Move websites/tools to modules

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-22 20:01:33 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-22 20:01:33 +0200
commit: 4288c2f2431fb782b0d512b1b3749187f2374b6a (patch)
tree: aaf812414f91d6b695a7507265e7572de8dc477c /modules/private/websites/tools/mastodon
parent: f40f5b235b890f46770a22f005f8a0f664cf0562 (diff)
download: Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.gz
Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.zst
Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.zip
1 files changed, 128 insertions, 0 deletions
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
new file mode 100644
index 0000000..d742a33
--- /dev/null
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -0,0 +1,128 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  env = myconfig.env.tools.mastodon;
+  root = "/run/current-system/webapps/tools_mastodon";
+  cfg = config.myServices.websites.tools.mastodon;
+  mcfg = config.services.mastodon;
+in {
+  options.myServices.websites.tools.mastodon = {
+    enable = lib.mkEnableOption "enable mastodon's website";
+  };
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [{
+      dest = "webapps/tools-mastodon";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0400";
+      text = ''
+        REDIS_HOST=${env.redis.host}
+        REDIS_PORT=${env.redis.port}
+        REDIS_DB=${env.redis.db}
+        DB_HOST=${env.postgresql.socket}
+        DB_USER=${env.postgresql.user}
+        DB_NAME=${env.postgresql.database}
+        DB_PASS=${env.postgresql.password}
+        DB_PORT=${env.postgresql.port}
+        LOCAL_DOMAIN=mastodon.immae.eu
+        LOCAL_HTTPS=true
+        ALTERNATE_DOMAINS=immae.eu
+        PAPERCLIP_SECRET=${env.paperclip_secret}
+        SECRET_KEY_BASE=${env.secret_key_base}
+        OTP_SECRET=${env.otp_secret}
+        VAPID_PRIVATE_KEY=${env.vapid.private}
+        VAPID_PUBLIC_KEY=${env.vapid.public}
+        SMTP_DELIVERY_METHOD=sendmail
+        SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
+        SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
+        PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
+        STREAMING_CLUSTER_NUM=1
+        RAILS_LOG_LEVEL=warn
+        # LDAP authentication (optional)
+        LDAP_ENABLED=true
+        LDAP_HOST=ldap.immae.eu
+        LDAP_PORT=636
+        LDAP_METHOD=simple_tls
+        LDAP_BASE="dc=immae,dc=eu"
+        LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+        LDAP_PASSWORD="${env.ldap.password}"
+        LDAP_UID="uid"
+        LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+      '';
+    }];
+    services.mastodon = {
+      enable = true;
+      configFile = "/var/secrets/webapps/tools-mastodon";
+      socketsPrefix = "live_immae";
+      dataDir = "/var/lib/mastodon_immae";
+    };
+    services.websites.tools.modules = [
+      "headers" "proxy" "proxy_wstunnel" "proxy_http"
+    ];
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
+      '';
+    services.websites.tools.vhostConfs.mastodon = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["mastodon.immae.eu" ];
+      root        = root;
+      extraConfig = [ ''
+        Header always set Referrer-Policy "strict-origin-when-cross-origin"
+        Header always set Strict-Transport-Security "max-age=31536000"
+        <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
+          Header always set Cache-Control "public, max-age=31536000, immutable"
+          Require all granted
+        </LocationMatch>
+        ProxyPreserveHost On
+        RequestHeader set X-Forwarded-Proto "https"
+        RewriteEngine On
+        ProxyPass /500.html !
+        ProxyPass /sw.js !
+        ProxyPass /embed.js !
+        ProxyPass /robots.txt !
+        ProxyPass /manifest.json !
+        ProxyPass /browserconfig.xml !
+        ProxyPass /mask-icon.svg !
+        ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
+        ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
+        RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
+        RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
+        ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+        ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+        Alias /system ${mcfg.dataDir}
+        <Directory ${mcfg.dataDir}>
+          Require all granted
+          Options -MultiViews
+        </Directory>
+        <Directory ${root}>
+          Require all granted
+          Options -MultiViews +FollowSymlinks
+        </Directory>
+        ErrorDocument 500 /500.html
+        ErrorDocument 501 /500.html
+        ErrorDocument 502 /500.html
+        ErrorDocument 503 /500.html
+        ErrorDocument 504 /500.html
+      '' ];
+    };
+  };
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-22 20:01:33 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-22 20:01:33 +0200
commit	4288c2f2431fb782b0d512b1b3749187f2374b6a (patch)
tree	aaf812414f91d6b695a7507265e7572de8dc477c /modules/private/websites/tools/mastodon
parent	f40f5b235b890f46770a22f005f8a0f664cf0562 (diff)
download	Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.gz Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.zst Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.zip

diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix new file mode 100644 index 0000000..d742a33 --- /dev/null +++ b/modules/private/websites/tools/mastodon/default.nix
@@ -0,0 +1,128 @@
	1	{ lib, pkgs, config, myconfig, ... }:
	2	let
	3	env = myconfig.env.tools.mastodon;
	4	root = "/run/current-system/webapps/tools_mastodon";
	5	cfg = config.myServices.websites.tools.mastodon;
	6	mcfg = config.services.mastodon;
	7	in {
	8	options.myServices.websites.tools.mastodon = {
	9	enable = lib.mkEnableOption "enable mastodon's website";
	10	};
	11
	12	config = lib.mkIf cfg.enable {
	13	secrets.keys = [{
	14	dest = "webapps/tools-mastodon";
	15	user = "mastodon";
	16	group = "mastodon";
	17	permissions = "0400";
	18	text = ''
	19	REDIS_HOST=${env.redis.host}
	20	REDIS_PORT=${env.redis.port}
	21	REDIS_DB=${env.redis.db}
	22	DB_HOST=${env.postgresql.socket}
	23	DB_USER=${env.postgresql.user}
	24	DB_NAME=${env.postgresql.database}
	25	DB_PASS=${env.postgresql.password}
	26	DB_PORT=${env.postgresql.port}
	27
	28	LOCAL_DOMAIN=mastodon.immae.eu
	29	LOCAL_HTTPS=true
	30	ALTERNATE_DOMAINS=immae.eu
	31
	32	PAPERCLIP_SECRET=${env.paperclip_secret}
	33	SECRET_KEY_BASE=${env.secret_key_base}
	34	OTP_SECRET=${env.otp_secret}
	35
	36	VAPID_PRIVATE_KEY=${env.vapid.private}
	37	VAPID_PUBLIC_KEY=${env.vapid.public}
	38
	39	SMTP_DELIVERY_METHOD=sendmail
	40	SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
	41	SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
	42	PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
	43
	44	STREAMING_CLUSTER_NUM=1
	45
	46	RAILS_LOG_LEVEL=warn
	47
	48	# LDAP authentication (optional)
	49	LDAP_ENABLED=true
	50	LDAP_HOST=ldap.immae.eu
	51	LDAP_PORT=636
	52	LDAP_METHOD=simple_tls
	53	LDAP_BASE="dc=immae,dc=eu"
	54	LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
	55	LDAP_PASSWORD="${env.ldap.password}"
	56	LDAP_UID="uid"
	57	LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
	58	'';
	59	}];
	60	services.mastodon = {
	61	enable = true;
	62	configFile = "/var/secrets/webapps/tools-mastodon";
	63	socketsPrefix = "live_immae";
	64	dataDir = "/var/lib/mastodon_immae";
	65	};
	66
	67	services.websites.tools.modules = [
	68	"headers" "proxy" "proxy_wstunnel" "proxy_http"
	69	];
	70	system.extraSystemBuilderCmds = ''
	71	mkdir -p $out/webapps
	72	ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
	73	'';
	74	services.websites.tools.vhostConfs.mastodon = {
	75	certName = "eldiron";
	76	addToCerts = true;
	77	hosts = ["mastodon.immae.eu" ];
	78	root = root;
	79	extraConfig = [ ''
	80	Header always set Referrer-Policy "strict-origin-when-cross-origin"
	81	Header always set Strict-Transport-Security "max-age=31536000"
	82
	83	<LocationMatch "^/(assets\|avatars\|emoji\|headers\|packs\|sounds\|system)>
	84	Header always set Cache-Control "public, max-age=31536000, immutable"
	85	Require all granted
	86	</LocationMatch>
	87
	88	ProxyPreserveHost On
	89	RequestHeader set X-Forwarded-Proto "https"
	90
	91	RewriteEngine On
	92
	93	ProxyPass /500.html !
	94	ProxyPass /sw.js !
	95	ProxyPass /embed.js !
	96	ProxyPass /robots.txt !
	97	ProxyPass /manifest.json !
	98	ProxyPass /browserconfig.xml !
	99	ProxyPass /mask-icon.svg !
	100	ProxyPassMatch ^(/.*\.(png\|ico\|gif)$) !
	101	ProxyPassMatch ^/(assets\|avatars\|emoji\|headers\|packs\|sounds\|system\|.well-known/acme-challenge) !
	102
	103	RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}\|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
	104	RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}\|ws://mastodon.immae.eu/ [P,NE,QSA,L]
	105	ProxyPass / unix://${mcfg.sockets.rails}\|http://mastodon.immae.eu/
	106	ProxyPassReverse / unix://${mcfg.sockets.rails}\|http://mastodon.immae.eu/
	107
	108	Alias /system ${mcfg.dataDir}
	109
	110	<Directory ${mcfg.dataDir}>
	111	Require all granted
	112	Options -MultiViews
	113	</Directory>
	114
	115	<Directory ${root}>
	116	Require all granted
	117	Options -MultiViews +FollowSymlinks
	118	</Directory>
	119
	120	ErrorDocument 500 /500.html
	121	ErrorDocument 501 /500.html
	122	ErrorDocument 502 /500.html
	123	ErrorDocument 503 /500.html
	124	ErrorDocument 504 /500.html
	125	'' ];
	126	};
	127	};
	128	}