Home Explore Blog CI



nixpkgs
3rd chunk of `nixos/modules/services/networking/pleroma.md`
2c4601b4a7d60c1722d2f90e3bf0f7aab66bfc89c8658aa10000000100000c8d
  private_key: "<the secret generated by pleroma_ctl>"

# ... TO CONTINUE ...
```
Note that the lines of the same configuration group are comma separated (i.e. all the lines end with a comma, except the last one), so when the lines with passwords are added or removed, commas must be adjusted accordingly.

The service can be enabled with the usual
```ShellSession
$ nixos-rebuild switch
```

The service is accessible only from the local `127.0.0.1:4000` port. It can be tested using a port forwarding like this
```ShellSession
$ ssh -L 4000:localhost:4000 myuser@example.net
```
and then accessing <http://localhost:4000> from a web browser.

## Creating the admin user {#module-services-pleroma-admin-user}

After Pleroma service is running, all [Pleroma administration utilities](https://docs-develop.pleroma.social/) can be used. In particular an admin user can be created with
```ShellSession
$ pleroma_ctl user new <nickname> <email>  --admin --moderator --password <password>
```

## Configuring Nginx {#module-services-pleroma-nginx}

In this configuration, Pleroma is listening only on the local port 4000. Nginx can be configured as a Reverse Proxy, for forwarding requests from public ports to the Pleroma service. This is an example of configuration, using
[Let's Encrypt](https://letsencrypt.org/) for the TLS certificates
```nix
{
  security.acme = {
    email = "root@example.net";
    acceptTerms = true;
  };

  services.nginx = {
    enable = true;
    addSSL = true;

    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    recommendedProxySettings = false;
    # NOTE: if enabled, the NixOS proxy optimizations will override the Pleroma
    # specific settings, and they will enter in conflict.

    virtualHosts = {
      "pleroma.example.net" = {
        http2 = true;
        enableACME = true;
        forceSSL = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:4000";

          extraConfig = ''
            etag on;
            gzip on;

            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
            add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
            if ($request_method = OPTIONS) {
              return 204;
            }
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Frame-Options DENY;
            add_header X-Content-Type-Options nosniff;
            add_header Referrer-Policy same-origin;
            add_header X-Download-Options noopen;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;

            client_max_body_size 16m;
            # NOTE: increase if users need to upload very big files
          '';
        };
      };
    };
  };
}
```
Title: Configuring Nginx as a Reverse Proxy for Pleroma with Let's Encrypt
Summary
This section details how to configure Nginx as a reverse proxy for the Pleroma instance, allowing access from public ports. It provides a sample Nginx configuration using Let's Encrypt for TLS certificates. The configuration includes settings for HTTP/2, enabling ACME for automatic certificate management, forcing SSL, and setting up proxy pass to the Pleroma service running on localhost:4000. It also covers setting up CORS headers, security headers, and proxy settings. Finally, it notes the `client_max_body_size` setting for uploads.