1 { lib, pkgs, config, ... }:
3 env = config.myEnv.tools.mastodon;
4 root = "/run/current-system/webapps/tools_mastodon";
5 cfg = config.myServices.websites.tools.mastodon;
6 mcfg = config.services.mastodon;
8 options.myServices.websites.tools.mastodon = {
9 enable = lib.mkEnableOption "enable mastodon's website";
12 config = lib.mkIf cfg.enable {
13 services.duplyBackup.profiles.mastodon = {
14 rootDir = mcfg.dataDir;
16 secrets.keys."webapps/tools-mastodon" = {
21 REDIS_HOST=${env.redis.host}
22 REDIS_PORT=${env.redis.port}
23 REDIS_DB=${env.redis.db}
24 DB_HOST=${env.postgresql.socket}
25 DB_USER=${env.postgresql.user}
26 DB_NAME=${env.postgresql.database}
27 DB_PASS=${env.postgresql.password}
28 DB_PORT=${env.postgresql.port}
30 LOCAL_DOMAIN=mastodon.immae.eu
32 ALTERNATE_DOMAINS=immae.eu
34 PAPERCLIP_SECRET=${env.paperclip_secret}
35 SECRET_KEY_BASE=${env.secret_key_base}
36 OTP_SECRET=${env.otp_secret}
38 VAPID_PRIVATE_KEY=${env.vapid.private}
39 VAPID_PUBLIC_KEY=${env.vapid.public}
41 SMTP_DELIVERY_METHOD=sendmail
42 SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
43 SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
44 PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
46 STREAMING_CLUSTER_NUM=1
50 # LDAP authentication (optional)
52 LDAP_HOST=${env.ldap.host}
54 LDAP_METHOD=simple_tls
55 LDAP_BASE="${env.ldap.base}"
56 LDAP_BIND_DN="${env.ldap.dn}"
57 LDAP_PASSWORD="${env.ldap.password}"
59 LDAP_SEARCH_FILTER="${env.ldap.filter}"
64 configFile = config.secrets.fullPaths."webapps/tools-mastodon";
65 socketsPrefix = "live_immae";
66 dataDir = "/var/lib/mastodon_immae";
68 services.filesWatcher.mastodon-streaming = {
70 paths = [ mcfg.configFile ];
72 services.filesWatcher.mastodon-web = {
74 paths = [ mcfg.configFile ];
76 services.filesWatcher.mastodon-sidekiq = {
78 paths = [ mcfg.configFile ];
82 services.websites.env.tools.modules = [
83 "headers" "proxy" "proxy_wstunnel" "proxy_http"
85 system.extraSystemBuilderCmds = ''
87 ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
89 services.websites.env.tools.vhostConfs.mastodon = {
92 hosts = ["mastodon.immae.eu" ];
95 Header always set Referrer-Policy "strict-origin-when-cross-origin"
96 Header always set Strict-Transport-Security "max-age=31536000"
98 <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
99 Header always set Cache-Control "public, max-age=31536000, immutable"
104 RequestHeader set X-Forwarded-Proto "https"
108 ProxyPass /500.html !
110 ProxyPass /embed.js !
111 ProxyPass /robots.txt !
112 ProxyPass /manifest.json !
113 ProxyPass /browserconfig.xml !
114 ProxyPass /mask-icon.svg !
115 ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
116 ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
118 RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
119 RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
120 ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
121 ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
123 Alias /system ${mcfg.dataDir}
125 <Directory ${mcfg.dataDir}>
132 Options -MultiViews +FollowSymlinks
135 ErrorDocument 500 /500.html
136 ErrorDocument 501 /500.html
137 ErrorDocument 502 /500.html
138 ErrorDocument 503 /500.html
139 ErrorDocument 504 /500.html