dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

nixos/shill: Add Mastodon

Browse Source
This commit is contained in:
Jack O'Sullivan
2022-11-20 02:43:48 +00:00
parent d31ec042c4
commit c42e836d52
31 changed files with 304 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
nixos/boxes/colony/vms/shill/containers/default.nix
View File

@@ -6,5 +6,6 @@
./chatterbox.nix
./jackflix
./object.nix
./toot.nix
];
}

3
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
View File

@@ -240,6 +240,9 @@
${lib.my.nginx.proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
vhost_traffic_status_zone;
map $upstream_status $nix_cache_control {

57
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
View File

@@ -42,6 +42,7 @@ let
autoindex on;
'';
};
"/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
};
in
{
@@ -299,6 +300,62 @@ in
};
useACMEHost = lib.my.pubDomain;
};
"toot.nul.ie" =
let
mkAssetLoc = name: {
tryFiles = "$uri =404";
extraConfig = ''
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
'';
};
in
{
root = "${pkgs.mastodon}/public";
locations = mkMerge [
(genAttrs [
"= /sw.js"
"~ ^/assets/"
"~ ^/avatars/"
"~ ^/emoji/"
"~ ^/headers/"
"~ ^/packs/"
"~ ^/shortcuts/"
"~ ^/sounds/"
] mkAssetLoc)
{
"/".tryFiles = "$uri @proxy";
"^~ /api/v1/streaming" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
proxy_set_header Proxy "";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
'';
};
"@proxy" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_cache CACHE;
proxy_cache_valid 200 7d;
proxy_cache_valid 410 24h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cached $upstream_cache_status;
'';
};
}
];
useACMEHost = lib.my.pubDomain;
};
};
minio =

144
nixos/boxes/colony/vms/shill/containers/toot.nix Normal file
View File

@@ -0,0 +1,144 @@
{ lib, ... }: {
nixos.systems.toot = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "toot-ctr";
domain = lib.my.colony.domain;
ipv4.address = "${lib.my.colony.start.ctrs.v4}8";
ipv6 = {
iid = "::8";
address = "${lib.my.colony.start.ctrs.v6}8";
};
};
};
configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkIf genAttrs;
inherit (lib.my) networkdAssignment;
in
{
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
files = genAttrs
(map (f: "toot/${f}") [
"postgres-password.txt"
"secret-key.txt"
"otp-secret.txt"
"vapid-key.txt"
"smtp-password.txt"
"s3-secret-key.txt"
])
(_: with config.services.mastodon; {
owner = user;
inherit group;
});
};
firewall = {
tcp.allowed = [
19999
config.services.mastodon.webPort
config.services.mastodon.streamingPort
];
};
};
systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
services = {
# No option to provide an S3 secret access key file :(
mastodon-init-dirs.script = ''
echo "AWS_SECRET_ACCESS_KEY=\""$(< ${config.age.secrets."toot/s3-secret-key.txt".path})"\"" >> /var/lib/mastodon/.secrets_env
'';
# Can't use the extraConfig because these services expect a different format for the both family bind address...
mastodon-streaming.environment.BIND = "::";
mastodon-web.environment.BIND = "[::]";
};
};
services = {
netdata.enable = true;
mastodon = mkMerge [
{
enable = true;
localDomain = "nul.ie";
extraConfig.WEB_DOMAIN = "toot.nul.ie";
secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
vapidPublicKeyFile = toString (pkgs.writeText
"vapid-pubkey.txt"
"BAyRyD2pnLQtMHr3J5AzjNMll_HDC6ra1ilOLAUmKyhkEdbm7_OwKZUgw1UefY4CHEcv4OOX9TnnN2DOYYuPZu8=");
enableUnixSocket = false;
configureNginx = false;
trustedProxy = allAssignments.middleman.internal.ipv6.address;
database = {
createLocally = false;
host = "colony-psql";
user = "mastodon";
passwordFile = config.age.secrets."toot/postgres-password.txt".path;
name = "mastodon";
};
smtp = {
createLocally = false;
fromAddress = "Mastodon <toot@nul.ie>";
host = "mail.nul.ie";
port = 587;
authenticate = true;
user = "toot@nul.ie";
passwordFile = config.age.secrets."toot/smtp-password.txt".path;
};
extraConfig.SMTP_ENABLE_STARTTLS_AUTO = "true";
redis.createLocally = true;
# TODO: Re-enable when nixpkgs is updated
#mediaAutoRemove = {
# enable = true;
# olderThanDays = 30;
#};
}
{
extraConfig = {
S3_ENABLED = "true";
S3_BUCKET = "mastodon";
AWS_ACCESS_KEY_ID = "mastodon";
S3_ENDPOINT = "https://s3.nul.ie/";
S3_REGION = "eu-central-1";
S3_PROTOCOL = "https";
S3_HOSTNAME = "mastodon.s3.nul.ie";
S3_ALIAS_HOST = "mastodon.s3.nul.ie";
};
}
];
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = with config.services.mastodon; [
{ from = "host"; guest.port = webPort; }
{ from = "host"; guest.port = streamingPort; }
];
};
})
];
};
};
}