nixfiles/nixos/boxes/colony/vms/shill/containers/toot.nix

{ lib, ... }:
let
  inherit (lib) mkForce;
  inherit (lib.my) net;
  inherit (lib.my.c.colony) domain prefixes;
in
{
  nixos.systems.toot = { config, ... }: {
    system = "x86_64-linux";
    nixpkgs = "mine";
    rendered = config.configuration.config.my.asContainer;

    assignments = {
      internal = {
        name = "toot-ctr";
        inherit domain;
        ipv4.address = net.cidr.host 8 prefixes.ctrs.v4;
        ipv6 = {
          iid = "::8";
          address = net.cidr.host 8 prefixes.ctrs.v6;
        };
      };
    };

    configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
    let
      inherit (lib) mkMerge mkIf genAttrs;
      inherit (lib.my) networkdAssignment systemdAwaitPostgres;
    in
    {
      config = mkMerge [
        {
          my = {
            deploy.enable = false;
            server.enable = true;

            secrets = {
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
              files = genAttrs
                (map (f: "toot/${f}") [
                  "postgres-password.txt"
                  "secret-key.txt"
                  "otp-secret.txt"
                  "vapid-key.txt"
                  "smtp-password.txt"
                  "s3-secret-key.txt"
                ])
                (_: with config.services.mastodon; {
                  owner = user;
                  inherit group;
                });
            };

            firewall = {
              tcp.allowed = [
                19999

                "http"
              ];
            };
          };

          systemd = {
            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
            services = {
              # No option to provide an S3 secret access key file :(
              mastodon-init-dirs.script = ''
                echo "AWS_SECRET_ACCESS_KEY=\""$(< ${config.age.secrets."toot/s3-secret-key.txt".path})"\"" >> /var/lib/mastodon/.secrets_env
              '';
              mastodon-init-db = systemdAwaitPostgres pkgs.postgresql "colony-psql";

              # Can't use the extraConfig because these services expect a different format for the both family bind address...
              mastodon-streaming.environment.BIND = "::";
              mastodon-web.environment.BIND = "[::]";
            };
          };

          services = {
            netdata.enable = true;
            mastodon = mkMerge [
              rec {
                enable = true;
                localDomain = extraConfig.WEB_DOMAIN; # for nginx config
                extraConfig = {
                  LOCAL_DOMAIN = "nul.ie";
                  WEB_DOMAIN = "toot.nul.ie";
                };

                secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
                otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
                vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
                vapidPublicKeyFile = toString (pkgs.writeText
                  "vapid-pubkey.txt"
                  "BAyRyD2pnLQtMHr3J5AzjNMll_HDC6ra1ilOLAUmKyhkEdbm7_OwKZUgw1UefY4CHEcv4OOX9TnnN2DOYYuPZu8=");

                streamingProcesses = 4;
                configureNginx = true;

                database = {
                  createLocally = false;
                  host = "colony-psql";
                  user = "mastodon";
                  passwordFile = config.age.secrets."toot/postgres-password.txt".path;
                  name = "mastodon";
                };

                smtp = {
                  createLocally = false;
                  fromAddress = "Mastodon <toot@nul.ie>";
                  host = "mail.nul.ie";
                  port = 587;
                  authenticate = true;
                  user = "toot@nul.ie";
                  passwordFile = config.age.secrets."toot/smtp-password.txt".path;
                };
                extraConfig.SMTP_ENABLE_STARTTLS_AUTO = "true";

                redis.createLocally = true;

                mediaAutoRemove = {
                  enable = true;
                  olderThanDays = 30;
                };
              }
              {
                extraConfig = {
                  S3_ENABLED = "true";
                  S3_BUCKET = "mastodon";
                  AWS_ACCESS_KEY_ID = "mastodon";
                  S3_ENDPOINT = "https://s3.nul.ie/";
                  S3_REGION = "eu-central-1";
                  S3_PROTOCOL = "https";
                  S3_HOSTNAME = "mastodon.s3.nul.ie";

                  S3_ALIAS_HOST = "mastodon.s3.nul.ie";
                };
              }
            ];

            # Override some stuff since we are proxying upstream
            nginx = {
              recommendedProxySettings = mkForce false;
              virtualHosts."${config.services.mastodon.localDomain}" =
              let
                extraConfig = ''
                  proxy_set_header Host $host;
                '';
              in
              {
                forceSSL = false;
                enableACME = false;
                locations = {
                  "@proxy" = { inherit extraConfig; };
                  "/api/v1/streaming/" = { inherit extraConfig; };
                };
              };
            };
          };
        }
        (mkIf config.my.build.isDevVM {
          virtualisation = {
            forwardPorts = with config.services.mastodon; [
              { from = "host"; guest.port = webPort; }
            ];
          };
        })
      ];
    };
  };
}
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`{ lib, ... }:`
			`let`
Upgrade nixpkgs and NixOS stable to 23.11 2023-12-03 15:06:11 +00:00			`inherit (lib) mkForce;`
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`inherit (lib.my) net;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`inherit (lib.my.c.colony) domain prefixes;`
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`in`
			`{`
Update nixosConfigurations to reference a preferred default config 2023-11-16 21:42:30 +00:00			`nixos.systems.toot = { config, ... }: {`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`system = "x86_64-linux";`
			`nixpkgs = "mine";`
Update nixosConfigurations to reference a preferred default config 2023-11-16 21:42:30 +00:00			`rendered = config.configuration.config.my.asContainer;`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00
			`assignments = {`
			`internal = {`
			`name = "toot-ctr";`
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`inherit domain;`
			`ipv4.address = net.cidr.host 8 prefixes.ctrs.v4;`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`ipv6 = {`
			`iid = "::8";`
nixos: Add actual IP / CIDR calculation 2023-05-27 16:57:28 +01:00			`address = net.cidr.host 8 prefixes.ctrs.v6;`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`};`
			`};`
			`};`

			`configuration = { lib, pkgs, config, assignments, allAssignments, ... }:`
			`let`
nixos/{object,toot}: Ensure postgres is accessible on service start 2023-02-19 17:39:15 +00:00			`inherit (lib) mkMerge mkIf genAttrs;`
			`inherit (lib.my) networkdAssignment systemdAwaitPostgres;`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`in`
			`{`
			`config = mkMerge [`
			`{`
			`my = {`
			`deploy.enable = false;`
			`server.enable = true;`

			`secrets = {`
			`key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";`
			`files = genAttrs`
			`(map (f: "toot/${f}") [`
			`"postgres-password.txt"`
			`"secret-key.txt"`
			`"otp-secret.txt"`
			`"vapid-key.txt"`
			`"smtp-password.txt"`
			`"s3-secret-key.txt"`
			`])`
			`(_: with config.services.mastodon; {`
			`owner = user;`
			`inherit group;`
			`});`
			`};`

			`firewall = {`
			`tcp.allowed = [`
			`19999`

Upgrade nixpkgs and NixOS stable to 23.11 2023-12-03 15:06:11 +00:00			`"http"`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`];`
			`};`
			`};`

			`systemd = {`
			`network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;`
			`services = {`
			`# No option to provide an S3 secret access key file :(`
			`mastodon-init-dirs.script = ''`
			`echo "AWS_SECRET_ACCESS_KEY=\""$(< ${config.age.secrets."toot/s3-secret-key.txt".path})"\"" >> /var/lib/mastodon/.secrets_env`
			`'';`
nixos/{object,toot}: Ensure postgres is accessible on service start 2023-02-19 17:39:15 +00:00			`mastodon-init-db = systemdAwaitPostgres pkgs.postgresql "colony-psql";`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00
			`# Can't use the extraConfig because these services expect a different format for the both family bind address...`
			`mastodon-streaming.environment.BIND = "::";`
			`mastodon-web.environment.BIND = "[::]";`
			`};`
			`};`

			`services = {`
			`netdata.enable = true;`
			`mastodon = mkMerge [`
Upgrade nixpkgs and NixOS stable to 23.11 2023-12-03 15:06:11 +00:00			`rec {`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`enable = true;`
Upgrade nixpkgs and NixOS stable to 23.11 2023-12-03 15:06:11 +00:00			`localDomain = extraConfig.WEB_DOMAIN; # for nginx config`
			`extraConfig = {`
			`LOCAL_DOMAIN = "nul.ie";`
			`WEB_DOMAIN = "toot.nul.ie";`
			`};`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00
			`secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;`
			`otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;`
			`vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;`
			`vapidPublicKeyFile = toString (pkgs.writeText`
			`"vapid-pubkey.txt"`
			`"BAyRyD2pnLQtMHr3J5AzjNMll_HDC6ra1ilOLAUmKyhkEdbm7_OwKZUgw1UefY4CHEcv4OOX9TnnN2DOYYuPZu8=");`

Upgrade nixpkgs and NixOS stable to 23.11 2023-12-03 15:06:11 +00:00			`streamingProcesses = 4;`
			`configureNginx = true;`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00
			`database = {`
			`createLocally = false;`
			`host = "colony-psql";`
			`user = "mastodon";`
			`passwordFile = config.age.secrets."toot/postgres-password.txt".path;`
			`name = "mastodon";`
			`};`

			`smtp = {`
			`createLocally = false;`
			`fromAddress = "Mastodon <toot@nul.ie>";`
			`host = "mail.nul.ie";`
			`port = 587;`
			`authenticate = true;`
			`user = "toot@nul.ie";`
			`passwordFile = config.age.secrets."toot/smtp-password.txt".path;`
			`};`
			`extraConfig.SMTP_ENABLE_STARTTLS_AUTO = "true";`

			`redis.createLocally = true;`

Update nixpkgs and home-manager 2022-11-20 04:44:22 +00:00			`mediaAutoRemove = {`
			`enable = true;`
			`olderThanDays = 30;`
			`};`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`}`
			`{`
			`extraConfig = {`
			`S3_ENABLED = "true";`
			`S3_BUCKET = "mastodon";`
			`AWS_ACCESS_KEY_ID = "mastodon";`
			`S3_ENDPOINT = "https://s3.nul.ie/";`
			`S3_REGION = "eu-central-1";`
			`S3_PROTOCOL = "https";`
			`S3_HOSTNAME = "mastodon.s3.nul.ie";`

			`S3_ALIAS_HOST = "mastodon.s3.nul.ie";`
			`};`
			`}`
			`];`
Upgrade nixpkgs and NixOS stable to 23.11 2023-12-03 15:06:11 +00:00
			`# Override some stuff since we are proxying upstream`
			`nginx = {`
			`recommendedProxySettings = mkForce false;`
			`virtualHosts."${config.services.mastodon.localDomain}" =`
			`let`
			`extraConfig = ''`
			`proxy_set_header Host $host;`
			`'';`
			`in`
			`{`
			`forceSSL = false;`
			`enableACME = false;`
			`locations = {`
			`"@proxy" = { inherit extraConfig; };`
			`"/api/v1/streaming/" = { inherit extraConfig; };`
			`};`
			`};`
			`};`
nixos/shill: Add Mastodon 2022-11-20 02:43:48 +00:00			`};`
			`}`
			`(mkIf config.my.build.isDevVM {`
			`virtualisation = {`
			`forwardPorts = with config.services.mastodon; [`
			`{ from = "host"; guest.port = webPort; }`
			`];`
			`};`
			`})`
			`];`
			`};`
			`};`
			`}`