1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
{ lib, pkgs, config, myconfig, ... }:
let
env = myconfig.env.tools.mastodon;
root = "/run/current-system/webapps/tools_mastodon";
cfg = config.myServices.websites.tools.mastodon;
mcfg = config.services.mastodon;
in {
options.myServices.websites.tools.mastodon = {
enable = lib.mkEnableOption "enable mastodon's website";
};
config = lib.mkIf cfg.enable {
secrets.keys = [{
dest = "webapps/tools-mastodon";
user = "mastodon";
group = "mastodon";
permissions = "0400";
text = ''
REDIS_HOST=${env.redis.host}
REDIS_PORT=${env.redis.port}
REDIS_DB=${env.redis.db}
DB_HOST=${env.postgresql.socket}
DB_USER=${env.postgresql.user}
DB_NAME=${env.postgresql.database}
DB_PASS=${env.postgresql.password}
DB_PORT=${env.postgresql.port}
LOCAL_DOMAIN=mastodon.immae.eu
LOCAL_HTTPS=true
ALTERNATE_DOMAINS=immae.eu
PAPERCLIP_SECRET=${env.paperclip_secret}
SECRET_KEY_BASE=${env.secret_key_base}
OTP_SECRET=${env.otp_secret}
VAPID_PRIVATE_KEY=${env.vapid.private}
VAPID_PUBLIC_KEY=${env.vapid.public}
SMTP_DELIVERY_METHOD=sendmail
SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
STREAMING_CLUSTER_NUM=1
RAILS_LOG_LEVEL=warn
# LDAP authentication (optional)
LDAP_ENABLED=true
LDAP_HOST=ldap.immae.eu
LDAP_PORT=636
LDAP_METHOD=simple_tls
LDAP_BASE="dc=immae,dc=eu"
LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
LDAP_PASSWORD="${env.ldap.password}"
LDAP_UID="uid"
LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
'';
}];
services.mastodon = {
enable = true;
configFile = "/var/secrets/webapps/tools-mastodon";
socketsPrefix = "live_immae";
dataDir = "/var/lib/mastodon_immae";
};
services.websites.tools.modules = [
"headers" "proxy" "proxy_wstunnel" "proxy_http"
];
system.extraSystemBuilderCmds = ''
mkdir -p $out/webapps
ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
'';
services.websites.tools.vhostConfs.mastodon = {
certName = "eldiron";
addToCerts = true;
hosts = ["mastodon.immae.eu" ];
root = root;
extraConfig = [ ''
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=31536000"
<LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
Header always set Cache-Control "public, max-age=31536000, immutable"
Require all granted
</LocationMatch>
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
RewriteEngine On
ProxyPass /500.html !
ProxyPass /sw.js !
ProxyPass /embed.js !
ProxyPass /robots.txt !
ProxyPass /manifest.json !
ProxyPass /browserconfig.xml !
ProxyPass /mask-icon.svg !
ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
Alias /system ${mcfg.dataDir}
<Directory ${mcfg.dataDir}>
Require all granted
Options -MultiViews
</Directory>
<Directory ${root}>
Require all granted
Options -MultiViews +FollowSymlinks
</Directory>
ErrorDocument 500 /500.html
ErrorDocument 501 /500.html
ErrorDocument 502 /500.html
ErrorDocument 503 /500.html
ErrorDocument 504 /500.html
'' ];
};
};
}
|
