Mastodon

2022-11-02 11:45:07 +01:00 · 2022-11-02 11:45:07 +01:00 · 6597734af7
commit 6597734af7
parent c32f685321
9 changed files with 125 additions and 0 deletions
--- a/machines/lasting-integrity/default.nix
+++ b/machines/lasting-integrity/default.nix
@ -44,6 +44,12 @@
            fast = true;
            location = "192.168.0.1";
          }
+          {
+            path = "zdata/big-apps/mastodon";
+            remotePath = "zdata/recv/lasting-integrity/big-apps/mastodon";
+            fast = true;
+            location = "192.168.0.1";
+          }
          {
            path = "zdata/big-apps/nextcloud";
            remotePath = "zdata/recv/lasting-integrity/big-apps/nextcloud";
@ -62,6 +68,7 @@
      garmin-scraper.enable = true;
      grafana.enable = true;
      mail.enable = true;
+      mastodon.enable = true;
      matrix.enable = true;
      nginx.hosts = [
        {
--- a/machines/lasting-integrity/hardware.nix
+++ b/machines/lasting-integrity/hardware.nix
@ -54,6 +54,10 @@
      device = "zdata/big-apps/influxdb2";
      fsType = "zfs";
    };
+    "/var/lib/mastodon/public-system" = {
+      device = "zdata/big-apps/mastodon";
+      fsType = "zfs";
+    };
    "/cache" = {
      device = "zroot/safe/cache";
      fsType = "zfs";
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -9,6 +9,7 @@
    ./garmin-scraper
    ./grafana
    ./mail
+    ./mastodon
    ./matrix
    ./nextcloud
    ./nginx
--- a/modules/services/mastodon/default.nix
+++ b/modules/services/mastodon/default.nix
@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+
+{
+  options.chvp.services.mastodon.enable = lib.mkOption {
+    default = false;
+    example = true;
+  };
+
+  config = lib.mkIf config.chvp.services.mastodon.enable {
+    chvp.services.nginx.hosts = [{
+      fqdn = "social.chvp.be";
+      options = {
+        root = "${pkgs.mastodon}/public/";
+        locations = {
+          "/system/".alias = "/var/lib/mastodon/public-system/";
+          "/".tryFiles = "$uri @proxy";
+          "@proxy" = {
+            proxyPass = "http://unix:/run/mastodon-web/web.socket";
+            proxyWebsockets = true;
+          };
+          "/api/v1/streaming" = {
+            proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    }];
+    users = {
+      users = {
+        mastodon.uid = 989;
+        nginx.extraGroups = [ "mastodon" ];
+      };
+      groups.mastodon.gid = 985;
+    };
+    services.mastodon = {
+      enable = true;
+      configureNginx = false;
+      localDomain = "social.chvp.be";
+      enableUnixSocket = true;
+
+      database.createLocally = true;
+      redis.createLocally = true;
+      smtp = {
+        fromAddress = "social@chvp.be";
+        createLocally = false;
+      };
+      extraConfig = {
+        SMTP_OPENSSL_VERIFY_MODE = "none";
+      };
+
+      otpSecretFile = config.age.secrets."passwords/services/mastodon/otp".path;
+      secretKeyBaseFile = config.age.secrets."passwords/services/mastodon/key".path;
+      vapidPublicKeyFile = config.age.secrets."passwords/services/mastodon/vapid-public".path;
+      vapidPrivateKeyFile = config.age.secrets."passwords/services/mastodon/vapid-private".path;
+    };
+
+    age.secrets."passwords/services/mastodon/vapid-public" = {
+      file = ../../../secrets/passwords/services/mastodon/vapid-public.age;
+      owner = "mastodon";
+    };
+    age.secrets."passwords/services/mastodon/vapid-private" = {
+      file = ../../../secrets/passwords/services/mastodon/vapid-private.age;
+      owner = "mastodon";
+    };
+    age.secrets."passwords/services/mastodon/key" = {
+      file = ../../../secrets/passwords/services/mastodon/key.age;
+      owner = "mastodon";
+    };
+    age.secrets."passwords/services/mastodon/otp" = {
+      file = ../../../secrets/passwords/services/mastodon/otp.age;
+      owner = "mastodon";
+    };
+  };
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -53,6 +53,11 @@ in

  "secrets/passwords/services/acme.age".publicKeys = servers ++ users;

+  "secrets/passwords/services/mastodon/otp.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/mastodon/key.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/mastodon/vapid-public.age".publicKeys = [ lasting-integrity ] ++ users;
+  "secrets/passwords/services/mastodon/vapid-private.age".publicKeys = [ lasting-integrity ] ++ users;
+
  "secrets/passwords/services/garmin2influx-env.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/passwords/services/grafana/smtp.age".publicKeys = [ lasting-integrity ] ++ users;
  "secrets/passwords/services/grafana/admin-password.age".publicKeys = [ lasting-integrity ] ++ users;
--- a/secrets/passwords/services/mastodon/key.age
+++ b/secrets/passwords/services/mastodon/key.age
--- a/secrets/passwords/services/mastodon/otp.age
+++ b/secrets/passwords/services/mastodon/otp.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ qUX3kbBrSvD0TpzPo1FSvj2Y0XgiRuB85hJWLnSLyCE
+xIS82BMrKIrdwyL9WmnUXu073kDrVd/R7VACiWBiiCw
+-> ssh-ed25519 s9rb8g TpqLGfeBjfK15OdnH7vWBCrwn0EbapG3joeIXi5hp18
+BuouswSPfGDMaXbpy/pC0pek66FBVBrQyFq32AxtStQ
+-> ssh-ed25519 yad4VQ 2Jq/gVbABw1+xgBOYYHMqMR4N2ZQwk9xbK3/Xar55CA
+IAbzT3BshmLho2psx08muvjc5ZU4DYpkmOkmHb7L+TI
+-> )+G8u*-grease 4 (', `F?]U 9~.V_L
+q7LbpDJis1PmlNyawx3MXxjXkrxUVBIUwoOuipvLi9TKDQ39KJxyOCIIZCIQwA
+--- iQNO5W76cfj2k8NdTPqCdJHestSwPCdHDf58p8FcihA
+Â„’éÔ$!m	‚çÍ“ÄP’SÂ1ÿ$ÄÐõ¼•¬qp×ûf]5)<29>8+í$Ûn¢<6E>lçCjkËX‹<58>ÿÁWU‚/åÉnHÕƒˆ$¦ÁÈÿ%YÑ@ÙûSX7×«´ž7ÉâÐð:h½ÐW¼2ã´{pÐôË=<3D>½ÿ •G9Í3Âk€?þÁVl>†ÌlúŸ'.¹¬¯ˆ†Î$0iâ5Æk
--- a/secrets/passwords/services/mastodon/vapid-private.age
+++ b/secrets/passwords/services/mastodon/vapid-private.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ dHxud0szOg7zaxwddGG1nUxCEny5jxKyQdYT7q/LGB8
+AO+kc43zv9MBwAvrq3DSSeGGYoY8gSUaN3drhNN4OWQ
+-> ssh-ed25519 s9rb8g JTm3AwLa4IO+rpWKA3J7yxk0vc4TRgSjk6j07XbNlyE
+RDIeGxXne8byHbbil4zUOqKa4a96Woo5JT84Ui7KFdE
+-> ssh-ed25519 yad4VQ RkizLgPPmAcyLRfRNrZZ83i9k1R8tRrfyH7AuBVrEV0
+pIe3Jm7bpYEUosHQfKg7lRUZyt4Svp28yLz68XUoqlQ
+-> `v$(@<Ud-grease | n[SSES [f*n{KB.
+ZfJDK2yqb6EzTU8YMC8BNlfb5d+ARkfDgbCxLj9K4RE8LVP+AbxakGFi3yfqudsU
+hKIXkY5KLcROde1/0JxxC14da0GbuhQg
+--- JA0bFHlGA7JmzmHALLBuvne23JP8vtOjgNotc5jPhyA
+óhGˆº<EFBFBD>®MÿOŸTK	ó•¥{ûy¾®.ÜÛÈ&BûÇ²OêËK£\äïC<C3AF>÷U<C3B7>zï(^gÈ¸gñZ¬)ý3¿wÃ%¢€Ï+È
--- a/secrets/passwords/services/mastodon/vapid-public.age
+++ b/secrets/passwords/services/mastodon/vapid-public.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 hKAFvQ CI+BwPK0Bi3U6nloqCCD2zHm18PE9R9nz/lwjymUxBs
+V8Ld8sfd8TkLnQCiCmVol92WJ66+zieQvHp6sqJXyNg
+-> ssh-ed25519 s9rb8g r5vaMLdo3BC/SABXlDe4Rpv+EloYcPUUvlstX7w2cRM
+sXGhO1qvNd7ekeLjYvkTgowcOoyfPrLybo5/mQhf5lw
+-> ssh-ed25519 yad4VQ PmFz7XS6/YHOsdtAPWK1t+FWH2uo6UEa6RdFBcDqHgE
+j9rItt2NBxV3C0+/d7Q/ikfhYqPgB0ebotg9grbrjiE
+-> A7t.]-grease
+VAC5XDxwmwsyufHKAMzR903+xqeBzw
+--- g7TlBRUIxwFAlbYfZQguaZhJoYl/2gPlUpEZfcOmI6I
+Ì–½5ÑÍ×,~êl’"Kqýé0!ñ„&ÚÍY>²îÓäE(]Å²Wé+²Ž¿<C5BD>bæÑý?-8|Ý%{¼cE’°ø™ÆúòIŸ˜)CÚÄçU¦‰öe+¬vÀZeÐ¤ó{¤Ñ1¼ŒõK=Dy¤†Nv¨ÊÀÄV:’j¹$5