Add lemmy

2025-12-06 08:07:45 +00:00 · 2025-05-17 10:54:00 +00:00 · 2025-05-17 10:54:00 +00:00 · ed26516625
commit ed26516625
parent 588fed0ea6
6 changed files with 121 additions and 23 deletions
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@ -22,5 +22,6 @@
    ./dash.nix
    ./nvr.nix
    ./ntfy.nix
+    ./lemmy.nix
  ];
 }
--- a/modules/nixos/server/lemmy.nix
+++ b/modules/nixos/server/lemmy.nix
@ -0,0 +1,83 @@
+{ pkgs, lib, config, ... }:
+let
+  inherit (lib) mkEnableOption;
+  cfg = config.mods.server.lemmy;
+  port = config.mods.server.local.ports.lemmy-api;
+  port-ui = config.mods.server.nginx.ports.lemmy;
+  port-pict = config.mods.server.local.ports.pict-rs;
+  hostname = "lemmy.muon.host";
+  bind = "0.0.0.0";
+in {
+  options.mods.server.lemmy = {
+    enable = mkEnableOption {
+      default = false;
+      description = "enables lemmy engine server";
+    };
+  };
+
+  config = {
+    services.lemmy = lib.mkIf cfg.enable {
+      enable = true;
+
+      ui.port = port-ui;
+
+      settings = { inherit port hostname bind; };
+
+      database.createLocally = true;
+    };
+
+    systemd.services.lemmy-ui = lib.mkIf cfg.enable {
+      environment = lib.mkForce {
+        LEMMY_UI_HOST = "${bind}:${toString port-ui}";
+        LEMMY_UI_LEMMY_INTERNAL_HOST = "${bind}:${toString port}";
+        LEMMY_UI_LEMMY_EXTERNAL_HOST = hostname;
+        LEMMY_UI_HTTPS = "false";
+        NODE_ENV = "production";
+      };
+    };
+
+    services.pict-rs = lib.mkIf cfg.enable {
+      enable = true;
+      port = port-pict;
+      address = "0.0.0.0";
+    };
+
+    services.nginx.virtualHosts."${hostname}".locations = let
+      ui = "http://10.0.0.3:${toString port-ui}";
+      backend = "http://10.0.0.3:${toString port}";
+    in lib.mkIf config.mods.server.nginx.enable {
+      "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = {
+        # backend requests
+        proxyPass = backend;
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+      "/" = {
+        # mixed frontend and backend requests, based on the request headers
+        extraConfig = ''
+          set $proxpass "${ui}";
+          if ($http_accept = "application/activity+json") {
+            set $proxpass "${backend}";
+          }
+          if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+            set $proxpass "${backend}";
+          }
+          if ($request_method = POST) {
+            set $proxpass "${backend}";
+          }
+
+          # Cuts off the trailing slash on URLs to make them valid
+          rewrite ^(.+)/+$ $1 permanent;
+
+          proxy_pass $proxpass;
+          # Proxied `Host` header is required to validate ActivityPub HTTP signatures for incoming events.
+          # The other headers are optional, for the sake of better log data.
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header Host $host;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        '';
+      };
+    };
+  };
+}
+
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@ -14,5 +14,8 @@ in with lib; {
      owner = "radicale";
      group = "radicale";
    };
+    secrets.lemmy-password = mkIf cfg.server.lemmy.enable {
+
+    };
  };
 }
--- a/modules/nixos/sops/secrets.yaml
+++ b/modules/nixos/sops/secrets.yaml
@ -1,11 +1,8 @@
 muon-password: ENC[AES256_GCM,data:K2ifHvs8hQXK4//FXf3vfDliiklx0dTn8gpirTBT07Q1XIMJR1Vgn/f1uo62bu4a/bknAR5gEBfd/cSRUTdBBxd7Lec2k3fxQg==,iv:j1JTzyfjcKEqh+PK5tyCWBMV7MpwvIG9MJ9eiajksxM=,tag:ZcSEVBW1UOCvE40yIsaBFQ==,type:str]
 zipline-secret: ENC[AES256_GCM,data:cdqPWBUg6FZkBrUYNkm7imntc2hXUAxDjd1Ymr3j9y763cbXDYEu44wJF0W1Ng==,iv:sdjV4SkRCTO04AvXqtoPOPyASlitrS4nS+M0Z2lZURA=,tag:gNcOdJvg9PtrRlm84CdbsQ==,type:str]
 htpasswd: ENC[AES256_GCM,data:YbDNElLsvRtC1ezgxIYI6U+ZZES1Lr6BXamNdbxQibj0NfC9oobP7ed8MQpFTlhhJZx5I5Xa6XtFrvjdo13NtdU=,iv:P98P1XxtdCp7+TuAwKybzjcWGF1OQtnAuQs4ObZct7o=,tag:gXrQaBxUvuVSB5yYhWcihA==,type:str]
+lemmy-password: ENC[AES256_GCM,data:VVPbhW6l+VYSUfmlySPSwITwonKQHaIY,iv:XcwM7Sz2novn3cHt4EK5HAZkYVPfPqwIcGtTWMQPByg=,tag:0b8epk98eTcx7b57yGcjpw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
          enc: |
@ -34,8 +31,7 @@ sops:
            cThxTVpmcEMrcG9Lczd3dkdyQ0paSHMKUfkx9jh7zIqBkUjxaH3dVKvNJG3Mipts
            OjmJ5aVVIR5U8MhgSgECb22mGlOgW8SU/x4gxcWgafZwbv2vbON6OA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-25T15:55:13Z"
-    mac: ENC[AES256_GCM,data:M/IPR1hqkiLHqt/fgmZ+HezGrmAKbu0LJJkMMr0895neP6WB571AQ29+VLRm+7jDp9qjKgelwDOU/t/UdUgKP1hSK0cOcHR1B7KecHVCFKHNdfaD70xzA4PUQpTFIc6bHyLSMeQAwoEDKkW3inuKwD6k1RVQmOOUMT9shs6Oe48=,iv:I6XbpfScaJwZPXyVkvreKL2tDwgt7p8Eub/pSD6Bm8g=,tag:6wdBYdoOgf9iX0cGT63v3Q==,type:str]
-    pgp: []
+    lastmodified: "2025-05-17T09:59:07Z"
+    mac: ENC[AES256_GCM,data:ewURL+W/C0XnEJiXipeSXr5F5hItD3LPMdThjBg1ObY/N7Tb28Tm18vCOpbr37H0gDWnDjNu2rzVN3+XjrbVzXe7n4YUzN2sZa2zZEJhHDTyQWdiPtMpApXeu1Va621EQymDyTm7N2hJz3MvadiWYIv/ft685FPY7qRX7pluUFc=,iv:FIoClE4hX8+PBHY5LOFeSowxSrAHIaDPFblD6Pkakes=,tag:FepKajXRusCbLTlJGPKm6g==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.3
+    version: 3.10.2