b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #103138 from NinjaTrappeur/nin-pleroma

Browse source
This commit is contained in:
Ninjatrappeur 2021-01-27 13:28:44 +01:00 committed by GitHub
parent 693c7cd0f7 60b730fd94
commit ab224b550c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 611 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
nixos/modules/module-list.nix
View file

@ -727,6 +727,7 @@
./services/networking/owamp.nix
./services/networking/pdnsd.nix
./services/networking/pixiecore.nix
./services/networking/pleroma.nix
./services/networking/polipo.nix
./services/networking/powerdns.nix
./services/networking/pdns-recursor.nix

140
nixos/modules/services/networking/pleroma.nix Normal file
View file

@ -0,0 +1,140 @@
{ config, options, lib, pkgs, stdenv, ... }:
let
cfg = config.services.pleroma;
in {
options = {
services.pleroma = with lib; {
enable = mkEnableOption "pleroma";
package = mkOption {
type = types.package;
default = pkgs.pleroma-otp;
description = "Pleroma package to use.";
};
user = mkOption {
type = types.str;
default = "pleroma";
description = "User account under which pleroma runs.";
};
group = mkOption {
type = types.str;
default = "pleroma";
description = "Group account under which pleroma runs.";
};
stateDir = mkOption {
type = types.str;
default = "/var/lib/pleroma";
readOnly = true;
description = "Directory where the pleroma service will save the uploads and static files.";
};
configs = mkOption {
type = with types; listOf str;
description = ''
Pleroma public configuration.
This list gets appended from left to
right into /etc/pleroma/config.exs. Elixir evaluates its
configuration imperatively, meaning you can override a
setting by appending a new str to this NixOS option list.
<emphasis>DO NOT STORE ANY PLEROMA SECRET
HERE</emphasis>, use
<link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>
instead.
This setting is going to be stored in a file part of
the Nix store. The Nix store being world-readable, it's not
the right place to store any secret
Have a look to Pleroma section in the NixOS manual for more
informations.
'';
};
secretConfigFile = mkOption {
type = types.str;
default = "/var/lib/pleroma/secrets.exs";
description = ''
Path to the file containing your secret pleroma configuration.
<emphasis>DO NOT POINT THIS OPTION TO THE NIX
STORE</emphasis>, the store being world-readable, it'll
compromise all your secrets.
'';
};
};
};
config = lib.mkIf cfg.enable {
users = {
users."${cfg.user}" = {
description = "Pleroma user";
home = cfg.stateDir;
extraGroups = [ cfg.group ];
};
groups."${cfg.group}" = {};
};
environment.systemPackages = [ cfg.package ];
environment.etc."/pleroma/config.exs".text = ''
${lib.concatMapStrings (x: "${x}") cfg.configs}
# The lau/tzdata library is trying to download the latest
# timezone database in the OTP priv directory by default.
# This directory being in the store, it's read-only.
# Setting that up to a more appropriate location.
config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data"
import_config "${cfg.secretConfigFile}"
'';
systemd.services.pleroma = {
description = "Pleroma social network";
after = [ "network-online.target" "postgresql.service" ];
wantedBy = [ "multi-user.target" ];
restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ];
serviceConfig = {
User = cfg.user;
Group = cfg.group;
Type = "exec";
WorkingDirectory = "~";
StateDirectory = "pleroma pleroma/static pleroma/uploads";
StateDirectoryMode = "700";
# Checking the conf file is there then running the database
# migration before each service start, just in case there are
# some pending ones.
#
# It's sub-optimal as we'll always run this, even if pleroma
# has not been updated. But the no-op process is pretty fast.
# Better be safe than sorry migration-wise.
ExecStartPre =
let preScript = pkgs.writers.writeBashBin "pleromaStartPre"
"${cfg.package}/bin/pleroma_ctl migrate";
in "${preScript}/bin/pleromaStartPre";
ExecStart = "${cfg.package}/bin/pleroma start";
ExecStop = "${cfg.package}/bin/pleroma stop";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
# Systemd sandboxing directives.
# Taken from the upstream contrib systemd service at
# pleroma/installation/pleroma.service
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "full";
PrivateDevices = false;
NoNewPrivileges = true;
CapabilityBoundingSet = "~CAP_SYS_ADMIN";
};
};
};
meta.maintainers = with lib.maintainers; [ ninjatrappeur ];
meta.doc = ./pleroma.xml;
}

132
nixos/modules/services/networking/pleroma.xml Normal file
View file

@ -0,0 +1,132 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="module-services-pleroma">
<title>Pleroma</title>
<para><link xlink:href="https://pleroma.social/">Pleroma</link> is a lightweight activity pub server.</para>
<section xml:id="module-services-pleroma-getting-started">
<title>Quick Start</title>
<para>To get quickly started, you can use this sample NixOS configuration and adapt it to your use case.</para>
<para><programlisting>
{
security.acme = {
email = "root@tld";
acceptTerms = true;
certs = {
"social.tld.com" = {
webroot = "/var/www/social.tld.com";
email = "root@tld";
group = "nginx";
};
};
};
services = {
pleroma = {
enable = true;
secretConfigFile = "/var/lib/pleroma/secrets.exs";
configs = [
''
import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "social.tld.com", scheme: "https", port: 443],
http: [ip: {127, 0, 0, 1}, port: 4000]
config :pleroma, :instance,
name: "NixOS test pleroma server",
email: "pleroma@social.tld.com",
notify_email: "pleroma@social.tld.com",
limit: 5000,
registrations_open: true
config :pleroma, :media_proxy,
enabled: false,
redirect_on_failure: true
#base_url: "https://cache.pleroma.social"
config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres,
username: "pleroma",
password: "${test-db-passwd}",
database: "pleroma",
hostname: "localhost",
pool_size: 10,
prepare: :named,
parameters: [
plan_cache_mode: "force_custom_plan"
]
config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
config :pleroma, configurable_from_database: false
''
];
};
postgresql = {
enable = true;
package = pkgs.postgresql_12;
};
nginx = {
enable = true;
addSSL = true;
sslCertificate = "/var/lib/acme/social.tld.com/fullchain.pem";
sslCertificateKey = "/var/lib/acme/social.tld.com/key.pem";
root = "/var/www/social.tld.com";
# ACME endpoint
locations."/.well-known/acme-challenge" = {
root = "/var/www/social.tld.com/";
};
virtualHosts."social.tld.com" = {
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4000";
extraConfig = ''
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
if ($request_method = OPTIONS) {
return 204;
}
add_header X-XSS-Protection "1; mode=block";
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header X-Download-Options noopen;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
client_max_body_size 16m;
'';
};
};
};
};
};
</programlisting></para>
<para>Note that you'll need to seed your database and upload your pleroma secrets to the path pointed by <literal>config.pleroma.secretConfigFile</literal>. You can find more informations about how to do that in the <link linkend="module-services-pleroma-generate-config">next</link> section.</para>
</section>
<section xml:id="module-services-pleroma-generate-config">
<title>Generating the Pleroma Config and Seed the Database</title>
<para>Before using this service, you'll need to generate your
server configuration and its associated database seed. The
<literal>pleroma_ctl</literal> CLI utility can help you with that. You
can start with <literal>pleroma_ctl instance gen --output config.exs
--output-psql setup.psql</literal>, this will prompt you some
questions and will generate both your config file and database initial
migration. </para>
<para>For more details about this configuration format, please have a look at the <link xlink:href="https://docs-develop.pleroma.social/backend/configuration/cheatsheet/">upstream documentation</link>.</para>
<para>To seed your database, you can use the <literal>setup.psql</literal> file you just generated by running
<programlisting>
sudo -u postgres psql -f setup.psql
</programlisting></para>
<para>In regard of the pleroma service configuration you also just generated, you'll need to split it in two parts. The "public" part, which do not contain any secrets and thus can be safely stored in the Nix store and its "private" counterpart containing some secrets (database password, endpoint secret key, salts, etc.).</para>
<para>The public part will live in your NixOS machine configuration in the <link linkend="opt-services.pleroma.configs">services.pleroma.configs</link> option. However, it's up to you to upload the secret pleroma configuration to the path pointed by <link linkend="opt-services.pleroma.secretConfigFile">services.pleroma.secretConfigFile</link>. You can do that manually or rely on a third party tool such as <link xlink:href="https://github.com/DBCDK/morph">Morph</link> or <link xlink:href="https://github.com/NixOS/nixops">NixOps</link>.</para>
</section>
</chapter>

1
nixos/tests/all-tests.nix
View file

@ -302,6 +302,7 @@ in
php = handleTest ./php {};
pinnwand = handleTest ./pinnwand.nix {};
plasma5 = handleTest ./plasma5.nix {};
pleroma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./pleroma.nix {};
plotinus = handleTest ./plotinus.nix {};
podman = handleTestOn ["x86_64-linux"] ./podman.nix {};
postfix = handleTest ./postfix.nix {};

265
nixos/tests/pleroma.nix Normal file
View file

@ -0,0 +1,265 @@
/*
Pleroma E2E VM test.
Abstract:
=========
Using pleroma, postgresql, a local CA cert, a nginx reverse proxy
and a toot-based client, we're going to:
1. Provision a pleroma service from scratch (pleroma config + postgres db).
2. Create a "jamy" admin user.
3. Send a toot from this user.
4. Send a upload from this user.
5. Check the toot is part of the server public timeline
Notes:
- We need a fully functional TLS setup without having any access to
the internet. We do that by issuing a self-signed cert, add this
self-cert to the hosts pki trust store and finally spoof the
hostnames using /etc/hosts.
- For this NixOS test, we *had* to store some DB-related and
pleroma-related secrets to the store. Keep in mind the store is
world-readable, it's the worst place possible to store *any*
secret. **DO NOT DO THIS IN A REAL WORLD DEPLOYMENT**.
*/
import ./make-test-python.nix ({ pkgs, ... }:
let
send-toot = pkgs.writeScriptBin "send-toot" ''
set -eux
# toot is using the requests library internally. This library
# sadly embed its own certificate store instead of relying on the
# system one. Overriding this pretty bad default behaviour.
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export TOOT_LOGIN_CLI_PASSWORD="jamy-password"
toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test"
echo "Login OK"
# Send a toot then verify it's part of the public timeline
echo "y" | toot post "hello world Jamy here"
echo "Send toot OK"
echo "y" | toot timeline | grep -c "hello world Jamy here"
echo "Get toot from timeline OK"
# Test file upload
echo "y" | toot upload ${db-seed} | grep -c "https://pleroma.nixos.test/media"
echo "File upload OK"
echo "====================================================="
echo "= SUCCESS ="
echo "= ="
echo "= We were able to sent a toot + a upload and ="
echo "= retrieve both of them in the public timeline. ="
echo "====================================================="
'';
provision-db = pkgs.writeScriptBin "provision-db" ''
set -eux
sudo -u postgres psql -f ${db-seed}
'';
test-db-passwd = "SccZOvTGM//BMrpoQj68JJkjDkMGb4pHv2cECWiI+XhVe3uGJTLI0vFV/gDlZ5jJ";
/* For this NixOS test, we *had* to store this secret to the store.
Keep in mind the store is world-readable, it's the worst place
possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD
DEPLOYMENT**.*/
db-seed = pkgs.writeText "provision.psql" ''
CREATE USER pleroma WITH ENCRYPTED PASSWORD '${test-db-passwd}';
CREATE DATABASE pleroma OWNER pleroma;
\c pleroma;
--Extensions made by ecto.migrate that need superuser access
CREATE EXTENSION IF NOT EXISTS citext;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
'';
pleroma-conf = ''
import Config
config :pleroma, Pleroma.Web.Endpoint,
url: [host: "pleroma.nixos.test", scheme: "https", port: 443],
http: [ip: {127, 0, 0, 1}, port: 4000]
config :pleroma, :instance,
name: "NixOS test pleroma server",
email: "pleroma@nixos.test",
notify_email: "pleroma@nixos.test",
limit: 5000,
registrations_open: true
config :pleroma, :media_proxy,
enabled: false,
redirect_on_failure: true
#base_url: "https://cache.pleroma.social"
config :pleroma, Pleroma.Repo,
adapter: Ecto.Adapters.Postgres,
username: "pleroma",
password: "${test-db-passwd}",
database: "pleroma",
hostname: "localhost",
pool_size: 10,
prepare: :named,
parameters: [
plan_cache_mode: "force_custom_plan"
]
config :pleroma, :database, rum_enabled: false
config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
config :pleroma, configurable_from_database: false
'';
/* For this NixOS test, we *had* to store this secret to the store.
Keep in mind the store is world-readable, it's the worst place
possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD
DEPLOYMENT**.
In a real-word deployment, you'd handle this either by:
- manually upload your pleroma secrets to /var/lib/pleroma/secrets.exs
- use a deployment tool such as morph or NixOps to deploy your secrets.
*/
pleroma-conf-secret = pkgs.writeText "secrets.exs" ''
import Config
config :joken, default_signer: "PS69/wMW7X6FIQPABt9lwvlZvgrJIncfiAMrK9J5mjVus/7/NJJi1DsDA1OghBE5"
config :pleroma, Pleroma.Web.Endpoint,
secret_key_base: "NvfmU7lYaQrmmxt4NACm0AaAfN9t6WxsrX0NCB4awkGHvr1S7jyshlEmrjaPFhhq",
signing_salt: "3L41+BuJ"
config :web_push_encryption, :vapid_details,
subject: "mailto:pleroma@nixos.test",
public_key: "BKjfNX9-UqAcncaNqERQtF7n9pKrB0-MO-juv6U5E5XQr_Tg5D-f8AlRjduAguDpyAngeDzG8MdrTejMSL4VF30",
private_key: "k7o9onKMQrgMjMb6l4fsxSaXO0BTNAer5MVSje3q60k"
'';
/* For this NixOS test, we *had* to store this secret to the store.
Keep in mind the store is world-readable, it's the worst place
possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD
DEPLOYMENT**.
In a real-word deployment, you'd handle this either by:
- manually upload your pleroma secrets to /var/lib/pleroma/secrets.exs
- use a deployment tool such as morph or NixOps to deploy your secrets.
*/
provision-secrets = pkgs.writeScriptBin "provision-secrets" ''
set -eux
cp "${pleroma-conf-secret}" "/var/lib/pleroma/secrets.exs"
chown pleroma:pleroma /var/lib/pleroma/secrets.exs
'';
/* For this NixOS test, we *had* to store this secret to the store.
Keep in mind the store is world-readable, it's the worst place
possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD
DEPLOYMENT**.
*/
provision-user = pkgs.writeScriptBin "provision-user" ''
set -eux
# Waiting for pleroma to be up.
timeout 5m bash -c 'while [[ "$(curl -s -o /dev/null -w '%{http_code}' https://pleroma.nixos.test/api/v1/instance)" != "200" ]]; do sleep 2; done'
pleroma_ctl user new jamy jamy@nixos.test --password 'jamy-password' --moderator --admin -y
'';
tls-cert = pkgs.runCommandNoCC "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=pleroma.nixos.test'
mkdir -p $out
cp key.pem cert.pem $out
'';
/* Toot is preventing users from feeding login_cli a password non
interactively. While it makes sense most of the times, it's
preventing us to login in this non-interactive test. This patch
introduce a TOOT_LOGIN_CLI_PASSWORD env variable allowing us to
provide a password to toot login_cli
If https://github.com/ihabunek/toot/pull/180 gets merged at some
point, feel free to remove this patch. */
custom-toot = pkgs.toot.overrideAttrs(old:{
patches = [ (pkgs.fetchpatch {
url = "https://github.com/NinjaTrappeur/toot/commit/b4a4c30f41c0cb7e336714c2c4af9bc9bfa0c9f2.patch";
sha256 = "sha256-0xxNwjR/fStLjjUUhwzCCfrghRVts+fc+fvVJqVcaFg=";
}) ];
});
hosts = nodes: ''
${nodes.pleroma.config.networking.primaryIPAddress} pleroma.nixos.test
${nodes.client.config.networking.primaryIPAddress} client.nixos.test
'';
in {
name = "pleroma";
nodes = {
client = { nodes, pkgs, config, ... }: {
security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
networking.extraHosts = hosts nodes;
environment.systemPackages = with pkgs; [
custom-toot
send-toot
];
};
pleroma = { nodes, pkgs, config, ... }: {
security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ];
networking.extraHosts = hosts nodes;
networking.firewall.enable = false;
environment.systemPackages = with pkgs; [
provision-db
provision-secrets
provision-user
];
services = {
pleroma = {
enable = true;
configs = [
pleroma-conf
];
};
postgresql = {
enable = true;
package = pkgs.postgresql_12;
};
nginx = {
enable = true;
virtualHosts."pleroma.nixos.test" = {
addSSL = true;
sslCertificate = "${tls-cert}/cert.pem";
sslCertificateKey = "${tls-cert}/key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:4000";
extraConfig = ''
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
if ($request_method = OPTIONS) {
return 204;
}
add_header X-XSS-Protection "1; mode=block";
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header X-Download-Options noopen;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
client_max_body_size 16m;
'';
};
};
};
};
};
};
testScript = { nodes, ... }: ''
pleroma.wait_for_unit("postgresql.service")
pleroma.succeed("provision-db")
pleroma.succeed("provision-secrets")
pleroma.systemctl("restart pleroma.service")
pleroma.wait_for_unit("pleroma.service")
pleroma.succeed("provision-user")
client.succeed("send-toot")
'';
})

70
pkgs/servers/pleroma-otp/default.nix Normal file
View file

@ -0,0 +1,70 @@
{ stdenv
, autoPatchelfHook
, fetchurl
, file
, makeWrapper
, ncurses
, nixosTests
, openssl
, unzip
, zlib
}:
stdenv.mkDerivation {
pname = "pleroma-otp";
version = "2.2.2";
# To find the latest binary release stable link, have a look at
# the CI pipeline for the latest commit of the stable branch
# https://git.pleroma.social/pleroma/pleroma/-/tree/stable
src = {
aarch64-linux = fetchurl {
url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/175288/artifacts/download";
sha256 = "107kp5zqwq1lixk1cwkx4v7zpm0h248xzlm152aj36ghb43j2snw";
};
x86_64-linux = fetchurl {
url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/175284/artifacts/download";
sha256 = "1c6l04gga9iigm249ywwcrjg6wzy8iiid652mws3j9dnl71w2sim";
};
}."${stdenv.hostPlatform.system}";
nativeBuildInputs = [ unzip ];
buildInputs = [
autoPatchelfHook
file
makeWrapper
ncurses
openssl
zlib
];
# mkDerivation fails to detect the zip nature of $src due to the
# missing .zip extension.
# Let's unpack the archive explicitely.
unpackCmd = "unzip $curSrc";
installPhase = ''
mkdir $out
cp -r * $out'';
# Pleroma is using the project's root path (here the store path)
# as its TMPDIR.
# Patching it to move the tmp dir to the actual tmpdir
postFixup = ''
wrapProgram $out/bin/pleroma \
--set-default RELEASE_TMP "/tmp"
wrapProgram $out/bin/pleroma_ctl \
--set-default RELEASE_TMP "/tmp"'';
passthru.tests = {
pleroma = nixosTests.pleroma;
};
meta = {
description = "ActivityPub microblogging server";
homepage = https://git.pleroma.social/pleroma/pleroma;
license = stdenv.lib.licenses.agpl3;
maintainers = with stdenv.lib.maintainers; [ ninjatrappeur ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
};
}

2
pkgs/top-level/all-packages.nix
View file

@ -7055,6 +7055,8 @@ in
tautulli = python3Packages.callPackage ../servers/tautulli { };
pleroma-otp = callPackage ../servers/pleroma-otp { };
ploticus = callPackage ../tools/graphics/ploticus {
libpng = libpng12;
};