1 { lib, pkgs, config, ... }:
3 env = config.myEnv.tools.mastodon;
4 root = "${mcfg.workdir}/public/";
5 cfg = config.myServices.websites.tools.mastodon;
6 mcfg = config.services.mastodon;
8 options.myServices.websites.tools.mastodon = {
9 enable = lib.mkEnableOption "enable mastodon's website";
12 config = lib.mkIf cfg.enable {
13 services.duplyBackup.profiles.mastodon = {
14 rootDir = mcfg.dataDir;
16 secrets.keys."webapps/tools-mastodon" = {
21 REDIS_HOST=${env.redis.host}
22 REDIS_PORT=${env.redis.port}
23 REDIS_DB=${env.redis.db}
24 DB_HOST=${env.postgresql.socket}
25 DB_USER=${env.postgresql.user}
26 DB_NAME=${env.postgresql.database}
27 DB_PASS=${env.postgresql.password}
28 DB_PORT=${env.postgresql.port}
30 LOCAL_DOMAIN=mastodon.immae.eu
32 ALTERNATE_DOMAINS=immae.eu
34 PAPERCLIP_SECRET=${env.paperclip_secret}
35 SECRET_KEY_BASE=${env.secret_key_base}
36 OTP_SECRET=${env.otp_secret}
38 VAPID_PRIVATE_KEY=${env.vapid.private}
39 VAPID_PUBLIC_KEY=${env.vapid.public}
41 SMTP_DELIVERY_METHOD=sendmail
42 SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
43 SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
44 PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
46 STREAMING_CLUSTER_NUM=1
50 # LDAP authentication (optional)
52 LDAP_HOST=${env.ldap.host}
54 LDAP_METHOD=simple_tls
55 LDAP_BASE="${env.ldap.base}"
56 LDAP_BIND_DN="${env.ldap.dn}"
57 LDAP_PASSWORD="${env.ldap.password}"
59 LDAP_SEARCH_FILTER="${env.ldap.filter}"
64 configFile = config.secrets.fullPaths."webapps/tools-mastodon";
65 socketsPrefix = "live_immae";
66 dataDir = "/var/lib/mastodon_immae";
68 services.filesWatcher.mastodon-streaming = {
70 paths = [ mcfg.configFile ];
72 services.filesWatcher.mastodon-web = {
74 paths = [ mcfg.configFile ];
76 services.filesWatcher.mastodon-sidekiq = {
78 paths = [ mcfg.configFile ];
82 services.websites.env.tools.modules = [
83 "headers" "proxy" "proxy_wstunnel" "proxy_http"
85 services.websites.env.tools.vhostConfs.mastodon = {
88 hosts = ["mastodon.immae.eu" ];
91 Header always set Referrer-Policy "strict-origin-when-cross-origin"
92 Header always set Strict-Transport-Security "max-age=31536000"
94 <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
95 Header always set Cache-Control "public, max-age=31536000, immutable"
100 RequestHeader set X-Forwarded-Proto "https"
104 ProxyPass /500.html !
106 ProxyPass /embed.js !
107 ProxyPass /robots.txt !
108 ProxyPass /manifest.json !
109 ProxyPass /browserconfig.xml !
110 ProxyPass /mask-icon.svg !
111 ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
112 ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
114 RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
115 RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
116 ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
117 ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
119 Alias /system ${mcfg.dataDir}
121 <Directory ${mcfg.dataDir}>
128 Options -MultiViews +FollowSymlinks
131 ErrorDocument 500 /500.html
132 ErrorDocument 501 /500.html
133 ErrorDocument 502 /500.html
134 ErrorDocument 503 /500.html
135 ErrorDocument 504 /500.html