Diffstat (limited to 'systems/eldiron/websites/mastodon/default.nix')
-rw-r--r-- | systems/eldiron/websites/mastodon/default.nix | 174 |
1 files changed, 174 insertions, 0 deletions
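--- /dev/null
+++ b/systems/eldiron/websites/mastodon/default.nix
@@ -0,0 +1,174 @@
+{ lib, pkgs, config, ... }:
+let
+env = config.myEnv.tools.mastodon;
+root = "${mcfg.workdir}/public/";
+cfg = config.myServices.websites.tools.mastodon;
+mcfg = config.immaeServices.mastodon;
+in {
+options.myServices.websites.tools.mastodon = {
+enable = lib.mkEnableOption "enable mastodon's website";
+};
+
+config = lib.mkIf cfg.enable {
+myServices.dns.zones."immae.eu".subdomains.mastodon =
+with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+
+myServices.chatonsProperties.services.mastodon = {
+file.datetime = "2022-08-21T19:50:00";
+service = {
+name = "Mastodon";
+description = "Your self-hosted, globally interconnected microblogging community";
+website = "https://mastodon.immae.eu/";
+logo = "https://mastodon.immae.eu/apple-touch-icon.png";
+status.level = "OK";
+status.description = "OK";
+registration."" = ["MEMBER" "CLIENT"];
+registration.load = "OPEN";
+install.type = "PACKAGE";
+};
+software = {
+name = "Mastodon";
+website = "https://joinmastodon.org/";
+license.url = "https://github.com/tootsuite/mastodon/blob/master/LICENSE";
+license.name = "GNU General Public License v3.0";
+version = mcfg.package.version;
+source.url = "https://github.com/tootsuite/mastodon";
+};
+};
+secrets.keys."webapps/tools-mastodon" = {
+user = "mastodon";
+group = "mastodon";
+permissions = "0400";
+text = ''
+REDIS_HOST=${env.redis.host}
+REDIS_PORT=${env.redis.port}
+REDIS_DB=${env.redis.db}
+DB_HOST=${env.postgresql.socket}
+DB_USER=${env.postgresql.user}
+DB_NAME=${env.postgresql.database}
+DB_PASS=${env.postgresql.password}
+DB_PORT=${env.postgresql.port}
+
+LOCAL_DOMAIN=mastodon.immae.eu
+LOCAL_HTTPS=true
+ALTERNATE_DOMAINS=immae.eu
+
+PAPERCLIP_SECRET=${env.paperclip_secret}
+SECRET_KEY_BASE=${env.secret_key_base}
+OTP_SECRET=${env.otp_secret}
+
+VAPID_PRIVATE_KEY=${env.vapid.private}
+VAPID_PUBLIC_KEY=${env.vapid.public}
+
+SMTP_DELIVERY_METHOD=sendmail
+SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
+SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
+PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
+
+STREAMING_CLUSTER_NUM=1
+
+RAILS_LOG_LEVEL=warn
+
+# LDAP authentication (optional)
+LDAP_ENABLED=true
+LDAP_HOST=${env.ldap.host}
+LDAP_PORT=636
+LDAP_METHOD=simple_tls
+LDAP_BASE="${env.ldap.base}"
+LDAP_BIND_DN="${env.ldap.dn}"
+LDAP_PASSWORD="${env.ldap.password}"
+LDAP_UID="uid"
+LDAP_SEARCH_FILTER="${env.ldap.filter}"
+'';
+};
+immaeServices.mastodon = {
+enable = true;
+configFile = config.secrets.fullPaths."webapps/tools-mastodon";
+socketsPrefix = "live_immae";
+dataDir = "/var/lib/mastodon_immae";
+};
+services.filesWatcher.mastodon-streaming = {
+restart = true;
+paths = [ mcfg.configFile ];
+};
+services.filesWatcher.mastodon-web = {
+restart = true;
+paths = [ mcfg.configFile ];
+};
+services.filesWatcher.mastodon-sidekiq = {
+restart = true;
+paths = [ mcfg.configFile ];
+};
+
+
+services.websites.env.tools.modules = [
+"headers" "proxy" "proxy_wstunnel" "proxy_http"
+];
+security.acme.certs.eldiron.extraDomainNames = [ "mastodon.immae.eu" ];
+services.websites.env.tools.vhostConfs.mastodon = {
+certName = "eldiron";
+hosts = ["mastodon.immae.eu" ];
+root = root;
+extraConfig = [ ''
+Header always set Referrer-Policy "strict-origin-when-cross-origin"
+Header always set Strict-Transport-Security "max-age=31536000"
+
+<LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
+Header always set Cache-Control "public, max-age=31536000, immutable"
+Require all granted
+</LocationMatch>
+
+ProxyPreserveHost On
+RequestHeader set X-Forwarded-Proto "https"
+
+RewriteEngine On
+
+RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
+RewriteRule ^/api/v1/streaming/public$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/public [P,NE,QSA,L]
+RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
+RewriteCond %{REQUEST_URI} !/500.html
+RewriteCond %{REQUEST_URI} !/sw.js
+RewriteCond %{REQUEST_URI} !/embed.js
+RewriteCond %{REQUEST_URI} !/robots.txt
+RewriteCond %{REQUEST_URI} !/manifest.json
+RewriteCond %{REQUEST_URI} !/browserconfig.xml
+RewriteCond %{REQUEST_URI} !/mask-icon.svg
+RewriteCond %{REQUEST_URI} !^(/.*\.(png|ico|gif)$)
+RewriteCond %{REQUEST_URI} !^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge)
+RewriteRule ^/(.*)$ unix:///run/mastodon/live_immae_puma.sock|http://mastodon.immae.eu/$1 [P,NE,QSA,L]
+ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+
+Alias /system ${mcfg.dataDir}
+
+<Directory ${mcfg.dataDir}>
+Require all granted
+Options -MultiViews
+</Directory>
+
+<Directory ${root}>
+Require all granted
+Options -MultiViews +FollowSymlinks
+</Directory>
+
+ErrorDocument 500 /500.html
+ErrorDocument 501 /500.html
+ErrorDocument 502 /500.html
+ErrorDocument 503 /500.html
+ErrorDocument 504 /500.html
+'' ];
+};
+myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
+myServices.monitoring.fromMasterObjects.service = [
+{
+service_description = "mastodon website is running on mastodon.immae.eu";
+host_name = config.hostEnv.fqdn;
+use = "external-web-service";
+check_command = ["check_https" "mastodon.immae.eu" "/" "Mastodon</title>"];
+
+servicegroups = "webstatus-webapps";
+_webstatus_name = "Mastodon";
+_webstatus_url = "https://mastodon.immae.eu/";
+}
+];
+};
+}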
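Review bot: The puma socket in the catch-all RewriteRule (file line 138) is hard-coded as `/run/mastodon/live_immae_puma.sock`, while the ProxyPassReverse on line 139 and the streaming rules on lines 126–128 derive their targets from `${mcfg.sockets.rails}` / `${mcfg.sockets.node}`; if `socketsPrefix` or the module's runtime directory changes, the rewrite would keep proxying to a stale path while the reverse mapping follows the module. Suggest `RewriteRule ^/(.*)$ unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/$1 [P,NE,QSA,L]` so all four proxy targets come from the same option. Separately, the `<Directory ${mcfg.dataDir}>` block on line 143 only sets `Options -MultiViews`; if the enclosing server config enables `Indexes`, the aliased `/system` upload tree becomes listable, so adding `-Indexes` there would make the intent explicit regardless of the global default. The `<LocationMatch` on line 116 also appears to lack the closing quote before `>`; worth confirming Apache parses that argument as intended.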