authorSilas Schöffel <sils@sils.li>2025-01-21 14:31:56 +0100
committerSilas Schöffel <sils@sils.li>2025-01-21 14:31:56 +0100
commit8ff7c1219a149386c753e2618f35507b0258f91c (patch)
tree7800a23be7d76feea925620c2af91fe2a165269c
parentfix(peertube): migrate to server3 (diff)
feat(modules/mastodon): init on server3
-rw-r--r--hosts/by-name/server3/configuration.nix6
-rw-r--r--modules/by-name/co/constants/module.nix4
-rw-r--r--modules/by-name/ma/mastodon/mail.age14
-rw-r--r--modules/by-name/ma/mastodon/module.nix119
-rw-r--r--modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch (renamed from system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch)0
-rw-r--r--secrets.nix2
-rw-r--r--system/secrets/default.nix6
-rw-r--r--system/secrets/mastodon/mail.age15
-rw-r--r--system/services/default.nix1
-rw-r--r--system/services/mastodon/default.nix79
10 files changed, 144 insertions, 102 deletions
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index 41d69f8..470275b 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -6,6 +6,12 @@
vhack = {
fail2ban.enable = true;
+ mastodon = {
+ enable = true;
+ domain = "mastodon.vhack.eu";
+ enableTLD = false;
+ tld = "vhack.eu";
+ };
miniflux = {
enable = true;
domain = "miniflux.foss-syndicate.org";
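Review bot: Lines 34-35 set `tld = "vhack.eu"` but `enableTLD = false`, so the new module resolves `localDomain` to `mastodon.vhack.eu`, whereas the module this commit removes hard-coded `localDomain = "vhack.eu"`. If the `/var/lib/mastodon` state and the database are carried over from server1 rather than created fresh, this changes the instance's LOCAL_DOMAIN, which Mastodon does not support once accounts exist (existing actor URIs keep the old domain and federation breaks). If the intent is to keep the existing identity, `enableTLD = true` is what reproduces the old behaviour; if this is a fresh instance, a comment would remove the ambiguity, e.g. `# fresh instance: handles are @user@mastodon.vhack.eu, tld is kept for a later switch`. The enclosing `vhack = { ... }` set continues outside the hunk.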
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix
index 6974768..de3ebac 100644
--- a/modules/by-name/co/constants/module.nix
+++ b/modules/by-name/co/constants/module.nix
@@ -27,6 +27,8 @@
systemd-oom = 332;
redis-peertube = 990;
peertube = 992; # TODO Sort correctly
+ mastodon = 996;
+ redis-mastodon = 991;
# As per the NixOS file, the uids should not be greater or equal to 400;
};
@@ -40,6 +42,8 @@
systemd-coredump = 151; # matches systemd-coredump user
redis-peertube = 990;
peertube = 992;
+ mastodon = 996;
+ redis-mastodon = 991;
# The gid should match the uid. Thus should not be >= 400;
};
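Review bot: The comments kept at lines 50 and 58 say the uids/gids "should not be greater or equal to 400", yet the values added here are 996 and 991 (as are the existing peertube ones), so the comment and the data contradict each other and the new entries extend the already-flagged ordering problem at line 47. The comment is presumably copied from NixOS' own static-ids file, where < 400 applies to the ids that file manages; this file appears to hand out system ids in the 900s, so it should say so rather than repeat a rule it violates, e.g. `# Static ids for services we pin ourselves; keep them unique across uids and gids and out of the < 400 range NixOS reserves for its own ids.`. Sorting the new entries numerically while touching the file would also retire the TODO on line 47. Both attribute sets start before the hunk.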
diff --git a/modules/by-name/ma/mastodon/mail.age b/modules/by-name/ma/mastodon/mail.age
new file mode 100644
index 0000000..882ade9
--- /dev/null
+++ b/modules/by-name/ma/mastodon/mail.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/modules/by-name/ma/mastodon/module.nix b/modules/by-name/ma/mastodon/module.nix
new file mode 100644
index 0000000..0616138
--- /dev/null
+++ b/modules/by-name/ma/mastodon/module.nix
@@ -0,0 +1,119 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ emailAddress = "mastodon@vhack.eu";
+ applyPatches = pkg:
+ pkg.overrideAttrs (attrs: {
+ patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
+ });
+ cfg = config.vhack.mastodon;
+in {
+ options.vhack.mastodon = {
+ enable = lib.mkEnableOption "a mastodon instance";
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The Domain mastodon should be served on";
+ example = "mastodon.vhack.eu";
+ };
+ enableTLD = lib.mkEnableOption "using the tld as handle, configured via
+ webfinger (note: this requires the tld to point to the same server as domain)";
+ tld = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ example = "vhack.eu";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.mastodonMail = {
+ file = ./mail.age;
+ mode = "700";
+ owner = "mastodon";
+ group = "mastodon";
+ };
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/mastodon";
+ user = "mastodon";
+ group = "mastodon";
+ mode = "0700";
+ }
+ ];
+
+ vhack.postgresql.enable = true;
+ services.mastodon = {
+ enable = true;
+
+ package = applyPatches pkgs.mastodon;
+
+ # Unstable Mastodon package, used if
+ # security updates aren't backported.
+ #package = applyPatches pkgs-unstable.mastodon;
+
+ localDomain =
+ if cfg.enableTLD
+ then cfg.tld
+ else cfg.domain;
+ smtp = {
+ authenticate = true;
+ createLocally = false;
+ fromAddress = emailAddress;
+ user = emailAddress;
+ host = "server1.vhack.eu";
+ passwordFile = config.age.secrets.mastodonMail.path;
+ };
+ streamingProcesses = 3; # Number of Cores - 1
+ extraConfig = {
+ WEB_DOMAIN = cfg.domain;
+ EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
+ };
+ };
+
+ vhack.nginx.enable = true;
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true; # required for redirections to work
+ virtualHosts = {
+ "${cfg.domain}" = {
+ root = "${config.services.mastodon.package}/public/";
+ # mastodon only supports https, but you can override this if you offload tls elsewhere.
+ forceSSL = true;
+ enableACME = true;
+
+ locations = {
+ "/system/".alias = "/var/lib/mastodon/public-system/";
+ "/".tryFiles = "$uri @proxy";
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+ "/api/v1/streaming/" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ "${cfg.tld}" =
+ if cfg.enableTLD
+ then {
+ locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";
+ }
+ else {};
+ };
+ };
+
+ users = {
+ users.mastodon.uid = config.vhack.constants.ids.uids.mastodon;
+ users.redis-mastodon.uid = config.vhack.constants.ids.uids.redis-mastodon;
+ groups.redis-mastodon.gid = config.vhack.constants.ids.gids.redis-mastodon;
+ groups.mastodon = {
+ gid = config.vhack.constants.ids.gids.mastodon;
+ members = [
+ config.services.nginx.user
+ ];
+ };
+ };
+ };
+}
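Review bot: The virtualHosts entry at lines 170-175 is keyed on `"${cfg.tld}"` unconditionally, so with the option's default `tld = null` evaluation should fail (null cannot be interpolated into a string), and with `enableTLD = false` but a `tld` set — exactly what server3's configuration does — nginx still gets an empty, plain-HTTP `vhack.eu` server block instead of no vhost at all. Guarding the whole attribute is cleaner: replace lines 170-176 with `} // lib.optionalAttrs cfg.enableTLD {`, `"${cfg.tld}".locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";`, `};`, and add an `assertions` entry that `cfg.tld != null` whenever `cfg.enableTLD` is set. Separately, `mode = "700"` on the SMTP password secret at line 104 sets an execute bit on a credential file; `"0400"` is the least-privilege choice since the mastodon user only needs to read it. Note also that the tld vhost carries no `forceSSL`/`enableACME`, so the webfinger redirect is reachable only over plain HTTP unless another module configures TLS for that domain — worth a comment either way.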
diff --git a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
index 35dc809..35dc809 100644
--- a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
+++ b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
diff --git a/secrets.nix b/secrets.nix
index db54bc5..8efc4ba 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -28,11 +28,11 @@ in {
"./modules/by-name/pe/peertube/secrets/general.age".publicKeys = server3;
"./modules/by-name/pe/peertube/secrets/smtp.age".publicKeys = server3;
"./modules/by-name/mi/miniflux/secrets/admin.age".publicKeys = server3;
+ "./modules/by-name/ma/mastodon/mail.age".publicKeys = server3;
"./system/secrets/backup/backuppass.age".publicKeys = server1;
"./system/secrets/backup/backupssh.age".publicKeys = server1;
"./system/secrets/invidious/hmac.age".publicKeys = server1;
- "./system/secrets/mastodon/mail.age".publicKeys = server1;
"./system/secrets/matrix-synapse/passwd.age".publicKeys = server1;
"./system/secrets/taskserver/ca.age".publicKeys = server1;
"./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = server1;
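Review bot: `mail.age` is re-encrypted to server3's key (line 204), but the old ciphertext encrypted to server1 (line 208) stays in git history, so anyone holding server1's host key can still recover it. If the re-encrypted file carries the same SMTP password for mastodon@vhack.eu rather than a fresh one, rotating that credential at the mail server closes the gap; a short note next to the entry, e.g. `# rotated when moved to server3`, would record that this was considered. The enclosing attribute set starts before the hunk.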
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 565a774..a8071eb 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -7,12 +7,6 @@
owner = "root";
group = "root";
};
- mastodonMail = {
- file = ./mastodon/mail.age;
- mode = "700";
- owner = "mastodon";
- group = "mastodon";
- };
matrix-synapse_registration_shared_secret = {
file = ./matrix-synapse/passwd.age;
mode = "700";
diff --git a/system/secrets/mastodon/mail.age b/system/secrets/mastodon/mail.age
deleted file mode 100644
index ea50b17..0000000
--- a/system/secrets/mastodon/mail.age
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZWlGM1MvTUN0U0pndkli
-RlJFZGtqTStzVzJpeFFRQ3BvandlWHJId2ljCkVPOGtaYThJdW4yeUl6Qnd2aUpi
-cEpIT2NraTlDcmdla0lSeWZ6VFdoaVUKLT4gWDI1NTE5IEwrdjVRYjlyakVnNGZ5
-UXVrU0tKT2NaOHdpYmE2L1E3TlFwWFZ2b2NuM2cKRnl5RFg1WWF6ejNlbGt6SVJC
-eXdtUE5LRzNlNHhHTGJsbkpwVWwrVWFXZwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
-ak9GNHhxOFJaY0pVTHphcVR6dGtReUYyUElrUDVCZVpjbnZiSFpBbjZ4MAo5R3E0
-WWNqWTU2TkFoN1I0OXBjS2QwWWxqRHNCemRvUHRJYkJXMEw0eFg0Ci0+IGlwey1n
-cmVhc2UgWkAhXU8xc0cKME4rTDFZemNxZnBCNU0yRFlNbWJCdnk3TFpsdGp0WXpD
-RWRPNG5zZjlqNnBnVDZrQythV3drZUxScUt5V1J3ZgpwRWt5REVHTy9pL3Bvd0VL
-RUQyOU5iWFNZa3NGUjJQakRIV2QKLS0tIElJSFdpOUppcHpJM3hWbSt4NWtob254
-TVBZNTZCMS9VRHFEUVZoMFowSncKrgSHBWQCSpoirkhv62BYGg7dvvDzkkduUqVY
-xXJU948PAe0skP2mPf5ba/W6K5lZCFrQo+AWQycBDNrLYI2/ZgXElfqqJKkpKbt3
-5tIpDZtld/q6DvmG5gp7vP541mHR8g==
------END AGE ENCRYPTED FILE-----
diff --git a/system/services/default.nix b/system/services/default.nix
index dfce3be..967bad0 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -2,7 +2,6 @@
imports = [
./invidious
./mail
- ./mastodon
./matrix
./minecraft
./restic
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
deleted file mode 100644
index 15b8609..0000000
--- a/system/services/mastodon/default.nix
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: let
- emailAddress = "mastodon@vhack.eu";
- applyPatches = pkg:
- pkg.overrideAttrs (attrs: {
- patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
- });
-in {
- vhack.persist.directories = [
- {
- directory = "/var/lib/mastodon";
- user = "mastodon";
- group = "mastodon";
- mode = "0700";
- }
- ];
-
- services.mastodon = {
- enable = true;
-
- package = applyPatches pkgs.mastodon;
-
- # Unstable Mastodon package, used if
- # security updates aren't backported.
- #package = applyPatches pkgs-unstable.mastodon;
-
- localDomain = "vhack.eu";
- smtp = {
- authenticate = true;
- createLocally = false;
- fromAddress = emailAddress;
- user = emailAddress;
- host = "server1.vhack.eu";
- passwordFile = config.age.secrets.mastodonMail.path;
- };
- streamingProcesses = 5; # Number of Cores - 1
- extraConfig = {
- WEB_DOMAIN = "mastodon.vhack.eu";
- EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true; # required for redirections to work
- virtualHosts = {
- ${config.services.mastodon.extraConfig.WEB_DOMAIN} = {
- root = "${config.services.mastodon.package}/public/";
- # mastodon only supports https, but you can override this if you offload tls elsewhere.
- forceSSL = true;
- enableACME = true;
-
- locations = {
- "/system/".alias = "/var/lib/mastodon/public-system/";
- "/".tryFiles = "$uri @proxy";
- "@proxy" = {
- proxyPass = "http://unix:/run/mastodon-web/web.socket";
- proxyWebsockets = true;
- };
- "/api/v1/streaming/" = {
- proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
- proxyWebsockets = true;
- };
- };
- };
-
- "vhack.eu" = {
- locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri";
- };
- };
- };
-
- users.groups.${config.services.mastodon.group}.members = [
- config.services.nginx.user
- ];
-}