fix(system/services/mastodon): separate domains for user handles and webinterface

1 files changed, 34 insertions, 2 deletions

diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
index 3a983c3..96c2744 100644
--- a/system/services/mastodon/default.nix
+++ b/system/services/mastodon/default.nix
@@ -3,8 +3,7 @@
 in {
   services.mastodon = {
     enable = true;
-    localDomain = "mstdn.vhack.eu";
-    configureNginx = true;
+    localDomain = "vhack.eu";
     smtp = {
       authenticate = true;
       createLocally = false;
@@ -13,5 +12,38 @@ in {
       host = "server1.vhack.eu";
       passwordFile = "${config.age.secrets.mastodonMail.path}";
     };
+    extraConfig.WEB_DOMAIN = "mastodon.vhack.eu";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true; # required for redirections to work
+    virtualHosts = {
+      "${config.services.mastodon.extraConfig.WEB_DOMAIN}" = {
+        root = "${config.services.mastodon.package}/public/";
+        # mastodon only supports https, but you can override this if you offload tls elsewhere.
+        forceSSL = true;
+        enableACME = true;
+
+        locations."/system/".alias = "/var/lib/mastodon/public-system/";
+
+        locations."/" = {
+          tryFiles = "$uri @proxy";
+        };
+
+        locations."@proxy" = {
+          proxyPass = "http://unix:/run/mastodon-web/web.socket";
+          proxyWebsockets = true;
+        };
+
+        locations."/api/v1/streaming/" = {
+          proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+          proxyWebsockets = true;
+        };
+      };
+      "vhack.eu" = {
+        locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri";
+      };
+    };
   };
 }