sapphic-engineer: reinit

nixos/hosts/sapphic-engineer/akkoma.nix

@@ -0,0 +1,217 @@
+{ pkgs, inputs, config, lib, ... }: let 
+  nameValuePair = name: value: { inherit name value; };
+  defaultSecret = {
+    sopsFile = ../../../secrets/sapphic-engineer/default.yaml;
+  }; 
+  secrets = keys: builtins.listToAttr (map (name: nameValuePair name defaultSecret) keys);
+  secretRef = key: { _secret: config.sops.secrets.${key}.path; };
+in {
+  imports = [
+    inputs.tachikoma-fe.nixosModules.default
+  ];
+
+  sops.secrets = secrets [
+    "s3--access_key_id"
+    "s3--host"
+    "s3--secret_access_key"
+    "joken--default_signer"
+    "pleroma--secret_key_base"
+    "pleroma--signing_salt"
+    "pleroma--live_view--signing_salt"
+    "vapid--private_key"
+    "vapid--public_key"
+  ];
+
+  services.akkoma = {
+    enable = true;
+    initSecrets = lib.mkForce false;
+
+    config = with (pkgs.formats.elixirConf { }).lib; {
+      ":pleroma" =  {
+        ":instance" = {
+          name = "sapphic.engineer";
+          description = '' 
+            Private instance for @noe@sapphic.engineer and friends.
+
+            gex!
+          '';
+          email = "admin@sapphic.engineer";
+          registrations_open = false;
+          account_approval_required = true;
+          upload_limit = 100000000;
+          avatar_upload_limit = 1000000;
+          banner_upload_limit = 3000000;
+          background_upload_limit = 10000000;
+          max_pinned_statuses = 10;
+        };
+        ":media_proxy" = {
+          enabled = true;
+          proxy_opts.redirect_on_failure = true;
+          proxy_url = "";
+        };
+        ":media_preview_proxy" = {
+          enabled = true;
+          thumbnail_max_width = 1920;
+          thumbnail_max_height = 1080;
+        };
+        ":mrf" = {
+          transparency = false;
+          policies =
+            map mkRaw [
+              "Pleroma.Web.ActivityPub.MRF.SimplePolicy"
+              "Pleroma.Web.ActivityPub.MRF.MediaProxyWarmingPolicy"
+              "Pleroma.Web.ActivityPub.MRF.ObjectAgePolicy"
+          ];
+        };
+          ":mrf_simple" =  {
+            reject = mkMap {
+
+            };
+            media_nsfw = mkMap {
+
+            };
+            federated_timeline_removal = mkMap {
+              "mastodon.social" = "";
+            };
+          };
+          ":mrf_object_age" = {
+            threshold = 60 * 60 * 24 * 90;
+            actions = map mkRaw [ ":reject" ];
+          };
+
+        "Pleroma.Web.Endpoint" = {
+          http.ip = "::";
+          url.host = "sapphic.engineer";
+          live_view.signing_salt = secretRef "pleroma--live_view--signing_salt";
+          signing_salt = secretRef "pleroma--signing_salt";
+          secret_key_base = secretRef "pleroma--secret_key_base";
+        };
+
+        "Pleroma.Upload" = {
+          filters =
+            map (pkgs.formats.elixirConf { }).lib.mkRaw [
+              "Pleroma.Upload.Filter.OnlyMedia"
+              "Pleroma.Upload.Filter.Exiftool"
+              "Pleroma.Upload.Filter.Mogrify"
+              "Pleroma.Upload.Filter.Dedupe"
+              "Pleroma.Upload.Filter.AnonymizeFilename"
+            ];
+
+          link_name = true;
+          uploader = mkRaw "Pleroma.Uploaders.S3";
+          base_url = "https://i.sapphic.engineer/";
+        };
+          "Pleroma.Upload.Filter.Mogrify" = {
+            args = [ "strip" "auto-orient" ];
+          };
+          "Pleroma.Uploaders.S3" = {
+            bucket = "sapphicengineer-akkoma-uploads";
+            truncated_namespace = "";
+            streaming_enabled = true;
+          };
+      };
+      ":ex_aws".":s3" = {
+        access_key_id = secretRef "s3--access_key_id";
+        secret_access_key = secretRef "s3--secret_access_key";
+        host = secretRef "s3--host";
+      };
+
+      ":joken".":default_signer_secret" = secretRef "joken--default_signer";
+      ":web_push_encryption".":vapid_details" = {
+        private_key = secretRef "vapid--private_key";
+        public_key = secretRef "vapid--public_key";
+      };
+    };
+    nginx = null;
+    extraPackages = with pkgs; [ exiftool imagemagick ffmpeg_5-full ];
+    extraStatic = {
+      "robots.txt" = pkgs.writeText "robots.txt" ''
+        User-agent: *
+        Disallow: /
+      '';
+      "favicon.png" = pkgs.stdenvNoCC.mkDerivation {
+        name = "favicon.png";
+        src = pkgs.fetchurl {
+          url = "https://raw.githubusercontent.com/foxxolay/foxxolay.com/main/akkoma/favicon.png";
+          sha256 = "sha256-6L+1P+qAXxksss8U9GUcbMQQk8C32LTe/rznNXaf72c=";
+        };
+        dontUnpack = true;
+        installPhase = ''
+          cp $src $out
+        '';
+      };
+      "static/logo.png" = pkgs.stdenvNoCC.mkDerivation {
+        name = "static/logo.png";
+        src = pkgs.fetchurl {
+          url = "https://raw.githubusercontent.com/foxxolay/foxxolay.com/main/akkoma/logo.png";
+          sha256 = "sha256-drYYZxeeRkTrRlp1weh4xRVm/6tdWAnF7KHmfYWQg6M=";
+        };
+        dontUnpack = true;
+        installPhase = ''
+          cp $src $out
+        '';
+      };
+      "static/logo.svg" = pkgs.stdenvNoCC.mkDerivation {
+        name = "static/logo.svg";
+        src = ./.;
+        dontUnpack = true;
+        installPhase = ''
+          touch $out
+        '';
+      };
+      # "static/logo.png" = pkgs.stdenvNoCC.mkDerivation {
+      #   name = "files/static/logo.png";
+      #   src = ./files;
+      #   phases = [ "unpackPhase" "installPhase" ];
+      #   installPhase = ''
+      #     mkdir -p $out/static
+      #     cp static/logo.png $out/static/logo.png
+      #   '';
+      # };
+      "emoji/foxes" = pkgs.stdenvNoCC.mkDerivation {
+        name = "emoji/foxes";
+        src = ./emotes;
+        dontUnpack = true;
+        installPhase = ''
+          cp -r $src $out
+        '';
+      };
+      "emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
+      "static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''
+        This is a private instance. Requests are not accepted.
+
+        <div>
+          <a href="https://noe.sh" target="_blank"><img src="https://noe.sh/yay/88x31.png" width="88" height="31" alt="noe" /></a>
+          <a href="https://noe.sh/pronouns/" target="_blank"><img src="https://noe.sh/yay/88x31-vp.png" width="88" height="31" alt="it/its" /></a>
+          <img src="https://noe.sh/yay/88x31-nap.png" width="88" height="31" alt="not a person" />
+          <a href="https://sapphic.engineer" target="_blank"><img src="https://noe.sh/yay/88x31-se.png" width="88" height="31" alt="sapphic.engineer" /></a>
+        </div>
+      '';
+    };
+  };
+
+  services.postgresql.enable = true;
+  services.postgresql.package = pkgs.postgresql_15;
+
+  # services.nginx = {
+  #   enable = true;
+  #   package = pkgs.tengine;
+
+  #   clientMaxBodySize = "150m";
+  #   recommendedTlsSettings = true;
+  #   recommendedOptimisation = true;
+  #   recommendedGzipSettings = true;
+  #   recommendedZstdSettings = true;
+  #   recommendedBrotliSettings = true;
+  #   recommendedProxySettings = true;
+  #   commonHttpConfig = ''
+  #     proxy_request_buffering off;
+  #     proxy_cache_path /var/cache/nginx/cache/akkoma-media-cache
+  #       levels= keys_zone=akkoma_media_cache:16m max_size=16g
+  #       inactive=1y use_temp_path=off;
+      
+  #     log_format combined2 "$server_name: $remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\"";
+  #     access_log /var/log/nginx/access.log combined2;
+  #   '';
+  # };
+}