modules/private/websites/tools/mastodon/default.nix

   1 { lib, pkgs, config,  ... }:
   2 let
   3   env = config.myEnv.tools.mastodon;
   4   root = "${mcfg.workdir}/public/";
   5   cfg = config.myServices.websites.tools.mastodon;
   6   mcfg = config.services.mastodon;
   7 in {
   8   options.myServices.websites.tools.mastodon = {
   9     enable = lib.mkEnableOption "enable mastodon's website";
  10   };
  11
  12   config = lib.mkIf cfg.enable {
  13     services.duplyBackup.profiles.mastodon = {
  14       rootDir = mcfg.dataDir;
  15     };
  16     secrets.keys."webapps/tools-mastodon" = {
  17       user = "mastodon";
  18       group = "mastodon";
  19       permissions = "0400";
  20       text = ''
  21         REDIS_HOST=${env.redis.host}
  22         REDIS_PORT=${env.redis.port}
  23         REDIS_DB=${env.redis.db}
  24         DB_HOST=${env.postgresql.socket}
  25         DB_USER=${env.postgresql.user}
  26         DB_NAME=${env.postgresql.database}
  27         DB_PASS=${env.postgresql.password}
  28         DB_PORT=${env.postgresql.port}
  29
  30         LOCAL_DOMAIN=mastodon.immae.eu
  31         LOCAL_HTTPS=true
  32         ALTERNATE_DOMAINS=immae.eu
  33
  34         PAPERCLIP_SECRET=${env.paperclip_secret}
  35         SECRET_KEY_BASE=${env.secret_key_base}
  36         OTP_SECRET=${env.otp_secret}
  37
  38         VAPID_PRIVATE_KEY=${env.vapid.private}
  39         VAPID_PUBLIC_KEY=${env.vapid.public}
  40
  41         SMTP_DELIVERY_METHOD=sendmail
  42         SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
  43         SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
  44         PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
  45
  46         STREAMING_CLUSTER_NUM=1
  47
  48         RAILS_LOG_LEVEL=warn
  49
  50         # LDAP authentication (optional)
  51         LDAP_ENABLED=true
  52         LDAP_HOST=${env.ldap.host}
  53         LDAP_PORT=636
  54         LDAP_METHOD=simple_tls
  55         LDAP_BASE="${env.ldap.base}"
  56         LDAP_BIND_DN="${env.ldap.dn}"
  57         LDAP_PASSWORD="${env.ldap.password}"
  58         LDAP_UID="uid"
  59         LDAP_SEARCH_FILTER="${env.ldap.filter}"
  60       '';
  61     };
  62     services.mastodon = {
  63       enable = true;
  64       configFile = config.secrets.fullPaths."webapps/tools-mastodon";
  65       socketsPrefix = "live_immae";
  66       dataDir = "/var/lib/mastodon_immae";
  67     };
  68     services.filesWatcher.mastodon-streaming = {
  69       restart = true;
  70       paths = [ mcfg.configFile ];
  71     };
  72     services.filesWatcher.mastodon-web = {
  73       restart = true;
  74       paths = [ mcfg.configFile ];
  75     };
  76     services.filesWatcher.mastodon-sidekiq = {
  77       restart = true;
  78       paths = [ mcfg.configFile ];
  79     };
  80
  81
  82     services.websites.env.tools.modules = [
  83       "headers" "proxy" "proxy_wstunnel" "proxy_http"
  84     ];
  85     services.websites.env.tools.vhostConfs.mastodon = {
  86       certName    = "eldiron";
  87       addToCerts  = true;
  88       hosts       = ["mastodon.immae.eu" ];
  89       root        = root;
  90       extraConfig = [ ''
  91         Header always set Referrer-Policy "strict-origin-when-cross-origin"
  92         Header always set Strict-Transport-Security "max-age=31536000"
  93
  94         <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
  95           Header always set Cache-Control "public, max-age=31536000, immutable"
  96           Require all granted
  97         </LocationMatch>
  98
  99         ProxyPreserveHost On
 100         RequestHeader set X-Forwarded-Proto "https"
 101
 102         RewriteEngine On
 103
 104         ProxyPass /500.html !
 105         ProxyPass /sw.js !
 106         ProxyPass /embed.js !
 107         ProxyPass /robots.txt !
 108         ProxyPass /manifest.json !
 109         ProxyPass /browserconfig.xml !
 110         ProxyPass /mask-icon.svg !
 111         ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
 112         ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
 113
 114         RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
 115         RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
 116         ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
 117         ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
 118
 119         Alias /system ${mcfg.dataDir}
 120
 121         <Directory ${mcfg.dataDir}>
 122           Require all granted
 123           Options -MultiViews
 124         </Directory>
 125
 126         <Directory ${root}>
 127           Require all granted
 128           Options -MultiViews +FollowSymlinks
 129         </Directory>
 130
 131         ErrorDocument 500 /500.html
 132         ErrorDocument 501 /500.html
 133         ErrorDocument 502 /500.html
 134         ErrorDocument 503 /500.html
 135         ErrorDocument 504 /500.html
 136       '' ];
 137     };
 138   };
 139 }