author | Silas Schöffel <sils@sils.li> | 2025-01-21 14:31:56 +0100 |
---|---|---|
committer | Silas Schöffel <sils@sils.li> | 2025-01-21 14:31:56 +0100 |
commit | 8ff7c1219a149386c753e2618f35507b0258f91c (patch) | |
tree | 7800a23be7d76feea925620c2af91fe2a165269c | |
parent | fix(peertube): migrate to server3 (diff) | |
download | nixos-server-8ff7c1219a149386c753e2618f35507b0258f91c.zip |
feat(modules/mastodon): init on server3
-rw-r--r-- | hosts/by-name/server3/configuration.nix | 6 | ||||
-rw-r--r-- | modules/by-name/co/constants/module.nix | 4 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/mail.age | 14 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/module.nix | 119 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch (renamed from system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch) | 0 | ||||
-rw-r--r-- | secrets.nix | 2 | ||||
-rw-r--r-- | system/secrets/default.nix | 6 | ||||
-rw-r--r-- | system/secrets/mastodon/mail.age | 15 | ||||
-rw-r--r-- | system/services/default.nix | 1 | ||||
-rw-r--r-- | system/services/mastodon/default.nix | 79 |
10 files changed, 144 insertions, 102 deletions
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index 41d69f8..470275b 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -6,6 +6,12 @@
 vhack = {
 fail2ban.enable = true;
+ mastodon = {
+ enable = true;
+ domain = "mastodon.vhack.eu";
+ enableTLD = false;
+ tld = "vhack.eu";
+ };
 miniflux = {
 enable = true;
 domain = "miniflux.foss-syndicate.org";
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index 6974768..de3ebac 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -27,6 +27,8 @@
 systemd-oom = 332;
 redis-peertube = 990;
 peertube = 992; # TODO Sort correctly
+ mastodon = 996;
+ redis-mastodon = 991;
 # As per the NixOS file, the uids should not be greater or equal to 400;
 };
@@ -40,6 +42,8 @@
 systemd-coredump = 151; # matches systemd-coredump user
 redis-peertube = 990;
 peertube = 992;
+ mastodon = 996;
+ redis-mastodon = 991;
 # The gid should match the uid. Thus should not be >= 400;
 };
diff --git a/modules/by-name/ma/mastodon/mail.age b/modules/by-name/ma/mastodon/mail.age
new file mode 100644
index 0000000..882ade9
--- /dev/null
+++ b/modules/by-name/ma/mastodon/mail.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeTFoTjB6RTZHbDVzUzg2
+SzNnSE9aSi9yZUNSWWVKNlQxWUo1Y2M1R1h3CjR0RW8xdEtUTlBTcU9DWWE2OVVX
+WEJVVkF2bmtQaUxrK0Vpb21qSCtUcncKLT4gWDI1NTE5IG1JY25Jdmo3UWt4aXJK
+VTRFZVNja2R6MzlJcVMvdHhqZTY0WS91Vnp3Vk0KUG4xbVR2V3k0OFJCVFplODcw
+R0ZDSExRTzVpRWVyM0E4VVRvMXE5cHpWUQotPiBzc2gtZWQyNTUxOSBweXU5Ymcg
+RFFHaXFrS0IyWnVYdDE5aFhHNnZFSFY3S1ZVZHovRTRrV3VKV3JBQnJVTQordzJ5
+V0hpZ3dsdDVHODluNnRzWlBHRFBBcnVya0dMNTU3T2Z3NkpVZHBvCi0+IFB7LX5l
+Vm5wLWdyZWFzZSA8NVIgV08zU3lBIGBZJSAnRQpwbDZTUTNqdVd4MHFNNVRVZ1pQ
+MG1qcUtjVGRreU9zMwotLS0gMVJ4eldEQlRTTmdraDJDM2pzbkZOY0t6Wnl6TDd1
+cFRXZXJmS1FTMEtyNApWNUWWIXokgwgI+2GT+sBkTzFbXM4CPpIq2QOGRWMrRMmw
+dHoK5NJEI7uw9mP9t6PI04THBqVL5YotJtZkAk1Sx00SWvyLPpZRsSBdH11YiRAb
+jIx0T573hbbFoMNlZHoJ
+-----END AGE ENCRYPTED FILE-----
diff --git a/modules/by-name/ma/mastodon/module.nix b/modules/by-name/ma/mastodon/module.nix
new file mode 100644
index 0000000..0616138
--- /dev/null
+++ b/modules/by-name/ma/mastodon/module.nix
@@ -0,0 +1,119 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ emailAddress = "mastodon@vhack.eu";
+ applyPatches = pkg:
+ pkg.overrideAttrs (attrs: {
+ patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
+ });
+ cfg = config.vhack.mastodon;
+in {
+ options.vhack.mastodon = {
+ enable = lib.mkEnableOption "a mastodon instance";
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The Domain mastodon should be served on";
+ example = "mastodon.vhack.eu";
+ };
+ enableTLD = lib.mkEnableOption "using the tld as handle, configured via
+ webfinger (note: this requires the tld to point to the same server as domain)";
+ tld = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ example = "vhack.eu";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.mastodonMail = {
+ file = ./mail.age;
+ mode = "700";
+ owner = "mastodon";
+ group = "mastodon";
+ };
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/mastodon";
+ user = "mastodon";
+ group = "mastodon";
+ mode = "0700";
+ }
+ ];
+
+ vhack.postgresql.enable = true;
+ services.mastodon = {
+ enable = true;
+
+ package = applyPatches pkgs.mastodon;
+
+ # Unstable Mastodon package, used if
+ # security updates aren't backported.
+ #package = applyPatches pkgs-unstable.mastodon;
+
+ localDomain =
+ if cfg.enableTLD
+ then cfg.tld
+ else cfg.domain;
+ smtp = {
+ authenticate = true;
+ createLocally = false;
+ fromAddress = emailAddress;
+ user = emailAddress;
+ host = "server1.vhack.eu";
+ passwordFile = config.age.secrets.mastodonMail.path;
+ };
+ streamingProcesses = 3; # Number of Cores - 1
+ extraConfig = {
+ WEB_DOMAIN = cfg.domain;
+ EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
+ };
+ };
+
+ vhack.nginx.enable = true;
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true; # required for redirections to work
+ virtualHosts = {
+ "${cfg.domain}" = {
+ root = "${config.services.mastodon.package}/public/";
+ # mastodon only supports https, but you can override this if you offload tls elsewhere.
+ forceSSL = true;
+ enableACME = true;
+
+ locations = {
+ "/system/".alias = "/var/lib/mastodon/public-system/";
+ "/".tryFiles = "$uri @proxy";
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+ "/api/v1/streaming/" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ "${cfg.tld}" =
+ if cfg.enableTLD
+ then {
+ locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";
+ }
+ else {};
+ };
+ };
+
+ users = {
+ users.mastodon.uid = config.vhack.constants.ids.uids.mastodon;
+ users.redis-mastodon.uid = config.vhack.constants.ids.uids.redis-mastodon;
+ groups.redis-mastodon.gid = config.vhack.constants.ids.gids.redis-mastodon;
+ groups.mastodon = {
+ gid = config.vhack.constants.ids.gids.mastodon;
+ members = [
+ config.services.nginx.user
+ ];
+ };
+ };
+ };
+}
diff --git a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
index 35dc809..35dc809 100644
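Review bot: `"${cfg.tld}" = if cfg.enableTLD then {...} else {};` interpolates `cfg.tld` as an attribute name regardless of `enableTLD`, so with the option's default of `null` evaluation fails (null cannot be coerced to a string) even when the tld handle is off, and when a tld is given but not enabled it still appears to declare an empty plain-HTTP virtualHost for it; the `configuration.nix` hunk setting `tld = "vhack.eu"` next to `enableTLD = false` looks like a workaround for exactly this. Guard the whole attribute with `lib.optionalAttrs cfg.enableTLD` (rewritten below) so the tld host exists only when enabled, and consider an `assertions` entry for `cfg.enableTLD -> cfg.tld != null` with a message naming the option. The redirect host also carries no `forceSSL`/`enableACME`, so unless another vhost already terminates TLS for the tld, `https://<tld>/.well-known/webfinger` is served by nginx's default server instead of this redirect; the rewrite adds them. Two smaller points in the same hunk: `tld = lib.mkOption { ... }` has no `description`, and `mode = "700"` on `age.secrets.mastodonMail` sets an execute bit a secret never needs — `mode = "0400";` is enough since only the `mastodon` owner reads it.
```nix
      virtualHosts = {
        "${cfg.domain}" = {
          # … unchanged: root, forceSSL/enableACME, proxy locations …
        };
      } // lib.optionalAttrs cfg.enableTLD {
        # Only declared when the tld handle is enabled, so a null `tld` is never interpolated.
        "${cfg.tld}" = {
          forceSSL = true;
          enableACME = true;
          locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";
        };
      };
```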
--- a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
+++ b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
diff --git a/secrets.nix b/secrets.nix
index db54bc5..8efc4ba 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -28,11 +28,11 @@
 in {
 "./modules/by-name/pe/peertube/secrets/general.age".publicKeys = server3;
 "./modules/by-name/pe/peertube/secrets/smtp.age".publicKeys = server3;
 "./modules/by-name/mi/miniflux/secrets/admin.age".publicKeys = server3;
+ "./modules/by-name/ma/mastodon/mail.age".publicKeys = server3;
 "./system/secrets/backup/backuppass.age".publicKeys = server1;
 "./system/secrets/backup/backupssh.age".publicKeys = server1;
 "./system/secrets/invidious/hmac.age".publicKeys = server1;
- "./system/secrets/mastodon/mail.age".publicKeys = server1;
 "./system/secrets/matrix-synapse/passwd.age".publicKeys = server1;
 "./system/secrets/taskserver/ca.age".publicKeys = server1;
 "./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = server1;
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 565a774..a8071eb 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -7,12 +7,6 @@
 owner = "root";
 group = "root";
 };
- mastodonMail = {
- file = ./mastodon/mail.age;
- mode = "700";
- owner = "mastodon";
- group = "mastodon";
- };
 matrix-synapse_registration_shared_secret = {
 file = ./matrix-synapse/passwd.age;
 mode = "700";
diff --git a/system/secrets/mastodon/mail.age b/system/secrets/mastodon/mail.age
deleted file mode 100644
index ea50b17..0000000
--- a/system/secrets/mastodon/mail.age
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZWlGM1MvTUN0U0pndkli
-RlJFZGtqTStzVzJpeFFRQ3BvandlWHJId2ljCkVPOGtaYThJdW4yeUl6Qnd2aUpi
-cEpIT2NraTlDcmdla0lSeWZ6VFdoaVUKLT4gWDI1NTE5IEwrdjVRYjlyakVnNGZ5
-UXVrU0tKT2NaOHdpYmE2L1E3TlFwWFZ2b2NuM2cKRnl5RFg1WWF6ejNlbGt6SVJC
-eXdtUE5LRzNlNHhHTGJsbkpwVWwrVWFXZwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
-ak9GNHhxOFJaY0pVTHphcVR6dGtReUYyUElrUDVCZVpjbnZiSFpBbjZ4MAo5R3E0
-WWNqWTU2TkFoN1I0OXBjS2QwWWxqRHNCemRvUHRJYkJXMEw0eFg0Ci0+IGlwey1n
-cmVhc2UgWkAhXU8xc0cKME4rTDFZemNxZnBCNU0yRFlNbWJCdnk3TFpsdGp0WXpD
-RWRPNG5zZjlqNnBnVDZrQythV3drZUxScUt5V1J3ZgpwRWt5REVHTy9pL3Bvd0VL
-RUQyOU5iWFNZa3NGUjJQakRIV2QKLS0tIElJSFdpOUppcHpJM3hWbSt4NWtob254
-TVBZNTZCMS9VRHFEUVZoMFowSncKrgSHBWQCSpoirkhv62BYGg7dvvDzkkduUqVY
-xXJU948PAe0skP2mPf5ba/W6K5lZCFrQo+AWQycBDNrLYI2/ZgXElfqqJKkpKbt3
-5tIpDZtld/q6DvmG5gp7vP541mHR8g==
------END AGE ENCRYPTED FILE-----
diff --git a/system/services/default.nix b/system/services/default.nix
index dfce3be..967bad0 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -2,7 +2,6 @@
 imports = [
 ./invidious
 ./mail
- ./mastodon
 ./matrix
 ./minecraft
 ./restic
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
deleted file mode 100644
index 15b8609..0000000
--- a/system/services/mastodon/default.nix
+++ /dev/null
@@ -1,79 +0,0 @@ -{ - config, - pkgs, - ... -}: let - emailAddress = "mastodon@vhack.eu"; - applyPatches = pkg: - pkg.overrideAttrs (attrs: { - patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch]; - }); -in { - vhack.persist.directories = [ - { - directory = "/var/lib/mastodon"; - user = "mastodon"; - group = "mastodon"; - mode = "0700"; - } - ]; - - services.mastodon = { - enable = true; - - package = applyPatches pkgs.mastodon; - - # Unstable Mastodon package, used if - # security updates aren't backported. - #package = applyPatches pkgs-unstable.mastodon; - - localDomain = "vhack.eu"; - smtp = { - authenticate = true; - createLocally = false; - fromAddress = emailAddress; - user = emailAddress; - host = "server1.vhack.eu"; - passwordFile = config.age.secrets.mastodonMail.path; - }; - streamingProcesses = 5; # Number of Cores - 1 - extraConfig = { - WEB_DOMAIN = "mastodon.vhack.eu"; - EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li"; - }; - }; - - services.nginx = { - enable = true; - recommendedProxySettings = true; # required for redirections to work - virtualHosts = { - ${config.services.mastodon.extraConfig.WEB_DOMAIN} = { - root = "${config.services.mastodon.package}/public/"; - # mastodon only supports https, but you can override this if you offload tls elsewhere. - forceSSL = true; - enableACME = true; - - locations = { - "/system/".alias = "/var/lib/mastodon/public-system/"; - "/".tryFiles = "$uri @proxy"; - "@proxy" = { - proxyPass = "http://unix:/run/mastodon-web/web.socket"; - proxyWebsockets = true; - }; - "/api/v1/streaming/" = { - proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; - proxyWebsockets = true; - }; - }; - }; - - "vhack.eu" = { - locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri"; - }; - }; - }; - - users.groups.${config.services.mastodon.group}.members = [ - config.services.nginx.user - ]; -} |