nixos/shill: Add Mastodon

2022-11-20 02:43:48 +00:00
parent d31ec042c4
commit c42e836d52
31 changed files with 304 additions and 35 deletions


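--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -6,5 +6,6 @@
 ./chatterbox.nix
 ./jackflix
 ./object.nix
+./toot.nix
 ];
 }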


@@ -240,6 +240,9 @@
${lib.my.nginx.proxyHeaders} ${lib.my.nginx.proxyHeaders}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
vhost_traffic_status_zone; vhost_traffic_status_zone;
map $upstream_status $nix_cache_control { map $upstream_status $nix_cache_control {
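Review bot: The `# caching` comment above `proxy_cache_path` says nothing about who consumes the zone or why `inactive=7d` was chosen; as far as this commit shows, `CACHE` is referenced only from the `toot.nul.ie` `@proxy` location, whose `proxy_cache_valid 200 7d` the `inactive=7d` appears to mirror. Suggest replacing it with `# CACHE zone for the Mastodon (toot.nul.ie) @proxy location; inactive=7d mirrors its proxy_cache_valid 200 7d`. Note also that `/var/cache/nginx` is excluded from persistence elsewhere in this commit, so the on-disk cache is cold after every boot, which is worth a word here if that is intended. The enclosing http-level config string starts and ends outside this hunk.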


@@ -42,6 +42,7 @@ let
autoindex on; autoindex on;
''; '';
}; };
"/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
}; };
in in
{ {
@@ -299,6 +300,62 @@ in
}; };
useACMEHost = lib.my.pubDomain; useACMEHost = lib.my.pubDomain;
}; };
"toot.nul.ie" =
let
mkAssetLoc = name: {
tryFiles = "$uri =404";
extraConfig = ''
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
'';
};
in
{
root = "${pkgs.mastodon}/public";
locations = mkMerge [
(genAttrs [
"= /sw.js"
"~ ^/assets/"
"~ ^/avatars/"
"~ ^/emoji/"
"~ ^/headers/"
"~ ^/packs/"
"~ ^/shortcuts/"
"~ ^/sounds/"
] mkAssetLoc)
{
"/".tryFiles = "$uri @proxy";
"^~ /api/v1/streaming" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
proxy_set_header Proxy "";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
'';
};
"@proxy" = {
proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
proxyWebsockets = true;
extraConfig = ''
${lib.my.nginx.proxyHeaders}
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_cache CACHE;
proxy_cache_valid 200 7d;
proxy_cache_valid 410 24h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cached $upstream_cache_status;
'';
};
}
];
useACMEHost = lib.my.pubDomain;
};
}; };
minio = minio =
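Review bot: The `@proxy` location sets its own `add_header X-Cached $upstream_cache_status;`, and a location-level `add_header` in nginx stops inheritance of any server-level `add_header` directives, so the HTML and API responses served through it get no HSTS header from nginx even though `mkAssetLoc` and the streaming location set one explicitly; unless Mastodon itself or `lib.my.nginx.proxyHeaders` (not visible here) emits it, add `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";` next to the `X-Cached` line. Separately, `proxy_cache CACHE` with `proxy_cache_valid 200 7d` stores every 200 response from the web backend on disk, which is only safe because nginx honours upstream `Cache-Control: private`/`no-store` and no `proxy_ignore_headers` is set here; a comment such as `# relies on Mastodon marking session-bound responses private/no-store — never add proxy_ignore_headers Cache-Control here` would keep that dependency visible to the next editor. The `proxy_set_header Proxy "";` lines are the usual httpoxy guard and look right. The enclosing attribute set starts before the first hunk and continues past `minio =` after this one.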


@@ -0,0 +1,144 @@
{ lib, ... }: {
nixos.systems.toot = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
internal = {
name = "toot-ctr";
domain = lib.my.colony.domain;
ipv4.address = "${lib.my.colony.start.ctrs.v4}8";
ipv6 = {
iid = "::8";
address = "${lib.my.colony.start.ctrs.v6}8";
};
};
};
configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkIf genAttrs;
inherit (lib.my) networkdAssignment;
in
{
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
files = genAttrs
(map (f: "toot/${f}") [
"postgres-password.txt"
"secret-key.txt"
"otp-secret.txt"
"vapid-key.txt"
"smtp-password.txt"
"s3-secret-key.txt"
])
(_: with config.services.mastodon; {
owner = user;
inherit group;
});
};
firewall = {
tcp.allowed = [
19999
config.services.mastodon.webPort
config.services.mastodon.streamingPort
];
};
};
systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
services = {
# No option to provide an S3 secret access key file :(
mastodon-init-dirs.script = ''
echo "AWS_SECRET_ACCESS_KEY=\""$(< ${config.age.secrets."toot/s3-secret-key.txt".path})"\"" >> /var/lib/mastodon/.secrets_env
'';
# Can't use the extraConfig because these services expect a different format for the both family bind address...
mastodon-streaming.environment.BIND = "::";
mastodon-web.environment.BIND = "[::]";
};
};
services = {
netdata.enable = true;
mastodon = mkMerge [
{
enable = true;
localDomain = "nul.ie";
extraConfig.WEB_DOMAIN = "toot.nul.ie";
secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
vapidPublicKeyFile = toString (pkgs.writeText
"vapid-pubkey.txt"
"BAyRyD2pnLQtMHr3J5AzjNMll_HDC6ra1ilOLAUmKyhkEdbm7_OwKZUgw1UefY4CHEcv4OOX9TnnN2DOYYuPZu8=");
enableUnixSocket = false;
configureNginx = false;
trustedProxy = allAssignments.middleman.internal.ipv6.address;
database = {
createLocally = false;
host = "colony-psql";
user = "mastodon";
passwordFile = config.age.secrets."toot/postgres-password.txt".path;
name = "mastodon";
};
smtp = {
createLocally = false;
fromAddress = "Mastodon <toot@nul.ie>";
host = "mail.nul.ie";
port = 587;
authenticate = true;
user = "toot@nul.ie";
passwordFile = config.age.secrets."toot/smtp-password.txt".path;
};
extraConfig.SMTP_ENABLE_STARTTLS_AUTO = "true";
redis.createLocally = true;
# TODO: Re-enable when nixpkgs is updated
#mediaAutoRemove = {
# enable = true;
# olderThanDays = 30;
#};
}
{
extraConfig = {
S3_ENABLED = "true";
S3_BUCKET = "mastodon";
AWS_ACCESS_KEY_ID = "mastodon";
S3_ENDPOINT = "https://s3.nul.ie/";
S3_REGION = "eu-central-1";
S3_PROTOCOL = "https";
S3_HOSTNAME = "mastodon.s3.nul.ie";
S3_ALIAS_HOST = "mastodon.s3.nul.ie";
};
}
];
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = with config.services.mastodon; [
{ from = "host"; guest.port = webPort; }
{ from = "host"; guest.port = streamingPort; }
];
};
})
];
};
};
}
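Review bot: In `mastodon-init-dirs.script` the command substitution is outside the double quotes (`\""$(< …)"\"`), so the S3 secret is subject to word splitting and globbing before it reaches `.secrets_env`; quoting it as a single string fixes that, `echo "AWS_SECRET_ACCESS_KEY=\"$(< ${config.age.secrets."toot/s3-secret-key.txt".path})\"" >> /var/lib/mastodon/.secrets_env`. The `>>` also appends a fresh line on every run of the unit, which is only correct if the module's own part of the script (this `script` text is concatenated after it) recreates the file first; a comment stating that assumption, e.g. `# Appended after the module's script, which rewrites .secrets_env from scratch — confirm on nixpkgs updates`, belongs next to the existing "No option" comment. `firewall.tcp.allowed` opens `webPort` and `streamingPort` to any source while `BIND` is set to all interfaces, yet only the proxy named by `trustedProxy` needs them; if `my.firewall` can scope rules by source, narrowing to that address keeps other hosts from bypassing nginx. The `secrets.files` ownership via `genAttrs` and the `mkIf config.my.build.isDevVM` port forwards look fine.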


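--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -155,6 +155,7 @@
 "/mnt/minio".readOnly = false;
 };
 };
+toot = {};
 };
 in
 mkMerge [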


@@ -189,6 +189,12 @@ in
(mkIf config.services.resolved.enable { (mkIf config.services.resolved.enable {
my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ]; my.tmproot.unsaved.ignore = [ "/etc/resolv.conf" ];
}) })
(mkIf config.services.nginx.enable {
my.tmproot.unsaved.ignore = [ "/var/cache/nginx" ];
})
(mkIf config.services.mastodon.enable {
my.tmproot.unsaved.ignore = [ "/var/lib/mastodon/.secrets_env" ];
})
(mkIf config.my.build.isDevVM { (mkIf config.my.build.isDevVM {
my.tmproot.unsaved.ignore = [ "/nix" ]; my.tmproot.unsaved.ignore = [ "/nix" ];
@@ -366,6 +372,20 @@ in
}; };
}; };
}) })
(mkIf config.services.mastodon.enable {
my.tmproot.persistence.config.directories = with config.services.mastodon; [
{
directory = "/var/lib/mastodon/public-system";
inherit user group;
}
{
directory = "/var/lib/redis-mastodon";
mode = "700";
user = "redis-mastodon";
group = "redis-mastodon";
}
];
})
])) ]))
]); ]);
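Review bot: The `.secrets_env` entry in the first hunk has no comment explaining why a file holding live credentials is deliberately left out of persistence; since the toot config in this commit has `mastodon-init-dirs` rewrite it from the age secrets on each start, a line like `# Rewritten by mastodon-init-dirs from age secrets on every boot; must not be persisted` would stop a later reader from "fixing" it into the persistence list. In the second hunk the redis entry hardcodes `user = "redis-mastodon"; group = "redis-mastodon";` while the Mastodon entry reads `user`/`group` from `config.services.mastodon`; if that redis instance is the one `redis.createLocally` creates, taking them from `config.services.redis.servers.mastodon.user` would keep the two entries consistent and survive a rename. Both `mkIf` blocks sit in a list whose enclosing definition starts and ends outside these hunks.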

Binary file not shown.

Binary file not shown.


@@ -1,10 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 n8CpUw iETDBtdye4piq/xqWpbInrU2FOPEEKea4k4lVzAwSjo -> ssh-ed25519 n8CpUw 3b8J/xL277WAajHymjDJobariLmoDAhUyQpLdB9cfXo
azZL62Gq2MZP8ix0HiySJvAD6cAHkL3Be20We8OQQM4 i3vbIUk+NawecuYN24PYPkeCcPU6tcSv2uyeThUXLxM
-> X25519 NRs9OnWiXplaM8CnZqmOUNsPThBOIEsnr9FDzMrlVDI -> X25519 e7KpW0DuROUPbJnwH9bmuukI4CssFChIlGiQZ9eJ2m8
ZTXNz2tHYMEbkOKMMmu7IPoAq6Bivn0iyso5dGi/aew 95FinF9t9H14AaWEsZrboHvVjDpawT438N8x0u9aqEM
-> C%.jkH-grease 47 -> SQ-grease yKgA| >{Zf` %\ }#]TR;rx
ZZhoIPOgltI7bYaGSDHUQLU ufI0F4kKHxaxb6ulmD2nwef1y9I
--- IOE3R6sGvuDXeUyYtGuf5DDEMIzBjAEI3hD8yHnRibU --- N9HQTIQ5VVZI/MQnddn+iic0NpcXDVn+y+TsdJmqfYM
uyb<EFBFBD><EFBFBD>\><01>"!$)m<><6D><EFBFBD><EFBFBD><EFBFBD>i<EFBFBD><EFBFBD>ڋD}<01> <20><> =<3D><><EFBFBD>*<2A><05>I<EFBFBD>0<EFBFBD><30><EFBFBD>^Ft:<3A>7<<<3C><><05>ޥ<16>K<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>l<08><><EFBFBD>><3E><>ƌd<C68C>.1~a_O<5F>nwB.<2E>G5m<35>eC.$ <EFBFBD>gn<EFBFBD><EFBFBD><EFBFBD>=j<>>O<>d<EFBFBD><EFBFBD>:<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>O<EFBFBD><4F><EFBFBD>J<EFBFBD><4A>0N^<5E><0E>ˤ<EFBFBD><CBA4><EFBFBD>U~ (<28><>Q<EFBFBD> ^:0B<18>d<><64><EFBFBD><13>FB=v[<5B><> <0B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.<16><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>M<EFBFBD>C<EFBFBD>2<EFBFBD>ʿ<EFBFBD>E=<3D><>Y/%<05>K|Cڵ}<7D>&!w<>><>}o<> S??<3F>^!<21>B<EFBFBD><42><EFBFBD>в
<EFBFBD>[<5B><>{'<27><07><><EFBFBD><EFBFBD><EFBFBD>/


@@ -1,10 +1,11 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 n8CpUw 4Uz8X3DA0qi11jxT9YNhKoeEeDPzwo4NJH9k4eM08Xo -> ssh-ed25519 n8CpUw 6uHZyoyVt2gGwiKcnXNoYKhKRe4VoruWKEKKhDZGWE4
PCHTFDA4A0tzGjgrkYOmIyrtNK0uV+rHNdZW/ntRNAc Koe5ZXD5VXbxN54uhLAZgjOJDd898gxoAv8eug57n6A
-> X25519 3sNBOVg/VLvSP+Eezi+qdrKgvUfQCpCjfSRw6F+Vb1U -> X25519 7HmjFGzmHrcLL4OoylHByV9HQEjLoHJI3aL1KQPa40U
ixF2OOSSX6YdrJ1dBRZHMJA7cuZMU9l2kAm7Vp28W7g kmlyNDJy4wZUlQuIMYXjGGa8goX6p0kqCmctcvjhZg8
-> j(Bq}H-m-grease ZYUY SPd -> Qt-grease
wpnnHgPzm87eHBnd64JWPvCXyGejDcFGpQ1ny1DxIeQLJGpz/neBMrkpjMz7i4vF gFRjzic9zrBNWUd/9b8dcMhrf4I8B2dsXFnkXMJJ/QTXH3Vwo0x78VQrcsDCBeFQ
/Ad3IzRvmWo1ZHbk bFoadWMaFb8tiEzOTUmL4D3v8cUoQNik
--- 06ibUv3aHvqyXOp6dIibVq3TWH4TGwKYDIxOcDI7p9o --- 5K/uMQHfY+rbs+XlqWjPoIkZWiNcaqcd2PJxwbDP4GI
)l<><6C><EFBFBD><EFBFBD><EFBFBD><EFBFBD> F<>1B<31><42><EFBFBD>4C<34>@,WcJp<4A><70><EFBFBD>c<EFBFBD>^<EFBFBD> -<2D>?Ks<4B>a<EFBFBD>e<EFBFBD><65>IJ<49>ޖ<EFBFBD><DE96>M<><4D><EFBFBD><EFBFBD><EFBFBD>1Z3T<33><54><EFBFBD>0<EFBFBD><30>"<22>-<2D><>Q;<3B><><EFBFBD>t<1C>~<7E>*oT<0E>Su<EFBFBD>
%<25>-<2D>?ƈ<<3C><79><D1AB><01>5<0E><><EFBFBD><17><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>^u<><75>R<EFBFBD><52><EFBFBD><EFBFBD>T<EFBFBD><54><EFBFBD><EFBFBD>M&T<>Ő<EFBFBD>tLC<4C>

Binary file not shown.


@@ -1,9 +1,9 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 n8CpUw NFyy9tfPWXMqC4fUHFTISB3N3m1P6/5w5CsbHW3uGwA -> ssh-ed25519 n8CpUw 1h5DOKUmcFLWvD09R9Hg+kPtKskdJuIS0/Y+TJ4XlRs
BsURcFPmnc6pJC73JlC1JullIIr1cEm7LISctfR2HCY tD9fRfDHl/CPjeN17xAWQhd1KWcoqDmf6bstgb6HRsU
-> X25519 6pX8pYBHpt7a8I62IbS5a/JoyME7C4wSNVq9R/B4olA -> X25519 vt8XCj+Ju/TeP7JwEZrofUtatTRjxD3ROngwQbTkhzE
mQqqFa7aGn0PJGb+3CwaE/0/VxmP0qzFkDTiV1EpDvE iKSnIjHuYy3apf45NZ6kLgIV5dVIhc4fOCflVh7D9Sg
-> JusY"4K4-grease 0p9 +_0 -> @\)-6C-grease vcL@ yq^]X
MUgjTTYvQmfSeT12H20EbDSGTWXmukYPCdGfH1WInr5bbZJI 08U2EyiwGEU9t+P4s8Vu+mTH7UZuaDCUpiv4w9KbTGV+dAe2Fw
--- siLfYgb7hAdIkqPT9M8SdZrUwLlmiiMEb2EHobEFUDA --- ux9a8/Et2aI1Lmkmvn+xkemaWcW/wghIb/Jcz/h6rNE
5<EFBFBD><EFBFBD><12>!<13>;<3B>z<01>-<2D>3<EFBFBD><33><EFBFBD>|rRկ<>V<EFBFBD>r<EFBFBD>5<EFBFBD><35><EFBFBD>3~<7E>%9<><39><EFBFBD>Ix<49>n#ӫ<>kv$z!<21><>l;PL&><3E><02>;<3B><06>9<EFBFBD><39>;<EFBFBD> Ŏ<EFBFBD><EFBFBD>c<EFBFBD>_Q1b<>MNB<01> <0C>\<5C><>DT<44>m`<60>.\<5C>*<2A><>[<5B>҂x֙JS<4A><53><EFBFBD>H#<23> yDn<44>z<1D><02><>}<7D><>%6'<27><EFBFBD>

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 62JccA hYLNjdUSu6k/3UWmZ8KUWGgp8oCKg8mXuWbssRJKNGk
bixOLSjVKS4HCC4BpH3FVioqfrZFKu1gU3CrFR5GLxI
-> X25519 SPjyPzWZhxysp+orn9MRLbMgF0bmGJrCyEhwYuGwfA4
ar3h3erVZheWkRgd4si/LFKrJGhsxFNvP+hpcX4UAyA
-> ;>8csh04-grease
2MVNSFMb/p8+CPGD6yJypa3hAXylVl9V805WrBXP8mGy1AYrg213xqiUKhHp93BB
VuT7rcCaurSxmusUwAoflUowUZ/bWBn/
--- QzLGsIO6xVPKIxS0kKn9h6yl4tx4jGHgDqKHR/WtCF4
<EFBFBD><EFBFBD>e0 A<>i<EFBFBD>Ή <20><>xy2I<32><05><>NC<4E>I<EFBFBD><49>S<EFBFBD><53><EFBFBD><EFBFBD><EFBFBD><EFBFBD><18><><EFBFBD><EFBFBD><05><mS*z<><7A>><3E><><EFBFBD><EFBFBD>P<EFBFBD><14><><EFBFBD>f r<><72><EFBFBD>pN<70><4E>8<EFBFBD><11>F,Z<><5A><EFBFBD><15><><EFBFBD><EFBFBD><EFBFBD>P8jc<6A><63><EFBFBD>H<EFBFBD>Rri<72><69>}<7D>N


@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 62JccA QhhGF5N6sMP+P3IdUpmJzNRz2Hm00ZncbuakeU8iQU4
YF/OzLaTwVHF6TAiQ0DS62T4YB6mbzwGUBKiC57tttQ
-> X25519 Pm6IdBMnfg2dXyShGK/rab40kgaHntQl2i1+U6mdXDk
juv9BOJ30uI4i86v1FK0mD2m09FO1H6fgBS3Hd4LKc0
-> ?U`0-grease
tBHyO/6iUm7Dce1vJeez7ojMHxyBtgBCX/GoFkvZR5MbC0L0lwDaKYV/iNtyI/mz
lX65tP5ZM0RRMb8OduMLOtd0fGz0SO2CwlwyVbMcYptJoFvH2Nk
--- 8StTTi8cIRWmha1obVORyGBiSga4pIocUrKMiNHPIEk
<EFBFBD> <01><>M<EFBFBD><4D>\<5C><><EFBFBD> 0<>me<6D> Af<41><66>L<EFBFBD><4C><EFBFBD>>4}2<><32><EFBFBD>^v<><15>k<>P#X<>R


@@ -0,0 +1,13 @@
age-encryption.org/v1
-> ssh-ed25519 62JccA 5pH4eHN72U1/YuyqlT8f7+K2LflVAcSmdhgcYJaEbA8
h6Psi0r7rQ3vR4QidV31ooOQDSz/jDU/JONG+v7g/nY
-> X25519 wv8cuge1iRgd/wBUDPsEIxveR2/POc64KKS7l9vGSjc
rqcKowLY3seymydklTmQoLORb3H47Oqmg15hmu3Q+UM
-> ;=-grease \K*OpV
yJ/JvmkgmjspPcq5QckIB9zgSbHVPHhGUnvAWDlp4l8DJPFZfyj+u43eAr5z2q08
I1NF/kRRj4rdinLFRlAI8fKCQj6ifcZ7vg1fe0CB/QRTx/4t6ekJp05z/wRP7ZLz
vw
--- sUj+V1ze8uxcObXJOPYsk/F8bz72vUWrj7VM9BLC478
h(<28><>ڤ<>K^-㚂QQͯD@`l<><6C><EFBFBD>!<21><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD>ۀ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD>*

Binary file not shown.


@@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 62JccA CMVPtLHq9uZiwxGStO2uG2EjdIsDtT8EBpg+FqcpwRk
BdpqFObr1lIpFSI8JGbw2ZY7ytCzHJbnlcG1inENwC8
-> X25519 p0bB1J+ilWsouqw0WfzUShDHdHYE4rDYypT8WIhx12k
FnQGRuclUZQyv6EgXGS5whj0oQ7cXuWBVPb8SNYRFrE
-> yIy>EDE-grease eYO +;!yF] cv#J vMrf
XglB4bN9hrclLT6HDgyggakuIg
--- hZbvazlSkllx3S//GGiCiKiFzIqpczGoyYutfa+ACBo
<11><>(<28><>Eg.<2E>=<3D>i
(u<><75>`<60><> <0C><><EFBFBD>"Q<05><><EFBFBD>d<EFBFBD>@<40>׽+[<5B>e<EFBFBD>Z<EFBFBD>#<23>

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -1,10 +1,10 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 /EJXvg zqgNJtsJoogjGP75yueFFWd3oe0H64W5CQcujNCWZ0M -> ssh-ed25519 /EJXvg BJZrrIl9HdCRVcGbolryOYl07K/Af4lwdo0kcdfi1nE
cVeKmN0jo/y7n5QS2Dp4U0uxK+jGwlQnwXNxR87z020 Z/zOV6v9llrTCguPg2pFSmJFFlY2Bv7rLYF8ynHT+gA
-> X25519 J2MeXbL+kGLV3MePB1RMphd7XUfAiL7BTfRWut5lkTE -> X25519 Mxyf7SL+faoCveud/lCQFcjyKMNxTnKsqwKTbznaPic
PlaRjS9QfL0R1wTx5XJNhjOn2PCG/6QIT3x8I5QG9wo oDSnX4u5ked4Rfnt0giv1MQKPNChuvyd9hqnPX1JPTQ
-> |#-grease t|Z9XXy p:XF -> 1*T*F|}-grease '`: I"ixoC k~b=\i%m mPT2XC
LPPVfms2cH4f51GHS7rSwzBOBQulDAANNYGwl22AkZfSNHotvpHdguuJ0S1D+aEj E3KZgVKf5pW4H6o1lQcxWTFNL7M1BBIYjrGO5g2BAEXJRi4klfzRL9DwRXrs2/Rm
d7jlo/xce10TcNJwKYNeTn775g pJHAEuTpdD0j1JegZpB9ObocIy6UuL+/Ng5yDQk
--- l2P0/sNogMDU0AmwSuK8BPJnXTj3a7jwwQ0P7ho8Etw --- ODMxWjzAalxE3jjTHTest+r6B0tnS5xKScTzzAbEJgg
52F4<EFBFBD>bC涹<EFBFBD><02>&<26><>iK<69><4B>/<2F><><EFBFBD>AY<41><59>x&ԭ/<2F><>g<17><>Q&zI<7A>g<EFBFBD>$d<><64><EFBFBD>md<6D><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>G<EFBFBD>5<EFBFBD><04>s=^ؖs<D896><73><EFBFBD>r<EFBFBD>)q<>ך"<22>4<EFBFBD><34>p<EFBFBD><70><EFBFBD>3<EFBFBD><33>Kv<4B><76>Q<EFBFBD>Ą<EFBFBD><01><>6<EFBFBD><36>@<40>0<EFBFBD>}<EFBFBD>