nixpkgs

3rd chunk of `nixos/modules/services/networking/pleroma.md`
  private_key: "<the secret generated by pleroma_ctl>"

# ... TO CONTINUE ...
```
Note that the lines of the same configuration group are comma-separated (i.e. every line ends with a comma except the last one), so when lines with passwords are added or removed, the commas must be adjusted accordingly.

The service can be enabled with the usual:
```ShellSession
$ nixos-rebuild switch
```

The service is accessible only on the local address `127.0.0.1:4000`. It can be tested through SSH port forwarding, like this:
```ShellSession
$ ssh -L 4000:localhost:4000 myuser@example.net
```
and then accessing <http://localhost:4000> from a web browser.

## Creating the admin user {#module-services-pleroma-admin-user}

After the Pleroma service is running, all [Pleroma administration utilities](https://docs-develop.pleroma.social/) can be used. In particular, an admin user can be created with:
```ShellSession
$ pleroma_ctl user new <nickname> <email> --admin --moderator --password <password>
```

## Configuring Nginx {#module-services-pleroma-nginx}

In this configuration, Pleroma listens only on local port 4000. Nginx can be configured as a reverse proxy to forward requests from the public ports to the Pleroma service. The following example configuration uses [Let's Encrypt](https://letsencrypt.org/) for the TLS certificates:
```nix
{
  security.acme = {
    email = "root@example.net";
    acceptTerms = true;
  };

  services.nginx = {
    enable = true;

    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    recommendedProxySettings = false;
    # NOTE: if enabled, the NixOS proxy optimizations will override the
    # Pleroma-specific settings, and the two will conflict.

    virtualHosts = {
      "pleroma.example.net" = {
        http2 = true;
        enableACME = true;
        forceSSL = true;

        locations."/" = {
          proxyPass = "http://127.0.0.1:4000";

          extraConfig = ''
            etag on;
            gzip on;

            add_header 'Access-Control-Allow-Origin' '*' always;
            add_header 'Access-Control-Allow-Methods' 'POST, PUT, DELETE, GET, PATCH, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Idempotency-Key' always;
            add_header 'Access-Control-Expose-Headers' 'Link, X-RateLimit-Reset, X-RateLimit-Limit, X-RateLimit-Remaining, X-Request-Id' always;
            if ($request_method = OPTIONS) {
              return 204;
            }
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Frame-Options DENY;
            add_header X-Content-Type-Options nosniff;
            add_header Referrer-Policy same-origin;
            add_header X-Download-Options noopen;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;

            client_max_body_size 16m;
            # NOTE: increase if users need to upload very big files
          '';
        };
      };
    };
  };
}
```
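
Only the CORS headers in `extraConfig` carry `always`; nginx attaches a plain `add_header` only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses. The check below is an added example, not part of the NixOS module or its documentation: it audits a response head on stdin against the values configured above. The function names and both sample responses are constructed for illustration.

```sh
# Added example: audit a response head against the add_header lines above.
# Without "always", nginx-generated error responses do not carry the header.

# name|value|always, transcribed from the extraConfig above.
EXPECTED='Access-Control-Allow-Origin|*|yes
X-XSS-Protection|1; mode=block|no
X-Permitted-Cross-Domain-Policies|none|no
X-Frame-Options|DENY|no
X-Content-Type-Options|nosniff|no
Referrer-Policy|same-origin|no
X-Download-Options|noopen|no'

# Constructed samples, not captured from a real server: a 200 with one wrong
# and one absent header, and a 413 as nginx emits past client_max_body_size.
sample_200() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' 'access-control-allow-origin: *' \
    'x-xss-protection: 1; mode=block' 'x-permitted-cross-domain-policies: none' \
    'x-frame-options: SAMEORIGIN' 'x-content-type-options: nosniff' \
    'referrer-policy: same-origin' ''
}
sample_413() {
  printf '%s\r\n' 'HTTP/1.1 413 Request Entity Too Large' \
    'Access-Control-Allow-Origin: *' ''
}

# Reads a response head on stdin; returns 1 if a header that is due is missing
# or has a different value.
audit_headers() {
  resp=$(tr -d '\r'); rc=0
  status=$(printf '%s\n' "$resp" | awk 'NR==1 {print $2}')
  while IFS='|' read -r name want always; do
    got=$(printf '%s\n' "$resp" | awk -v n="$name" 'NR>1 { i = index($0, ":")
      if (i && tolower(substr($0, 1, i-1)) == tolower(n)) {
        v = substr($0, i+1); sub(/^[ \t]+/, "", v); print v; exit } }')
    case "$always:$status" in   # is nginx expected to add it for this status?
      yes:*|no:200|no:201|no:204|no:206|no:30[123478]) due=yes ;;
      *) due=no ;;
    esac
    if [ "$got" = "$want" ]; then continue
    elif [ -z "$got" ] && [ "$due" = no ]; then echo "NOTE $name not added on $status (no 'always')"
    elif [ -z "$got" ]; then echo "MISSING $name"; rc=1
    else echo "MISMATCH $name: $got"; rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return "$rc"
}
sample_413 | audit_headers || true   # demo: six NOTE lines, no failures
```

Against a deployed instance, the same function can read live output, for example `curl -sI https://pleroma.example.net/ | audit_headers`.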

Title: Nginx Reverse Proxy Configuration for Pleroma, Admin User Creation, and Service Activation
Summary
This chunk outlines the final steps for deploying Pleroma, starting with the importance of correctly formatting secrets files by adjusting commas. It then details how to enable the service using `nixos-rebuild switch` and test its local accessibility via SSH port forwarding. A key section explains how to create an administrator user with the `pleroma_ctl user new` command. The chunk culminates in a comprehensive example of configuring Nginx as a reverse proxy for Pleroma, including settings for Let's Encrypt TLS certificates, HTTP/2, various security headers (CORS, X-XSS-Protection, etc.), WebSocket support (`Upgrade`, `Connection`), and `client_max_body_size` adjustments, specifically noting to disable NixOS's recommended proxy settings to avoid conflicts with Pleroma's requirements.