diff options
Diffstat (limited to 'nixops/modules/websites')
-rw-r--r-- | nixops/modules/websites/tools/mastodon/default.nix | 99 | ||||
-rw-r--r-- | nixops/modules/websites/tools/mastodon/mastodon.nix | 61 |
2 files changed, 74 insertions, 86 deletions
diff --git a/nixops/modules/websites/tools/mastodon/default.nix b/nixops/modules/websites/tools/mastodon/default.nix index 919bac2..3279cf8 100644 --- a/nixops/modules/websites/tools/mastodon/default.nix +++ b/nixops/modules/websites/tools/mastodon/default.nix | |||
@@ -1,10 +1,13 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | 1 | { lib, pkgs, config, myconfig, mylibs, ... }: |
2 | let | 2 | let |
3 | mastodon = pkgs.callPackage ./mastodon.nix { | 3 | varDir = "/var/lib/mastodon_immae"; |
4 | inherit (pkgs.webapps) mastodon; | 4 | socketsDir = "/run/mastodon"; |
5 | env = myconfig.env.tools.mastodon; | 5 | nodeSocket = "${socketsDir}/live_immae_node.sock"; |
6 | }; | 6 | railsSocket = "${socketsDir}/live_immae_puma.sock"; |
7 | |||
8 | mastodon = pkgs.webapps.mastodon.override { inherit varDir; }; | ||
7 | 9 | ||
10 | env = myconfig.env.tools.mastodon; | ||
8 | root = "/run/current-system/webapps/tools_mastodon"; | 11 | root = "/run/current-system/webapps/tools_mastodon"; |
9 | cfg = config.services.myWebsites.tools.mastodon; | 12 | cfg = config.services.myWebsites.tools.mastodon; |
10 | in { | 13 | in { |
@@ -13,16 +16,62 @@ in { | |||
13 | }; | 16 | }; |
14 | 17 | ||
15 | config = lib.mkIf cfg.enable { | 18 | config = lib.mkIf cfg.enable { |
16 | mySecrets.keys = mastodon.keys; | 19 | mySecrets.keys = [{ |
17 | ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid; | 20 | dest = "webapps/tools-mastodon"; |
18 | ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid; | 21 | user = "mastodon"; |
22 | group = "mastodon"; | ||
23 | permissions = "0400"; | ||
24 | text = '' | ||
25 | REDIS_HOST=${env.redis.host} | ||
26 | REDIS_PORT=${env.redis.port} | ||
27 | REDIS_DB=${env.redis.db} | ||
28 | DB_HOST=${env.postgresql.socket} | ||
29 | DB_USER=${env.postgresql.user} | ||
30 | DB_NAME=${env.postgresql.database} | ||
31 | DB_PASS=${env.postgresql.password} | ||
32 | DB_PORT=${env.postgresql.port} | ||
33 | |||
34 | LOCAL_DOMAIN=mastodon.immae.eu | ||
35 | LOCAL_HTTPS=true | ||
36 | ALTERNATE_DOMAINS=immae.eu | ||
37 | |||
38 | PAPERCLIP_SECRET=${env.paperclip_secret} | ||
39 | SECRET_KEY_BASE=${env.secret_key_base} | ||
40 | OTP_SECRET=${env.otp_secret} | ||
41 | |||
42 | VAPID_PRIVATE_KEY=${env.vapid.private} | ||
43 | VAPID_PUBLIC_KEY=${env.vapid.public} | ||
44 | |||
45 | SMTP_DELIVERY_METHOD=sendmail | ||
46 | SMTP_FROM_ADDRESS=mastodon@tools.immae.eu | ||
47 | SENDMAIL_LOCATION="/run/wrappers/bin/sendmail" | ||
48 | PAPERCLIP_ROOT_PATH=${varDir} | ||
49 | |||
50 | STREAMING_CLUSTER_NUM=1 | ||
51 | |||
52 | RAILS_LOG_LEVEL=warn | ||
53 | |||
54 | # LDAP authentication (optional) | ||
55 | LDAP_ENABLED=true | ||
56 | LDAP_HOST=ldap.immae.eu | ||
57 | LDAP_PORT=636 | ||
58 | LDAP_METHOD=simple_tls | ||
59 | LDAP_BASE="dc=immae,dc=eu" | ||
60 | LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu" | ||
61 | LDAP_PASSWORD="${env.ldap.password}" | ||
62 | LDAP_UID="uid" | ||
63 | LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))" | ||
64 | ''; | ||
65 | }]; | ||
66 | ids.uids.mastodon = env.user.uid; | ||
67 | ids.gids.mastodon = env.user.gid; | ||
19 | 68 | ||
20 | users.users.mastodon = { | 69 | users.users.mastodon = { |
21 | name = "mastodon"; | 70 | name = "mastodon"; |
22 | uid = config.ids.uids.mastodon; | 71 | uid = config.ids.uids.mastodon; |
23 | group = "mastodon"; | 72 | group = "mastodon"; |
24 | description = "Mastodon user"; | 73 | description = "Mastodon user"; |
25 | home = mastodon.varDir; | 74 | home = varDir; |
26 | useDefaultShell = true; | 75 | useDefaultShell = true; |
27 | }; | 76 | }; |
28 | 77 | ||
@@ -34,7 +83,7 @@ in { | |||
34 | after = [ "network.target" "mastodon-web.service" ]; | 83 | after = [ "network.target" "mastodon-web.service" ]; |
35 | 84 | ||
36 | environment.NODE_ENV = "production"; | 85 | environment.NODE_ENV = "production"; |
37 | environment.SOCKET = mastodon.nodeSocket; | 86 | environment.SOCKET = nodeSocket; |
38 | 87 | ||
39 | path = [ pkgs.nodejs pkgs.bashInteractive ]; | 88 | path = [ pkgs.nodejs pkgs.bashInteractive ]; |
40 | 89 | ||
@@ -60,10 +109,10 @@ in { | |||
60 | Restart = "always"; | 109 | Restart = "always"; |
61 | TimeoutSec = 15; | 110 | TimeoutSec = 15; |
62 | Type = "simple"; | 111 | Type = "simple"; |
63 | WorkingDirectory = mastodon.railsRoot; | 112 | WorkingDirectory = mastodon; |
64 | }; | 113 | }; |
65 | 114 | ||
66 | unitConfig.RequiresMountsFor = mastodon.varDir; | 115 | unitConfig.RequiresMountsFor = varDir; |
67 | }; | 116 | }; |
68 | 117 | ||
69 | systemd.services.mastodon-web = { | 118 | systemd.services.mastodon-web = { |
@@ -74,7 +123,7 @@ in { | |||
74 | environment.RAILS_ENV = "production"; | 123 | environment.RAILS_ENV = "production"; |
75 | environment.BUNDLE_PATH = "${mastodon.gems}/${mastodon.gems.ruby.gemPath}"; | 124 | environment.BUNDLE_PATH = "${mastodon.gems}/${mastodon.gems.ruby.gemPath}"; |
76 | environment.BUNDLE_GEMFILE = "${mastodon.gems.confFiles}/Gemfile"; | 125 | environment.BUNDLE_GEMFILE = "${mastodon.gems.confFiles}/Gemfile"; |
77 | environment.SOCKET = mastodon.railsSocket; | 126 | environment.SOCKET = railsSocket; |
78 | 127 | ||
79 | path = [ mastodon.gems mastodon.gems.ruby pkgs.file ]; | 128 | path = [ mastodon.gems mastodon.gems.ruby pkgs.file ]; |
80 | 129 | ||
@@ -93,10 +142,10 @@ in { | |||
93 | Restart = "always"; | 142 | Restart = "always"; |
94 | TimeoutSec = 60; | 143 | TimeoutSec = 60; |
95 | Type = "simple"; | 144 | Type = "simple"; |
96 | WorkingDirectory = mastodon.railsRoot; | 145 | WorkingDirectory = mastodon; |
97 | }; | 146 | }; |
98 | 147 | ||
99 | unitConfig.RequiresMountsFor = mastodon.varDir; | 148 | unitConfig.RequiresMountsFor = varDir; |
100 | }; | 149 | }; |
101 | 150 | ||
102 | systemd.services.mastodon-sidekiq = { | 151 | systemd.services.mastodon-sidekiq = { |
@@ -122,17 +171,17 @@ in { | |||
122 | Restart = "always"; | 171 | Restart = "always"; |
123 | TimeoutSec = 15; | 172 | TimeoutSec = 15; |
124 | Type = "simple"; | 173 | Type = "simple"; |
125 | WorkingDirectory = mastodon.railsRoot; | 174 | WorkingDirectory = mastodon; |
126 | }; | 175 | }; |
127 | 176 | ||
128 | unitConfig.RequiresMountsFor = mastodon.varDir; | 177 | unitConfig.RequiresMountsFor = varDir; |
129 | }; | 178 | }; |
130 | 179 | ||
131 | system.activationScripts.mastodon = { | 180 | system.activationScripts.mastodon = { |
132 | deps = [ "users" ]; | 181 | deps = [ "users" ]; |
133 | text = '' | 182 | text = '' |
134 | install -m 0755 -o mastodon -g mastodon -d ${mastodon.socketsDir} | 183 | install -m 0755 -o mastodon -g mastodon -d ${socketsDir} |
135 | install -m 0755 -o mastodon -g mastodon -d ${mastodon.varDir} ${mastodon.varDir}/tmp/cache | 184 | install -m 0755 -o mastodon -g mastodon -d ${varDir} ${varDir}/tmp/cache |
136 | ''; | 185 | ''; |
137 | }; | 186 | }; |
138 | 187 | ||
@@ -142,7 +191,7 @@ in { | |||
142 | security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null; | 191 | security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null; |
143 | system.extraSystemBuilderCmds = '' | 192 | system.extraSystemBuilderCmds = '' |
144 | mkdir -p $out/webapps | 193 | mkdir -p $out/webapps |
145 | ln -s ${mastodon.railsRoot}/public/ $out/webapps/tools_mastodon | 194 | ln -s ${mastodon}/public/ $out/webapps/tools_mastodon |
146 | ''; | 195 | ''; |
147 | services.myWebsites.tools.vhostConfs.mastodon = { | 196 | services.myWebsites.tools.vhostConfs.mastodon = { |
148 | certName = "eldiron"; | 197 | certName = "eldiron"; |
@@ -172,14 +221,14 @@ in { | |||
172 | ProxyPassMatch ^(/.*\.(png|ico|gif)$) ! | 221 | ProxyPassMatch ^(/.*\.(png|ico|gif)$) ! |
173 | ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) ! | 222 | ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) ! |
174 | 223 | ||
175 | RewriteRule ^/api/v1/streaming/(.+)$ unix://${mastodon.nodeSocket}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L] | 224 | RewriteRule ^/api/v1/streaming/(.+)$ unix://${nodeSocket}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L] |
176 | RewriteRule ^/api/v1/streaming/$ unix://${mastodon.nodeSocket}|ws://mastodon.immae.eu/ [P,NE,QSA,L] | 225 | RewriteRule ^/api/v1/streaming/$ unix://${nodeSocket}|ws://mastodon.immae.eu/ [P,NE,QSA,L] |
177 | ProxyPass / unix://${mastodon.railsSocket}|http://mastodon.immae.eu/ | 226 | ProxyPass / unix://${railsSocket}|http://mastodon.immae.eu/ |
178 | ProxyPassReverse / unix://${mastodon.railsSocket}|http://mastodon.immae.eu/ | 227 | ProxyPassReverse / unix://${railsSocket}|http://mastodon.immae.eu/ |
179 | 228 | ||
180 | Alias /system ${mastodon.varDir} | 229 | Alias /system ${varDir} |
181 | 230 | ||
182 | <Directory ${mastodon.varDir}> | 231 | <Directory ${varDir}> |
183 | Require all granted | 232 | Require all granted |
184 | Options -MultiViews | 233 | Options -MultiViews |
185 | </Directory> | 234 | </Directory> |
diff --git a/nixops/modules/websites/tools/mastodon/mastodon.nix b/nixops/modules/websites/tools/mastodon/mastodon.nix deleted file mode 100644 index 83e3a54..0000000 --- a/nixops/modules/websites/tools/mastodon/mastodon.nix +++ /dev/null | |||
@@ -1,61 +0,0 @@ | |||
1 | { env, mastodon }: | ||
2 | let | ||
3 | varDir = "/var/lib/mastodon_immae"; | ||
4 | socketsDir = "/run/mastodon"; | ||
5 | keys.mastodon = { | ||
6 | dest = "webapps/tools-mastodon"; | ||
7 | user = "mastodon"; | ||
8 | group = "mastodon"; | ||
9 | permissions = "0400"; | ||
10 | text = '' | ||
11 | REDIS_HOST=${env.redis.host} | ||
12 | REDIS_PORT=${env.redis.port} | ||
13 | REDIS_DB=${env.redis.db} | ||
14 | DB_HOST=${env.postgresql.socket} | ||
15 | DB_USER=${env.postgresql.user} | ||
16 | DB_NAME=${env.postgresql.database} | ||
17 | DB_PASS=${env.postgresql.password} | ||
18 | DB_PORT=${env.postgresql.port} | ||
19 | |||
20 | LOCAL_DOMAIN=mastodon.immae.eu | ||
21 | LOCAL_HTTPS=true | ||
22 | ALTERNATE_DOMAINS=immae.eu | ||
23 | |||
24 | PAPERCLIP_SECRET=${env.paperclip_secret} | ||
25 | SECRET_KEY_BASE=${env.secret_key_base} | ||
26 | OTP_SECRET=${env.otp_secret} | ||
27 | |||
28 | VAPID_PRIVATE_KEY=${env.vapid.private} | ||
29 | VAPID_PUBLIC_KEY=${env.vapid.public} | ||
30 | |||
31 | SMTP_DELIVERY_METHOD=sendmail | ||
32 | SMTP_FROM_ADDRESS=mastodon@tools.immae.eu | ||
33 | SENDMAIL_LOCATION="/run/wrappers/bin/sendmail" | ||
34 | PAPERCLIP_ROOT_PATH=${varDir} | ||
35 | |||
36 | STREAMING_CLUSTER_NUM=1 | ||
37 | |||
38 | RAILS_LOG_LEVEL=warn | ||
39 | |||
40 | # LDAP authentication (optional) | ||
41 | LDAP_ENABLED=true | ||
42 | LDAP_HOST=ldap.immae.eu | ||
43 | LDAP_PORT=636 | ||
44 | LDAP_METHOD=simple_tls | ||
45 | LDAP_BASE="dc=immae,dc=eu" | ||
46 | LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu" | ||
47 | LDAP_PASSWORD="${env.ldap.password}" | ||
48 | LDAP_UID="uid" | ||
49 | LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))" | ||
50 | ''; | ||
51 | }; | ||
52 | |||
53 | railsRoot = mastodon.override { inherit varDir; }; | ||
54 | in | ||
55 | { | ||
56 | inherit varDir railsRoot socketsDir; | ||
57 | inherit (railsRoot.passthru) gems; | ||
58 | keys = builtins.attrValues keys; | ||
59 | nodeSocket = "${socketsDir}/live_immae_node.sock"; | ||
60 | railsSocket = "${socketsDir}/live_immae_puma.sock"; | ||
61 | } | ||