basic mastodon setup

This commit is contained in:
Cyryl Płotnicki 2022-11-26 11:10:35 +00:00
parent 157372b2ba
commit cc8a094452
4 changed files with 327 additions and 0 deletions


@ -11,6 +11,7 @@
./fossil.nix
./foundryvtt.nix
./gitea.nix
./mastodon.nix
./matrix-front.nix
./rss.nix
./search.nix
@ -26,5 +27,10 @@
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
time.timeZone = "Europe/London";
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 50;
};
nix.buildCores = 7;
}

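--- /dev/null
+++ b/mailgun.sops.yaml
@@ -0,0 +1,93 @@
+mailgun-smtp-password: ENC[AES256_GCM,data:n46qt7mnpDpu00Ah0i7HOFZMyFzKGoZo8X/7Mb2jKEEmCFyGo1egq3vViXdDsPx87DQ=,iv:b6DNlT0AGkMgsut1S3W4KcvyshJ6kQHlqQhv3PqqnM0=,tag:SzsvTOcL5/Oi7U0nldqI+g==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSeWVuY3Evcm1taWFSM3Jv
+aFdUSGVCcXZ0MkFWbUhYMVlMKzNWbkw1WlVvClkrMUVrcjEzQ0tjN2hSOUdPdXNE
+cnpnN3BqN1QwTVMvbklkL3B3ZlJOd00KLS0tIEdyMmp5VmpZdGZXRS9WdDBrWHE0
+aXZ0ZFJLZUplQVltS0VkMCtlMGdleFEK0aAWEkyRzM0SdR+eNTurVvD70yhJJxC7
+oRNuo5SD5XU4AMakCLffc1I4XkM8L6SwffS20yP+s9UY/D1n9FBZAg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFWUFBaHBZdmVIWnRuaHpT
+WVBOLzJKNERBQXhrNVEyWVcyZllPSFV6bG40CisrQWU4R3plcHJ3ODRTbXNvL2dr
+TXV0R3loVjUxcFI2dnJqaURMOXJqQWsKLS0tIHhpMkNlckc3VDNRelBmMTVNZy94
+T0hxY1hOLzNTYithQ0g0YlBuUExlK1UKOCUEwKPlXL+im23fxkbHY5iMD7tSaEq5
+qF686lZHPJ9hil/8O+cmQ/qQPOiEqJBh9cvw9deWo+T65pp7aeixRQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVTBodlh0cXl4MEc3cXli
+ZndJV21aV2U3OEJLZXkrNmVPNy93T2tXbURBCnhBQVRGSXVaMXJiWG9jbU5kR1Jk
+Um1seVd5L1FkK3YxRmp2ZExUekwzMTAKLS0tIHoyK0FwVG1HQ3BFc0huRUZneGFR
+QUh6NGdtZ2xkbUhXeXdpeVdjZTdHZ1kK/DeOe18HwJpoRNxo4JvdNGc8Ema61J4w
+oxTZpqszWeNItmLtTvWJk9kahR1PhUwReG3zhVpxa+SzJTkLLy9amQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCaVVpeVphcENhN1RNV0JK
+MUFDTFo0aEZuN0dYOGU4YmQwampPdTJQcUEwCld1WlhFUG11bzZTL3MzOVhNa1J6
+RmhpeUN0Sm0xK1B6WTJsUjdCNXRzU2cKLS0tIHpNd1d4bVBXVlYyMG5hVjRkVi9Z
+SFN5TUhqWWxHd2ZMeEdtUGV3SmljOUUKKPazmCwOsqYVLTW1wo6ie1+l910X5o6I
+ygmi3TSv0ztwgqi94x3ma/1v82pPT/GCtGe22tCUOOiR+qn70mOGZw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBRmFJMVJlMHBrNzltNDdq
+RVZKYUJlMEcwVGtwaEI1RTloOHowbVNZREQ4CkFnSGlzM1VkWW5pcVNDWSsrQ1NI
+dkVGaWhhaWd4VTA4RmplSUV0NTFpa0EKLS0tIEpqV1hWUEpvbytOOXNVeFhYWHNF
+N0tHazQ3VEl2c1kwODNBd3lpS2NkM1kKt3uWMg2LuCeEquyYB5FNzEfI2qv7D1d2
+8KD3X9mangmITwmLumdzcmxwEYmz0SD6im9fy413S1JZxDZonvZ8lA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaVI0N3JBbmFCdk9CMDk1
+bTB0NTJLb1J3S3JKcjk2dzFzdmJmQkpvbFdJCklFSW9PL2NSSFRSeGlkZmJqR1Av
+dDlrMmw2L21kZDFFT0ZTNG5aK1YvSncKLS0tIEFVZlNOSVduUHhOMDI2Z1Z5R2Uw
+TytkQnZ5RXp3R1pCSThjM0VYdnkxcncKGM4ceBAfyXpgRGLAvTdEpE31uXJSCktR
+KhfUZ/3lvuu7M12ju4ogqdoTND88IWDL2sewmgkyFRRbuBMHfEbKBg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRDhsU2tLRDU2Zm8zTkpy
+d3Y4RGtPc3IzM1h3TVBHYi90eElDM25qZTBrCkdSL2I1SGxNaktZMzF0V0xiOHVy
+ZXdGc095ZWRLWjNTdkMzVFlXMUNVY00KLS0tIFF2S3V2Y3hpMFN6Sm54dW9PVUVI
+UjE1NXVYa2RzZHhmN2ZiTFltTERtd2sKmHDLboVclE9tn/2dtA21SWWQ8an27HEd
+6iUOFVPQ7Yy3wd64CU7sd+vUq7w24NMORjj+ltQJXnpDfedmoecALQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVVlPeFkrdWN1aG9uWi9j
+YVZacG1lRHA3VXpTWUlBSmFLbkxZemg0eFFvClZXcjJNLzVDVCtrZ3ZRNi92VWFM
+VmJNeE1FWEVYWTZqQTdIYkYvUDhsZnMKLS0tIEg1RFNJUkJmNjVHMUQwMjBYb282
+NmQrUk15LzZrcHQzV2c0K3VPOVc4V2cKXDggWmSB4WZbAqFoc+rGTRrpbG25L6Xz
+7R3AD52Ul2dE60CdrPACoi7zJWKfr/QjJ5qfUi3xxhNn906qYRVQXQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBId1FBN0Y5dHY3S2c1cEhi
+eFNGTkdrQ0luMEliYU0zOVJpdmFENy9iOHhrClNmTHdsK01EeFlTWGk3Y1R3YTMx
+SERzbTZ2YUdreWFVaGlXdlh1aC91U1EKLS0tIFR3RzRJZHIyR1IxZG13SFlUeTdI
+SVNKZ0psWE9LVG9qaVZ6cUJhYVFxVEkKEai4IXJstKRavu4hrV4PFWv69kjdvWit
+Y7xHFrR5OS5/Elfg5uPk6fkF91H+niY5XPytuRAkNdkIJh29sDClvg==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2022-11-26T11:45:27Z"
+mac: ENC[AES256_GCM,data:oaL1xKVsSrTgsyQBWmkB8JcMFfpEIzRTtknzyHtVco/x8fzPtiiun+23Th8hoCZ1siz29MT74J3eUW7mrchKAUz9hm4JDhAZGs0qg2dVCVZgPP4xNHISbOCb05rTkqW4ocXhfbFZHiP0ZQw6LKGgIpy8ncOsYd3rZVEjBFq4ajU=,iv:Rb5sjUPvpDEgheiSiGQjX064YOPnFb/cClh6gtXno+g=,tag:Z/VIoHZWcpA87MhBUFPwSQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3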
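Review bot: The recipient `age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla` is listed twice in the `age:` section (two separate `enc:` stanzas), which points at a duplicated key in the repository's `.sops.yaml` creation rule; the file still decrypts, but the rule should be deduplicated so every `sops updatekeys` does not keep wrapping the file key twice for the same recipient. More importantly, the Mailgun SMTP password is wrapped to nine entries (eight distinct age keys), so whoever holds any of those keys can read a credential that only the Mastodon host needs; a dedicated creation rule listing just that host's key plus an operator key would follow least privilege. Which of these keys belong to machines and which to people cannot be told from this file, so treat that as something to check against `.sops.yaml`.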

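--- /dev/null
+++ b/mastodon-db.sops.yaml
@@ -0,0 +1,93 @@
+mastodon-db: ""
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM2JVelR6K0Zjbm5ubjJD
+MVV5NkdhaGl1eE5oUUp1bm1VQmEvTThPRkE0CkRtQ2k4WHhkTlhNQ25tN1V5VkR3
+b3c0NzJuSFRLNnVRZUNkTml6dnRKMlUKLS0tIEt2UkFEVkFGbHFURkRONUlmMW0w
+ZXNpZVh2eUpuRDZ3ZFhTcTAxU2FKWTAKuWxeWi10LGOBcDuruA1Nu2cbZ4ERN6B2
+ujbcoKVN9nA+wy5+HgBxfOFQ78KvkuRmIKfbLvyRX/9Pg8v5o1Ybhg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSi9CNnFCQTdGTjlqWlY5
+eS82NDV1WFpDOGNJZVJhblhVV0xPRGcwTmtzClFXQjVXNDZHVUFWVFNHQ1FOaGNM
+SUxLTDZ0MXdrZVNsUUhkQUNWdStxUjgKLS0tIDlsNU9JUFFTOVdHcUxmMzVvNHUr
+dnQ1T0FwMGtpdTBYODVBdHN5NjhtNHMKYb4+t8oyZ1lfFDIbjzGfiN7EihD7oef1
+cna9lEwgfm19G1yiPjgszlPQwdjvSk6vlPNYcOT1KYisGnTtRHUCvw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcEpFUGE3bnBXYzlsZGl5
+RFR6bU56VVZRT3ZIaXc5cDYyd28vMUtoVkhVCjlwbmRBMngvWC9FQ1VsK1dxOXNo
+UExONjFxZTE4S0dIeDR0VWFndEg5eUkKLS0tIHQxNWFGVHRHUGdTWTN5aVFsWGpj
+TjYzVkkvUDlEOWZCM3Y3TUpHMWp1MXMKAxvbXIc0SgUdbzZvV53kqbLG8uDaSoOw
+G1GWOJcruJ+WywsxoVcd6UA01GgUOYg9bAaeEJuzABfBG9u2WmL6DQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aTE3VFpZdmZYNVh4Rkw3
+Y2pXRXdWSUw2eWhHcEo1OFNnMEpRNjZzbUc0ClVGZXB2aWxXRUdZVmFWR0JDSitk
+L0svd2RLb3A3QlV3ZG02TXQ3UkdlRXcKLS0tIDhVZTRHdDhJQ2ViSC9YU3ZIdURN
+U3l2bjhjdktwWnpDSXFtWkp2cEFQa1kKy74uyFJcUf9L2EHcQ5RrymRFn5AsOtpQ
+Ar1Tb+TCXsyXwMlXwqX5jTdKFxwpsgiT/GuE8mHjGOM9XoJPEHaoMA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVzRnN2xtOWw2dWlYZWR3
+b2g2WVlDcVk3eGRrQkV0ZER1a1ZLcDF2QWdjCnlMWDhMbkdFZVBkMXNwZFBKTW5z
+QWxNSzRkRDdlT1FsUWpRNktYME5mcXcKLS0tIEh5UHpVb1gyeng1eXFjNnZlcTc1
+cVBMNDR6VmxTRTUzYTlETCtqTUZ6Nm8KSSlzWikCyVZsd1yzC8sq8e9UQnZhhQgl
+jljUQOvLjDtjvmRMpTaAdGQuArVONWrk8UJheawo33BNL0lWyDSCcg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQlNrNG5kRG1YRXhmbFRl
+Q2tMZ1RBbTFmaUg4TmtxWkFTM3VqUHhkR1c4CkJEVzFqZXRDRndJd1FuQ0t2aXNt
+YkZMbkhER1FKcWNaUWhpbWxxaSt2ZHcKLS0tIEJnSk9yeFRhckN2cEpUc3VXMGps
+cXVqRWpJZk5zM1VPTVNzcFBSaG5pMU0KjIni2nzw98OgER95cOdzBrvuM80CdCzb
+46FU071PAWBpgAH5SvIsI85At6fl0B8rKrce1nBSUDhvlnq4RbQpJA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWGtnR2ltS2I0R0p0VlV1
+MUJyRTZsNUV0M0l6N2QrYnIyTHRrUmlmdERVCnBMU0MzNG5WQmpFcXpkM1BETFhn
+RTV5R2ZZNFh6bEhkaVArenFobUZSUWcKLS0tIDUyUnpkQ29nbXdIaVhmN1dZWHhl
+TERUMWJycHhWYXN0YzEwajBBVy9tYkEKSPZUnP65cRFgZdD7uHOyaMnMzPvuwHNf
+7Q2Y0vCevwmppPt6TsNWWMKJUjWkdgAeAmmkKcSuaDi2EthdnxlwCQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTS2FRbm1VUEFhN1NFc3RB
+QVRSRHBvbGdXcDVuanluaFZuUmlxSkJ2NHhRCi92ZGpWV0d2Z2ZMYnhyUTJlcDZB
+YlhsQzdCYWRmV3RZOXdiVlpWZzJtcEUKLS0tIDhqaHFwTUR1bi91SldFeXloUExY
+dFhJU3RmT204SitRazVRVEE1Y1plb2MKMv1gUa7xMixd6GyJWgous6gd6u/TPNpo
+9BKtmf4F9VQRdrghf+dZgExsbqD+14wdVMmncWXDBt2/G9++kxngUQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SlVhOTBZZHQxNWV0SnZj
+eGJJNFhnV2hyY0xqaWNEVmtJdWZjMkxUNEVvCnpaL0xvaEh4TG1sTWtRdWdPSk94
+SzIrZUFwNktObVNQalozbmd3Wnd6SEkKLS0tIE1WYWNTc2Z4bmlzOTRRakgzN0hK
+U0lzVDRnQVV2Q0h2OHVKRmVhcVE5U2MKDGo89QvLMEehTjUowAa4kTXsqauGvZeP
+eTw2bqpOkpVwdtMroHcz3Su8ZqDb+ejGE6n3GcwEUUuyPNSn/iE+hQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2022-11-26T12:03:57Z"
+mac: ENC[AES256_GCM,data:9istsKh21b1w5UNXJyjbR8FmjLyZL+QiBNtfFyVtLv6/rc90NSFfXzq8jVTUA/DHkMNhe6Zt+ieCucc2+MjZoKX77JFMcJgPYzdrhT7Fzk9U+7XMIUN+vKuh3RRV9f6zNiGSHAwjN3Gz0yvFWxlrvZ4W1hpjpKQ6LKXkW0c2l88=,iv:dZQeInjC96GJpSppAez0/Ovte+zns/FSP7KY/5+dcpE=,tag:wajCNA52jC+PCpUmF8ctOQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3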
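Review bot: `mastodon-db: ""` is committed as a bare empty string rather than an `ENC[AES256_GCM,...]` value like the Mailgun entry in the sibling file, so the database password that `mastodon.nix` feeds into `services.mastodon.database.passwordFile` is visibly empty in the repository regardless of how sops treats empty values. If PostgreSQL is only reached over the local Unix socket with peer authentication the password may never be checked, but the module is also handed `port = 5433` and the database host is not visible here, so an empty password can become a real, publicly known credential the moment the connection goes over TCP. Generate a random value (for example `openssl rand -base64 32`), write it into this file and re-encrypt with `sops -e -i mastodon-db.sops.yaml`; the MAC covering the file only proves integrity, it does not make the value secret.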

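--- /dev/null
+++ b/mastodon.nix
@@ -0,0 +1,135 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+domain = "peninsula.industries";
+streamingPort = 55000;
+webPort = 55001;
+postgresPort = 5433;
+path = "/var/lib/mastodon/";
+mailgunSmtpSecretName = "mailgun-smtp-password";
+mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
+mastodonDbSecretName = "mastodon-db";
+mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
+uid = 2049;
+gid = 3049;
+systemUserName = "mastodon";
+systemGroupName = "mastodon";
+in {
+imports = [ ../nginx.nix ];
+services.nginx = {
+virtualHosts = {
+"${domain}" = {
+forceSSL = true;
+enableACME = true;
+root = "${config.services.mastodon.package}/public/";
+locations."/system/".alias = "${path}/public-system/";
+locations."/" = { tryFiles = "$uri @proxy"; };
+locations."@proxy" = {
+proxyPass = "http://localhost:" + toString webPort;
+proxyWebsockets = true;
+};
+locations."/api/v1/streaming/" = {
+proxyPass = "http://localhost:" + toString streamingPort;
+proxyWebsockets = true;
+};
+};
+};
+};
+sops.secrets."${mailgunSmtpSecretName}" = {
+sopsFile = ./mailgun.sops.yaml;
+path = mailgunSmtpPasswordPath;
+owner = systemUserName;
+group = systemGroupName;
+};
+sops.secrets."${mastodonDbSecretName}" = {
+sopsFile = ./mastodon-db.sops.yaml;
+path = mastodonDbSecretPath;
+owner = systemUserName;
+group = systemGroupName;
+};
+users.users."${systemUserName}" = {
+uid = uid;
+isSystemUser = true;
+isNormalUser = false;
+group = systemGroupName;
+};
+users.groups."${systemGroupName}" = {
+gid = gid;
+members = [ "${systemUserName}" ];
+};
+containers.mastodon = {
+autoStart = true;
+forwardPorts = [
+{
+containerPort = streamingPort;
+hostPort = streamingPort;
+}
+{
+containerPort = webPort;
+hostPort = webPort;
+}
+];
+bindMounts = {
+"${path}" = {
+hostPath = "${path}";
+isReadOnly = false;
+};
+"${mailgunSmtpPasswordPath}" = {
+hostPath = "${mailgunSmtpPasswordPath}";
+isReadOnly = true;
+};
+"${mastodonDbSecretPath}" = {
+hostPath = "${mastodonDbSecretPath}";
+isReadOnly = true;
+};
+};
+config = { config, pkgs, lib, ... }: {
+system.stateVersion = "22.05";
+services.postgresql.port = postgresPort;
+users.mutableUsers = false;
+users.allowNoPasswordLogin = true;
+users.users."${systemUserName}" = {
+uid = uid;
+isSystemUser = true;
+isNormalUser = false;
+group = systemGroupName;
+};
+users.groups."${systemGroupName}" = {
+gid = gid;
+members = [ "${systemUserName}" ];
+};
+services.mastodon = {
+enable = true;
+localDomain = "${domain}";
+user = systemUserName;
+group = systemGroupName;
+smtp = {
+host = "smtp.eu.mailgun.org";
+port = 465;
+authenticate = true;
+user = "postmaster@${domain}";
+fromAddress = "Peninsula Industries Mastodon <mastodon@${domain}>";
+createLocally = false;
+passwordFile = "${mailgunSmtpPasswordPath}";
+};
+extraConfig = {
+SMTP_TLS = "true";
+SMTP_ENABLE_STARTTLS_AUTO = "true";
+};
+inherit streamingPort;
+inherit webPort;
+configureNginx = false;
+enableUnixSocket = false;
+database = {
+port = postgresPort;
+passwordFile = mastodonDbSecretPath;
+};
+};
+};
+};
+}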
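Review bot: `containers.mastodon.forwardPorts` is set but `privateNetwork` is not, so — if I read the NixOS container module correctly — the container shares the host's network namespace, the two port forwards are inert, and the Mastodon web (55001) and streaming (55000) listeners are bound directly on the host; whether they are then reachable from outside depends on the Mastodon module's bind address and the host firewall, neither of which is visible in this file. Either set `privateNetwork = true;` with `hostAddress`/`localAddress` and point both `proxyPass` entries at the container's `localAddress` instead of `localhost`, or confirm that `networking.firewall` keeps 55000/55001 closed, since the `forceSSL` nginx vhost is meant to be the only public entry point. A smaller nit: `path` already ends in `/`, so `"${path}/public-system/"` expands to `/var/lib/mastodon//public-system/`; drop one of the slashes. Pinning the same `uid`/`gid` on the host and inside the container is a good choice here, as it is what keeps the read-only bind-mounted secret files readable by the container's `mastodon` user.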