From 6597734af783c55492e84b8d68773a5c24975e48 Mon Sep 17 00:00:00 2001 From: Charlotte Van Petegem Date: Wed, 2 Nov 2022 11:45:07 +0100 Subject: [PATCH] Mastodon --- machines/lasting-integrity/default.nix | 7 ++ machines/lasting-integrity/hardware.nix | 4 + modules/services/default.nix | 1 + modules/services/mastodon/default.nix | 74 ++++++++++++++++++ secrets.nix | 5 ++ secrets/passwords/services/mastodon/key.age | Bin 0 -> 642 bytes secrets/passwords/services/mastodon/otp.age | 11 +++ .../services/mastodon/vapid-private.age | 12 +++ .../services/mastodon/vapid-public.age | 11 +++ 9 files changed, 125 insertions(+) create mode 100644 modules/services/mastodon/default.nix create mode 100644 secrets/passwords/services/mastodon/key.age create mode 100644 secrets/passwords/services/mastodon/otp.age create mode 100644 secrets/passwords/services/mastodon/vapid-private.age create mode 100644 secrets/passwords/services/mastodon/vapid-public.age
diff --git a/machines/lasting-integrity/default.nix b/machines/lasting-integrity/default.nix
index 4ef779d8..bca54851 100644
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@@ -44,6 +44,12 @@
 fast = true;
 location = "192.168.0.1";
 }
+ {
+ path = "zdata/big-apps/mastodon";
+ remotePath = "zdata/recv/lasting-integrity/big-apps/mastodon";
+ fast = true;
+ location = "192.168.0.1";
+ }
 {
 path = "zdata/big-apps/nextcloud";
 remotePath = "zdata/recv/lasting-integrity/big-apps/nextcloud";
@@ -62,6 +68,7 @@
 garmin-scraper.enable = true;
 grafana.enable = true;
 mail.enable = true;
+ mastodon.enable = true;
 matrix.enable = true;
 nginx.hosts = [
 {
diff --git a/machines/lasting-integrity/hardware.nix b/machines/lasting-integrity/hardware.nix
index 7afeaa2d..bb08297c 100644
--- a/machines/lasting-integrity/hardware.nix
+++ b/machines/lasting-integrity/hardware.nix
@@ -54,6 +54,10 @@
 device = "zdata/big-apps/influxdb2";
 fsType = "zfs";
 };
+ "/var/lib/mastodon/public-system" = {
+ device = "zdata/big-apps/mastodon";
+ fsType = "zfs";
+ };
 "/cache" = {
 device = "zroot/safe/cache";
 fsType = "zfs";
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 78ca58c6..9b0b7b65 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -9,6 +9,7 @@
 ./garmin-scraper
 ./grafana
 ./mail
+ ./mastodon
 ./matrix
 ./nextcloud
 ./nginx
diff --git a/modules/services/mastodon/default.nix b/modules/services/mastodon/default.nix
new file mode 100644
index 00000000..ab810917
--- /dev/null
+++ b/modules/services/mastodon/default.nix
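Review bot: The dataset mounted at /var/lib/mastodon/public-system in this hunk is, per the Mastodon module added by the same patch, the directory nginx serves as `/system/`, i.e. user-uploaded media, and nothing in the fileSystems entry stops files on it from being executable. Adding `options = [ "noexec" "nosuid" "nodev" ];` to this entry (or setting `exec=off` on the ZFS dataset) is a cheap defence-in-depth measure for an upload volume. This assumes nothing under that path needs to execute, which I would expect for media storage but cannot confirm from the diff alone.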
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+
+{
+ options.chvp.services.mastodon.enable = lib.mkOption {
+ default = false;
+ example = true;
+ };
+
+ config = lib.mkIf config.chvp.services.mastodon.enable {
+ chvp.services.nginx.hosts = [{
+ fqdn = "social.chvp.be";
+ options = {
+ root = "${pkgs.mastodon}/public/";
+ locations = {
+ "/system/".alias = "/var/lib/mastodon/public-system/";
+ "/".tryFiles = "$uri @proxy";
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+ "/api/v1/streaming" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ }];
+ users = {
+ users = {
+ mastodon.uid = 989;
+ nginx.extraGroups = [ "mastodon" ];
+ };
+ groups.mastodon.gid = 985;
+ };
+ services.mastodon = {
+ enable = true;
+ configureNginx = false;
+ localDomain = "social.chvp.be";
+ enableUnixSocket = true;
+
+ database.createLocally = true;
+ redis.createLocally = true;
+ smtp = {
+ fromAddress = "social@chvp.be";
+ createLocally = false;
+ };
+ extraConfig = {
+ SMTP_OPENSSL_VERIFY_MODE = "none";
+ };
+
+ otpSecretFile = config.age.secrets."passwords/services/mastodon/otp".path;
+ secretKeyBaseFile = config.age.secrets."passwords/services/mastodon/key".path;
+ vapidPublicKeyFile = config.age.secrets."passwords/services/mastodon/vapid-public".path;
+ vapidPrivateKeyFile = config.age.secrets."passwords/services/mastodon/vapid-private".path;
+ };
+
+ age.secrets."passwords/services/mastodon/vapid-public" = {
+ file = ../../../secrets/passwords/services/mastodon/vapid-public.age;
+ owner = "mastodon";
+ };
+ age.secrets."passwords/services/mastodon/vapid-private" = {
+ file = ../../../secrets/passwords/services/mastodon/vapid-private.age;
+ owner = "mastodon";
+ };
+ age.secrets."passwords/services/mastodon/key" = {
+ file = ../../../secrets/passwords/services/mastodon/key.age;
+ owner = "mastodon";
+ };
+ age.secrets."passwords/services/mastodon/otp" = {
+ file 
= ../../../secrets/passwords/services/mastodon/otp.age; + owner = "mastodon"; + }; + }; +} diff --git a/secrets.nix b/secrets.nix index 449ebeeb..ecfd29c8 100644 --- a/secrets.nix +++ b/secrets.nix @@ -53,6 +53,11 @@ in "secrets/passwords/services/acme.age".publicKeys = servers ++ users; + "secrets/passwords/services/mastodon/otp.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/mastodon/key.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/mastodon/vapid-public.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/mastodon/vapid-private.age".publicKeys = [ lasting-integrity ] ++ users; + "secrets/passwords/services/garmin2influx-env.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users; diff --git a/secrets/passwords/services/mastodon/key.age b/secrets/passwords/services/mastodon/key.age new file mode 100644 index 0000000000000000000000000000000000000000..03890ab63851e7f00fbd13ea660db676cdd37899 GIT binary patch literal 642 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7@OE@73sf*K&GB{& z^LI7(^mYr%35^IZ&#LlBOY*WzkMK4&H}@{Chz$0~56E^2DdsA5Pb>5H@y_sYcQ5iX z&hhqgN{I?AG%9v_eB3&UYEXOP$(LC5+-^NHPScIq9m!RAi^&xH6zS4+%MbQ$dk*z+@~tgB`d(c)Y-MdEyOn}E5$p| zFRHRQ)j6OlIXJJ>#Wh>sJ-@^?ARpbf%ET0tus{WO(_r^}ZP)NHw`BLyVB^xHs&wb% zlmLGtul(}RVE3Ykq5|#8U~TOX=TI(xCu1{Hrz*$rLZft_#FB#4WUs2!Ds2g)@>RhfCS>=Z2=@u!8 zxsef}o^Gk7#zD^B&KAigk*Pjj1sUZ5Ufxjwj@iYfQTf3IWm(1L$y~a+x(WqBMXuRi zMQO#xP6knCnJyJosU_~7MX8CEei3P*DH(=k5s9UaL1sz8o?Lo;w~q9EWf8yDZ+t8A z$8(ltA9l2|wA3H6vUM;hn$H<__pj-L1=mDZy<<|6NIYP~A=3Z!(%EVy+kexV*I4J4 z?^}BLq3+xHxA!!+%=vMO!64AUPeU&D+ounc8pHMlSlU_7G4fWdeGm{3&z2V`!f~Kw z?^VSaH*f!Eb8@S2%h>0=U;JOB+3R^5w^mG-oALLaly7^*B#Cty^76dB;i^9hPY7KB E01D^mmjD0& literal 0 HcmV?d00001 
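Review bot: `SMTP_OPENSSL_VERIFY_MODE = "none";` in the extraConfig block of the new Mastodon module disables certificate verification for outbound SMTP, so password-reset and account-confirmation mails can be read or redirected by anyone positioned between this host and the relay. No `smtp.host` is set in the hunk, so the relay is presumably the mail service this machine already enables (`mail.enable = true` in machines/lasting-integrity/default.nix); if it is reached over loopback the exposure is small but still deserves a one-line comment saying so, and if the relay is remote the line should become `SMTP_OPENSSL_VERIFY_MODE = "peer";` with the relay's CA trusted through the system store instead of switching verification off. Separately, the `"/system/"` alias serves user-uploaded media from the same origin as the web UI with no response headers, whereas upstream Mastodon's nginx template sets `X-Content-Type-Options nosniff` and `Content-Security-Policy "default-src 'none'; form-action 'none'"` on that location so uploads cannot be interpreted as active content; those headers should be added to the location here unless chvp.services.nginx.hosts already applies them globally, which this diff does not show.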
diff --git a/secrets/passwords/services/mastodon/otp.age b/secrets/passwords/services/mastodon/otp.age new file mode 100644 index 00000000..25a0abf2 --- /dev/null +++ b/secrets/passwords/services/mastodon/otp.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ qUX3kbBrSvD0TpzPo1FSvj2Y0XgiRuB85hJWLnSLyCE +xIS82BMrKIrdwyL9WmnUXu073kDrVd/R7VACiWBiiCw +-> ssh-ed25519 s9rb8g TpqLGfeBjfK15OdnH7vWBCrwn0EbapG3joeIXi5hp18 +BuouswSPfGDMaXbpy/pC0pek66FBVBrQyFq32AxtStQ +-> ssh-ed25519 yad4VQ 2Jq/gVbABw1+xgBOYYHMqMR4N2ZQwk9xbK3/Xar55CA +IAbzT3BshmLho2psx08muvjc5ZU4DYpkmOkmHb7L+TI +-> )+G8u*-grease 4 (', `F?]U 9~.V_L +q7LbpDJis1PmlNyawx3MXxjXkrxUVBIUwoOuipvLi9TKDQ39KJxyOCIIZCIQwA +--- iQNO5W76cfj2k8NdTPqCdJHestSwPCdHDf58p8FcihA +„$!m PS1$qpf]5)8+$nlCjkXWU/nH$%Y@SX7׫7 :hW2{p= G93k?Vl>l'.$0i5k \ No newline at end of file diff --git a/secrets/passwords/services/mastodon/vapid-private.age b/secrets/passwords/services/mastodon/vapid-private.age new file mode 100644 index 00000000..83475c64 --- /dev/null +++ b/secrets/passwords/services/mastodon/vapid-private.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 hKAFvQ dHxud0szOg7zaxwddGG1nUxCEny5jxKyQdYT7q/LGB8 +AO+kc43zv9MBwAvrq3DSSeGGYoY8gSUaN3drhNN4OWQ +-> ssh-ed25519 s9rb8g JTm3AwLa4IO+rpWKA3J7yxk0vc4TRgSjk6j07XbNlyE +RDIeGxXne8byHbbil4zUOqKa4a96Woo5JT84Ui7KFdE +-> ssh-ed25519 yad4VQ RkizLgPPmAcyLRfRNrZZ83i9k1R8tRrfyH7AuBVrEV0 +pIe3Jm7bpYEUosHQfKg7lRUZyt4Svp28yLz68XUoqlQ +-> `v$(@ ssh-ed25519 hKAFvQ CI+BwPK0Bi3U6nloqCCD2zHm18PE9R9nz/lwjymUxBs +V8Ld8sfd8TkLnQCiCmVol92WJ66+zieQvHp6sqJXyNg +-> ssh-ed25519 s9rb8g r5vaMLdo3BC/SABXlDe4Rpv+EloYcPUUvlstX7w2cRM +sXGhO1qvNd7ekeLjYvkTgowcOoyfPrLybo5/mQhf5lw +-> ssh-ed25519 yad4VQ PmFz7XS6/YHOsdtAPWK1t+FWH2uo6UEa6RdFBcDqHgE +j9rItt2NBxV3C0+/d7Q/ikfhYqPgB0ebotg9grbrjiE +-> A7t.]-grease +VAC5XDxwmwsyufHKAMzR903+xqeBzw +--- g7TlBRUIxwFAlbYfZQguaZhJoYl/2gPlUpEZfcOmI6I +̖5,~l"Kq0 !&Y>E(]ŲW+b?-8|%{cEI)CUe+vZeФ{1K=DyNvV:j$5 \ No newline at end of file