Bonfire

Open-source framework for building federated digital spaces where people can gather, interact, and form communities online

Declared in: projects/Bonfire/default.nix

Try the service in a VM

Missing Contribute tests for the demo.

Options

services.bonfire

: Runtime Elixir configuration for Bonfire.

Type:

open submodule of attribute set of attribute set of (Elixir value)

Default:

{ }

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Listening IP address or Unix socket.

Type:

unspecified value

Default:

(pkgs.formats.elixirConf { }).lib.mkTuple [0 0 0 0 0 0 0 0]

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable bonfire.

Type:

boolean

Default:

false

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable running a local Meilisearch search engine.

Type:

boolean

Default:

false

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable an Nginx reverse-proxy to bonfire.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: With this option, you can customize an nginx virtual host which already has sensible defaults for bonfire. Set to {} if you do not need any customization to the virtual host. If enabled, then by default, the {option}serverName is bonfire.${config.networking.domain}, TLS is active, and certificates are acquired via ACME. If this is set to null (the default), no nginx virtual host will be configured.

Type:

submodule

Default:

{ }

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type:

null or string

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Directory for the ACME challenge, which is public. Don't put certs or keys in here. Set to null to inherit from config.security.acme.

Type:

null or string

Default:

"/var/lib/acme/acme-challenge"

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type:

attribute set of string

Default:

{ }

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Basic Auth password file for a vhost. Can be created by running {command}nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type:

null or absolute path

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Makes this vhost the default.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to ask Let's Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through {option}useACMEHost.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: These lines go to the end of the vhost verbatim.

Type:

strings concatenated with "\n"

Default:

""

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type:

null or string

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx's implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type:

boolean

Default:

true

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable the HTTP/3 protocol. This requires activating the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type:

boolean

Default:

true

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires activating the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type:

list of (submodule)

Default:

[ ]

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Listen address.

Type:

string

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Extra parameters of this listen directive.

Type:

list of string

Default:

[ ]

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type:

null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Enable PROXY protocol.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Enable SSL.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides networking.enableIPv6

Type:

list of string

Default:

[ ]

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Declarative location config

Type:

attribute set of (submodule)

Default:

{ }

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Alias directory for requests.

Type:

null or absolute path

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type:

attribute set of string

Default:

{ }

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Basic Auth password file for a vhost. Can be created by running {command}nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type:

null or absolute path

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: These lines go to the end of the location verbatim.

Type:

strings concatenated with "\n"

Default:

""

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won't unset the default values for other parameters.

Type:

attribute set of (string or absolute path)

Default:

{ }

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Adds index directive.

Type:

null or string

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type:

signed integer

Default:

1000

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type:

null or string

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to support proxying websocket connections with HTTP/1.1.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Enable recommended proxy settings.

Type:

boolean

Default:

config.services.nginx.recommendedProxySettings

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Enable recommended uwsgi settings.

Type:

boolean

Default:

config.services.nginx.recommendedUwsgiSettings

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Adds a return directive, for e.g. redirections.

Type:

null or string or signed integer

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Root directory for requests.

Type:

null or absolute path

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Adds try_files directive.

Type:

null or string

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Type:

null or string

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable the QUIC transport protocol. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type:

integer between 300 and 399 (both inclusive)

Default:

301

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Create an individual listening socket . It is required to specify only once on one of the hosts.

Type:

boolean

Default:

false

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: The path of the web root directory.

Type:

null or absolute path

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Additional names of virtual hosts served by this virtual host configuration.

Type:

list of string

Default:

[ ]

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Name of this virtual host. Defaults to attribute name in virtualHosts.

Type:

null or string

Default:

"bonfire.\${config.networking.domain}"

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Path to server SSL certificate.

Type:

absolute path

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Path to server SSL certificate key.

Type:

absolute path

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Path to root SSL certificate for stapling and client certificates.

Type:

null or absolute path

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: A host of an existing Let's Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through {option}enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using .

Type:

null or string

Default:

null

Declared in:

profiles/nixos/nginx/reverse-proxy.nix
: Whether to enable opening the firewall for Bonfire's PUBLIC_PORT. This is only necessary if you do not use a reverse-proxy .

Type:

boolean

Default:

false

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The social package to use.

Type:

package

Default:

pkgs.bonfire.social

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable running a local PostgreSQL database.

Type:

boolean

Default:

false

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Configuration for Bonfire, will be passed as environment variables. See https://docs.bonfirenetworks.org/deploy.html.

Type:

open submodule of attribute set of (boolean or signed integer or absolute path or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or string)

Default:

{ }

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable disable changes to the database schema when upgrading Bonfire

Bonfire initialization fails hard with concurrent indexing, yet it may be enabled after initial migrations were run if you feel lucky. .

Type:

boolean

Default:

false

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The log level.

Type:

one of "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"

Default:

"warning"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable disable changes to the database schema when upgrading Bonfire.

Type:

boolean

Default:

false

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable IPv6 when connecting to the PostgreSQL database.

Do not enable it when connecting through a Unix socket, it would make it fail .

Type:

boolean

Default:

config.networking.enableIPv6 && !(lib.types.path.check config.services.bonfire.settings.POSTGRES_HOST)

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The systemd credential name of the encryption salt, resolved from systemd credential stores as documented at https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB

Type:

string

Default:

"bonfire.ENCRYPTION_SALT"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Whether to enable federate .

Type:

boolean

Default:

false

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Hostname your visitors will use to access bonfire.

Type:

string

Default:

bonfire-${config.networking.domain}

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Default language and locale.

Type:

string

Default:

"en_US.UTF-8"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Default language and locale.

Type:

string

Default:

"en_US.UTF-8"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The mail backend to use.

Type:

one of "smtp", "mailgun", "none"

Default:

"none"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The systemd credential name of the Meilisearch master key, resolved from systemd credential stores as documented at https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB

Type:

null or string

Default:

if config.services.meilisearch.enable then "bonfire.MEILI_MASTER_KEY" else null

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Webserver to use.

Type:

one of "bandit", "cowboy"

Default:

"cowboy"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: name of the PostgreSQL database

Type:

string

Default:

config.users.users.bonfire.name

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Hostname or Unix socket directory to connect to the PostgreSQL database.

Type:

string

Default:

"/run/postgresql"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The systemd credential name of the password to connect to the PostgreSQL database, resolved from systemd credential stores as documented at https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB

Type:

null or string

Default:

"bonfire.POSTGRES_PASSWORD"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: role name to connect to the PostgreSQL database

Type:

string

Default:

config.users.users.bonfire.name

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Port your visitors will use to access bonfire (typically 80 or 443 if using a reverse-proxy).

Type:

16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

4000

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The systemd credential name of the Erlang Distribution cookie, resolved from systemd credential stores as documented at https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB

It's recommend to use a long and randomly generated string such as: head -c 40 /dev/random | base32. It's also recommended to only use alphanumeric characters and underscores.

All Bonfire components in your cluster must use the same value.

If this is null, a shared value will automatically be generated on startup and used for all components on this machine. You do not need to set this except when you spread your cluster over multiple hosts.

Type:

null or string

Default:

"bonfire.RELEASE_COOKIE"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Hostname and port of Meilisearch search index.

Type:

null or string

Default:

null

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The systemd credential name of the key to sign/encrypt cookies and other secrets, resolved from systemd credential stores as documented at https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB

It should be a unique base64 encoded secret. All Bonfire components in your cluster must use the same value.

If this is null, a shared value will automatically be generated on startup and used for all components on this machine. You do not need to set this except when you spread your cluster over multiple hosts.

Type:

null or string

Default:

"bonfire.SECRET_KEY_BASE"

Declared in:

projects/Bonfire/services/bonfire/module.nix
: Bonfire port.

Type:

16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

4000

Declared in:

projects/Bonfire/services/bonfire/module.nix
: The systemd credential name of the signing salt, resolved from systemd credential stores as documented at https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB

Type:

string

Default:

"bonfire.SIGNING_SALT"

Declared in:

projects/Bonfire/services/bonfire/module.nix

Examples

Enable bonfire

{
  pkgs,
  ...
}:
{
  networking.domain = "localdomain";

  services.bonfire = {
    enable = true;

    settings = {
      HOSTNAME = "localhost";
      PUBLIC_PORT = 80;
    };

    postgresql.enable = true;
    meilisearch.enable = true;

    nginx = {
      enable = true;
      virtualHost = {
        serverAliases = [
          "localhost"
          "localhost.localdomain"
        ];
        forceSSL = false;
        enableACME = false;
      };
    };
  };

  # WARN: !! Don't use this in production !!
  # Instead, put the secrets directly in the systemd credentials store (`/etc/credstore/`, `/run/credstore/`, ...)
  # For more information on this topic, see: <https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ImportCredential=GLOB>
  environment.etc = {
    # openssl rand -hex 128
    "credstore/bonfire.ENCRYPTION_SALT".text =
      "fde9939363a25b2696a7cfd738afcb19f82e2212bca4124d2c70102f3809974c618aeaa279e4daa062b53e07e7d14b4297409a582389a94bac247de13da116d76d6644174d21ad3814ddd7269696997447b8c8fb5f75aa757a8f32148708bb38bf0d66f1dd4a206e9ab3b3818f79dc48303c9375fa68210dbd8567f3a5bcf4f2";
    # openssl rand -hex 25
    "credstore/bonfire.POSTGRES_PASSWORD".text = "ced4a928ed2305630f7865a160b26bc6ab690c445529340fcf";
    # openssl rand -hex 40
    "credstore/bonfire.RELEASE_COOKIE".text =
      "1255749c5082f5c64d6984231a02095f6273875363008a0a6ed2c413bbd7ed66249eeebf8abbae3d";
    # openssl rand -hex 128
    "credstore/bonfire.SECRET_KEY_BASE".text =
      "0da76ae83b6e2170d3d501ac000dfe96adc820d16cbf54567188f206c9322dcfaf5fac1c5fc6ab742249ff28b69e7b06addc69e02e49290319bb3cc8df0aff920e1f812cf6906ac4711425a7bb7af2f5cf78e03039c8812f04eb2f1ce1ef31a1ff81bc6d4de06ec524171310f6c7fb2ac832f387725842667870081311386b82";
    # openssl rand -hex 128
    "credstore/bonfire.SIGNING_SALT".text =
      "3278f788f120031c3d2b8dc480fce1dba38b6ce3f16de17df443e24c66a689d75e52516beec260a3f3bf53e8637c7e66591126e25a526dd25e3e26383124656eb9ad94441c31f278852a55cfe8083e8a0fef6b061fa8c34cbe26169a3dd43854c719c2ad269449fe9172193b031b5f76c16813fb7ec0a195289b6eb5ccfaa1ca";
  };

  services.meilisearch.masterKeyFile = pkgs.writeText "meilisearch.masterKeyFile" "675b2c63f569d0bb3f872517b903fa9ea3ddce19d5766c80a8";
}

    
    
  

Declared in: projects/Bonfire/services/bonfire/examples/basic.nix

Metadata

This project is funded by NLnet through these subgrants:

Entrust: Bonfire-FederatedGroups; Bonfire-Framework
Review: Bonfire