--- /dev/null
+{ lib, pkgs, config, myconfig, ... }:
+let
+ env = myconfig.env.tools.mastodon;
+ root = "/run/current-system/webapps/tools_mastodon";
+ cfg = config.myServices.websites.tools.mastodon;
+ mcfg = config.services.mastodon;
+in {
+ options.myServices.websites.tools.mastodon = {
+ enable = lib.mkEnableOption "enable mastodon's website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ secrets.keys = [{
+ dest = "webapps/tools-mastodon";
+ user = "mastodon";
+ group = "mastodon";
+ permissions = "0400";
+ text = ''
+ REDIS_HOST=${env.redis.host}
+ REDIS_PORT=${env.redis.port}
+ REDIS_DB=${env.redis.db}
+ DB_HOST=${env.postgresql.socket}
+ DB_USER=${env.postgresql.user}
+ DB_NAME=${env.postgresql.database}
+ DB_PASS=${env.postgresql.password}
+ DB_PORT=${env.postgresql.port}
+
+ LOCAL_DOMAIN=mastodon.immae.eu
+ LOCAL_HTTPS=true
+ ALTERNATE_DOMAINS=immae.eu
+
+ PAPERCLIP_SECRET=${env.paperclip_secret}
+ SECRET_KEY_BASE=${env.secret_key_base}
+ OTP_SECRET=${env.otp_secret}
+
+ VAPID_PRIVATE_KEY=${env.vapid.private}
+ VAPID_PUBLIC_KEY=${env.vapid.public}
+
+ SMTP_DELIVERY_METHOD=sendmail
+ SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
+ SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
+ PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
+
+ STREAMING_CLUSTER_NUM=1
+
+ RAILS_LOG_LEVEL=warn
+
+ # LDAP authentication (optional)
+ LDAP_ENABLED=true
+ LDAP_HOST=ldap.immae.eu
+ LDAP_PORT=636
+ LDAP_METHOD=simple_tls
+ LDAP_BASE="dc=immae,dc=eu"
+ LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+ LDAP_PASSWORD="${env.ldap.password}"
+ LDAP_UID="uid"
+ LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+ '';
+ }];
+ services.mastodon = {
+ enable = true;
+ configFile = "/var/secrets/webapps/tools-mastodon";
+ socketsPrefix = "live_immae";
+ dataDir = "/var/lib/mastodon_immae";
+ };
+
+ services.websites.tools.modules = [
+ "headers" "proxy" "proxy_wstunnel" "proxy_http"
+ ];
+ system.extraSystemBuilderCmds = ''
+ mkdir -p $out/webapps
+ ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
+ '';
+ services.websites.tools.vhostConfs.mastodon = {
+ certName = "eldiron";
+ addToCerts = true;
+ hosts = ["mastodon.immae.eu" ];
+ root = root;
+ extraConfig = [ ''
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ Header always set Strict-Transport-Security "max-age=31536000"
+
+ <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
+ Header always set Cache-Control "public, max-age=31536000, immutable"
+ Require all granted
+ </LocationMatch>
+
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto "https"
+
+ RewriteEngine On
+
+ ProxyPass /500.html !
+ ProxyPass /sw.js !
+ ProxyPass /embed.js !
+ ProxyPass /robots.txt !
+ ProxyPass /manifest.json !
+ ProxyPass /browserconfig.xml !
+ ProxyPass /mask-icon.svg !
+ ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
+ ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
+
+ RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
+ RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
+ ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+ ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+
+ Alias /system ${mcfg.dataDir}
+
+ <Directory ${mcfg.dataDir}>
+ Require all granted
+ Options -MultiViews
+ </Directory>
+
+ <Directory ${root}>
+ Require all granted
+ Options -MultiViews +FollowSymlinks
+ </Directory>
+
+ ErrorDocument 500 /500.html
+ ErrorDocument 501 /500.html
+ ErrorDocument 502 /500.html
+ ErrorDocument 503 /500.html
+ ErrorDocument 504 /500.html
+ '' ];
+ };
+ };
+}