# NixOS module: the Mastodon website under services.myWebsites.tools.
#
# Enabling it (a) generates Mastodon's dotenv-style config file from the
# per-host values in myconfig, (b) enables the (project-local)
# services.mastodon module, and (c) registers an Apache vhost that serves
# static files and uploads directly and proxies the rest to Mastodon's
# rails/node unix sockets.  `pkgs` and `mylibs` are accepted but unused here.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Host-specific settings and credentials (redis/postgresql/ldap/secrets).
  env = myconfig.env.tools.mastodon;
  # Vhost document root; populated by extraSystemBuilderCmds below as a
  # symlink to Mastodon's public/ directory.
  root = "/run/current-system/webapps/tools_mastodon";
  cfg = config.services.myWebsites.tools.mastodon;
  # The project-local services.mastodon module (exposes workdir, dataDir
  # and the rails/node socket paths used below).
  mcfg = config.services.mastodon;
in {
  options.services.myWebsites.tools.mastodon = {
    enable = lib.mkEnableOption "enable mastodon's website";
  };

  config = lib.mkIf cfg.enable {
    # Mastodon's environment file, deployed read-only for the mastodon user.
    # `dest` appears to be relative to /var/secrets, matching
    # services.mastodon.configFile below — confirm against the secrets module.
    # NOTE(review): `text` contains DB, LDAP and application secrets; make
    # sure the secrets module writes it outside the Nix store (0400 on the
    # deployed file does not help if a world-readable store copy exists).
    # LDAP uses simple_tls on 636 and restricts logins to members of
    # cn=users,cn=mastodon via the memberOf clause of the search filter.
    secrets.keys = [{
      dest = "webapps/tools-mastodon";
      user = "mastodon";
      group = "mastodon";
      permissions = "0400";
      text = ''
        REDIS_HOST=${env.redis.host}
        REDIS_PORT=${env.redis.port}
        REDIS_DB=${env.redis.db}
        DB_HOST=${env.postgresql.socket}
        DB_USER=${env.postgresql.user}
        DB_NAME=${env.postgresql.database}
        DB_PASS=${env.postgresql.password}
        DB_PORT=${env.postgresql.port}

        LOCAL_DOMAIN=mastodon.immae.eu
        LOCAL_HTTPS=true
        ALTERNATE_DOMAINS=immae.eu

        PAPERCLIP_SECRET=${env.paperclip_secret}
        SECRET_KEY_BASE=${env.secret_key_base}
        OTP_SECRET=${env.otp_secret}

        VAPID_PRIVATE_KEY=${env.vapid.private}
        VAPID_PUBLIC_KEY=${env.vapid.public}

        SMTP_DELIVERY_METHOD=sendmail
        SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
        SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
        PAPERCLIP_ROOT_PATH=${mcfg.dataDir}

        STREAMING_CLUSTER_NUM=1

        RAILS_LOG_LEVEL=warn

        # LDAP authentication (optional)
        LDAP_ENABLED=true
        LDAP_HOST=ldap.immae.eu
        LDAP_PORT=636
        LDAP_METHOD=simple_tls
        LDAP_BASE="dc=immae,dc=eu"
        LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
        LDAP_PASSWORD="${env.ldap.password}"
        LDAP_UID="uid"
        LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
        '';
    }];
    # dataDir doubles as PAPERCLIP_ROOT_PATH (see the env file above), so
    # uploaded media lives there and is served by the /system alias below.
    services.mastodon = {
      enable = true;
      configFile = "/var/secrets/webapps/tools-mastodon";
      socketsPrefix = "live_immae";
      dataDir = "/var/lib/mastodon_immae";
    };

    # Apache modules the vhost config below relies on (Header/RequestHeader,
    # ProxyPass to unix sockets, websocket tunnelling for streaming).
    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_wstunnel" "proxy_http"
    ];
    security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null;
    # Expose Mastodon's public/ directory inside the system closure so the
    # vhost root (`root` above) is a stable path across deployments.
    system.extraSystemBuilderCmds = ''
      mkdir -p $out/webapps
      ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
      '';
    services.myWebsites.tools.vhostConfs.mastodon = {
      certName = "eldiron";
      hosts = ["mastodon.immae.eu" ];
      root = root;
      # Apache vhost body.  Order of concerns:
      #  - security headers (Referrer-Policy, one-year HSTS);
      #  - long-lived immutable caching for asset/upload prefixes.
      #    NOTE(review): the LocationMatch regex has no trailing `/` or `$`,
      #    so any path merely starting with one of the names (e.g. /systemX)
      #    also gets these headers;
      #  - X-Forwarded-Proto is forced to "https" unconditionally, which is
      #    only correct because this vhost is TLS-only (certName above);
      #  - ProxyPass exclusions (`!`) so static files and the ACME challenge
      #    path are served from `root` instead of being proxied;
      #  - streaming API rewritten to the node socket, everything else to the
      #    rails socket;
      #  - /system served straight from dataDir (uploads).  `Options
      #    -MultiViews` only removes MultiViews; whether directory indexes are
      #    enabled there depends on the global httpd defaults — confirm
      #    Indexes is off for dataDir;
      #  - 5xx mapped to Mastodon's static /500.html.
      extraConfig = [ ''
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        Header always set Strict-Transport-Security "max-age=31536000"

        <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
          Header always set Cache-Control "public, max-age=31536000, immutable"
          Require all granted
        </LocationMatch>

        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        ProxyPass /500.html !
        ProxyPass /sw.js !
        ProxyPass /embed.js !
        ProxyPass /robots.txt !
        ProxyPass /manifest.json !
        ProxyPass /browserconfig.xml !
        ProxyPass /mask-icon.svg !
        ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
        ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !

        RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
        RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
        ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
        ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/

        Alias /system ${mcfg.dataDir}

        <Directory ${mcfg.dataDir}>
          Require all granted
          Options -MultiViews
        </Directory>

        <Directory ${root}>
          Require all granted
          Options -MultiViews +FollowSymlinks
        </Directory>

        ErrorDocument 500 /500.html
        ErrorDocument 501 /500.html
        ErrorDocument 502 /500.html
        ErrorDocument 503 /500.html
        ErrorDocument 504 /500.html
        '' ];
    };
  };
}