From 5b1dd88d36109c504f5249b173ebc0e9f89e6e79 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Sat, 2 May 2026 00:49:27 -0700
Subject: [PATCH 1/3] update flake
---
 flake.lock | 1 -
 1 file changed, 1 deletion(-)
diff --git a/flake.lock b/flake.lock
index 43bf480..3e769b7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -29,7 +29,6 @@
 "locked": {
 "lastModified": 1777364820,
 "narHash": "sha256-XHxV1V62RJlU/Y49WD6fNIyESJCHKMVwuoN+WIa3gLg=",
- "ref": "refs/heads/main",
 "rev": "1cc9dbf2a47b7b329507cc4ddc970e10b968121c",
 "revCount": 6618,
 "type": "git",
From c30aa2526ebf6618672ed10ad18b8cebeafdc1d2 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Sat, 9 May 2026 13:04:52 -0700
Subject: [PATCH 2/3] .
---
 flake.nix | 1 +
 services/forgejo.nix | 8 ++++++
 services/gotosocial.nix | 47 ++++++++++++++++++++++++++++++++++++
 services/wireguard-outer.nix | 33 +++++++++----------------
 4 files changed, 67 insertions(+), 22 deletions(-)
 create mode 100644 services/gotosocial.nix
diff --git a/flake.nix b/flake.nix
index bae9a27..3302b6e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,6 +71,7 @@
 ./services/forgejo.nix
 ./services/forgejo-runner.nix
 ./services/borgbackup.nix
+ ./services/gotosocial.nix
 # ./services/akkoma.nix
 ];
 };
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 0009360..0ffb849 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -21,4 +21,12 @@
 SSH_LISTEN_PORT = 2222;
 };
 };
+
+ # Forgejo binds HTTP to 10.10.0.2 (the wg0 inner address). Without this
+ # ordering, forgejo races wireguard at boot, fails to bind, and stays up
+ # only on its all-interfaces SSH listener — leaving the web UI 502'd.
+ systemd.services.forgejo = {
+ after = [ "wireguard-wg0.service" ];
+ requires = [ "wireguard-wg0.service" ];
+ };
 }
diff --git a/services/gotosocial.nix b/services/gotosocial.nix
new file mode 100644
index 0000000..69d2938
--- /dev/null
+++ b/services/gotosocial.nix
@@ -0,0 +1,47 @@
+{ ... }:
+
+{
+ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8080 ];
+
+ services.gotosocial = {
+ enable = true;
+
+ settings = {
+ application-name = "gotosocial";
+ host = "fedi.ellie.town";
+ protocol = "https";
+
+ bind-address = "10.10.0.2";
+ port = 8080;
+
+ trusted-proxies = [ "10.10.0.1/32" ];
+
+ db-type = "sqlite";
+ db-address = "/var/lib/gotosocial/database.sqlite";
+
+ storage-backend = "local";
+ storage-local-base-path = "/var/lib/gotosocial/storage";
+
+ letsencrypt-enabled = false;
+
+ accounts-registration-open = false;
+ accounts-approval-required = true;
+ accounts-reason-required = false;
+ accounts-allow-custom-css = false;
+
+ instance-languages = [ "en" ];
+ instance-expose-public-timeline = false;
+ instance-expose-peers = false;
+ instance-deliver-to-shared-inboxes = true;
+ instance-federation-mode = "blocklist";
+
+ media-image-strip-metadata = true;
+ media-local-max-size = "40MiB";
+ media-remote-max-size = "40MiB";
+ media-cleanup-from = "00:00";
+ media-cleanup-every = "24h";
+
+ smtp-host = "";
+ };
+ };
+}
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index b6f148f..860fb6f 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
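Review bot: In services/gotosocial.nix, `bind-address = "10.10.0.2"` puts GoToSocial on the same wg0 inner address that the forgejo.nix hunk of this commit says forgejo fails to bind when it races wireguard at boot, yet no ordering is added for the new service. Unless the gotosocial unit already restarts on failure (not visible here), it may not come up after a reboot; adding `systemd.services.gotosocial = { after = [ "wireguard-wg0.service" ]; requires = [ "wireguard-wg0.service" ]; };` would mirror the forgejo fix. Separately, `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8080 ]` admits every wg0 peer rather than only the 10.10.0.1 proxy named in `trusted-proxies`; if other peers share the tunnel, a comment stating that this is intended would help.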
@@ -88,28 +88,17 @@ }; }; - # virtualHosts."akkoma.ellie.town" = { - # enableACME = true; - # forceSSL = true; - # locations."/" = { - # proxyPass = "http://10.10.0.2:4000"; - # proxyWebsockets = true; - # extraConfig = '' - # client_max_body_size 16m; - # ''; - # }; - # }; - - # virtualHosts."media.ellie.town" = { - # enableACME = true; - # forceSSL = true; - # locations."/" = { - # proxyPass = "http://10.10.0.2:4000"; - # extraConfig = '' - # client_max_body_size 16m; - # ''; - # }; - # }; + virtualHosts."fedi.ellie.town" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://10.10.0.2:8080"; + proxyWebsockets = true; + extraConfig = '' + client_max_body_size 40m; + ''; + }; + }; virtualHosts."forgejo.ellie.town" = { enableACME = true; From 1e758cd558e0a8473ecee039edb8370ba6f93b05 Mon Sep 17 00:00:00 2001 From: Ellie <6687206+wizzeh@users.noreply.github.com> Date: Mon, 11 May 2026 17:30:41 -0700 Subject: [PATCH 3/3] phanpy --- flake.nix | 1 + services/gotosocial.nix | 2 +- services/phanpy.nix | 34 ++++++++++++++++++++++++++++++++++ services/wireguard-outer.nix | 3 +++ 4 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 services/phanpy.nix diff --git a/flake.nix b/flake.nix index 3302b6e..05116dd 100644 --- a/flake.nix +++ b/flake.nix @@ -97,6 +97,7 @@ ./hosts/vps/disko-config.nix ./services/nginx.nix ./services/blog.nix + ./services/phanpy.nix ./services/coturn.nix ./services/livekit.nix ./services/lk-jwt.nix diff --git a/services/gotosocial.nix b/services/gotosocial.nix index 69d2938..4d5f548 100644 --- a/services/gotosocial.nix +++ b/services/gotosocial.nix @@ -30,7 +30,7 @@ accounts-allow-custom-css = false; instance-languages = [ "en" ]; - instance-expose-public-timeline = false; + instance-expose-public-timeline = true; instance-expose-peers = false; instance-deliver-to-shared-inboxes = true; instance-federation-mode = "blocklist"; 
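Review bot: The new `virtualHosts."fedi.ellie.town"` block in services/wireguard-outer.nix proxies to `http://10.10.0.2:8080` without setting any forwarding headers in the hunk, so GoToSocial's `trusted-proxies = [ "10.10.0.1/32" ]` only yields real client addresses if `recommendedProxySettings` is enabled somewhere outside this view. If it is not set globally, add `recommendedProxySettings = true;` inside `locations."/"`; without it the upstream would also see nginx's default proxy Host value instead of `fedi.ellie.town`. `client_max_body_size 40m;` also equals the 40MiB media limits exactly, so an upload at the limit would presumably be rejected by nginx first once multipart overhead is added; a little headroom avoids that.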
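Review bot: `instance-expose-public-timeline = true` in services/gotosocial.nix changes what unauthenticated visitors can read, but neither the commit message ("phanpy") nor a comment records why the setting is flipped. A one-line comment above it, for example `# public timeline readable without login (wanted for <reason>)`, would make clear that the exposure is deliberate and not a leftover from testing the new client.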
diff --git a/services/phanpy.nix b/services/phanpy.nix
new file mode 100644
index 0000000..c78609f
--- /dev/null
+++ b/services/phanpy.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+let
+ phanpy = pkgs.stdenv.mkDerivation rec {
+ pname = "phanpy";
+ version = "2026.02.24.48b2cf7";
+
+ src = pkgs.fetchzip {
+ url = "https://github.com/cheeaun/phanpy/releases/download/${version}/phanpy-dist.zip";
+ hash = "sha256-55DI7tr3wvf/jC9S/J71I2YgIKqyPXODKSkZo5SqJM8=";
+ stripRoot = false;
+ };
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out
+ cp -r * $out/
+
+ runHook postInstall
+ '';
+ };
+in
+{
+ services.nginx.virtualHosts."phanpy.ellie.town" = {
+ enableACME = true;
+ forceSSL = true;
+ root = "${phanpy}";
+
+ locations."/" = {
+ tryFiles = "$uri $uri/ /index.html";
+ };
+ };
+}
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index 860fb6f..a4bd435 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -91,6 +91,9 @@
 virtualHosts."fedi.ellie.town" = {
 enableACME = true;
 forceSSL = true;
+ locations."= /".extraConfig = ''
+ return 302 /@ellie;
+ '';
 locations."/" = {
 proxyPass = "http://10.10.0.2:8080";
 proxyWebsockets = true;
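Review bot: The `phanpy.ellie.town` vhost in services/phanpy.nix serves a prebuilt third-party JavaScript bundle, and the hunk sets no response headers for it. If services/nginx.nix (not visible here) does not add them globally, consider `extraConfig = ''add_header X-Content-Type-Options nosniff always; add_header Referrer-Policy no-referrer always;'';` on the virtual host, plus a Content-Security-Policy once the origins the client needs are known. The `hash` on `fetchzip` pins the downloaded artifact, but it is a release zip and not a source build, so a short comment noting that version bumps need the upstream release checked would be worth adding next to `version`.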