Add mastodon service
diff --git a/virtual/modules/websites/tools/mastodon/mastodon.nix b/virtual/modules/websites/tools/mastodon/mastodon.nix
new file mode 100644 (file)
index 0000000..e948852
--- /dev/null
@@ -0,0 +1,100 @@
+{ checkEnv, fetchedGithub, stdenv, writeText, pkgs, cacert }:
+let
+  varDir = "/var/lib/mastodon_immae";
+  socketsDir = "/run/mastodon";
+  mastodon = stdenv.mkDerivation (fetchedGithub ./mastodon.json // rec {
+    buildPhase = ''
+      export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
+      export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
+
+      bundle install --deployment --without development test
+      yarn install --pure-lockfile
+    '';
+    installPhase = ''
+      cp -a . $out
+    '';
+    propagatedBuildInputs = with pkgs; [
+      zlib icu libchardet git bundler yarn
+      protobuf protobufc libidn libpqxx nodejs
+      imagemagick ffmpeg libxml2 libxslt pkgconfig
+      autoconf bison libyaml readline ncurses libffi gdbm
+      jemalloc which postgresql python3 cacert
+    ];
+  });
+  config =
+      assert checkEnv "NIXOPS_MASTODON_DB_PASS";
+      assert checkEnv "NIXOPS_MASTODON_PAPERCLIP_SECRET";
+      assert checkEnv "NIXOPS_MASTODON_SECRET_KEY_BASE";
+      assert checkEnv "NIXOPS_MASTODON_OTP_SECRET";
+      assert checkEnv "NIXOPS_MASTODON_VAPID_PRIVATE_KEY";
+      assert checkEnv "NIXOPS_MASTODON_VAPID_PUBLIC_KEY";
+      assert checkEnv "NIXOPS_MASTODON_OTP_SECRET";
+      assert checkEnv "NIXOPS_MASTODON_LDAP_PASSWORD";
+      writeText "mastodon_environment" ''
+    REDIS_HOST=localhost
+    REDIS_PORT=6379
+    REDIS_DB=13
+    DB_HOST=/run/postgresql
+    DB_USER=mastodon
+    DB_NAME=mastodon
+    DB_PASS=${builtins.getEnv "NIXOPS_MASTODON_DB_PASS"}
+    DB_PORT=5432
+
+    LOCAL_DOMAIN=mastodon.immae.eu
+    LOCAL_HTTPS=true
+    ALTERNATE_DOMAINS=immae.eu
+
+    PAPERCLIP_SECRET=${builtins.getEnv "NIXOPS_MASTODON_PAPERCLIP_SECRET"}
+    SECRET_KEY_BASE=${builtins.getEnv "NIXOPS_MASTODON_SECRET_KEY_BASE"}
+    OTP_SECRET=${builtins.getEnv "NIXOPS_MASTODON_OTP_SECRET"}
+
+    VAPID_PRIVATE_KEY=${builtins.getEnv "NIXOPS_MASTODON_VAPID_PRIVATE_KEY"}
+    VAPID_PUBLIC_KEY=${builtins.getEnv "NIXOPS_MASTODON_VAPID_PUBLIC_KEY"}
+
+    SMTP_SERVER=mail.immae.eu
+    SMTP_PORT=587
+    SMTP_FROM_ADDRESS=notifications@mastodon.immae.eu
+    SMTP_DELIVERY_METHOD=smtp
+    PAPERCLIP_ROOT_PATH=${varDir}
+
+    STREAMING_CLUSTER_NUM=1
+
+    # LDAP authentication (optional)
+    LDAP_ENABLED=true
+    LDAP_HOST=ldap.immae.eu
+    LDAP_PORT=636
+    LDAP_METHOD=simple_tls
+    LDAP_BASE="dc=immae,dc=eu"
+    LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+    LDAP_PASSWORD="${builtins.getEnv "NIXOPS_MASTODON_LDAP_PASSWORD"}"
+    LDAP_UID="uid"
+    LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+    '';
+
+    railsRoot = stdenv.mkDerivation {
+      name = "mastodon_immae";
+      inherit config mastodon;
+      builder = writeText "build_mastodon_immae" ''
+        source $stdenv/setup
+        set -a
+        source $config
+        set +a
+        cp -a $mastodon $out
+        cd $out
+        chmod u+rwX . node_modules public
+        RAILS_ENV=production bundle exec rails assets:precompile
+        '';
+      propagatedBuildInputs = with pkgs; [
+        zlib icu libchardet git bundler yarn
+        protobuf protobufc libidn libpqxx nodejs
+        imagemagick ffmpeg libxml2 libxslt pkgconfig
+        autoconf bison libyaml readline ncurses libffi gdbm
+        jemalloc which postgresql python3 cacert
+      ];
+    };
+in
+  {
+    inherit railsRoot config varDir socketsDir;
+    nodeSocket = "${socketsDir}/live_immae_node.sock";
+    railsSocket = "${socketsDir}/live_immae_puma.sock";
+  }
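Review bot: The `writeText "mastodon_environment"` derivation interpolates `builtins.getEnv` for DB_PASS, PAPERCLIP_SECRET, SECRET_KEY_BASE, OTP_SECRET, VAPID_PRIVATE_KEY and LDAP_PASSWORD, so every one of those secrets is copied into a Nix store path, which on a standard install is world-readable and also ends up in any binary cache the store is pushed to. The same file is then passed as `config` into `railsRoot` and sourced in its builder, so the secrets additionally become a build input of that derivation. A safer layout is to keep only the non-secret settings in the store-written file and have the deployment (e.g. a nixops key or a root-only file under `${varDir}`) provide the secret variables at service start, with `railsRoot`'s asset precompile given only the values it actually needs. Separately, `assert checkEnv "NIXOPS_MASTODON_OTP_SECRET";` appears twice (once where the VAPID checks are), so one of the two can be dropped. Whether the network fetches in `bundle install`/`yarn install` run inside a sandboxed build is not visible here; if they do not, the resulting store path is not reproducible from `mastodon.json` alone.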