1 files changed, 119 insertions, 0 deletions
diff --git a/modules/by-name/ma/mastodon/module.nix b/modules/by-name/ma/mastodon/module.nix
new file mode 100644
index 0000000..0616138
--- /dev/null
+++ b/modules/by-name/ma/mastodon/module.nix
@@ -0,0 +1,119 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  emailAddress = "mastodon@vhack.eu";
+  applyPatches = pkg:
+    pkg.overrideAttrs (attrs: {
+      patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
+    });
+  cfg = config.vhack.mastodon;
+in {
+  options.vhack.mastodon = {
+    enable = lib.mkEnableOption "a mastodon instance";
+    domain = lib.mkOption {
+      type = lib.types.str;
+      description = "The Domain mastodon should be served on";
+      example = "mastodon.vhack.eu";
+    };
+    enableTLD = lib.mkEnableOption "using the tld as handle, configured via
+    webfinger (note: this requires the tld to point to the same server as domain)";
+    tld = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = "vhack.eu";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    age.secrets.mastodonMail = {
+      file = ./mail.age;
+      mode = "700";
+      owner = "mastodon";
+      group = "mastodon";
+    };
+    vhack.persist.directories = [
+      {
+        directory = "/var/lib/mastodon";
+        user = "mastodon";
+        group = "mastodon";
+        mode = "0700";
+      }
+    ];
+
+    vhack.postgresql.enable = true;
+    services.mastodon = {
+      enable = true;
+
+      package = applyPatches pkgs.mastodon;
+
+      # Unstable Mastodon package, used if
+      # security updates aren't backported.
+      #package = applyPatches pkgs-unstable.mastodon;
+
+      localDomain =
+        if cfg.enableTLD
+        then cfg.tld
+        else cfg.domain;
+      smtp = {
+        authenticate = true;
+        createLocally = false;
+        fromAddress = emailAddress;
+        user = emailAddress;
+        host = "server1.vhack.eu";
+        passwordFile = config.age.secrets.mastodonMail.path;
+      };
+      streamingProcesses = 3; # Number of Cores - 1
+      extraConfig = {
+        WEB_DOMAIN = cfg.domain;
+        EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
+      };
+    };
+
+    vhack.nginx.enable = true;
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true; # required for redirections to work
+      virtualHosts = {
+        "${cfg.domain}" = {
+          root = "${config.services.mastodon.package}/public/";
+          # mastodon only supports https, but you can override this if you offload tls elsewhere.
+          forceSSL = true;
+          enableACME = true;
+
+          locations = {
+            "/system/".alias = "/var/lib/mastodon/public-system/";
+            "/".tryFiles = "$uri @proxy";
+            "@proxy" = {
+              proxyPass = "http://unix:/run/mastodon-web/web.socket";
+              proxyWebsockets = true;
+            };
+            "/api/v1/streaming/" = {
+              proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+              proxyWebsockets = true;
+            };
+          };
+        };
+        "${cfg.tld}" =
+          if cfg.enableTLD
+          then {
+            locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";
+          }
+          else {};
+      };
+    };
+
+    users = {
+      users.mastodon.uid = config.vhack.constants.ids.uids.mastodon;
+      users.redis-mastodon.uid = config.vhack.constants.ids.uids.redis-mastodon;
+      groups.redis-mastodon.gid = config.vhack.constants.ids.gids.redis-mastodon;
+      groups.mastodon = {
+        gid = config.vhack.constants.ids.gids.mastodon;
+        members = [
+          config.services.nginx.user
+        ];
+      };
+    };
+  };
+}