blob: 56450145ed94bd2877c12a57a32bcfacc86d6f3b (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
{
config,
pkgs,
lib,
...
}: let
emailAddress = "mastodon@vhack.eu";
applyPatches = pkg:
pkg.overrideAttrs (attrs: {
patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
});
cfg = config.vhack.mastodon;
in {
options.vhack.mastodon = {
enable = lib.mkEnableOption "a mastodon instance";
domain = lib.mkOption {
type = lib.types.str;
description = "The Domain mastodon should be served on";
example = "mastodon.vhack.eu";
};
enableTLD = lib.mkEnableOption "using the tld as handle, configured via
webfinger (note: this requires the tld to point to the same server as domain)";
tld = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "vhack.eu";
};
};
config = lib.mkIf cfg.enable {
age.secrets.mastodonMail = {
file = ./mail.age;
mode = "700";
owner = "mastodon";
group = "mastodon";
};
vhack.persist.directories = [
{
directory = "/var/lib/mastodon";
user = "mastodon";
group = "mastodon";
mode = "0700";
}
];
vhack.postgresql.enable = true;
services.mastodon = {
enable = true;
package = applyPatches pkgs.mastodon;
# Unstable Mastodon package, used if
# security updates aren't backported.
#package = applyPatches pkgs-unstable.mastodon;
localDomain =
if cfg.enableTLD
then cfg.tld
else cfg.domain;
smtp = {
authenticate = true;
createLocally = false;
fromAddress = emailAddress;
user = emailAddress;
host = "mail.foss-syndicate.org";
passwordFile = config.age.secrets.mastodonMail.path;
};
streamingProcesses = 3; # Number of Cores - 1
extraConfig = {
WEB_DOMAIN = cfg.domain;
EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
};
};
vhack.nginx.enable = true;
services.nginx = {
enable = true;
recommendedProxySettings = true; # required for redirections to work
virtualHosts = {
"${cfg.domain}" = {
root = "${config.services.mastodon.package}/public/";
# mastodon only supports https, but you can override this if you offload tls elsewhere.
forceSSL = true;
enableACME = true;
locations = {
"/system/".alias = "/var/lib/mastodon/public-system/";
"/".tryFiles = "$uri @proxy";
"@proxy" = {
proxyPass = "http://unix:/run/mastodon-web/web.socket";
proxyWebsockets = true;
};
"/api/v1/streaming/" = {
proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
proxyWebsockets = true;
};
};
};
"${cfg.tld}" =
if cfg.enableTLD
then {
locations."/.well-known/webfinger".return = "301 https://${cfg.domain}$request_uri";
}
else {};
};
};
users = {
users.mastodon.uid = config.vhack.constants.ids.uids.mastodon;
users.redis-mastodon.uid = config.vhack.constants.ids.uids.redis-mastodon;
groups.redis-mastodon.gid = config.vhack.constants.ids.gids.redis-mastodon;
groups.mastodon = {
gid = config.vhack.constants.ids.gids.mastodon;
members = [
config.services.nginx.user
];
};
};
};
}
|
