aboutsummaryrefslogtreecommitdiffstats
path: root/modules/by-name/ma
diff options
context:
space:
mode:
Diffstat (limited to 'modules/by-name/ma')
-rw-r--r--modules/by-name/ma/mail/module.nix167
-rw-r--r--modules/by-name/ma/mastodon/module.nix128
-rw-r--r--modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch40
-rw-r--r--modules/by-name/ma/matrix/module.nix181
4 files changed, 516 insertions, 0 deletions
diff --git a/modules/by-name/ma/mail/module.nix b/modules/by-name/ma/mail/module.nix
new file mode 100644
index 0000000..768eb33
--- /dev/null
+++ b/modules/by-name/ma/mail/module.nix
@@ -0,0 +1,167 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.mail;
+ all_admins = [
+ "sils@vhack.eu"
+ "soispha@vhack.eu"
+ "nightingale@vhack.eu"
+ ];
+in {
+ options.vhack.mail = {
+ enable = lib.mkEnableOption "sophisticated mail setup with simple-nixos-mailserver";
+ fqdn = lib.mkOption {
+ type = lib.types.str;
+ description = "The fqdn mailserver should be served on.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/mail/backup";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/vmail";
+ user = "virtualMail";
+ group = "virtualMail";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mail/dkim";
+ user = "opendkim";
+ group = "opendkim";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/postfix/data";
+ user = "postfix";
+ group = "postfix";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/postfix/queue";
+ user = "postfix";
+ group = "postfix";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/rspamd";
+ user = "rspamd";
+ group = "rspamd";
+ mode = "0700";
+ }
+ ];
+
+ vhack.nginx.enable = true;
+ security.acme.certs = {
+ "${cfg.fqdn}" = {
+ domain = cfg.fqdn;
+ };
+ };
+
+ mailserver = {
+ enable = true;
+ inherit (cfg) fqdn;
+
+ stateVersion = 5;
+
+ aliases = {
+ "abuse@vhack.eu" = all_admins;
+ "postmaster@vhack.eu" = all_admins;
+ "admin@vhack.eu" = all_admins;
+ };
+
+ storage = {
+ directoryLayout = "fs";
+ path = "/var/lib/mail/vmail";
+ };
+
+ dkim.keyDirectory = "/var/lib/mail/dkim";
+ backup.snapshotRoot = "/var/lib/mail/backup";
+
+ enableImap = false;
+ enableImapSsl = true;
+ enablePop3 = false;
+ enablePop3Ssl = true;
+ # SMTP
+ enableSubmission = false;
+ enableSubmissionSsl = true;
+ openFirewall = true;
+
+ # Reference the existing ACME configuration created by nginx
+ x509.useACMEHost = cfg.fqdn;
+
+ domains = [
+ "vhack.eu"
+
+ "s-schoeffel.de"
+ "b-peetz.de"
+
+ "sils.li"
+ "nightingale.sils.li"
+ "sils.sils.li"
+ ];
+
+ accounts = {
+ "sils@vhack.eu" = {
+ hashedPassword = "$2b$05$RW/Svgk7iGxvP5W7ZwUZ1e.a3fj4fteevb2MtfFYYD0d1DQ17y9Fm";
+ };
+ "soispha@vhack.eu" = {
+ hashedPassword = "$2b$05$XX36sJuHNbTFvi8DFldscOeQBHahluSkiUqD9QGzQaET7NJusSuQW";
+ };
+
+ "benedikt.peetz@b-peetz.de" = {
+ hashedPassword = "$2b$05$MfET8utot2OolPZNASqoDe4VXNoG2chnEWhdfQ2E92mit0TvI2gBy";
+ aliases = ["@b-peetz.de"];
+ };
+ "silas.schoeffel@s-schoeffel.de" = {
+ hashedPassword = "$2b$05$Qb8rl7ncpCcTbsSdsduJBuOITp8RTD6sfOTjuxJsVtD9vjAYY9n8e";
+ aliases = ["@s-schoeffel.de"];
+ };
+
+ "nightingale@vhack.eu" = {
+ hashedPassword = "$2b$05$nDKVVq1EktKXWqGFhnOLP.plLovXFyvWSuptK9GIkxA5DScKFx6YS";
+ aliases = [
+ "@nightingale.sils.li"
+ ];
+ };
+ "sils@sils.li" = {
+ hashedPassword = "$2b$05$Ebzh2ZhuWkz1p4tqJ172IejNZg10FtCxPDY4k6umYrpirXg7ezIRq";
+ aliases = [
+ "@sils.sils.li"
+ "@sils.li"
+ ];
+ };
+
+ # Mail-Account used by hosted software
+ "mastodon@vhack.eu" = {
+ hashedPassword = "$2b$05$pSby3x2p3cHg0FyAE8IiJ.nYUqtAIR10JA8HNpHwMAiLXqc.ltSK.";
+ };
+ "peertube@vhack.eu" = {
+ hashedPassword = "$y$j9T$hyWQ8Awd2Xrc6qsK.2hwE1$LxACfaeW.yHGbkQL95dWtID9.zXL/aMwT6lp.yU/0g0";
+ };
+ };
+ };
+
+ users = {
+ users = {
+ knot-resolver.uid = config.vhack.constants.ids.uids.knot-resolver;
+ redis-rspamd.uid = config.vhack.constants.ids.uids.redis-rspamd;
+ rspamd.uid = config.vhack.constants.ids.uids.rspamd;
+ postfix-tlspol.uid = config.vhack.constants.ids.uids.postfix-tlspol;
+ };
+ groups = {
+ knot-resolver.gid = lib.mkForce config.vhack.constants.ids.gids.knot-resolver;
+ redis-rspamd.gid = config.vhack.constants.ids.gids.redis-rspamd;
+ rspamd.gid = config.vhack.constants.ids.gids.rspamd;
+ postfix-tlspol.gid = config.vhack.constants.ids.gids.postfix-tlspol;
+ };
+ };
+ };
+}
diff --git a/modules/by-name/ma/mastodon/module.nix b/modules/by-name/ma/mastodon/module.nix
new file mode 100644
index 0000000..84f3ec8
--- /dev/null
+++ b/modules/by-name/ma/mastodon/module.nix
@@ -0,0 +1,128 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ emailAddress = "mastodon@vhack.eu";
+ applyPatches = pkg:
+ pkg.overrideAttrs (attrs: {
+ patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
+ });
+ cfg = config.vhack.mastodon;
+in {
+ options.vhack.mastodon = {
+ enable = lib.mkEnableOption "a mastodon instance";
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "The Domain mastodon should be served on";
+ example = "mastodon.vhack.eu";
+ };
+ enableTLD = lib.mkEnableOption "using the tld as handle, configured via
+ webfinger (note: this requires the tld to point to the same server as domain)";
+ tld = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ example = "vhack.eu";
+ };
+ mailPwFile = lib.mkOption {
+ type = lib.types.path;
+ description = "The age encrypted mail password file passed to agenix";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.mastodonMail = {
+ file = cfg.mailPwFile;
+ mode = "700";
+ owner = "mastodon";
+ group = "mastodon";
+ };
+
+ vhack = {
+ persist.directories = [
+ {
+ directory = "/var/lib/mastodon";
+ user = "mastodon";
+ group = "mastodon";
+ mode = "0700";
+ }
+ ];
+
+ postgresql.enable = true;
+
+ nginx.enable = true;
+ };
+
+ services.mastodon = {
+ enable = true;
+
+ package = applyPatches pkgs.mastodon;
+
+ # Unstable Mastodon package, used if
+ # security updates aren't backported.
+ #package = applyPatches pkgsUnstable.mastodon;
+
+ localDomain =
+ if cfg.enableTLD
+ then cfg.tld
+ else cfg.domain;
+ smtp = {
+ authenticate = true;
+ createLocally = false;
+ fromAddress = emailAddress;
+ user = emailAddress;
+ host = "mail.foss-syndicate.org";
+ passwordFile = config.age.secrets.mastodonMail.path;
+ };
+ streamingProcesses = 3; # Number of Cores - 1
+ extraConfig = {
+ WEB_DOMAIN = cfg.domain;
+ EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true; # required for redirections to work
+ virtualHosts = {
+ "${cfg.domain}" = {
+ root = "${config.services.mastodon.package}/public/";
+ # mastodon only supports https, but you can override this if you offload tls elsewhere.
+ forceSSL = true;
+ enableACME = true;
+
+ locations = {
+ "/system/".alias = "/var/lib/mastodon/public-system/";
+ "/".tryFiles = "$uri @proxy";
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+ "/api/v1/streaming/" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ "${cfg.tld}" =
+ if cfg.enableTLD
+ then {
+ locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";
+ }
+ else {};
+ };
+ };
+
+ users = {
+ users.mastodon.uid = config.vhack.constants.ids.uids.mastodon;
+ users.redis-mastodon.uid = config.vhack.constants.ids.uids.redis-mastodon;
+ groups.redis-mastodon.gid = config.vhack.constants.ids.gids.redis-mastodon;
+ groups.mastodon = {
+ gid = config.vhack.constants.ids.gids.mastodon;
+ members = [
+ config.services.nginx.user
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
new file mode 100644
index 0000000..870492a
--- /dev/null
+++ b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch
@@ -0,0 +1,40 @@
+From 265bc7b12ab8229225b13565a361051b9e120792 Mon Sep 17 00:00:00 2001
+From: Benedikt Peetz <benedikt.peetz@b-peetz.de>
+Date: Tue, 7 Jul 2026 11:34:50 +0200
+Subject: [PATCH] feat(treewide): Increase character limit to 5000 in messages
+
+The default of 500 was just not enough.
+---
+ .../features/compose/containers/compose_form_container.js | 2 +-
+ app/validators/status_length_validator.rb | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/app/javascript/mastodon/features/compose/containers/compose_form_container.js b/app/javascript/mastodon/features/compose/containers/compose_form_container.js
+index c5cffff10d..2172a0ad8f 100644
+--- a/app/javascript/mastodon/features/compose/containers/compose_form_container.js
++++ b/app/javascript/mastodon/features/compose/containers/compose_form_container.js
+@@ -58,7 +58,7 @@ const mapStateToProps = state => ({
+ && !state.getIn(['settings', 'dismissed_banners', PRIVATE_QUOTE_MODAL_ID]),
+ isInReply: state.getIn(['compose', 'in_reply_to']) !== null,
+ lang: state.getIn(['compose', 'language']),
+- maxChars: state.getIn(['server', 'server', 'item', 'configuration', 'statuses', 'max_characters'], 500),
++ maxChars: state.getIn(['server', 'server', 'item', 'configuration', 'statuses', 'max_characters'], 5000),
+ });
+
+ const mapDispatchToProps = (dispatch, props) => ({
+diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb
+index 575aaf1869..ecefca6fe9 100644
+--- a/app/validators/status_length_validator.rb
++++ b/app/validators/status_length_validator.rb
+@@ -1,7 +1,7 @@
+ # frozen_string_literal: true
+
+ class StatusLengthValidator < ActiveModel::Validator
+- MAX_CHARS = 500
++ MAX_CHARS = 5000
+ URL_PLACEHOLDER_CHARS = 23
+ URL_PLACEHOLDER = 'x' * 23
+
+--
+2.54.0
+
diff --git a/modules/by-name/ma/matrix/module.nix b/modules/by-name/ma/matrix/module.nix
new file mode 100644
index 0000000..39631ef
--- /dev/null
+++ b/modules/by-name/ma/matrix/module.nix
@@ -0,0 +1,181 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.matrix;
+ clientConfig."m.homeserver".base_url = "https://${cfg.fqdn}";
+ serverConfig."m.server" = "${cfg.fqdn}:443";
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ options.vhack.matrix = {
+ enable = lib.mkEnableOption "matrix setup based on synapse";
+ fqdn = lib.mkOption {
+ type = lib.types.str;
+ description = "The FQDN on which matrix-synapse should be served.";
+ example = "matrix.vhack.eu";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ description = "The url the matrix-server should be known under.";
+ };
+ sharedSecretFile = lib.mkOption {
+ type = lib.types.path;
+ description = "The age encrypted shared secret file for synapse, passed to agenix";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ age.secrets.matrix-synapse_registration_shared_secret = {
+ file = cfg.sharedSecretFile;
+ mode = "700";
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ vhack = {
+ persist.directories = [
+ {
+ directory = "/var/lib/matrix";
+ user = "matrix-synapse";
+ group = "matrix-synapse";
+ mode = "0700";
+ }
+ {
+ directory = "/var/lib/mautrix-whatsapp";
+ user = "mautrix-whatsapp";
+ group = "matrix-synapse";
+ mode = "0750";
+ }
+ ];
+
+ postgresql.enable = true;
+ nginx.enable = true;
+ };
+
+ systemd = {
+ tmpfiles.rules = [
+ "d /etc/matrix 0755 matrix-synapse matrix-synapse"
+ ];
+ # TODO: Do we still need this? <2025-12-18>
+ # The `$PSQL` env var seemed to go away between the 25.05 -> 25.11 update
+ # services.postgresql.postStart = ''
+ # $PSQL -tAc "ALTER ROLE \"matrix-synapse\" WITH PASSWORD 'synapse';"
+ # $PSQL -tAc "ALTER ROLE \"mautrix-whatsapp\" WITH PASSWORD 'whatsapp';"
+ # '';
+ };
+
+ services = {
+ postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "matrix-synapse";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "mautrix-whatsapp";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [
+ "matrix-synapse"
+ "mautrix-whatsapp"
+ ];
+ };
+
+ nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${cfg.url}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ };
+ "${cfg.fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".return = "404";
+ "/_matrix".proxyPass = "http://[::1]:8008";
+ "/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+ };
+ };
+ };
+
+ mautrix-whatsapp = {
+ # FIXME(@bpeetz): This was disabled because `mautrix-whatsapp` dependends on libolm.
+ # Re-enable it, when this has changed. <2024-09-06>
+ enable = false;
+ settings = {
+ appservice = {
+ database = {
+ type = "postgres";
+ uri = "postgres:///mautrix-whatsapp?host=/run/postgresql";
+ };
+ whatsapp = {
+ # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
+ # This also determines the WhatsApp icon
+ browser_name = "unknown";
+ };
+ };
+ homeserver.address = "https://${cfg.fqdn}";
+ bridge.permissions = {
+ "@soispha:vhack.eu" = "admin";
+ "@sils:vhack.eu" = "admin";
+ "@nightingale:vhack.eu" = "admin";
+ };
+ };
+ };
+
+ matrix-synapse = {
+ enable = true;
+ dataDir = "/var/lib/matrix";
+ configFile = "/etc/matrix/matrix.conf";
+ settings = {
+ media_store_path = "/var/lib/matrix/media_store";
+ registration_shared_secret_path = "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";
+ server_name = cfg.url;
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = ["::1"];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = true;
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+ users = {
+ users = {
+ matrix-synapse.uid = config.vhack.constants.ids.uids.matrix-synapse;
+ mautrix-whatsapp = {
+ uid = config.vhack.constants.ids.uids.mautrix-whatsapp;
+ group = "matrix-synapse";
+ };
+ };
+ groups.matrix-synapse.gid = config.vhack.constants.ids.gids.matrix-synapse;
+ };
+ };
+}