Diffstat (limited to '')
-rw-r--r-- | modules/by-name/co/constants/module.nix | 4 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/mail.age | 14 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/module.nix | 119 | ||||
-rw-r--r-- | modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch (renamed from system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch) | 0 |
4 files changed, 137 insertions, 0 deletions
diff --git a/modules/by-name/co/constants/module.nix b/modules/by-name/co/constants/module.nix index 6974768..de3ebac 100644 --- a/modules/by-name/co/constants/module.nix +++ b/modules/by-name/co/constants/module.nix @@ -27,6 +27,8 @@ systemd-oom = 332; redis-peertube = 990; peertube = 992; # TODO Sort correctly + mastodon = 996; + redis-mastodon = 991; # As per the NixOS file, the uids should not be greater or equal to 400; }; @@ -40,6 +42,8 @@ systemd-coredump = 151; # matches systemd-coredump user redis-peertube = 990; peertube = 992; + mastodon = 996; + redis-mastodon = 991; # The gid should match the uid. Thus should not be >= 400; }; diff --git a/modules/by-name/ma/mastodon/mail.age b/modules/by-name/ma/mastodon/mail.age new file mode 100644 index 0000000..882ade9 --- /dev/null +++ b/modules/by-name/ma/mastodon/mail.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPeTFoTjB6RTZHbDVzUzg2 +SzNnSE9aSi9yZUNSWWVKNlQxWUo1Y2M1R1h3CjR0RW8xdEtUTlBTcU9DWWE2OVVX +WEJVVkF2bmtQaUxrK0Vpb21qSCtUcncKLT4gWDI1NTE5IG1JY25Jdmo3UWt4aXJK +VTRFZVNja2R6MzlJcVMvdHhqZTY0WS91Vnp3Vk0KUG4xbVR2V3k0OFJCVFplODcw +R0ZDSExRTzVpRWVyM0E4VVRvMXE5cHpWUQotPiBzc2gtZWQyNTUxOSBweXU5Ymcg +RFFHaXFrS0IyWnVYdDE5aFhHNnZFSFY3S1ZVZHovRTRrV3VKV3JBQnJVTQordzJ5 +V0hpZ3dsdDVHODluNnRzWlBHRFBBcnVya0dMNTU3T2Z3NkpVZHBvCi0+IFB7LX5l +Vm5wLWdyZWFzZSA8NVIgV08zU3lBIGBZJSAnRQpwbDZTUTNqdVd4MHFNNVRVZ1pQ +MG1qcUtjVGRreU9zMwotLS0gMVJ4eldEQlRTTmdraDJDM2pzbkZOY0t6Wnl6TDd1 +cFRXZXJmS1FTMEtyNApWNUWWIXokgwgI+2GT+sBkTzFbXM4CPpIq2QOGRWMrRMmw +dHoK5NJEI7uw9mP9t6PI04THBqVL5YotJtZkAk1Sx00SWvyLPpZRsSBdH11YiRAb +jIx0T573hbbFoMNlZHoJ +-----END AGE ENCRYPTED FILE----- diff --git a/modules/by-name/ma/mastodon/module.nix b/modules/by-name/ma/mastodon/module.nix new file mode 100644 index 0000000..0616138 --- /dev/null +++ b/modules/by-name/ma/mastodon/module.nix 
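Review bot: `mastodon = 996;` and `redis-mastodon = 991;` are added directly above the comment `# As per the NixOS file, the uids should not be greater or equal to 400;` that they contradict, and they extend the run already marked `# TODO Sort correctly`; the gid hunk of the same file (`@@ -40,6 +42,8 @@`) repeats both values. If NixOS hands out dynamic system ids from the 400–999 range, which is what that comment implies, a fixed 996/991 can clash with an id another service was already given on an existing host, and the mastodon state is kept in persisted directories whose ownership must stay stable across rebuilds. Either move the new ids below 400 as the comment asks, or document the deliberate exception next to the values, e.g. `mastodon = 996; # intentionally >= 400, matches peertube; TODO confirm no clash with dynamically allocated ids`.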
@@ -0,0 +1,119 @@ +{ + config, + pkgs, + lib, + ... +}: let + emailAddress = "mastodon@vhack.eu"; + applyPatches = pkg: + pkg.overrideAttrs (attrs: { + patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch]; + }); + cfg = config.vhack.mastodon; +in { + options.vhack.mastodon = { + enable = lib.mkEnableOption "a mastodon instance"; + domain = lib.mkOption { + type = lib.types.str; + description = "The Domain mastodon should be served on"; + example = "mastodon.vhack.eu"; + }; + enableTLD = lib.mkEnableOption "using the tld as handle, configured via + webfinger (note: this requires the tld to point to the same server as domain)"; + tld = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + example = "vhack.eu"; + }; + }; + config = lib.mkIf cfg.enable { + age.secrets.mastodonMail = { + file = ./mail.age; + mode = "700"; + owner = "mastodon"; + group = "mastodon"; + }; + vhack.persist.directories = [ + { + directory = "/var/lib/mastodon"; + user = "mastodon"; + group = "mastodon"; + mode = "0700"; + } + ]; + + vhack.postgresql.enable = true; + services.mastodon = { + enable = true; + + package = applyPatches pkgs.mastodon; + + # Unstable Mastodon package, used if + # security updates aren't backported. 
+ #package = applyPatches pkgs-unstable.mastodon; + + localDomain = + if cfg.enableTLD + then cfg.tld + else cfg.domain; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = emailAddress; + user = emailAddress; + host = "server1.vhack.eu"; + passwordFile = config.age.secrets.mastodonMail.path; + }; + streamingProcesses = 3; # Number of Cores - 1 + extraConfig = { + WEB_DOMAIN = cfg.domain; + EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li"; + }; + }; + + vhack.nginx.enable = true; + services.nginx = { + enable = true; + recommendedProxySettings = true; # required for redirections to work + virtualHosts = { + "${cfg.domain}" = { + root = "${config.services.mastodon.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = true; + enableACME = true; + + locations = { + "/system/".alias = "/var/lib/mastodon/public-system/"; + "/".tryFiles = "$uri @proxy"; + "@proxy" = { + proxyPass = "http://unix:/run/mastodon-web/web.socket"; + proxyWebsockets = true; + }; + "/api/v1/streaming/" = { + proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket"; + proxyWebsockets = true; + }; + }; + }; + "${cfg.tld}" = + if cfg.enableTLD + then { + locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri"; + } + else {}; + }; + }; + + users = { + users.mastodon.uid = config.vhack.constants.ids.uids.mastodon; + users.redis-mastodon.uid = config.vhack.constants.ids.uids.redis-mastodon; + groups.redis-mastodon.gid = config.vhack.constants.ids.gids.redis-mastodon; + groups.mastodon = { + gid = config.vhack.constants.ids.gids.mastodon; + members = [ + config.services.nginx.user + ]; + }; + }; + }; +} diff --git a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch index 35dc809..35dc809 100644 
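Review bot: `"${cfg.tld}" = if cfg.enableTLD then … else {};` in `services.nginx.virtualHosts` interpolates `cfg.tld` even when `enableTLD` is false, and because `tld` defaults to `null` this should abort evaluation ("cannot coerce null to a string") for any instance that sets only `domain`, if I read Nix's string coercion right; the same `null` also reaches `localDomain` when `enableTLD` is set without `tld`. Move the key under the guard, e.g. `} // lib.optionalAttrs cfg.enableTLD { "${cfg.tld}".locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri"; };`, and add `assertions = [ { assertion = cfg.enableTLD -> cfg.tld != null; message = "vhack.mastodon.tld must be set when enableTLD is true"; } ];` so the misconfiguration is reported at evaluation time rather than as a coercion error. Separately, `age.secrets.mastodonMail.mode = "700"` makes the SMTP password file executable although it is only read through `passwordFile`; `mode = "0400";` is sufficient. The `tld` option also lacks a `description`; `description = "Top-level domain used as the account handle; must resolve to this host";` would match the other options.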
--- a/system/services/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch +++ b/modules/by-name/ma/mastodon/patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch |