aboutsummaryrefslogtreecommitdiff
path: root/modules/private/websites/tools/mastodon
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-22 20:01:33 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-22 20:01:33 +0200
commit4288c2f2431fb782b0d512b1b3749187f2374b6a (patch)
treeaaf812414f91d6b695a7507265e7572de8dc477c /modules/private/websites/tools/mastodon
parentf40f5b235b890f46770a22f005f8a0f664cf0562 (diff)
downloadNix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.gz
Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.zst
Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.zip
Move websites/tools to modules
Diffstat (limited to 'modules/private/websites/tools/mastodon')
-rw-r--r--modules/private/websites/tools/mastodon/default.nix128
1 files changed, 128 insertions, 0 deletions
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
new file mode 100644
index 0000000..d742a33
--- /dev/null
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -0,0 +1,128 @@
1{ lib, pkgs, config, myconfig, ... }:
2let
3 env = myconfig.env.tools.mastodon;
4 root = "/run/current-system/webapps/tools_mastodon";
5 cfg = config.myServices.websites.tools.mastodon;
6 mcfg = config.services.mastodon;
7in {
8 options.myServices.websites.tools.mastodon = {
9 enable = lib.mkEnableOption "enable mastodon's website";
10 };
11
12 config = lib.mkIf cfg.enable {
13 secrets.keys = [{
14 dest = "webapps/tools-mastodon";
15 user = "mastodon";
16 group = "mastodon";
17 permissions = "0400";
18 text = ''
19 REDIS_HOST=${env.redis.host}
20 REDIS_PORT=${env.redis.port}
21 REDIS_DB=${env.redis.db}
22 DB_HOST=${env.postgresql.socket}
23 DB_USER=${env.postgresql.user}
24 DB_NAME=${env.postgresql.database}
25 DB_PASS=${env.postgresql.password}
26 DB_PORT=${env.postgresql.port}
27
28 LOCAL_DOMAIN=mastodon.immae.eu
29 LOCAL_HTTPS=true
30 ALTERNATE_DOMAINS=immae.eu
31
32 PAPERCLIP_SECRET=${env.paperclip_secret}
33 SECRET_KEY_BASE=${env.secret_key_base}
34 OTP_SECRET=${env.otp_secret}
35
36 VAPID_PRIVATE_KEY=${env.vapid.private}
37 VAPID_PUBLIC_KEY=${env.vapid.public}
38
39 SMTP_DELIVERY_METHOD=sendmail
40 SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
41 SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
42 PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
43
44 STREAMING_CLUSTER_NUM=1
45
46 RAILS_LOG_LEVEL=warn
47
48 # LDAP authentication (optional)
49 LDAP_ENABLED=true
50 LDAP_HOST=ldap.immae.eu
51 LDAP_PORT=636
52 LDAP_METHOD=simple_tls
53 LDAP_BASE="dc=immae,dc=eu"
54 LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
55 LDAP_PASSWORD="${env.ldap.password}"
56 LDAP_UID="uid"
57 LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
58 '';
59 }];
60 services.mastodon = {
61 enable = true;
62 configFile = "/var/secrets/webapps/tools-mastodon";
63 socketsPrefix = "live_immae";
64 dataDir = "/var/lib/mastodon_immae";
65 };
66
67 services.websites.tools.modules = [
68 "headers" "proxy" "proxy_wstunnel" "proxy_http"
69 ];
70 system.extraSystemBuilderCmds = ''
71 mkdir -p $out/webapps
72 ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
73 '';
74 services.websites.tools.vhostConfs.mastodon = {
75 certName = "eldiron";
76 addToCerts = true;
77 hosts = ["mastodon.immae.eu" ];
78 root = root;
79 extraConfig = [ ''
80 Header always set Referrer-Policy "strict-origin-when-cross-origin"
81 Header always set Strict-Transport-Security "max-age=31536000"
82
83 <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
84 Header always set Cache-Control "public, max-age=31536000, immutable"
85 Require all granted
86 </LocationMatch>
87
88 ProxyPreserveHost On
89 RequestHeader set X-Forwarded-Proto "https"
90
91 RewriteEngine On
92
93 ProxyPass /500.html !
94 ProxyPass /sw.js !
95 ProxyPass /embed.js !
96 ProxyPass /robots.txt !
97 ProxyPass /manifest.json !
98 ProxyPass /browserconfig.xml !
99 ProxyPass /mask-icon.svg !
100 ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
101 ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
102
103 RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
104 RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
105 ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
106 ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
107
108 Alias /system ${mcfg.dataDir}
109
110 <Directory ${mcfg.dataDir}>
111 Require all granted
112 Options -MultiViews
113 </Directory>
114
115 <Directory ${root}>
116 Require all granted
117 Options -MultiViews +FollowSymlinks
118 </Directory>
119
120 ErrorDocument 500 /500.html
121 ErrorDocument 501 /500.html
122 ErrorDocument 502 /500.html
123 ErrorDocument 503 /500.html
124 ErrorDocument 504 /500.html
125 '' ];
126 };
127 };
128}