{ lib, pkgs, config, myconfig, mylibs, ... }:
let
- mastodon = pkgs.callPackage ./mastodon.nix {
- inherit (pkgs.webapps) mastodon;
- env = myconfig.env.tools.mastodon;
- };
+ varDir = "/var/lib/mastodon_immae";
+ socketsDir = "/run/mastodon";
+ nodeSocket = "${socketsDir}/live_immae_node.sock";
+ railsSocket = "${socketsDir}/live_immae_puma.sock";
+
+ mastodon = pkgs.webapps.mastodon.override { inherit varDir; };
+ env = myconfig.env.tools.mastodon;
root = "/run/current-system/webapps/tools_mastodon";
cfg = config.services.myWebsites.tools.mastodon;
in {
};
config = lib.mkIf cfg.enable {
- mySecrets.keys = mastodon.keys;
- ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;
- ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;
+ mySecrets.keys = [{
+ dest = "webapps/tools-mastodon";
+ user = "mastodon";
+ group = "mastodon";
+ permissions = "0400";
+ text = ''
+ REDIS_HOST=${env.redis.host}
+ REDIS_PORT=${env.redis.port}
+ REDIS_DB=${env.redis.db}
+ DB_HOST=${env.postgresql.socket}
+ DB_USER=${env.postgresql.user}
+ DB_NAME=${env.postgresql.database}
+ DB_PASS=${env.postgresql.password}
+ DB_PORT=${env.postgresql.port}
+
+ LOCAL_DOMAIN=mastodon.immae.eu
+ LOCAL_HTTPS=true
+ ALTERNATE_DOMAINS=immae.eu
+
+ PAPERCLIP_SECRET=${env.paperclip_secret}
+ SECRET_KEY_BASE=${env.secret_key_base}
+ OTP_SECRET=${env.otp_secret}
+
+ VAPID_PRIVATE_KEY=${env.vapid.private}
+ VAPID_PUBLIC_KEY=${env.vapid.public}
+
+ SMTP_DELIVERY_METHOD=sendmail
+ SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
+ SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
+ PAPERCLIP_ROOT_PATH=${varDir}
+
+ STREAMING_CLUSTER_NUM=1
+
+ RAILS_LOG_LEVEL=warn
+
+ # LDAP authentication (optional)
+ LDAP_ENABLED=true
+ LDAP_HOST=ldap.immae.eu
+ LDAP_PORT=636
+ LDAP_METHOD=simple_tls
+ LDAP_BASE="dc=immae,dc=eu"
+ LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+ LDAP_PASSWORD="${env.ldap.password}"
+ LDAP_UID="uid"
+ LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+ '';
+ }];
+ ids.uids.mastodon = env.user.uid;
+ ids.gids.mastodon = env.user.gid;
users.users.mastodon = {
name = "mastodon";
uid = config.ids.uids.mastodon;
group = "mastodon";
description = "Mastodon user";
- home = mastodon.varDir;
+ home = varDir;
useDefaultShell = true;
};
after = [ "network.target" "mastodon-web.service" ];
environment.NODE_ENV = "production";
- environment.SOCKET = mastodon.nodeSocket;
+ environment.SOCKET = nodeSocket;
path = [ pkgs.nodejs pkgs.bashInteractive ];
Restart = "always";
TimeoutSec = 15;
Type = "simple";
- WorkingDirectory = mastodon.railsRoot;
+ WorkingDirectory = mastodon;
};
- unitConfig.RequiresMountsFor = mastodon.varDir;
+ unitConfig.RequiresMountsFor = varDir;
};
systemd.services.mastodon-web = {
environment.RAILS_ENV = "production";
environment.BUNDLE_PATH = "${mastodon.gems}/${mastodon.gems.ruby.gemPath}";
environment.BUNDLE_GEMFILE = "${mastodon.gems.confFiles}/Gemfile";
- environment.SOCKET = mastodon.railsSocket;
+ environment.SOCKET = railsSocket;
path = [ mastodon.gems mastodon.gems.ruby pkgs.file ];
Restart = "always";
TimeoutSec = 60;
Type = "simple";
- WorkingDirectory = mastodon.railsRoot;
+ WorkingDirectory = mastodon;
};
- unitConfig.RequiresMountsFor = mastodon.varDir;
+ unitConfig.RequiresMountsFor = varDir;
};
systemd.services.mastodon-sidekiq = {
Restart = "always";
TimeoutSec = 15;
Type = "simple";
- WorkingDirectory = mastodon.railsRoot;
+ WorkingDirectory = mastodon;
};
- unitConfig.RequiresMountsFor = mastodon.varDir;
+ unitConfig.RequiresMountsFor = varDir;
};
system.activationScripts.mastodon = {
deps = [ "users" ];
text = ''
- install -m 0755 -o mastodon -g mastodon -d ${mastodon.socketsDir}
- install -m 0755 -o mastodon -g mastodon -d ${mastodon.varDir} ${mastodon.varDir}/tmp/cache
+ install -m 0755 -o mastodon -g mastodon -d ${socketsDir}
+ install -m 0755 -o mastodon -g mastodon -d ${varDir} ${varDir}/tmp/cache
'';
};
security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null;
system.extraSystemBuilderCmds = ''
mkdir -p $out/webapps
- ln -s ${mastodon.railsRoot}/public/ $out/webapps/tools_mastodon
+ ln -s ${mastodon}/public/ $out/webapps/tools_mastodon
'';
services.myWebsites.tools.vhostConfs.mastodon = {
certName = "eldiron";
ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
- RewriteRule ^/api/v1/streaming/(.+)$ unix://${mastodon.nodeSocket}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
- RewriteRule ^/api/v1/streaming/$ unix://${mastodon.nodeSocket}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
- ProxyPass / unix://${mastodon.railsSocket}|http://mastodon.immae.eu/
- ProxyPassReverse / unix://${mastodon.railsSocket}|http://mastodon.immae.eu/
+ RewriteRule ^/api/v1/streaming/(.+)$ unix://${nodeSocket}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
+ RewriteRule ^/api/v1/streaming/$ unix://${nodeSocket}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
+ ProxyPass / unix://${railsSocket}|http://mastodon.immae.eu/
+ ProxyPassReverse / unix://${railsSocket}|http://mastodon.immae.eu/
- Alias /system ${mastodon.varDir}
+ Alias /system ${varDir}
- <Directory ${mastodon.varDir}>
+ <Directory ${varDir}>
Require all granted
Options -MultiViews
</Directory>
projects / perso / Immae / Config / Nix.git / blobdiff