From 2c03cf9491e1c29bd8a3777a18a20926da2119dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= Date: Sat, 7 Nov 2020 18:41:44 +0100 Subject: [PATCH 1/3] pleroma-otp: init at 2.2.2 Co-authored-by: flokli --- pkgs/servers/pleroma-otp/default.nix | 66 ++++++++++++++++++++++++++++ pkgs/top-level/all-packages.nix | 2 + 2 files changed, 68 insertions(+) create mode 100644 pkgs/servers/pleroma-otp/default.nix diff --git a/pkgs/servers/pleroma-otp/default.nix b/pkgs/servers/pleroma-otp/default.nix new file mode 100644 index 00000000000..756f2fc33dc --- /dev/null +++ b/pkgs/servers/pleroma-otp/default.nix @@ -0,0 +1,66 @@ +{ stdenv +, autoPatchelfHook +, fetchurl +, file +, makeWrapper +, ncurses +, nixosTests +, openssl +, unzip +, zlib +}: +stdenv.mkDerivation { + pname = "pleroma-otp"; + version = "2.2.2"; + + # To find the latest binary release stable link, have a look at + # the CI pipeline for the latest commit of the stable branch + # https://git.pleroma.social/pleroma/pleroma/-/tree/stable + src = { + aarch64-linux = fetchurl { + url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/175288/artifacts/download"; + sha256 = "107kp5zqwq1lixk1cwkx4v7zpm0h248xzlm152aj36ghb43j2snw"; + }; + x86_64-linux = fetchurl { + url = "https://git.pleroma.social/pleroma/pleroma/-/jobs/175284/artifacts/download"; + sha256 = "1c6l04gga9iigm249ywwcrjg6wzy8iiid652mws3j9dnl71w2sim"; + }; + }."${stdenv.hostPlatform.system}"; + + nativeBuildInputs = [ unzip ]; + + buildInputs = [ + autoPatchelfHook + file + makeWrapper + ncurses + openssl + zlib + ]; + + # mkDerivation fails to detect the zip nature of $src due to the + # missing .zip extension. + # Let's unpack the archive explicitely. + unpackCmd = "unzip $curSrc"; + + installPhase = '' + mkdir $out + cp -r * $out''; + + # Pleroma is using the project's root path (here the store path) + # as its TMPDIR. + # Patching it to move the tmp dir to the actual tmpdir + postFixup = '' + wrapProgram $out/bin/pleroma \ + --set-default RELEASE_TMP "/tmp" + wrapProgram $out/bin/pleroma_ctl \ + --set-default RELEASE_TMP "/tmp"''; + + meta = { + description = "ActivityPub microblogging server"; + homepage = https://git.pleroma.social/pleroma/pleroma; + license = stdenv.lib.licenses.agpl3; + maintainers = with stdenv.lib.maintainers; [ ninjatrappeur ]; + platforms = [ "x86_64-linux" "aarch64-linux" ]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b5f88bdb8e7..6eb9ef1f46e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -7020,6 +7020,8 @@ in tautulli = python3Packages.callPackage ../servers/tautulli { }; + pleroma-otp = callPackage ../servers/pleroma-otp { }; + ploticus = callPackage ../tools/graphics/ploticus { libpng = libpng12; }; From 231c5a576a95391d5e4cd5b8948bfa8a6224bed1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= Date: Sun, 8 Nov 2020 15:05:37 +0100 Subject: [PATCH 2/3] nixos/pleroma: init Adding a new pleroma NixOS module and its associated documentation. co-authored-by: duponin --- nixos/modules/module-list.nix | 1 + nixos/modules/services/networking/pleroma.nix | 140 ++++++++++++++++++ nixos/modules/services/networking/pleroma.xml | 132 +++++++++++++++++ 3 files changed, 273 insertions(+) create mode 100644 nixos/modules/services/networking/pleroma.nix create mode 100644 nixos/modules/services/networking/pleroma.xml diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 1ccfba68453..0b565ed9f64 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -725,6 +725,7 @@ ./services/networking/owamp.nix ./services/networking/pdnsd.nix ./services/networking/pixiecore.nix + ./services/networking/pleroma.nix ./services/networking/polipo.nix ./services/networking/powerdns.nix ./services/networking/pdns-recursor.nix diff --git a/nixos/modules/services/networking/pleroma.nix b/nixos/modules/services/networking/pleroma.nix new file mode 100644 index 00000000000..9b2bf9f6124 --- /dev/null +++ b/nixos/modules/services/networking/pleroma.nix @@ -0,0 +1,140 @@ +{ config, options, lib, pkgs, stdenv, ... }: +let + cfg = config.services.pleroma; +in { + options = { + services.pleroma = with lib; { + enable = mkEnableOption "pleroma"; + + package = mkOption { + type = types.package; + default = pkgs.pleroma-otp; + description = "Pleroma package to use."; + }; + + user = mkOption { + type = types.str; + default = "pleroma"; + description = "User account under which pleroma runs."; + }; + + group = mkOption { + type = types.str; + default = "pleroma"; + description = "Group account under which pleroma runs."; + }; + + stateDir = mkOption { + type = types.str; + default = "/var/lib/pleroma"; + readOnly = true; + description = "Directory where the pleroma service will save the uploads and static files."; + }; + + configs = mkOption { + type = with types; listOf str; + description = '' + Pleroma public configuration. + + This list gets appended from left to + right into /etc/pleroma/config.exs. Elixir evaluates its + configuration imperatively, meaning you can override a + setting by appending a new str to this NixOS option list. + + DO NOT STORE ANY PLEROMA SECRET + HERE, use + services.pleroma.secretConfigFile + instead. + + This setting is going to be stored in a file part of + the Nix store. The Nix store being world-readable, it's not + the right place to store any secret + + Have a look to Pleroma section in the NixOS manual for more + informations. + ''; + }; + + secretConfigFile = mkOption { + type = types.str; + default = "/var/lib/pleroma/secrets.exs"; + description = '' + Path to the file containing your secret pleroma configuration. + + DO NOT POINT THIS OPTION TO THE NIX + STORE, the store being world-readable, it'll + compromise all your secrets. + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + users = { + users."${cfg.user}" = { + description = "Pleroma user"; + home = cfg.stateDir; + extraGroups = [ cfg.group ]; + }; + groups."${cfg.group}" = {}; + }; + + environment.systemPackages = [ cfg.package ]; + + environment.etc."/pleroma/config.exs".text = '' + ${lib.concatMapStrings (x: "${x}") cfg.configs} + + # The lau/tzdata library is trying to download the latest + # timezone database in the OTP priv directory by default. + # This directory being in the store, it's read-only. + # Setting that up to a more appropriate location. + config :tzdata, :data_dir, "/var/lib/pleroma/elixir_tzdata_data" + + import_config "${cfg.secretConfigFile}" + ''; + + systemd.services.pleroma = { + description = "Pleroma social network"; + after = [ "network-online.target" "postgresql.service" ]; + wantedBy = [ "multi-user.target" ]; + restartTriggers = [ config.environment.etc."/pleroma/config.exs".source ]; + serviceConfig = { + User = cfg.user; + Group = cfg.group; + Type = "exec"; + WorkingDirectory = "~"; + StateDirectory = "pleroma pleroma/static pleroma/uploads"; + StateDirectoryMode = "700"; + + # Checking the conf file is there then running the database + # migration before each service start, just in case there are + # some pending ones. + # + # It's sub-optimal as we'll always run this, even if pleroma + # has not been updated. But the no-op process is pretty fast. + # Better be safe than sorry migration-wise. + ExecStartPre = + let preScript = pkgs.writers.writeBashBin "pleromaStartPre" + "${cfg.package}/bin/pleroma_ctl migrate"; + in "${preScript}/bin/pleromaStartPre"; + + ExecStart = "${cfg.package}/bin/pleroma start"; + ExecStop = "${cfg.package}/bin/pleroma stop"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + # Systemd sandboxing directives. + # Taken from the upstream contrib systemd service at + # pleroma/installation/pleroma.service + PrivateTmp = true; + ProtectHome = true; + ProtectSystem = "full"; + PrivateDevices = false; + NoNewPrivileges = true; + CapabilityBoundingSet = "~CAP_SYS_ADMIN"; + }; + }; + + }; + meta.maintainers = with lib.maintainers; [ ninjatrappeur ]; + meta.doc = ./pleroma.xml; +} diff --git a/nixos/modules/services/networking/pleroma.xml b/nixos/modules/services/networking/pleroma.xml new file mode 100644 index 00000000000..9ab0be3d947 --- /dev/null +++ b/nixos/modules/services/networking/pleroma.xml @@ -0,0 +1,132 @@ + + Pleroma + Pleroma is a lightweight activity pub server. +
+ Quick Start + To get quickly started, you can use this sample NixOS configuration and adapt it to your use case. + + { + security.acme = { + email = "root@tld"; + acceptTerms = true; + certs = { + "social.tld.com" = { + webroot = "/var/www/social.tld.com"; + email = "root@tld"; + group = "nginx"; + }; + }; + }; + services = { + pleroma = { + enable = true; + secretConfigFile = "/var/lib/pleroma/secrets.exs"; + configs = [ + '' + import Config + + config :pleroma, Pleroma.Web.Endpoint, + url: [host: "social.tld.com", scheme: "https", port: 443], + http: [ip: {127, 0, 0, 1}, port: 4000] + + config :pleroma, :instance, + name: "NixOS test pleroma server", + email: "pleroma@social.tld.com", + notify_email: "pleroma@social.tld.com", + limit: 5000, + registrations_open: true + + config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + + config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "pleroma", + password: "${test-db-passwd}", + database: "pleroma", + hostname: "localhost", + pool_size: 10, + prepare: :named, + parameters: [ + plan_cache_mode: "force_custom_plan" + ] + + config :pleroma, :database, rum_enabled: false + config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" + config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" + config :pleroma, configurable_from_database: false + '' + ]; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_12; + }; + nginx = { + enable = true; + addSSL = true; + sslCertificate = "/var/lib/acme/social.tld.com/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/social.tld.com/key.pem"; + root = "/var/www/social.tld.com"; + # ACME endpoint + locations."/.well-known/acme-challenge" = { + root = "/var/www/social.tld.com/"; + }; + virtualHosts."social.tld.com" = { + addSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:4000"; + extraConfig = '' + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + if ($request_method = OPTIONS) { + return 204; + } + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + client_max_body_size 16m; + ''; + }; + }; + }; + }; + }; + + Note that you'll need to seed your database and upload your pleroma secrets to the path pointed by config.pleroma.secretConfigFile. You can find more informations about how to do that in the next section. +
+
+ Generating the Pleroma Config and Seed the Database + + Before using this service, you'll need to generate your +server configuration and its associated database seed. The +pleroma_ctl CLI utility can help you with that. You +can start with pleroma_ctl instance gen --output config.exs +--output-psql setup.psql, this will prompt you some +questions and will generate both your config file and database initial +migration. +For more details about this configuration format, please have a look at the upstream documentation. +To seed your database, you can use the setup.psql file you just generated by running + + sudo -u postgres psql -f setup.psql + + In regard of the pleroma service configuration you also just generated, you'll need to split it in two parts. The "public" part, which do not contain any secrets and thus can be safely stored in the Nix store and its "private" counterpart containing some secrets (database password, endpoint secret key, salts, etc.). + + The public part will live in your NixOS machine configuration in the services.pleroma.configs option. However, it's up to you to upload the secret pleroma configuration to the path pointed by services.pleroma.secretConfigFile. You can do that manually or rely on a third party tool such as Morph or NixOps. +
+ From 60b730fd944b6e42bc185dd92ed8cb71e48d795b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix=20Baylac-Jacqu=C3=A9?= Date: Sun, 8 Nov 2020 15:10:14 +0100 Subject: [PATCH 3/3] nixos/pleroma: add NixOS VM test. --- nixos/tests/all-tests.nix | 1 + nixos/tests/pleroma.nix | 265 +++++++++++++++++++++++++++ pkgs/servers/pleroma-otp/default.nix | 4 + 3 files changed, 270 insertions(+) create mode 100644 nixos/tests/pleroma.nix diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 902c3bbc65e..22629042ae5 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -301,6 +301,7 @@ in php = handleTest ./php {}; pinnwand = handleTest ./pinnwand.nix {}; plasma5 = handleTest ./plasma5.nix {}; + pleroma = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./pleroma.nix {}; plotinus = handleTest ./plotinus.nix {}; podman = handleTestOn ["x86_64-linux"] ./podman.nix {}; postfix = handleTest ./postfix.nix {}; diff --git a/nixos/tests/pleroma.nix b/nixos/tests/pleroma.nix new file mode 100644 index 00000000000..797cac44f95 --- /dev/null +++ b/nixos/tests/pleroma.nix @@ -0,0 +1,265 @@ +/* + Pleroma E2E VM test. + + Abstract: + ========= + Using pleroma, postgresql, a local CA cert, a nginx reverse proxy + and a toot-based client, we're going to: + + 1. Provision a pleroma service from scratch (pleroma config + postgres db). + 2. Create a "jamy" admin user. + 3. Send a toot from this user. + 4. Send a upload from this user. + 5. Check the toot is part of the server public timeline + + Notes: + - We need a fully functional TLS setup without having any access to + the internet. We do that by issuing a self-signed cert, add this + self-cert to the hosts pki trust store and finally spoof the + hostnames using /etc/hosts. + - For this NixOS test, we *had* to store some DB-related and + pleroma-related secrets to the store. Keep in mind the store is + world-readable, it's the worst place possible to store *any* + secret. **DO NOT DO THIS IN A REAL WORLD DEPLOYMENT**. +*/ + +import ./make-test-python.nix ({ pkgs, ... }: + let + send-toot = pkgs.writeScriptBin "send-toot" '' + set -eux + # toot is using the requests library internally. This library + # sadly embed its own certificate store instead of relying on the + # system one. Overriding this pretty bad default behaviour. + export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt + + export TOOT_LOGIN_CLI_PASSWORD="jamy-password" + toot login_cli -i "pleroma.nixos.test" -e "jamy@nixos.test" + echo "Login OK" + + # Send a toot then verify it's part of the public timeline + echo "y" | toot post "hello world Jamy here" + echo "Send toot OK" + echo "y" | toot timeline | grep -c "hello world Jamy here" + echo "Get toot from timeline OK" + + # Test file upload + echo "y" | toot upload ${db-seed} | grep -c "https://pleroma.nixos.test/media" + echo "File upload OK" + + echo "=====================================================" + echo "= SUCCESS =" + echo "= =" + echo "= We were able to sent a toot + a upload and =" + echo "= retrieve both of them in the public timeline. =" + echo "=====================================================" + ''; + + provision-db = pkgs.writeScriptBin "provision-db" '' + set -eux + sudo -u postgres psql -f ${db-seed} + ''; + + test-db-passwd = "SccZOvTGM//BMrpoQj68JJkjDkMGb4pHv2cECWiI+XhVe3uGJTLI0vFV/gDlZ5jJ"; + + /* For this NixOS test, we *had* to store this secret to the store. + Keep in mind the store is world-readable, it's the worst place + possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD + DEPLOYMENT**.*/ + db-seed = pkgs.writeText "provision.psql" '' + CREATE USER pleroma WITH ENCRYPTED PASSWORD '${test-db-passwd}'; + CREATE DATABASE pleroma OWNER pleroma; + \c pleroma; + --Extensions made by ecto.migrate that need superuser access + CREATE EXTENSION IF NOT EXISTS citext; + CREATE EXTENSION IF NOT EXISTS pg_trgm; + CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + ''; + + pleroma-conf = '' + import Config + + config :pleroma, Pleroma.Web.Endpoint, + url: [host: "pleroma.nixos.test", scheme: "https", port: 443], + http: [ip: {127, 0, 0, 1}, port: 4000] + + config :pleroma, :instance, + name: "NixOS test pleroma server", + email: "pleroma@nixos.test", + notify_email: "pleroma@nixos.test", + limit: 5000, + registrations_open: true + + config :pleroma, :media_proxy, + enabled: false, + redirect_on_failure: true + #base_url: "https://cache.pleroma.social" + + config :pleroma, Pleroma.Repo, + adapter: Ecto.Adapters.Postgres, + username: "pleroma", + password: "${test-db-passwd}", + database: "pleroma", + hostname: "localhost", + pool_size: 10, + prepare: :named, + parameters: [ + plan_cache_mode: "force_custom_plan" + ] + + config :pleroma, :database, rum_enabled: false + config :pleroma, :instance, static_dir: "/var/lib/pleroma/static" + config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" + config :pleroma, configurable_from_database: false + ''; + + /* For this NixOS test, we *had* to store this secret to the store. + Keep in mind the store is world-readable, it's the worst place + possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD + DEPLOYMENT**. + In a real-word deployment, you'd handle this either by: + - manually upload your pleroma secrets to /var/lib/pleroma/secrets.exs + - use a deployment tool such as morph or NixOps to deploy your secrets. + */ + pleroma-conf-secret = pkgs.writeText "secrets.exs" '' + import Config + + config :joken, default_signer: "PS69/wMW7X6FIQPABt9lwvlZvgrJIncfiAMrK9J5mjVus/7/NJJi1DsDA1OghBE5" + + config :pleroma, Pleroma.Web.Endpoint, + secret_key_base: "NvfmU7lYaQrmmxt4NACm0AaAfN9t6WxsrX0NCB4awkGHvr1S7jyshlEmrjaPFhhq", + signing_salt: "3L41+BuJ" + + config :web_push_encryption, :vapid_details, + subject: "mailto:pleroma@nixos.test", + public_key: "BKjfNX9-UqAcncaNqERQtF7n9pKrB0-MO-juv6U5E5XQr_Tg5D-f8AlRjduAguDpyAngeDzG8MdrTejMSL4VF30", + private_key: "k7o9onKMQrgMjMb6l4fsxSaXO0BTNAer5MVSje3q60k" + ''; + + /* For this NixOS test, we *had* to store this secret to the store. + Keep in mind the store is world-readable, it's the worst place + possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD + DEPLOYMENT**. + In a real-word deployment, you'd handle this either by: + - manually upload your pleroma secrets to /var/lib/pleroma/secrets.exs + - use a deployment tool such as morph or NixOps to deploy your secrets. + */ + provision-secrets = pkgs.writeScriptBin "provision-secrets" '' + set -eux + cp "${pleroma-conf-secret}" "/var/lib/pleroma/secrets.exs" + chown pleroma:pleroma /var/lib/pleroma/secrets.exs + ''; + + /* For this NixOS test, we *had* to store this secret to the store. + Keep in mind the store is world-readable, it's the worst place + possible to store *any* secret. **DO NOT DO THIS IN A REAL WORLD + DEPLOYMENT**. + */ + provision-user = pkgs.writeScriptBin "provision-user" '' + set -eux + + # Waiting for pleroma to be up. + timeout 5m bash -c 'while [[ "$(curl -s -o /dev/null -w '%{http_code}' https://pleroma.nixos.test/api/v1/instance)" != "200" ]]; do sleep 2; done' + pleroma_ctl user new jamy jamy@nixos.test --password 'jamy-password' --moderator --admin -y + ''; + + tls-cert = pkgs.runCommandNoCC "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } '' + openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=pleroma.nixos.test' + mkdir -p $out + cp key.pem cert.pem $out + ''; + + /* Toot is preventing users from feeding login_cli a password non + interactively. While it makes sense most of the times, it's + preventing us to login in this non-interactive test. This patch + introduce a TOOT_LOGIN_CLI_PASSWORD env variable allowing us to + provide a password to toot login_cli + + If https://github.com/ihabunek/toot/pull/180 gets merged at some + point, feel free to remove this patch. */ + custom-toot = pkgs.toot.overrideAttrs(old:{ + patches = [ (pkgs.fetchpatch { + url = "https://github.com/NinjaTrappeur/toot/commit/b4a4c30f41c0cb7e336714c2c4af9bc9bfa0c9f2.patch"; + sha256 = "sha256-0xxNwjR/fStLjjUUhwzCCfrghRVts+fc+fvVJqVcaFg="; + }) ]; + }); + + hosts = nodes: '' + ${nodes.pleroma.config.networking.primaryIPAddress} pleroma.nixos.test + ${nodes.client.config.networking.primaryIPAddress} client.nixos.test + ''; + in { + name = "pleroma"; + nodes = { + client = { nodes, pkgs, config, ... }: { + security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; + networking.extraHosts = hosts nodes; + environment.systemPackages = with pkgs; [ + custom-toot + send-toot + ]; + }; + pleroma = { nodes, pkgs, config, ... }: { + security.pki.certificateFiles = [ "${tls-cert}/cert.pem" ]; + networking.extraHosts = hosts nodes; + networking.firewall.enable = false; + environment.systemPackages = with pkgs; [ + provision-db + provision-secrets + provision-user + ]; + services = { + pleroma = { + enable = true; + configs = [ + pleroma-conf + ]; + }; + postgresql = { + enable = true; + package = pkgs.postgresql_12; + }; + nginx = { + enable = true; + virtualHosts."pleroma.nixos.test" = { + addSSL = true; + sslCertificate = "${tls-cert}/cert.pem"; + sslCertificateKey = "${tls-cert}/key.pem"; + locations."/" = { + proxyPass = "http://127.0.0.1:4000"; + extraConfig = '' + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always; + add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always; + if ($request_method = OPTIONS) { + return 204; + } + add_header X-XSS-Protection "1; mode=block"; + add_header X-Permitted-Cross-Domain-Policies none; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-Download-Options noopen; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + client_max_body_size 16m; + ''; + }; + }; + }; + }; + }; + }; + + testScript = { nodes, ... }: '' + pleroma.wait_for_unit("postgresql.service") + pleroma.succeed("provision-db") + pleroma.succeed("provision-secrets") + pleroma.systemctl("restart pleroma.service") + pleroma.wait_for_unit("pleroma.service") + pleroma.succeed("provision-user") + client.succeed("send-toot") + ''; +}) diff --git a/pkgs/servers/pleroma-otp/default.nix b/pkgs/servers/pleroma-otp/default.nix index 756f2fc33dc..e66ae693a0e 100644 --- a/pkgs/servers/pleroma-otp/default.nix +++ b/pkgs/servers/pleroma-otp/default.nix @@ -56,6 +56,10 @@ stdenv.mkDerivation { wrapProgram $out/bin/pleroma_ctl \ --set-default RELEASE_TMP "/tmp"''; + passthru.tests = { + pleroma = nixosTests.pleroma; + }; + meta = { description = "ActivityPub microblogging server"; homepage = https://git.pleroma.social/pleroma/pleroma;