athens/modules/akkoma/default.nix

{ config, pkgs, ... }:

let
  inherit (config.services) akkoma;
  inherit (config.sops) secrets;
  inherit ((pkgs.formats.elixirConf { }).lib) mkRaw;
in
{
  services = {
    akkoma = {
      enable = true;
      config = {
        ":pleroma" = {
          ":instance" = {
            name = "walkah.social";
            email = "walkah@walkah.net";
            notify_email = "walkah@walkah.net";
            description = "James Walker's personal Akkoma instance";
            registrations_open = false;
            invites_enabled = true;
            federating = true;
            federation_incoming_replies_max_depth = null;
            allow_relay = true;
            safe_dm_mentions = true;
            external_user_synchronization = true;
            cleanup_attachments = true;
          };
          ":media_proxy" = {
            enabled = false;
            redirect_on_failure = true;
          };

          "Pleroma.Repo" = {
            adapter = mkRaw "Ecto.Adapters.Postgres";
            socket_dir = "/run/postgresql";
            username = config.services.akkoma.user;
            database = "akkoma";

            prepare = mkRaw ":named";
            parameters.plan_cache_mode = "force_custom_plan";
          };

          "Pleroma.Web.Endpoint" = {
            secret_key_base = { _secret = secrets.akkoma-secret-key-base.path; };
            signing_salt = { _secret = secrets.akkoma-signing-salt.path; };
            live_view.signing_salt = { _secret = secrets.akkoma-signing-salt.path; };
            url = {
              host = "walkah.social";
              scheme = "https";
              port = 443;
            };
            http = {
              ip = "127.0.0.1";
              port = 4000;
            };
          };
        };
        ":web_push_encryption" = {
          ":vapid_details" = {
            private_key = { _secret = secrets.akkoma-vapid-private-key.path; };
            public_key = { _secret = secrets.akkoma-vapid-public-key.path; };
          };
        };
        ":joken" = {
          ":default_signer" = { _secret = secrets.akkoma-joken-signer.path; };
        };
      };
      nginx = null; # doing this manually
    };

    postgresql = {
      enable = true;
    };

    postgresqlBackup = {
      enable = true;
      databases = [ "akkoma" ];
    };
  };
  sops = {
    secrets = {
      akkoma-secret-key-base = {
        owner = akkoma.user;
      };
      akkoma-signing-salt = {
        owner = akkoma.user;
      };
      akkoma-vapid-private-key = {
        owner = akkoma.user;
      };
      akkoma-vapid-public-key = {
        owner = akkoma.user;
      };
      akkoma-joken-signer = {
        owner = akkoma.user;
      };
    };
  };
}