From 04bb4c2ed0fa7fd997f49201af13788e18e12c1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sat, 9 Dec 2023 09:18:29 +0000
Subject: [PATCH] start moving masto to bolty

---
 nixos/boxes/bolty/default.nix | 1 +
 nixos/boxes/bolty/mailgun.sops.yaml | 94 +++++++++++++
 nixos/boxes/bolty/mastodon-db.sops.yaml | 93 +++++++++++++
 nixos/boxes/bolty/mastodon.nix | 168 ++++++++++++++++++++++++
 nixos/boxes/bolty/videos.nix | 4 +-
 nixos/boxes/vpsfree1/mastodon.nix | 2 +-
 6 files changed, 360 insertions(+), 2 deletions(-)
 create mode 100644 nixos/boxes/bolty/mailgun.sops.yaml
 create mode 100644 nixos/boxes/bolty/mastodon-db.sops.yaml
 create mode 100644 nixos/boxes/bolty/mastodon.nix

diff --git a/nixos/boxes/bolty/default.nix b/nixos/boxes/bolty/default.nix
index c90d3092..29387df7 100644
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@@ -13,6 +13,7 @@
 ./home-security.nix
 ./influxdb.nix
 ./logs.nix
+ ./mastodon.nix
 ./nas.nix
 ./networking.nix
 ./nix-store-server.nix
diff --git a/nixos/boxes/bolty/mailgun.sops.yaml b/nixos/boxes/bolty/mailgun.sops.yaml
new file mode 100644
index 00000000..048055d0
--- /dev/null
+++ b/nixos/boxes/bolty/mailgun.sops.yaml
@@ -0,0 +1,94 @@ +gitea-mailgun-smtp-password: ENC[AES256_GCM,data:90aeGpoadDETlj3asOynIGFl0Fypsp0Eq7aKnGRR3+NGQr5DFg54gKrlX3KMZgddnSE=,iv:xjtVQEILVl+XFel+thoS8OvF/fpFYSNtt5MTRUhgyrI=,tag:8+KaSsB6/65TonpTl9Mi/A==,type:str] +mastodon-mailgun-smtp-password: ENC[AES256_GCM,data:Ln3rFbrddNtbnpqsG3i241BpT1B6sUXCPRpoV9QZxiKEF+E6AZjZw2LBXVcwgIm9Dd0=,iv:9BJuVSfOC48K69kDLUjr1oK3g0xSKAxlzDI/py3STt8=,tag:geLjytd+xC4dtf7hUMJ/8Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSeWVuY3Evcm1taWFSM3Jv + aFdUSGVCcXZ0MkFWbUhYMVlMKzNWbkw1WlVvClkrMUVrcjEzQ0tjN2hSOUdPdXNE + cnpnN3BqN1QwTVMvbklkL3B3ZlJOd00KLS0tIEdyMmp5VmpZdGZXRS9WdDBrWHE0 + aXZ0ZFJLZUplQVltS0VkMCtlMGdleFEK0aAWEkyRzM0SdR+eNTurVvD70yhJJxC7 + oRNuo5SD5XU4AMakCLffc1I4XkM8L6SwffS20yP+s9UY/D1n9FBZAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWUFBaHBZdmVIWnRuaHpT + WVBOLzJKNERBQXhrNVEyWVcyZllPSFV6bG40CisrQWU4R3plcHJ3ODRTbXNvL2dr + TXV0R3loVjUxcFI2dnJqaURMOXJqQWsKLS0tIHhpMkNlckc3VDNRelBmMTVNZy94 + T0hxY1hOLzNTYithQ0g0YlBuUExlK1UKOCUEwKPlXL+im23fxkbHY5iMD7tSaEq5 + qF686lZHPJ9hil/8O+cmQ/qQPOiEqJBh9cvw9deWo+T65pp7aeixRQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVTBodlh0cXl4MEc3cXli + ZndJV21aV2U3OEJLZXkrNmVPNy93T2tXbURBCnhBQVRGSXVaMXJiWG9jbU5kR1Jk + Um1seVd5L1FkK3YxRmp2ZExUekwzMTAKLS0tIHoyK0FwVG1HQ3BFc0huRUZneGFR + QUh6NGdtZ2xkbUhXeXdpeVdjZTdHZ1kK/DeOe18HwJpoRNxo4JvdNGc8Ema61J4w + oxTZpqszWeNItmLtTvWJk9kahR1PhUwReG3zhVpxa+SzJTkLLy9amQ== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCaVVpeVphcENhN1RNV0JK + MUFDTFo0aEZuN0dYOGU4YmQwampPdTJQcUEwCld1WlhFUG11bzZTL3MzOVhNa1J6 + RmhpeUN0Sm0xK1B6WTJsUjdCNXRzU2cKLS0tIHpNd1d4bVBXVlYyMG5hVjRkVi9Z + SFN5TUhqWWxHd2ZMeEdtUGV3SmljOUUKKPazmCwOsqYVLTW1wo6ie1+l910X5o6I + ygmi3TSv0ztwgqi94x3ma/1v82pPT/GCtGe22tCUOOiR+qn70mOGZw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRmFJMVJlMHBrNzltNDdq + RVZKYUJlMEcwVGtwaEI1RTloOHowbVNZREQ4CkFnSGlzM1VkWW5pcVNDWSsrQ1NI + dkVGaWhhaWd4VTA4RmplSUV0NTFpa0EKLS0tIEpqV1hWUEpvbytOOXNVeFhYWHNF + N0tHazQ3VEl2c1kwODNBd3lpS2NkM1kKt3uWMg2LuCeEquyYB5FNzEfI2qv7D1d2 + 8KD3X9mangmITwmLumdzcmxwEYmz0SD6im9fy413S1JZxDZonvZ8lA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaVI0N3JBbmFCdk9CMDk1 + bTB0NTJLb1J3S3JKcjk2dzFzdmJmQkpvbFdJCklFSW9PL2NSSFRSeGlkZmJqR1Av + dDlrMmw2L21kZDFFT0ZTNG5aK1YvSncKLS0tIEFVZlNOSVduUHhOMDI2Z1Z5R2Uw + TytkQnZ5RXp3R1pCSThjM0VYdnkxcncKGM4ceBAfyXpgRGLAvTdEpE31uXJSCktR + KhfUZ/3lvuu7M12ju4ogqdoTND88IWDL2sewmgkyFRRbuBMHfEbKBg== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRDhsU2tLRDU2Zm8zTkpy + d3Y4RGtPc3IzM1h3TVBHYi90eElDM25qZTBrCkdSL2I1SGxNaktZMzF0V0xiOHVy + ZXdGc095ZWRLWjNTdkMzVFlXMUNVY00KLS0tIFF2S3V2Y3hpMFN6Sm54dW9PVUVI + UjE1NXVYa2RzZHhmN2ZiTFltTERtd2sKmHDLboVclE9tn/2dtA21SWWQ8an27HEd + 6iUOFVPQ7Yy3wd64CU7sd+vUq7w24NMORjj+ltQJXnpDfedmoecALQ== + -----END AGE ENCRYPTED FILE----- + - recipient: 
age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVVlPeFkrdWN1aG9uWi9j + YVZacG1lRHA3VXpTWUlBSmFLbkxZemg0eFFvClZXcjJNLzVDVCtrZ3ZRNi92VWFM + VmJNeE1FWEVYWTZqQTdIYkYvUDhsZnMKLS0tIEg1RFNJUkJmNjVHMUQwMjBYb282 + NmQrUk15LzZrcHQzV2c0K3VPOVc4V2cKXDggWmSB4WZbAqFoc+rGTRrpbG25L6Xz + 7R3AD52Ul2dE60CdrPACoi7zJWKfr/QjJ5qfUi3xxhNn906qYRVQXQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBId1FBN0Y5dHY3S2c1cEhi + eFNGTkdrQ0luMEliYU0zOVJpdmFENy9iOHhrClNmTHdsK01EeFlTWGk3Y1R3YTMx + SERzbTZ2YUdreWFVaGlXdlh1aC91U1EKLS0tIFR3RzRJZHIyR1IxZG13SFlUeTdI + SVNKZ0psWE9LVG9qaVZ6cUJhYVFxVEkKEai4IXJstKRavu4hrV4PFWv69kjdvWit + Y7xHFrR5OS5/Elfg5uPk6fkF91H+niY5XPytuRAkNdkIJh29sDClvg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-12-03T22:10:58Z" + mac: ENC[AES256_GCM,data:gKoPQdINeMfQsofqxGLMRzikWfYqd9DFzR5JS7YQFHzlSrjxed6GFKr4YtKClBvfZU67AvE9OV6CyCweG9M5BFl9nDwjr8y85Lj0CvWrCtOVaQQ0nVloayrF4c1IKA2TH4BrXJA+kV9mSgc8eRYmwI6dY988nMLRsSp+oEgAJQk=,iv:d73wS8SaRao2L8MpRst1PXAtrjl8ViqiqoIFMzWKRv0=,tag:fMvq4Pp5BmM4A85VFBMlog==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/boxes/bolty/mastodon-db.sops.yaml b/nixos/boxes/bolty/mastodon-db.sops.yaml new file mode 100644 index 00000000..2b9952bc --- /dev/null +++ b/nixos/boxes/bolty/mastodon-db.sops.yaml 
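Review bot: This file carries `gitea-mailgun-smtp-password` next to `mastodon-mailgun-smtp-password`, although bolty's mastodon.nix only declares the latter; the bolty copy should hold only the secrets this box needs, so that the Gitea SMTP credential is not readable by every key that can open this file. The `lastmodified` stamp of 2022-12-03 predates this commit, which suggests the file was copied rather than re-encrypted with `sops updatekeys`; if bolty's host age key is not among the listed recipients, sops-nix will fail to decrypt at activation, which cannot be checked from the hunk. The recipient `age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla` also appears twice, harmless but a sign of a stale key list worth pruning. The same copied metadata and duplicate recipient appear in mastodon-db.sops.yaml below.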
@@ -0,0 +1,93 @@ +mastodon-db: "" +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM2JVelR6K0Zjbm5ubjJD + MVV5NkdhaGl1eE5oUUp1bm1VQmEvTThPRkE0CkRtQ2k4WHhkTlhNQ25tN1V5VkR3 + b3c0NzJuSFRLNnVRZUNkTml6dnRKMlUKLS0tIEt2UkFEVkFGbHFURkRONUlmMW0w + ZXNpZVh2eUpuRDZ3ZFhTcTAxU2FKWTAKuWxeWi10LGOBcDuruA1Nu2cbZ4ERN6B2 + ujbcoKVN9nA+wy5+HgBxfOFQ78KvkuRmIKfbLvyRX/9Pg8v5o1Ybhg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSi9CNnFCQTdGTjlqWlY5 + eS82NDV1WFpDOGNJZVJhblhVV0xPRGcwTmtzClFXQjVXNDZHVUFWVFNHQ1FOaGNM + SUxLTDZ0MXdrZVNsUUhkQUNWdStxUjgKLS0tIDlsNU9JUFFTOVdHcUxmMzVvNHUr + dnQ1T0FwMGtpdTBYODVBdHN5NjhtNHMKYb4+t8oyZ1lfFDIbjzGfiN7EihD7oef1 + cna9lEwgfm19G1yiPjgszlPQwdjvSk6vlPNYcOT1KYisGnTtRHUCvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcEpFUGE3bnBXYzlsZGl5 + RFR6bU56VVZRT3ZIaXc5cDYyd28vMUtoVkhVCjlwbmRBMngvWC9FQ1VsK1dxOXNo + UExONjFxZTE4S0dIeDR0VWFndEg5eUkKLS0tIHQxNWFGVHRHUGdTWTN5aVFsWGpj + TjYzVkkvUDlEOWZCM3Y3TUpHMWp1MXMKAxvbXIc0SgUdbzZvV53kqbLG8uDaSoOw + G1GWOJcruJ+WywsxoVcd6UA01GgUOYg9bAaeEJuzABfBG9u2WmL6DQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aTE3VFpZdmZYNVh4Rkw3 + Y2pXRXdWSUw2eWhHcEo1OFNnMEpRNjZzbUc0ClVGZXB2aWxXRUdZVmFWR0JDSitk + L0svd2RLb3A3QlV3ZG02TXQ3UkdlRXcKLS0tIDhVZTRHdDhJQ2ViSC9YU3ZIdURN + U3l2bjhjdktwWnpDSXFtWkp2cEFQa1kKy74uyFJcUf9L2EHcQ5RrymRFn5AsOtpQ + 
Ar1Tb+TCXsyXwMlXwqX5jTdKFxwpsgiT/GuE8mHjGOM9XoJPEHaoMA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVzRnN2xtOWw2dWlYZWR3 + b2g2WVlDcVk3eGRrQkV0ZER1a1ZLcDF2QWdjCnlMWDhMbkdFZVBkMXNwZFBKTW5z + QWxNSzRkRDdlT1FsUWpRNktYME5mcXcKLS0tIEh5UHpVb1gyeng1eXFjNnZlcTc1 + cVBMNDR6VmxTRTUzYTlETCtqTUZ6Nm8KSSlzWikCyVZsd1yzC8sq8e9UQnZhhQgl + jljUQOvLjDtjvmRMpTaAdGQuArVONWrk8UJheawo33BNL0lWyDSCcg== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQlNrNG5kRG1YRXhmbFRl + Q2tMZ1RBbTFmaUg4TmtxWkFTM3VqUHhkR1c4CkJEVzFqZXRDRndJd1FuQ0t2aXNt + YkZMbkhER1FKcWNaUWhpbWxxaSt2ZHcKLS0tIEJnSk9yeFRhckN2cEpUc3VXMGps + cXVqRWpJZk5zM1VPTVNzcFBSaG5pMU0KjIni2nzw98OgER95cOdzBrvuM80CdCzb + 46FU071PAWBpgAH5SvIsI85At6fl0B8rKrce1nBSUDhvlnq4RbQpJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWGtnR2ltS2I0R0p0VlV1 + MUJyRTZsNUV0M0l6N2QrYnIyTHRrUmlmdERVCnBMU0MzNG5WQmpFcXpkM1BETFhn + RTV5R2ZZNFh6bEhkaVArenFobUZSUWcKLS0tIDUyUnpkQ29nbXdIaVhmN1dZWHhl + TERUMWJycHhWYXN0YzEwajBBVy9tYkEKSPZUnP65cRFgZdD7uHOyaMnMzPvuwHNf + 7Q2Y0vCevwmppPt6TsNWWMKJUjWkdgAeAmmkKcSuaDi2EthdnxlwCQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTS2FRbm1VUEFhN1NFc3RB + QVRSRHBvbGdXcDVuanluaFZuUmlxSkJ2NHhRCi92ZGpWV0d2Z2ZMYnhyUTJlcDZB + YlhsQzdCYWRmV3RZOXdiVlpWZzJtcEUKLS0tIDhqaHFwTUR1bi91SldFeXloUExY + dFhJU3RmT204SitRazVRVEE1Y1plb2MKMv1gUa7xMixd6GyJWgous6gd6u/TPNpo + 
9BKtmf4F9VQRdrghf+dZgExsbqD+14wdVMmncWXDBt2/G9++kxngUQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SlVhOTBZZHQxNWV0SnZj + eGJJNFhnV2hyY0xqaWNEVmtJdWZjMkxUNEVvCnpaL0xvaEh4TG1sTWtRdWdPSk94 + SzIrZUFwNktObVNQalozbmd3Wnd6SEkKLS0tIE1WYWNTc2Z4bmlzOTRRakgzN0hK + U0lzVDRnQVV2Q0h2OHVKRmVhcVE5U2MKDGo89QvLMEehTjUowAa4kTXsqauGvZeP + eTw2bqpOkpVwdtMroHcz3Su8ZqDb+ejGE6n3GcwEUUuyPNSn/iE+hQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-26T12:03:57Z" + mac: ENC[AES256_GCM,data:9istsKh21b1w5UNXJyjbR8FmjLyZL+QiBNtfFyVtLv6/rc90NSFfXzq8jVTUA/DHkMNhe6Zt+ieCucc2+MjZoKX77JFMcJgPYzdrhT7Fzk9U+7XMIUN+vKuh3RRV9f6zNiGSHAwjN3Gz0yvFWxlrvZ4W1hpjpKQ6LKXkW0c2l88=,iv:dZQeInjC96GJpSppAez0/Ovte+zns/FSP7KY/5+dcpE=,tag:wajCNA52jC+PCpUmF8ctOQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/boxes/bolty/mastodon.nix b/nixos/boxes/bolty/mastodon.nix new file mode 100644 index 00000000..62a5806a --- /dev/null +++ b/nixos/boxes/bolty/mastodon.nix 
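Review bot: `mastodon-db: ""` stores an empty database password, and because sops does not encrypt empty values it is visible in cleartext to anyone with repository access rather than protected like the other entries. bolty's mastodon.nix hands this file to `services.mastodon.database.passwordFile`, so the container's Mastodon role receives an empty password file; if Postgres inside the container authenticates that role over the local socket this is merely dead configuration, but if TCP password authentication on port 5432 is in play it amounts to an empty-password database role. Either put a real value here through `sops` or leave `database.passwordFile` unset until one exists, and add a comment such as `# placeholder: createLocally uses socket auth, no password needed` if the empty value is intentional.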
@@ -0,0 +1,168 @@
+{
+ config,
+ pkgs,
+ inputs,
+ lib,
+ ...
+}: let
+ newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system};
+ package = newestPackages.mastodon;
+ domain = "peninsula.industries";
+ internalWebPort = 55002;
+ postgresPort = 5432;
+ path = "/data/mastodon";
+ mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
+ mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
+ mastodonDbSecretName = "mastodon-db";
+ mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
+ uid = 2049;
+ gid = 3049;
+ systemUserName = "mastodon";
+ systemGroupName = "mastodon";
+ users = {
+ users."${systemUserName}" = {
+ inherit uid;
+ isSystemUser = true;
+ isNormalUser = false;
+ group = systemGroupName;
+ };
+ groups."${systemGroupName}" = {
+ inherit gid;
+ members = ["${systemUserName}" "nginx"];
+ };
+ };
+ secretSettings = {
+ owner = systemUserName;
+ group = systemGroupName;
+ };
+ publicPath = "${path}/public-system/";
+in {
+ imports = [../nginx.nix];
+ system.stateVersion = "23.05";
+
+ networking.firewall.allowedTCPPorts = [internalWebPort];
+ services.nginx = {
+ virtualHosts = {
+ "masto-system.internal.cyplo.dev" = {
+ root = "${publicPath}";
+ };
+ };
+ };
+
+ sops.secrets."${mailgunSmtpSecretName}" =
+ {
+ sopsFile = ./mailgun.sops.yaml;
+ path = mailgunSmtpPasswordPath;
+ }
+ // secretSettings;
+ sops.secrets."${mastodonDbSecretName}" =
+ {
+ sopsFile = ./mastodon-db.sops.yaml;
+ path = mastodonDbSecretPath;
+ }
+ // secretSettings;
+
+ inherit users;
+
+ systemd.services.mastodon-make-path = {
+ script = ''
+ mkdir -p ${path}
+ chown -R ${systemUserName}:${systemGroupName} ${path}
+ mkdir -p ${publicPath}
+ chmod -R o-rwx ${publicPath}
+ chmod -R g-rwx ${publicPath}
+ chmod -R g+X ${publicPath}
+ chmod -R g+r ${publicPath}
+ chmod -R u+rwX ${publicPath}
+ '';
+ serviceConfig = {Type = "oneshot";};
+ before = ["container@mastodon.service"];
+ };
+
+ containers.mastodon = {
+ autoStart = true;
+ hostAddress = "100.69.177.80";
+ forwardPorts = [
+ {
+ containerPort = internalWebPort;
+ hostPort = internalWebPort;
+ }
+ ];
+ bindMounts = {
+ "/var/lib/mastodon" = {
+ hostPath = "${path}";
+ isReadOnly = false;
+ };
+ "${mailgunSmtpPasswordPath}" = {
+ hostPath = "${mailgunSmtpPasswordPath}";
+ isReadOnly = true;
+ };
+ "${mastodonDbSecretPath}" = {
+ hostPath = "${mastodonDbSecretPath}";
+ isReadOnly = true;
+ };
+ };
+ config = {
+ config,
+ pkgs,
+ lib,
+ ...
+ }: {
+ system.stateVersion = "23.05";
+ services.postgresql.port = postgresPort;
+ users =
+ users
+ // {
+ mutableUsers = false;
+ allowNoPasswordLogin = true;
+ };
+ systemd.services.mastodon-media-auto-remove = {
+ description = "Mastodon media auto remove";
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "/var/lib/mastodon/.secrets_env";
+ };
+ script = ''
+ /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --prune-profiles --include-follows -c1
+ /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --remove-headers --include-follows -c1
+ /run/current-system/sw/bin/mastodon-tootctl preview_cards remove --days=8
+ '';
+ startAt = "daily";
+ };
+ services.mastodon = {
+ enable = true;
+ inherit package;
+ localDomain = "${domain}";
+ user = systemUserName;
+ group = systemGroupName;
+ mediaAutoRemove.enable = false;
+ streamingProcesses = 2;
+ smtp = {
+ host = "smtp.eu.mailgun.org";
+ port = 465;
+ authenticate = true;
+ user = "postmaster@${domain}";
+ fromAddress = "Peninsula Industries Mastodon ";
+ createLocally = false;
+ passwordFile = "${mailgunSmtpPasswordPath}";
+ };
+ sidekiqThreads = 8;
+ extraConfig = {
+ SMTP_TLS = "true";
+ SMTP_ENABLE_STARTTLS_AUTO = "true";
+ SINGLE_USER_MODE = "true";
+ RAILS_SERVE_STATIC_FILES = "true";
+ AUTHORIZED_FETCH = "true";
+ DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
+ };
+ webPort = internalWebPort;
+ configureNginx = false;
+ enableUnixSocket = false;
+ database = {
+ port = postgresPort;
+ passwordFile = mastodonDbSecretPath;
+ };
+ };
+ };
+ };
+}
diff --git a/nixos/boxes/bolty/videos.nix b/nixos/boxes/bolty/videos.nix
index 0df868ae..bc8c6b06 100644
--- a/nixos/boxes/bolty/videos.nix
+++ b/nixos/boxes/bolty/videos.nix
@@ -2,13 +2,15 @@
 domain = "vidyos.peninsula.industries";
 port = 3876;
 in {
+ services.postgresql.port = 5444;
 services.invidious = {
 package = inputs.nixpkgs-nixos-unstable.legacyPackages."x86_64-linux".invidious;
- enable = true;
+ enable = false;
 inherit domain;
 inherit port;
 database.createLocally = true;
+ database.port = 5444;
 nginx.enable = false;
 settings = {
 external_port = 443;
diff --git a/nixos/boxes/vpsfree1/mastodon.nix b/nixos/boxes/vpsfree1/mastodon.nix
index b2a6d87b..dc734d5d 100644
--- a/nixos/boxes/vpsfree1/mastodon.nix
+++ b/nixos/boxes/vpsfree1/mastodon.nix
@@ -154,7 +154,7 @@ in {
 createLocally = false;
 passwordFile = "${mailgunSmtpPasswordPath}";
 };
- sidekiqThreads = 8;
+ sidekiqThreads = 2;
 extraConfig = {
 SMTP_TLS = "true";
 SMTP_ENABLE_STARTTLS_AUTO = "true";
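Review bot: `networking.firewall.allowedTCPPorts = [internalWebPort];` opens the plain-HTTP Mastodon web port 55002 on every host interface, while `configureNginx = false` together with the `../nginx.nix` import suggests the host's nginx is meant to be the only client; a loopback reverse proxy needs no firewall opening, so the line should go unless something off-host must reach puma directly. `containers.mastodon` sets `hostAddress` and `forwardPorts` but not `privateNetwork = true`, so those two settings appear to be inert and the container shares the host's network namespace — presumably why videos.nix in this same commit moves the host Postgres to 5444 out of the way of the container's 5432. In that shared namespace the container's Postgres on 5432, and anything else it listens on, is reachable by every host process; `privateNetwork = true;` with a `localAddress` alongside the existing `forwardPorts` would confine it to the veth link. The `mastodon-media-auto-remove` unit also sets `EnvironmentFile = "/var/lib/mastodon/.secrets_env"` with no `User`, so the secrets are loaded into a root-owned unit; if the `mastodon-tootctl` wrapper already sources that file and switches to the mastodon user, as it appears to in nixpkgs, the `EnvironmentFile` line can be dropped — confirm against the wrapper before removing it.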