nixos/shill: Add Mastodon
		@@ -6,5 +6,6 @@
 | 
			
		||||
    ./chatterbox.nix
 | 
			
		||||
    ./jackflix
 | 
			
		||||
    ./object.nix
 | 
			
		||||
    ./toot.nix
 | 
			
		||||
  ];
 | 
			
		||||
}
 | 
			
		||||
 
 | 
			
		||||
@@ -240,6 +240,9 @@
 | 
			
		||||
 | 
			
		||||
                ${lib.my.nginx.proxyHeaders}
 | 
			
		||||
 | 
			
		||||
                # caching
 | 
			
		||||
                proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
 | 
			
		||||
 | 
			
		||||
                vhost_traffic_status_zone;
 | 
			
		||||
 | 
			
		||||
                map $upstream_status $nix_cache_control {
 | 
			
		||||
 
 | 
			
		||||
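Review bot: The `# caching` comment above `proxy_cache_path` does not say which vhost consumes the `CACHE` zone, and the zone is declared here but only referenced from the `@proxy` location of the new toot.nul.ie vhost elsewhere in this commit; `# caching: the CACHE zone is used by the toot.nul.ie @proxy location` would make that dependency visible to anyone later trimming this block. The directive also assumes /var/cache/nginx exists and is writable by the nginx user when the first cacheable response arrives; the tmproot change in this commit excludes that path from the unsaved check, which suggests it is recreated on every boot, but the mechanism that creates it is not in this diff. The enclosing http-level config block starts and ends outside the hunk.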
@@ -42,6 +42,7 @@ let
 | 
			
		||||
        autoindex on;
 | 
			
		||||
      '';
 | 
			
		||||
    };
 | 
			
		||||
    "/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
 | 
			
		||||
  };
 | 
			
		||||
in
 | 
			
		||||
{
 | 
			
		||||
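Review bot: The webfinger redirect deserves a comment explaining why it exists, because a reader of this vhost cannot tell that the Mastodon container sets `localDomain = "nul.ie"` while serving from `WEB_DOMAIN = "toot.nul.ie"`; something like `# Mastodon LOCAL_DOMAIN is nul.ie but WEB_DOMAIN is toot.nul.ie, so account lookups for @user@nul.ie must be redirected to the web host` would do. Using `$request_uri` rather than `$uri` is the right choice since it preserves the `?resource=acct:...` query string the lookup carries, and that is worth stating in the same comment so nobody "simplifies" it. The enclosing let-binding starts outside the hunk.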
@@ -299,6 +300,62 @@ in
 | 
			
		||||
        };
 | 
			
		||||
        useACMEHost = lib.my.pubDomain;
 | 
			
		||||
      };
 | 
			
		||||
 | 
			
		||||
      "toot.nul.ie" =
 | 
			
		||||
      let
 | 
			
		||||
        mkAssetLoc = name: {
 | 
			
		||||
          tryFiles = "$uri =404";
 | 
			
		||||
          extraConfig = ''
 | 
			
		||||
            add_header Cache-Control "public, max-age=2419200, must-revalidate";
 | 
			
		||||
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 | 
			
		||||
          '';
 | 
			
		||||
        };
 | 
			
		||||
      in
 | 
			
		||||
      {
 | 
			
		||||
        root = "${pkgs.mastodon}/public";
 | 
			
		||||
        locations = mkMerge [
 | 
			
		||||
          (genAttrs [
 | 
			
		||||
            "= /sw.js"
 | 
			
		||||
            "~ ^/assets/"
 | 
			
		||||
            "~ ^/avatars/"
 | 
			
		||||
            "~ ^/emoji/"
 | 
			
		||||
            "~ ^/headers/"
 | 
			
		||||
            "~ ^/packs/"
 | 
			
		||||
            "~ ^/shortcuts/"
 | 
			
		||||
            "~ ^/sounds/"
 | 
			
		||||
          ] mkAssetLoc)
 | 
			
		||||
          {
 | 
			
		||||
            "/".tryFiles = "$uri @proxy";
 | 
			
		||||
 | 
			
		||||
            "^~ /api/v1/streaming" = {
 | 
			
		||||
              proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
 | 
			
		||||
              proxyWebsockets = true;
 | 
			
		||||
              extraConfig = ''
 | 
			
		||||
                ${lib.my.nginx.proxyHeaders}
 | 
			
		||||
                proxy_set_header Proxy "";
 | 
			
		||||
 | 
			
		||||
                add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 | 
			
		||||
              '';
 | 
			
		||||
            };
 | 
			
		||||
            "@proxy" = {
 | 
			
		||||
              proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
 | 
			
		||||
              proxyWebsockets = true;
 | 
			
		||||
              extraConfig = ''
 | 
			
		||||
                ${lib.my.nginx.proxyHeaders}
 | 
			
		||||
                proxy_set_header Proxy "";
 | 
			
		||||
                proxy_pass_header Server;
 | 
			
		||||
 | 
			
		||||
                proxy_cache CACHE;
 | 
			
		||||
                proxy_cache_valid 200 7d;
 | 
			
		||||
                proxy_cache_valid 410 24h;
 | 
			
		||||
                proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
 | 
			
		||||
                add_header X-Cached $upstream_cache_status;
 | 
			
		||||
              '';
 | 
			
		||||
            };
 | 
			
		||||
          }
 | 
			
		||||
        ];
 | 
			
		||||
        useACMEHost = lib.my.pubDomain;
 | 
			
		||||
      };
 | 
			
		||||
    };
 | 
			
		||||
 | 
			
		||||
    minio =
 | 
			
		||||
 
 | 
			
		||||
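Review bot: The `@proxy` location is the one block in this vhost that does not repeat `add_header Strict-Transport-Security ...`, and because it declares `add_header X-Cached $upstream_cache_status;` nginx will not inherit any server-level `add_header` into it (add_header is only inherited when the current level declares none), so HTML and API responses proxied to port 55001 leave without an nginx-supplied HSTS header unless the application emits it. Adding `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";` beside the X-Cached line, matching the asset and streaming locations, closes that gap. The cache directives in the same block set no `proxy_no_cache`/`proxy_cache_bypass`, so keeping per-user responses out of `CACHE` rests entirely on the upstream Cache-Control/Set-Cookie headers that nginx honours by default; a one-line comment stating that assumption would help the next reader. The surrounding virtualHosts attrset starts and ends outside the hunk.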
							
								
								
									
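--- /dev/null
+++ b/nixos/boxes/colony/vms/shill/containers/toot.nix
@@ -0,0 +1,144 @@
+{ lib, ... }: {
+  nixos.systems.toot = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "toot-ctr";
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.ctrs.v4}8";
+        ipv6 = {
+          iid = "::8";
+          address = "${lib.my.colony.start.ctrs.v6}8";
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
+    let
+      inherit (lib) mkMerge mkIf genAttrs;
+      inherit (lib.my) networkdAssignment;
+    in
+    {
+      config = mkMerge [
+        {
+          my = {
+            deploy.enable = false;
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
+              files = genAttrs
+                (map (f: "toot/${f}") [
+                  "postgres-password.txt"
+                  "secret-key.txt"
+                  "otp-secret.txt"
+                  "vapid-key.txt"
+                  "smtp-password.txt"
+                  "s3-secret-key.txt"
+                ])
+                (_: with config.services.mastodon; {
+                  owner = user;
+                  inherit group;
+                });
+            };
+
+            firewall = {
+              tcp.allowed = [
+                19999
+
+                config.services.mastodon.webPort
+                config.services.mastodon.streamingPort
+              ];
+            };
+          };
+
+          systemd = {
+            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+            services = {
+              # No option to provide an S3 secret access key file :(
+              mastodon-init-dirs.script = ''
+                echo "AWS_SECRET_ACCESS_KEY=\""$(< ${config.age.secrets."toot/s3-secret-key.txt".path})"\"" >> /var/lib/mastodon/.secrets_env
+              '';
+
+              # Can't use the extraConfig because these services expect a different format for the both family bind address...
+              mastodon-streaming.environment.BIND = "::";
+              mastodon-web.environment.BIND = "[::]";
+            };
+          };
+
+          services = {
+            netdata.enable = true;
+            mastodon = mkMerge [
+              {
+                enable = true;
+                localDomain = "nul.ie";
+                extraConfig.WEB_DOMAIN = "toot.nul.ie";
+
+                secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
+                otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
+                vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
+                vapidPublicKeyFile = toString (pkgs.writeText
+                  "vapid-pubkey.txt"
+                  "BAyRyD2pnLQtMHr3J5AzjNMll_HDC6ra1ilOLAUmKyhkEdbm7_OwKZUgw1UefY4CHEcv4OOX9TnnN2DOYYuPZu8=");
+
+                enableUnixSocket = false;
+                configureNginx = false;
+                trustedProxy = allAssignments.middleman.internal.ipv6.address;
+
+                database = {
+                  createLocally = false;
+                  host = "colony-psql";
+                  user = "mastodon";
+                  passwordFile = config.age.secrets."toot/postgres-password.txt".path;
+                  name = "mastodon";
+                };
+
+                smtp = {
+                  createLocally = false;
+                  fromAddress = "Mastodon <toot@nul.ie>";
+                  host = "mail.nul.ie";
+                  port = 587;
+                  authenticate = true;
+                  user = "toot@nul.ie";
+                  passwordFile = config.age.secrets."toot/smtp-password.txt".path;
+                };
+                extraConfig.SMTP_ENABLE_STARTTLS_AUTO = "true";
+
+                redis.createLocally = true;
+
+                # TODO: Re-enable when nixpkgs is updated
+                #mediaAutoRemove = {
+                #  enable = true;
+                #  olderThanDays = 30;
+                #};
+              }
+              {
+                extraConfig = {
+                  S3_ENABLED = "true";
+                  S3_BUCKET = "mastodon";
+                  AWS_ACCESS_KEY_ID = "mastodon";
+                  S3_ENDPOINT = "https://s3.nul.ie/";
+                  S3_REGION = "eu-central-1";
+                  S3_PROTOCOL = "https";
+                  S3_HOSTNAME = "mastodon.s3.nul.ie";
+
+                  S3_ALIAS_HOST = "mastodon.s3.nul.ie";
+                };
+              }
+            ];
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = with config.services.mastodon; [
+              { from = "host"; guest.port = webPort; }
+              { from = "host"; guest.port = streamingPort; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}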
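Review bot: In `mastodon-init-dirs.script` the command substitution sits between two quoted fragments (`\""$(< …)"\""`), so the secret value is subject to word splitting and pathname expansion before it is echoed, and the `>>` append writes a fresh `AWS_SECRET_ACCESS_KEY=` line on every service start; whether that accumulates depends on the NixOS module's own init-dirs script truncating `.secrets_env` first, which this file does not show. `echo "AWS_SECRET_ACCESS_KEY=\"$(< ${config.age.secrets."toot/s3-secret-key.txt".path})\"" >> /var/lib/mastodon/.secrets_env` keeps the value inside a single quoted string. Separately, `trustedProxy` names only middleman's IPv6 address while `mastodon-web` and `mastodon-streaming` bind dual-stack on `[::]`/`::`; if the reverse proxy ever reaches this container over IPv4, X-Forwarded-For would be discarded and every request would be attributed to the proxy, so a comment stating that the proxy must connect over v6 (or listing both addresses) is worth adding.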
@@ -155,6 +155,7 @@
 | 
			
		||||
                      "/mnt/minio".readOnly = false;
 | 
			
		||||
                    };
 | 
			
		||||
                  };
 | 
			
		||||
                  toot = {};
 | 
			
		||||
                };
 | 
			
		||||
              in
 | 
			
		||||
              mkMerge [
 | 
			
		||||
 
 | 
			
		||||
@@ -189,6 +189,12 @@ in
 | 
			
		||||
    (mkIf config.services.resolved.enable {
 | 
			
		||||
      my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ];
 | 
			
		||||
    })
 | 
			
		||||
    (mkIf config.services.nginx.enable {
 | 
			
		||||
      my.tmproot.unsaved.ignore = [ "/var/cache/nginx" ];
 | 
			
		||||
    })
 | 
			
		||||
    (mkIf config.services.mastodon.enable {
 | 
			
		||||
      my.tmproot.unsaved.ignore = [ "/var/lib/mastodon/.secrets_env" ];
 | 
			
		||||
    })
 | 
			
		||||
    (mkIf config.my.build.isDevVM {
 | 
			
		||||
      my.tmproot.unsaved.ignore = [ "/nix" ];
 | 
			
		||||
 | 
			
		||||
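Review bot: The new `mkIf config.services.mastodon.enable` entry excludes `/var/lib/mastodon/.secrets_env` from the unsaved-files check without saying why; a comment such as `# Rewritten from the agenix secrets by mastodon-init-dirs on each start (the toot container appends the S3 key there), so it must not be persisted` would spare the next reader a trip to the module source. The `/var/cache/nginx` entry just above it deserves the same treatment, since it exists only because the nginx proxy cache added in this commit lives there and is safe to lose on reboot. The enclosing mkMerge list starts and ends outside the hunk.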
@@ -366,6 +372,20 @@ in
 | 
			
		||||
          };
 | 
			
		||||
        };
 | 
			
		||||
      })
 | 
			
		||||
      (mkIf config.services.mastodon.enable {
 | 
			
		||||
        my.tmproot.persistence.config.directories = with config.services.mastodon; [
 | 
			
		||||
          {
 | 
			
		||||
            directory = "/var/lib/mastodon/public-system";
 | 
			
		||||
            inherit user group;
 | 
			
		||||
          }
 | 
			
		||||
          {
 | 
			
		||||
            directory = "/var/lib/redis-mastodon";
 | 
			
		||||
            mode = "700";
 | 
			
		||||
            user = "redis-mastodon";
 | 
			
		||||
            group = "redis-mastodon";
 | 
			
		||||
          }
 | 
			
		||||
        ];
 | 
			
		||||
      })
 | 
			
		||||
    ]))
 | 
			
		||||
  ]);
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
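Review bot: The second persistence entry hard-codes `user = "redis-mastodon"; group = "redis-mastodon";` while the entry above it takes `user`/`group` from `config.services.mastodon` via `with`; reading the user from `config.services.redis.servers.mastodon.user` (and the group from the matching option, if the Redis module exposes one) would keep the two entries in step if the instance name or service user ever changes. That the Mastodon module names its local Redis server `mastodon` is inferred from the `/var/lib/redis-mastodon` path and `redis.createLocally = true` in the new container, not from anything in this diff, so confirm before switching. The enclosing mkMerge list starts outside the hunk.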