{ lib, pkgs, config, myconfig, ... }:
let
env = myconfig.env.tools.mastodon;
root = "/run/current-system/webapps/tools_mastodon";
cfg = config.myServices.websites.tools.mastodon;
mcfg = config.services.mastodon;
in {
options.myServices.websites.tools.mastodon = {
enable = lib.mkEnableOption "enable mastodon's website";
};
config = lib.mkIf cfg.enable {
services.duplyBackup.profiles.mastodon = {
rootDir = mcfg.dataDir;
};
secrets.keys = [{
dest = "webapps/tools-mastodon";
user = "mastodon";
group = "mastodon";
permissions = "0400";
text = ''
REDIS_HOST=${env.redis.host}
REDIS_PORT=${env.redis.port}
REDIS_DB=${env.redis.db}
DB_HOST=${env.postgresql.socket}
DB_USER=${env.postgresql.user}
DB_NAME=${env.postgresql.database}
DB_PASS=${env.postgresql.password}
DB_PORT=${env.postgresql.port}
LOCAL_DOMAIN=mastodon.immae.eu
LOCAL_HTTPS=true
ALTERNATE_DOMAINS=immae.eu
PAPERCLIP_SECRET=${env.paperclip_secret}
SECRET_KEY_BASE=${env.secret_key_base}
OTP_SECRET=${env.otp_secret}
VAPID_PRIVATE_KEY=${env.vapid.private}
VAPID_PUBLIC_KEY=${env.vapid.public}
SMTP_DELIVERY_METHOD=sendmail
SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
STREAMING_CLUSTER_NUM=1
RAILS_LOG_LEVEL=warn
# LDAP authentication (optional)
LDAP_ENABLED=true
LDAP_HOST=ldap.immae.eu
LDAP_PORT=636
LDAP_METHOD=simple_tls
LDAP_BASE="dc=immae,dc=eu"
LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
LDAP_PASSWORD="${env.ldap.password}"
LDAP_UID="uid"
LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
'';
}];
services.mastodon = {
enable = true;
configFile = "/var/secrets/webapps/tools-mastodon";
socketsPrefix = "live_immae";
dataDir = "/var/lib/mastodon_immae";
};
services.filesWatcher.mastodon-streaming = {
restart = true;
paths = [ mcfg.configFile ];
};
services.filesWatcher.mastodon-web = {
restart = true;
paths = [ mcfg.configFile ];
};
services.filesWatcher.mastodon-sidekiq = {
restart = true;
paths = [ mcfg.configFile ];
};
services.websites.env.tools.modules = [
"headers" "proxy" "proxy_wstunnel" "proxy_http"
];
system.extraSystemBuilderCmds = ''
mkdir -p $out/webapps
ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
'';
services.websites.env.tools.vhostConfs.mastodon = {
certName = "eldiron";
addToCerts = true;
hosts = ["mastodon.immae.eu" ];
root = root;
extraConfig = [ ''
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Cache-Control "public, max-age=31536000, immutable"
Require all granted
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
RewriteEngine On
ProxyPass /500.html !
ProxyPass /sw.js !
ProxyPass /embed.js !
ProxyPass /robots.txt !
ProxyPass /manifest.json !
ProxyPass /browserconfig.xml !
ProxyPass /mask-icon.svg !
ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
Alias /system ${mcfg.dataDir}
Require all granted
Options -MultiViews
Require all granted
Options -MultiViews +FollowSymlinks
ErrorDocument 500 /500.html
ErrorDocument 501 /500.html
ErrorDocument 502 /500.html
ErrorDocument 503 /500.html
ErrorDocument 504 /500.html
'' ];
};
};
}