-{ lib, pkgs, config, myconfig, ... }:
-let
- env = myconfig.env.tools.mastodon;
- root = "/run/current-system/webapps/tools_mastodon";
- cfg = config.services.myWebsites.tools.mastodon;
- mcfg = config.services.mastodon;
-in {
- options.services.myWebsites.tools.mastodon = {
- enable = lib.mkEnableOption "enable mastodon's website";
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = [{
- dest = "webapps/tools-mastodon";
- user = "mastodon";
- group = "mastodon";
- permissions = "0400";
- text = ''
- REDIS_HOST=${env.redis.host}
- REDIS_PORT=${env.redis.port}
- REDIS_DB=${env.redis.db}
- DB_HOST=${env.postgresql.socket}
- DB_USER=${env.postgresql.user}
- DB_NAME=${env.postgresql.database}
- DB_PASS=${env.postgresql.password}
- DB_PORT=${env.postgresql.port}
-
- LOCAL_DOMAIN=mastodon.immae.eu
- LOCAL_HTTPS=true
- ALTERNATE_DOMAINS=immae.eu
-
- PAPERCLIP_SECRET=${env.paperclip_secret}
- SECRET_KEY_BASE=${env.secret_key_base}
- OTP_SECRET=${env.otp_secret}
-
- VAPID_PRIVATE_KEY=${env.vapid.private}
- VAPID_PUBLIC_KEY=${env.vapid.public}
-
- SMTP_DELIVERY_METHOD=sendmail
- SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
- SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
- PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
-
- STREAMING_CLUSTER_NUM=1
-
- RAILS_LOG_LEVEL=warn
-
- # LDAP authentication (optional)
- LDAP_ENABLED=true
- LDAP_HOST=ldap.immae.eu
- LDAP_PORT=636
- LDAP_METHOD=simple_tls
- LDAP_BASE="dc=immae,dc=eu"
- LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
- LDAP_PASSWORD="${env.ldap.password}"
- LDAP_UID="uid"
- LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
- '';
- }];
- services.mastodon = {
- enable = true;
- configFile = "/var/secrets/webapps/tools-mastodon";
- socketsPrefix = "live_immae";
- dataDir = "/var/lib/mastodon_immae";
- };
-
- services.websites.tools.modules = [
- "headers" "proxy" "proxy_wstunnel" "proxy_http"
- ];
- system.extraSystemBuilderCmds = ''
- mkdir -p $out/webapps
- ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
- '';
- services.websites.tools.vhostConfs.mastodon = {
- certName = "eldiron";
- addToCerts = true;
- hosts = ["mastodon.immae.eu" ];
- root = root;
- extraConfig = [ ''
- Header always set Referrer-Policy "strict-origin-when-cross-origin"
- Header always set Strict-Transport-Security "max-age=31536000"
-
- <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
- Header always set Cache-Control "public, max-age=31536000, immutable"
- Require all granted
- </LocationMatch>
-
- ProxyPreserveHost On
- RequestHeader set X-Forwarded-Proto "https"
-
- RewriteEngine On
-
- ProxyPass /500.html !
- ProxyPass /sw.js !
- ProxyPass /embed.js !
- ProxyPass /robots.txt !
- ProxyPass /manifest.json !
- ProxyPass /browserconfig.xml !
- ProxyPass /mask-icon.svg !
- ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
- ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
-
- RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
- RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
- ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
- ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
-
- Alias /system ${mcfg.dataDir}
-
- <Directory ${mcfg.dataDir}>
- Require all granted
- Options -MultiViews
- </Directory>
-
- <Directory ${root}>
- Require all granted
- Options -MultiViews +FollowSymlinks
- </Directory>
-
- ErrorDocument 500 /500.html
- ErrorDocument 501 /500.html
- ErrorDocument 502 /500.html
- ErrorDocument 503 /500.html
- ErrorDocument 504 /500.html
- '' ];
- };
- };
-}