From c30aa2526ebf6618672ed10ad18b8cebeafdc1d2 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Sat, 9 May 2026 13:04:52 -0700
Subject: [PATCH] .
---
 flake.nix | 1 +
 services/forgejo.nix | 8 ++++++
 services/gotosocial.nix | 47 ++++++++++++++++++++++++++++++++++++
 services/wireguard-outer.nix | 33 +++++++++----------------
 4 files changed, 67 insertions(+), 22 deletions(-)
 create mode 100644 services/gotosocial.nix
diff --git a/flake.nix b/flake.nix
index bae9a27..3302b6e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
 ./services/forgejo.nix
 ./services/forgejo-runner.nix
 ./services/borgbackup.nix
+ ./services/gotosocial.nix
 # ./services/akkoma.nix
 ];
 };
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 0009360..0ffb849 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -21,4 +21,12 @@
 SSH_LISTEN_PORT = 2222;
 };
 };
+
+ # Forgejo binds HTTP to 10.10.0.2 (the wg0 inner address). Without this
+ # ordering, forgejo races wireguard at boot, fails to bind, and stays up
+ # only on its all-interfaces SSH listener — leaving the web UI 502'd.
+ systemd.services.forgejo = {
+ after = [ "wireguard-wg0.service" ];
+ requires = [ "wireguard-wg0.service" ];
+ };
 }
diff --git a/services/gotosocial.nix b/services/gotosocial.nix
new file mode 100644
index 0000000..69d2938
--- /dev/null
+++ b/services/gotosocial.nix
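Review bot: The new comment itself records that Forgejo's SSH listener stays on all interfaces while HTTP is pinned to the wg0 inner address, so the boot race this ordering fixes could still leave SSH as the only, and possibly public, surface; if SSH is meant to be reached through the tunnel only, pin it as well with `SSH_LISTEN_HOST = "10.10.0.2";` next to the existing `SSH_LISTEN_PORT = 2222;`. If the all-interfaces listener is deliberate, state that in the comment instead, e.g. `# SSH stays on all interfaces on purpose: clones arrive over the public address, not the tunnel.`, so the next reader does not "fix" it. Whether this host has a public interface is not visible in the diff, so treat this as a question rather than a defect. The `server` settings block that holds `SSH_LISTEN_PORT` starts before the hunk.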
@@ -0,0 +1,47 @@
+{ ... }:
+
+{
+ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8080 ];
+
+ services.gotosocial = {
+ enable = true;
+
+ settings = {
+ application-name = "gotosocial";
+ host = "fedi.ellie.town";
+ protocol = "https";
+
+ bind-address = "10.10.0.2";
+ port = 8080;
+
+ trusted-proxies = [ "10.10.0.1/32" ];
+
+ db-type = "sqlite";
+ db-address = "/var/lib/gotosocial/database.sqlite";
+
+ storage-backend = "local";
+ storage-local-base-path = "/var/lib/gotosocial/storage";
+
+ letsencrypt-enabled = false;
+
+ accounts-registration-open = false;
+ accounts-approval-required = true;
+ accounts-reason-required = false;
+ accounts-allow-custom-css = false;
+
+ instance-languages = [ "en" ];
+ instance-expose-public-timeline = false;
+ instance-expose-peers = false;
+ instance-deliver-to-shared-inboxes = true;
+ instance-federation-mode = "blocklist";
+
+ media-image-strip-metadata = true;
+ media-local-max-size = "40MiB";
+ media-remote-max-size = "40MiB";
+ media-cleanup-from = "00:00";
+ media-cleanup-every = "24h";
+
+ smtp-host = "";
+ };
+ };
+}
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index b6f148f..860fb6f 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
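Review bot: GoToSocial is bound to `bind-address = "10.10.0.2"`, the same wg0 inner address that the forgejo hunk in this very commit has to order after `wireguard-wg0.service`, yet no such ordering is added here, so the gotosocial unit is exposed to the identical boot race and, unlike Forgejo, has no second listener to stay up on. Add, at the top level beside the firewall line, `systemd.services.gotosocial = { after = [ "wireguard-wg0.service" ]; requires = [ "wireguard-wg0.service" ]; };`, with a short why-comment mirroring the forgejo one, e.g. `# Binds to the wg0 inner address; must not race the tunnel at boot.`. The rest of the settings read as a deliberately closed instance (registration off, approval required, blocklist federation mode, metadata stripped, 40MiB media cap matching the proxy limit), and `trusted-proxies` lists only the outer peer, which is the right scope for a tunnel-only reverse proxy.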
@@ -88,28 +88,17 @@
 };
 };
- # virtualHosts."akkoma.ellie.town" = {
- # enableACME = true;
- # forceSSL = true;
- # locations."/" = {
- # proxyPass = "http://10.10.0.2:4000";
- # proxyWebsockets = true;
- # extraConfig = ''
- # client_max_body_size 16m;
- # '';
- # };
- # };
-
- # virtualHosts."media.ellie.town" = {
- # enableACME = true;
- # forceSSL = true;
- # locations."/" = {
- # proxyPass = "http://10.10.0.2:4000";
- # extraConfig = ''
- # client_max_body_size 16m;
- # '';
- # };
- # };
+ virtualHosts."fedi.ellie.town" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.10.0.2:8080";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 40m;
+ '';
+ };
+ };
 virtualHosts."forgejo.ellie.town" = {
 enableACME = true;
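Review bot: The new `fedi.ellie.town` vhost sets no `proxy_set_header` lines, while the GoToSocial it proxies to trusts `10.10.0.1/32` for forwarded headers; unless `services.nginx.recommendedProxySettings = true` is set somewhere outside this hunk (not visible here), nginx will not forward the client address or scheme, and GoToSocial's client-IP-keyed rate limiting would see every request as coming from the proxy. If that option is not enabled, extend `extraConfig` with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` alongside the existing `client_max_body_size 40m;`. The `40m` limit matches the `40MiB` `media-local-max-size` in the new gotosocial.nix, which is the right pairing; the upstream is plain HTTP, which is acceptable only because it travels inside the WireGuard tunnel. The enclosing `services.nginx.virtualHosts` attribute set starts before the hunk.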