqEYWJM3F6JItpnBayZaTdIeRrVYWP1yD1tZaseM=,iv:+lg8r4YjhTgRjkTDugBPS9xsz2nMMEjy6vEbxhTLwI0=,tag:SPqKUhM9jzDkT+lWN1eDcw==,type:str]

     

       51
       51
       +
           lastmodified: "2023-09-14T15:26:05Z"

     

       52
       52
       +
           mac: ENC[AES256_GCM,data:PbXOjRlmc7MdiNfrokcEzImTivAaFH6hnK/aGQq1NlAWqoRfbf3Ex5VJ/YNE3M56nIUjQwS7Arjmy8F8C5JTibqHy3m5MlkXuSeWEgKn0EQTreSFuujm0/j/9qJ9E11qRq32kaIOkfJZ5Bjdvf6m0RudwUcgzrstvrW+zR4y35I=,iv:OgEIc0RHy+jLOs4RzvZWIlrq1M9CssUbPVEKWAvrU14=,tag:hh1A+OcwVrKaxDWJXAs1SA==,type:str]

     

       30
       53
        
           pgp:

     

       31
       54
        
               - created_at: "2023-09-08T14:11:19Z"

     

       32
       55
        
                 enc: |-

systems/koumakan/certificates/default.nix

···

       2
       2
        
         imports = [

     

       3
       3
        
           ./global.nix

     

       4
       4
        
           ./postgresql.nix

     

       5
       5
       +
           ./fediverse.nix

     

       5
       6
        
         ];

     

       6
       7
        
       

     

       7
       8
        
         security.acme = {

+11

systems/koumakan/certificates/fediverse.nix

···

       1
       1
       +
       {...}: {

     

       2
       2
       +
         # Certificate for fedi services

     

       3
       3
       +
         security.acme.certs."fedi.c.soopy.moe" = {

     

       4
       4
       +
           group = "nginx";

     

       5
       5
       +
           extraDomainNames = [

     

       6
       6
       +
             "a.soopy.moe"

     

       7
       7
       +
             "m.soopy.moe"

     

       8
       8
       +
             "pixie.soopy.moe"

     

       9
       9
       +
           ];

     

       10
       10
       +
         };

     

       11
       11
       +
       }

systems/koumakan/services/default.nix

···

       10
       10
        
       

     

       11
       11
        
           # fediverse

     

       12
       12
        
           ./matrix

     

       13
       13
       +
           ./fediverse

     

       13
       14
        
       

     

       14
       15
        
           ./proxies

     

       15
       16
        
           ./static-sites

+140

systems/koumakan/services/fediverse/akkoma.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         _utils,

     

       3
       3
       +
         pkgs,

     

       4
       4
       +
         config,

     

       5
       5
       +
         lib,

     

       6
       6
       +
         ...

     

       7
       7
       +
       }: let

     

       8
       8
       +
         mkRaw = (pkgs.formats.elixirConf {}).lib.mkRaw;

     

       9
       9
       +
         # I don't know what i did but i made this abomination

     

       10
       10
       +
         genSecrets = namespace: files: value: lib.genAttrs (map (x: namespace + x) files) (_: value);

     

       11
       11
       +
         mkSecret = file:

     

       12
       12
       +
           if !lib.elem file secrets

     

       13
       13
       +
           then throw "Provided secret file ${file} is not in the list of defined secrets."

     

       14
       14
       +
           else {_secret = "/run/secrets/akkoma/${file}";};

     

       15
       15
       +
         secrets = [

     

       16
       16
       +
           "joken_default_signer" # can't think of any better name spacing

     

       17
       17
       +
           "search/meili/host_unencrypted"

     

       18
       18
       +
           "search/meili/key"

     

       19
       19
       +
           "endpoint/secret_base"

     

       20
       20
       +
           "endpoint/salt"

     

       21
       21
       +
           "endpoint/live_view/salt"

     

       22
       22
       +
           "vapid/pub"

     

       23
       23
       +
           "vapid/key"

     

       24
       24
       +
           "postgres/hostname"

     

       25
       25
       +
           "postgres/database_unencrypted"

     

       26
       26
       +
           "postgres/username"

     

       27
       27
       +
           "postgres/password"

     

       28
       28
       +
           "smtp/username"

     

       29
       29
       +
           "smtp/password"

     

       30
       30
       +
           "smtp/relay"

     

       31
       31
       +
         ];

     

       32
       32
       +
       in {

     

       33
       33
       +
         # secrets definition

     

       34
       34
       +
         sops.secrets = genSecrets "akkoma/" secrets {};

     

       35
       35
       +
       

     

       36
       36
       +
         services.akkoma = {

     

       37
       37
       +
           enable = true;

     

       38
       38
       +
           initSecrets = false;

     

       39
       39
       +
           initDb.enable = false;

     

       40
       40
       +
           # TODO: figure out how to add swagger ui

     

       41
       41
       +
           # frontends = {

     

       42
       42
       +
           #   swagger

     

       43
       43
       +
           # };

     

       44
       44
       +
           config = {

     

       45
       45
       +
             ":joken".":default_signer" = mkSecret "joken_default_signer";

     

       46
       46
       +
       

     

       47
       47
       +
             ":pleroma" = {

     

       48
       48
       +
               ":http_security" = {

     

       49
       49
       +
                 sts = true;

     

       50
       50
       +
               };

     

       51
       51
       +
       

     

       52
       52
       +
               "configurable_from_database" = true;

     

       53
       53
       +
               ":instance" = {

     

       54
       54
       +
                 name = "CassieAkko";

     

       55
       55
       +
                 description = "You should not see this here...";

     

       56
       56
       +
                 email = "me@soopy.moe";

     

       57
       57
       +
                 notify_email = "noreply@a.soopy.moe";

     

       58
       58
       +
                 limit = 5000;

     

       59
       59
       +
                 registrations_open = true;

     

       60
       60
       +
               };

     

       61
       61
       +
       

     

       62
       62
       +
               ":media_proxy" = {

     

       63
       63
       +
                 enabled = true;

     

       64
       64
       +
                 redirect_on_failure = true;

     

       65
       65
       +
               };

     

       66
       66
       +
       

     

       67
       67
       +
               "Pleroma.Repo" = {

     

       68
       68
       +
                 adapter = mkRaw "Ecto.Adapters.Postgres";

     

       69
       69
       +
                 database = mkSecret "postgres/database_unencrypted";

     

       70
       70
       +
                 hostname = mkSecret "postgres/hostname";

     

       71
       71
       +
                 username = mkSecret "postgres/username";

     

       72
       72
       +
                 password = mkSecret "postgres/password";

     

       73
       73
       +
               };

     

       74
       74
       +
       

     

       75
       75
       +
               "Pleroma.Upload" = {

     

       76
       76
       +
                 filters = [

     

       77
       77
       +
                   (mkRaw "Pleroma.Upload.Filter.Exiftool")

     

       78
       78
       +
                   (mkRaw "Pleroma.Upload.Filter.Dedupe")

     

       79
       79
       +
                 ];

     

       80
       80
       +
               };

     

       81
       81
       +
       

     

       82
       82
       +
               "Pleroma.Web.Endpoint" = {

     

       83
       83
       +
                 # We don't need to specify http ip/ports here because we use unix sockets

     

       84
       84
       +
                 url = {

     

       85
       85
       +
                   host = "a.soopy.moe";

     

       86
       86
       +
                   scheme = "https";

     

       87
       87
       +
                   port = 443;

     

       88
       88
       +
                 };

     

       89
       89
       +
                 secure_cookie_flag = true;

     

       90
       90
       +
       

     

       91
       91
       +
                 secret_key_base = mkSecret "endpoint/secret_base";

     

       92
       92
       +
                 signing_salt = mkSecret "endpoint/salt";

     

       93
       93
       +
                 live_view = {

     

       94
       94
       +
                   signing_salt = mkSecret "endpoint/live_view/salt";

     

       95
       95
       +
                 };

     

       96
       96
       +
               };

     

       97
       97
       +
       

     

       98
       98
       +
               "Pleroma.Emails.Mailer" = {

     

       99
       99
       +
                 adapter = mkRaw "Swoosh.Adapters.SMTP";

     

       100
       100
       +
                 relay = mkSecret "smtp/relay";

     

       101
       101
       +
                 username = mkSecret "smtp/username";

     

       102
       102
       +
                 password = mkSecret "smtp/password";

     

       103
       103
       +
               };

     

       104
       104
       +
       

     

       105
       105
       +
               "Pleroma.Search.Meilisearch" = {

     

       106
       106
       +
                 url = mkSecret "search/meili/host_unencrypted";

     

       107
       107
       +
                 private_key = mkSecret "search/meili/key";

     

       108
       108
       +
                 initial_indexing_chunk_size = 100000;

     

       109
       109
       +
               };

     

       110
       110
       +
             };

     

       111
       111
       +
       

     

       112
       112
       +
             ":web_push_encryption".":vapid_details" = {

     

       113
       113
       +
               subject = "mailto:me@soopy.moe";

     

       114
       114
       +
               public_key = mkSecret "vapid/pub";

     

       115
       115
       +
               private_key = mkSecret "vapid/key";

     

       116
       116
       +
             };

     

       117
       117
       +
           };

     

       118
       118
       +
       

     

       119
       119
       +
           nginx = _utils.mkVhost {

     

       120
       120
       +
             useACMEHost = "fedi.c.soopy.moe";

     

       121
       121
       +
             extraConfig = ''

     

       122
       122
       +
               client_max_body_size 100M;

     

       123
       123
       +
             '';

     

       124
       124
       +
           };

     

       125
       125
       +
       

     

       126
       126
       +
           extraStatic = {

     

       127
       127
       +
             "static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''

     

       128
       128
       +
               <h1>Terms of Service</h1><p>Please refer to this ToS:

     

       129
       129
       +
               <a href="https://m.soopy.moe/@admin/pages/tos" rel="noopener noreferrer nofollow">

     

       130
       130
       +
               https://m.soopy.moe/@admin/pages/tos</a></p>

     

       131
       131
       +
             '';

     

       132
       132
       +
             # refer to https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/servers/akkoma/emoji/blobs_gg.nix#L29

     

       133
       133
       +
             # "emoji/Cat_girls_Emoji" = ...

     

       134
       134
       +
           };

     

       135
       135
       +
         };

     

       136
       136
       +
       

     

       137
       137
       +
         systemd.services.akkoma-config = {

     

       138
       138
       +
           serviceConfig.SupplementaryGroups = [config.users.groups.keys.name];

     

       139
       139
       +
         };

     

       140
       140
       +
       }

systems/koumakan/services/fediverse/default.nix

···

       1
       1
       +
       {...}: {

     

       2
       2
       +
         imports = [

     

       3
       3
       +
           ./akkoma.nix

     

       4
       4
       +
         ];

     

       5
       5
       +
       }