nixos/shill: Add Mastodon

nixos/boxes/colony/vms/shill/containers/default.nix

@@ -6,5 +6,6 @@
     ./chatterbox.nix
     ./jackflix
     ./object.nix
+    ./toot.nix
   ];
 }

nixos/boxes/colony/vms/shill/containers/middleman/default.nix

@@ -240,6 +240,9 @@
 
                 ${lib.my.nginx.proxyHeaders}
 
+                # caching
+                proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
+
                 vhost_traffic_status_zone;
 
                 map $upstream_status $nix_cache_control {

nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

@@ -42,6 +42,7 @@ let
         autoindex on;
       '';
     };
+    "/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
   };
 in
 {
@@ -299,6 +300,62 @@ in
         };
         useACMEHost = lib.my.pubDomain;
       };
+
+      "toot.nul.ie" =
+      let
+        mkAssetLoc = name: {
+          tryFiles = "$uri =404";
+          extraConfig = ''
+            add_header Cache-Control "public, max-age=2419200, must-revalidate";
+            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+          '';
+        };
+      in
+      {
+        root = "${pkgs.mastodon}/public";
+        locations = mkMerge [
+          (genAttrs [
+            "= /sw.js"
+            "~ ^/assets/"
+            "~ ^/avatars/"
+            "~ ^/emoji/"
+            "~ ^/headers/"
+            "~ ^/packs/"
+            "~ ^/shortcuts/"
+            "~ ^/sounds/"
+          ] mkAssetLoc)
+          {
+            "/".tryFiles = "$uri @proxy";
+
+            "^~ /api/v1/streaming" = {
+              proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
+              proxyWebsockets = true;
+              extraConfig = ''
+                ${lib.my.nginx.proxyHeaders}
+                proxy_set_header Proxy "";
+
+                add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+              '';
+            };
+            "@proxy" = {
+              proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
+              proxyWebsockets = true;
+              extraConfig = ''
+                ${lib.my.nginx.proxyHeaders}
+                proxy_set_header Proxy "";
+                proxy_pass_header Server;
+
+                proxy_cache CACHE;
+                proxy_cache_valid 200 7d;
+                proxy_cache_valid 410 24h;
+                proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+                add_header X-Cached $upstream_cache_status;
+              '';
+            };
+          }
+        ];
+        useACMEHost = lib.my.pubDomain;
+      };
     };
 
     minio =

nixos/boxes/colony/vms/shill/containers/toot.nix

@@ -0,0 +1,144 @@
+{ lib, ... }: {
+  nixos.systems.toot = {
+    system = "x86_64-linux";
+    nixpkgs = "mine";
+
+    assignments = {
+      internal = {
+        name = "toot-ctr";
+        domain = lib.my.colony.domain;
+        ipv4.address = "${lib.my.colony.start.ctrs.v4}8";
+        ipv6 = {
+          iid = "::8";
+          address = "${lib.my.colony.start.ctrs.v6}8";
+        };
+      };
+    };
+
+    configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
+    let
+      inherit (lib) mkMerge mkIf genAttrs;
+      inherit (lib.my) networkdAssignment;
+    in
+    {
+      config = mkMerge [
+        {
+          my = {
+            deploy.enable = false;
+            server.enable = true;
+
+            secrets = {
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
+              files = genAttrs
+                (map (f: "toot/${f}") [
+                  "postgres-password.txt"
+                  "secret-key.txt"
+                  "otp-secret.txt"
+                  "vapid-key.txt"
+                  "smtp-password.txt"
+                  "s3-secret-key.txt"
+                ])
+                (_: with config.services.mastodon; {
+                  owner = user;
+                  inherit group;
+                });
+            };
+
+            firewall = {
+              tcp.allowed = [
+                19999
+
+                config.services.mastodon.webPort
+                config.services.mastodon.streamingPort
+              ];
+            };
+          };
+
+          systemd = {
+            network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
+            services = {
+              # No option to provide an S3 secret access key file :(
+              mastodon-init-dirs.script = ''
+                echo "AWS_SECRET_ACCESS_KEY=\""$(< ${config.age.secrets."toot/s3-secret-key.txt".path})"\"" >> /var/lib/mastodon/.secrets_env
+              '';
+
+              # Can't use the extraConfig because these services expect a different format for the both family bind address...
+              mastodon-streaming.environment.BIND = "::";
+              mastodon-web.environment.BIND = "[::]";
+            };
+          };
+
+          services = {
+            netdata.enable = true;
+            mastodon = mkMerge [
+              {
+                enable = true;
+                localDomain = "nul.ie";
+                extraConfig.WEB_DOMAIN = "toot.nul.ie";
+
+                secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
+                otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
+                vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
+                vapidPublicKeyFile = toString (pkgs.writeText
+                  "vapid-pubkey.txt"
+                  "BAyRyD2pnLQtMHr3J5AzjNMll_HDC6ra1ilOLAUmKyhkEdbm7_OwKZUgw1UefY4CHEcv4OOX9TnnN2DOYYuPZu8=");
+
+                enableUnixSocket = false;
+                configureNginx = false;
+                trustedProxy = allAssignments.middleman.internal.ipv6.address;
+
+                database = {
+                  createLocally = false;
+                  host = "colony-psql";
+                  user = "mastodon";
+                  passwordFile = config.age.secrets."toot/postgres-password.txt".path;
+                  name = "mastodon";
+                };
+
+                smtp = {
+                  createLocally = false;
+                  fromAddress = "Mastodon <toot@nul.ie>";
+                  host = "mail.nul.ie";
+                  port = 587;
+                  authenticate = true;
+                  user = "toot@nul.ie";
+                  passwordFile = config.age.secrets."toot/smtp-password.txt".path;
+                };
+                extraConfig.SMTP_ENABLE_STARTTLS_AUTO = "true";
+
+                redis.createLocally = true;
+
+                # TODO: Re-enable when nixpkgs is updated
+                #mediaAutoRemove = {
+                #  enable = true;
+                #  olderThanDays = 30;
+                #};
+              }
+              {
+                extraConfig = {
+                  S3_ENABLED = "true";
+                  S3_BUCKET = "mastodon";
+                  AWS_ACCESS_KEY_ID = "mastodon";
+                  S3_ENDPOINT = "https://s3.nul.ie/";
+                  S3_REGION = "eu-central-1";
+                  S3_PROTOCOL = "https";
+                  S3_HOSTNAME = "mastodon.s3.nul.ie";
+
+                  S3_ALIAS_HOST = "mastodon.s3.nul.ie";
+                };
+              }
+            ];
+          };
+        }
+        (mkIf config.my.build.isDevVM {
+          virtualisation = {
+            forwardPorts = with config.services.mastodon; [
+              { from = "host"; guest.port = webPort; }
+              { from = "host"; guest.port = streamingPort; }
+            ];
+          };
+        })
+      ];
+    };
+  };
+}

nixos/boxes/colony/vms/shill/default.nix

@@ -155,6 +155,7 @@
                       "/mnt/minio".readOnly = false;
                     };
                   };
+                  toot = {};
                 };
               in
               mkMerge [

nixos/modules/tmproot.nix

@@ -189,6 +189,12 @@ in
     (mkIf config.services.resolved.enable {
       my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ];
     })
+    (mkIf config.services.nginx.enable {
+      my.tmproot.unsaved.ignore = [ "/var/cache/nginx" ];
+    })
+    (mkIf config.services.mastodon.enable {
+      my.tmproot.unsaved.ignore = [ "/var/lib/mastodon/.secrets_env" ];
+    })
     (mkIf config.my.build.isDevVM {
       my.tmproot.unsaved.ignore = [ "/nix" ];
 
@@ -366,6 +372,20 @@ in
           };
         };
       })
+      (mkIf config.services.mastodon.enable {
+        my.tmproot.persistence.config.directories = with config.services.mastodon; [
+          {
+            directory = "/var/lib/mastodon/public-system";
+            inherit user group;
+          }
+          {
+            directory = "/var/lib/redis-mastodon";
+            mode = "700";
+            user = "redis-mastodon";
+            group = "redis-mastodon";
+          }
+        ];
+      })
     ]))
   ]);
 

secrets/estuary/netdata/powerdns.conf.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw iETDBtdye4piq/xqWpbInrU2FOPEEKea4k4lVzAwSjo
+-> ssh-ed25519 n8CpUw 3b8J/xL277WAajHymjDJobariLmoDAhUyQpLdB9cfXo
-azZL62Gq2MZP8ix0HiySJvAD6cAHkL3Be20We8OQQM4
+i3vbIUk+NawecuYN24PYPkeCcPU6tcSv2uyeThUXLxM
--> X25519 NRs9OnWiXplaM8CnZqmOUNsPThBOIEsnr9FDzMrlVDI
+-> X25519 e7KpW0DuROUPbJnwH9bmuukI4CssFChIlGiQZ9eJ2m8
-ZTXNz2tHYMEbkOKMMmu7IPoAq6Bivn0iyso5dGi/aew
+95FinF9t9H14AaWEsZrboHvVjDpawT438N8x0u9aqEM
--> C%.jkH-grease 47
+-> SQ-grease yKgA| >{Zf` %\ }#]TR;rx
-ZZhoIPOgltI7bYaGSDHUQLU
+ufI0F4kKHxaxb6ulmD2nwef1y9I
---- IOE3R6sGvuDXeUyYtGuf5DDEMIzBjAEI3hD8yHnRibU
+--- N9HQTIQ5VVZI/MQnddn+iic0NpcXDVn+y+TsdJmqfYM
-uybĐă\>
Ć"!$)m˝ýéĹŔiąĹÚ‹D}
ź đź=üÖă*ňÔIÉ0<C389>ˇ¨^Ft:ô7<<ř™˝ŢĄ­K¦‘ŹĽŹ­ľłţl›­ě>ëřĆŚdň.1~a_OęnwB.‚G5m†eC.$
+´gnôą€=j©>O´d‚Ó:ů…É ĆĚËçŠůOĆňţJ<C5A3>Ć0N^Č‘ˤĂĐĺU~	(ăęQ†	^:0BŹd»ŇřüFB=v
[ůŻë”őŔ¶˘.´˙ëĘÁ»M‰C•2˙ĘżŚE=‚ôY/%ÍK|CÚµ}î&!w´>÷}o´S??Ö^!ţBÍŰÍв
-…[ďĐ{'Ś­…ňńç/
Âň€Üë2*c递˘«şÇ1<C387><31>vß´ů

secrets/estuary/netdata/powerdns_recursor.conf.age

@@ -1,10 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw 4Uz8X3DA0qi11jxT9YNhKoeEeDPzwo4NJH9k4eM08Xo
+-> ssh-ed25519 n8CpUw 6uHZyoyVt2gGwiKcnXNoYKhKRe4VoruWKEKKhDZGWE4
-PCHTFDA4A0tzGjgrkYOmIyrtNK0uV+rHNdZW/ntRNAc
+Koe5ZXD5VXbxN54uhLAZgjOJDd898gxoAv8eug57n6A
--> X25519 3sNBOVg/VLvSP+Eezi+qdrKgvUfQCpCjfSRw6F+Vb1U
+-> X25519 7HmjFGzmHrcLL4OoylHByV9HQEjLoHJI3aL1KQPa40U
-ixF2OOSSX6YdrJ1dBRZHMJA7cuZMU9l2kAm7Vp28W7g
+kmlyNDJy4wZUlQuIMYXjGGa8goX6p0kqCmctcvjhZg8
--> j(Bq}H-m-grease ZYUY SPd
+-> Qt-grease
-wpnnHgPzm87eHBnd64JWPvCXyGejDcFGpQ1ny1DxIeQLJGpz/neBMrkpjMz7i4vF
+gFRjzic9zrBNWUd/9b8dcMhrf4I8B2dsXFnkXMJJ/QTXH3Vwo0x78VQrcsDCBeFQ
-/Ad3IzRvmWo1ZHbk
+bFoadWMaFb8tiEzOTUmL4D3v8cUoQNik
---- 06ibUv3aHvqyXOp6dIibVq3TWH4TGwKYDIxOcDI7p9o
+--- 5K/uMQHfY+rbs+XlqWjPoIkZWiNcaqcd2PJxwbDP4GI
-)l<>’ë±ûÎFß1B<31>úÅ4C¥@,WcJpéµácê^…
“šCÃ:–øe¢MœÂ¡i¶ÛæºÉ–ß6©T<íé4<&T„yÌáqÚEƒÆ̤¯ôxV7š
ÙË‚Uhà]Ž×ÍLöm3<6D>WdÙî¦ùážÜ/h£àäÉà«`ðÁªM–>è–"±¬²DNkÝôò²=]@
+-ç?KsÞaæe™ÉIJ<49>Þ–¿íMáßÿ¿¡1Z3T”«Ø0þÈ"Œ-³ÖQ;¤©ätº~ù*oTÚSuÓ
%¬-ë?ƈ<…yÑ«”±
Õ5¥<>ñŒ¢œýßä^uÊÇRá×ÂÒTÚè¨ÚM&TžÅ<C5BE>ítLCÑ
+ÆbiºsϽ¹F]kµ\ÃÎ vÔLgìÁýL qä

secrets/estuary/pdns/recursor.conf.age

@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw NFyy9tfPWXMqC4fUHFTISB3N3m1P6/5w5CsbHW3uGwA
+-> ssh-ed25519 n8CpUw 1h5DOKUmcFLWvD09R9Hg+kPtKskdJuIS0/Y+TJ4XlRs
-BsURcFPmnc6pJC73JlC1JullIIr1cEm7LISctfR2HCY
+tD9fRfDHl/CPjeN17xAWQhd1KWcoqDmf6bstgb6HRsU
--> X25519 6pX8pYBHpt7a8I62IbS5a/JoyME7C4wSNVq9R/B4olA
+-> X25519 vt8XCj+Ju/TeP7JwEZrofUtatTRjxD3ROngwQbTkhzE
-mQqqFa7aGn0PJGb+3CwaE/0/VxmP0qzFkDTiV1EpDvE
+iKSnIjHuYy3apf45NZ6kLgIV5dVIhc4fOCflVh7D9Sg
--> JusY"4K4-grease 0p9 +_0
+-> @\)-6C-grease vcL@ yq^]X
-MUgjTTYvQmfSeT12H20EbDSGTWXmukYPCdGfH1WInr5bbZJI
+08U2EyiwGEU9t+P4s8Vu+mTH7UZuaDCUpiv4w9KbTGV+dAe2Fw
---- siLfYgb7hAdIkqPT9M8SdZrUwLlmiiMEb2EHobEFUDA
+--- ux9a8/Et2aI1Lmkmvn+xkemaWcW/wghIb/Jcz/h6rNE
-5¬€®!Ý;şz
Ń-ť3¦šż|rRŐŻ•V›rŤ5˝ĄÄ3~°%9đÔÁIxÎn#Ó«ůkv$z!¤»l;PL&><3E><02>;›¦9„÷;˝
+ÅŽº®c<EFBFBD>_Q1bÇMNB
¡Ý\…×DTÉm`ú.\¼*<2A>€[ûÒ‚xÖ™JSú•²H#ç	yDnÅz“ä<>}–ø%6'Ôç

secrets/toot/otp-secret.txt.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 62JccA hYLNjdUSu6k/3UWmZ8KUWGgp8oCKg8mXuWbssRJKNGk
+bixOLSjVKS4HCC4BpH3FVioqfrZFKu1gU3CrFR5GLxI
+-> X25519 SPjyPzWZhxysp+orn9MRLbMgF0bmGJrCyEhwYuGwfA4
+ar3h3erVZheWkRgd4si/LFKrJGhsxFNvP+hpcX4UAyA
+-> ;>8csh04-grease
+2MVNSFMb/p8+CPGD6yJypa3hAXylVl9V805WrBXP8mGy1AYrg213xqiUKhHp93BB
+VuT7rcCaurSxmusUwAoflUowUZ/bWBn/
+--- QzLGsIO6xVPKIxS0kKn9h6yl4tx4jGHgDqKHR/WtCF4
+é©e0 AÓiÐΉ €Ðxy2IˆÇÅNCéI<C3A9>ÏS›œ ¹“–ª¨ŽŠÄ<mS*zêˆ>–¤øŸP<C5B8><14>ï­f	r¸³´pNæ<4E>8Ä’dÅ›F,Zåæó<15>§ú•îP8jcö¯‡HàRriŸ‘}ÊN
ð£h¶+û†x<E280A0>.6†åið9h1ÍØ3ëÐdž?'­Ø5!Àµéѵ͸И©u

secrets/toot/postgres-password.txt.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 62JccA QhhGF5N6sMP+P3IdUpmJzNRz2Hm00ZncbuakeU8iQU4
+YF/OzLaTwVHF6TAiQ0DS62T4YB6mbzwGUBKiC57tttQ
+-> X25519 Pm6IdBMnfg2dXyShGK/rab40kgaHntQl2i1+U6mdXDk
+juv9BOJ30uI4i86v1FK0mD2m09FO1H6fgBS3Hd4LKc0
+-> ?U`0-grease
+tBHyO/6iUm7Dce1vJeez7ojMHxyBtgBCX/GoFkvZR5MbC0L0lwDaKYV/iNtyI/mz
+lX65tP5ZM0RRMb8OduMLOtd0fGz0SO2CwlwyVbMcYptJoFvH2Nk
+--- 8StTTi8cIRWmha1obVORyGBiSga4pIocUrKMiNHPIEk
+<EFBFBD>	
¸ýM<C3BD><4D>\÷—·0·meÏ	AfãÛLÎóã>4}2ô¨¤^v•¯kÁP#X‹R

secrets/toot/s3-secret-key.txt.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 62JccA 5pH4eHN72U1/YuyqlT8f7+K2LflVAcSmdhgcYJaEbA8
+h6Psi0r7rQ3vR4QidV31ooOQDSz/jDU/JONG+v7g/nY
+-> X25519 wv8cuge1iRgd/wBUDPsEIxveR2/POc64KKS7l9vGSjc
+rqcKowLY3seymydklTmQoLORb3H47Oqmg15hmu3Q+UM
+-> ;=-grease \K*OpV
+yJ/JvmkgmjspPcq5QckIB9zgSbHVPHhGUnvAWDlp4l8DJPFZfyj+u43eAr5z2q08
+I1NF/kRRj4rdinLFRlAI8fKCQj6ifcZ7vg1fe0CB/QRTx/4t6ekJp05z/wRP7ZLz
+vw
+--- sUj+V1ze8uxcObXJOPYsk/F8bz72vUWrj7VM9BLC478
+h(繁ﾚ､<EFBE9A>K^-纎２QﾍｯD@`l<>ﾎ!ｿ圓
+ﾃ<EFBFBD>ﾛ€鉋<EFBFBD>ｷ笵ﾇ
+憖*

secrets/toot/smtp-password.txt.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 62JccA CMVPtLHq9uZiwxGStO2uG2EjdIsDtT8EBpg+FqcpwRk
+BdpqFObr1lIpFSI8JGbw2ZY7ytCzHJbnlcG1inENwC8
+-> X25519 p0bB1J+ilWsouqw0WfzUShDHdHYE4rDYypT8WIhx12k
+FnQGRuclUZQyv6EgXGS5whj0oQ7cXuWBVPb8SNYRFrE
+-> yIy>EDE-grease eYO +;!yF] cv#J vMrf
+XglB4bN9hrclLT6HDgyggakuIg
+--- hZbvazlSkllx3S//GGiCiKiFzIqpczGoyYutfa+ACBo
+Çí(üžEg.„=Éi
+(uæš`ñº„î€"Q‡¢ìdÀ@ð×½+[<5B>eØZå#½

secrets/whale2/valheim.env.age

@@ -1,10 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 /EJXvg zqgNJtsJoogjGP75yueFFWd3oe0H64W5CQcujNCWZ0M
+-> ssh-ed25519 /EJXvg BJZrrIl9HdCRVcGbolryOYl07K/Af4lwdo0kcdfi1nE
-cVeKmN0jo/y7n5QS2Dp4U0uxK+jGwlQnwXNxR87z020
+Z/zOV6v9llrTCguPg2pFSmJFFlY2Bv7rLYF8ynHT+gA
--> X25519 J2MeXbL+kGLV3MePB1RMphd7XUfAiL7BTfRWut5lkTE
+-> X25519 Mxyf7SL+faoCveud/lCQFcjyKMNxTnKsqwKTbznaPic
-PlaRjS9QfL0R1wTx5XJNhjOn2PCG/6QIT3x8I5QG9wo
+oDSnX4u5ked4Rfnt0giv1MQKPNChuvyd9hqnPX1JPTQ
--> |#-grease t|Z9XXy p:XF
+-> 1*T*F|}-grease '`: I"ixoC k~b=\i%m mPT2XC
-LPPVfms2cH4f51GHS7rSwzBOBQulDAANNYGwl22AkZfSNHotvpHdguuJ0S1D+aEj
+E3KZgVKf5pW4H6o1lQcxWTFNL7M1BBIYjrGO5g2BAEXJRi4klfzRL9DwRXrs2/Rm
-d7jlo/xce10TcNJwKYNeTn775g
+pJHAEuTpdD0j1JegZpB9ObocIy6UuL+/Ng5yDQk
---- l2P0/sNogMDU0AmwSuK8BPJnXTj3a7jwwQ0P7ho8Etw
+--- ODMxWjzAalxE3jjTHTest+r6B0tnS5xKScTzzAbEJgg
-52F4ÁbC涹‘¹&à…iKÛÑ/†™§AYÇÕ
x&Ô­/ŸŒg›ðQ&zIògÌ$d<>ÐÄmdùÙ
+¡ÖÿG±5÷Ûs=^Ø–s£˜ÊrŠ)qÊך"‚4àˆp‚Æø3à—KvýÿQ<C3BF>Ä„Þ
Š‡6Àþ@§0²}¶