diff --git a/nixos/boxes/vpsfree1/mastodon.nix b/nixos/boxes/vpsfree1/mastodon.nix
index 0df9e876..598379d9 100644
--- a/nixos/boxes/vpsfree1/mastodon.nix
+++ b/nixos/boxes/vpsfree1/mastodon.nix
@@ -10,7 +10,32 @@
 domain = "peninsula.industries";
 streamingPort = 55000;
 webPort = 55001;
+ postgresPort = 5432;
 path = "/var/lib/mastodon/";
+ mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
+ mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
+ mastodonDbSecretName = "mastodon-db";
+ mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
+ uid = 2049;
+ gid = 3049;
+ systemUserName = "mastodon";
+ systemGroupName = "mastodon";
+ users = {
+ users."${systemUserName}" = {
+ inherit uid;
+ isSystemUser = true;
+ isNormalUser = false;
+ group = systemGroupName;
+ };
+ groups."${systemGroupName}" = {
+ inherit gid;
+ members = ["${systemUserName}" "nginx"];
+ };
+ };
+ secretSettings = {
+ owner = systemUserName;
+ group = systemGroupName;
+ };
 publicPath = "${path}/public-system/";
 in {
 imports = [../nginx.nix];
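Review bot: The pinned `uid = 2049;` and `gid = 3049;` carry no explanation of why this account is given fixed ids instead of letting NixOS allocate them, and the enclosing `let` binding list starts before the hunk. The same `users` attrset appears to be reapplied inside the container further down the diff (`inherit users;` on the host and `users // { ... }` in the container config), which would make the fixed ids what keeps ownership of the bind-mounted state directory consistent on both sides; if that is the intent, a comment above `uid = 2049;` such as `# uid/gid are pinned because this attrset is applied on the host and inside the container; the bind-mounted ${path} must resolve to the same identity on both sides` would spare the next reader the archaeology. `isNormalUser = false;` is the option's default and is redundant next to `isSystemUser = true;`. The `nginx` entry in `members` presumably exists so the host nginx can read the group-readable public directory that the later chmod script prepares; naming that in the same comment would help, and it is worth confirming that no nginx user exists inside the container where this group definition is also applied.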
@@ -37,4 +62,124 @@ in {
 };
 };
 };
+
+ sops.secrets."${mailgunSmtpSecretName}" =
+ {
+ sopsFile = ./mailgun.sops.yaml;
+ path = mailgunSmtpPasswordPath;
+ }
+ // secretSettings;
+ sops.secrets."${mastodonDbSecretName}" =
+ {
+ sopsFile = ./mastodon-db.sops.yaml;
+ path = mastodonDbSecretPath;
+ }
+ // secretSettings;
+
+ inherit users;
+
+ systemd.services.mastodon-make-path = {
+ script = ''
+ mkdir -p ${path}
+ chown -R ${systemUserName}:${systemGroupName} ${path}
+ mkdir -p ${publicPath}
+ chmod -R o-rwx ${publicPath}
+ chmod -R g-rwx ${publicPath}
+ chmod -R g+X ${publicPath}
+ chmod -R g+r ${publicPath}
+ chmod -R u+rwX ${publicPath}
+ '';
+ serviceConfig = {Type = "oneshot";};
+ before = ["container@mastodon.service"];
+ };
+
+ containers.mastodon = {
+ autoStart = true;
+ forwardPorts = [
+ {
+ containerPort = streamingPort;
+ hostPort = streamingPort;
+ }
+ {
+ containerPort = webPort;
+ hostPort = webPort;
+ }
+ ];
+ bindMounts = {
+ "${path}" = {
+ hostPath = "${path}";
+ isReadOnly = false;
+ };
+ "${mailgunSmtpPasswordPath}" = {
+ hostPath = "${mailgunSmtpPasswordPath}";
+ isReadOnly = true;
+ };
+ "${mastodonDbSecretPath}" = {
+ hostPath = "${mastodonDbSecretPath}";
+ isReadOnly = true;
+ };
+ };
+ config = {
+ config,
+ pkgs,
+ lib,
+ ...
+ }: {
+ system.stateVersion = "23.05";
+ services.postgresql.port = postgresPort;
+ users =
+ users
+ // {
+ mutableUsers = false;
+ allowNoPasswordLogin = true;
+ };
+ systemd.services.mastodon-media-auto-remove = {
+ description = "Mastodon media auto remove";
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "/var/lib/mastodon/.secrets_env";
+ };
+ script = ''
+ /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --prune-profiles --include-follows -c1
+ /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --remove-headers --include-follows -c1
+ /run/current-system/sw/bin/mastodon-tootctl preview_cards remove --days=8
+ '';
+ startAt = "daily";
+ };
+ services.mastodon = {
+ enable = true;
+ inherit package;
+ localDomain = "${domain}";
+ user = systemUserName;
+ group = systemGroupName;
+ mediaAutoRemove.enable = false;
+ smtp = {
+ host = "smtp.eu.mailgun.org";
+ port = 465;
+ authenticate = true;
+ user = "postmaster@${domain}";
+ fromAddress = "Peninsula Industries Mastodon ";
+ createLocally = false;
+ passwordFile = "${mailgunSmtpPasswordPath}";
+ };
+ sidekiqThreads = 8;
+ extraConfig = {
+ SMTP_TLS = "true";
+ SMTP_ENABLE_STARTTLS_AUTO = "true";
+ SINGLE_USER_MODE = "true";
+ RAILS_SERVE_STATIC_FILES = "true";
+ AUTHORIZED_FETCH = "true";
+ DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
+ };
+ inherit streamingPort;
+ inherit webPort;
+ configureNginx = false;
+ enableUnixSocket = false;
+ database = {
+ port = postgresPort;
+ passwordFile = mastodonDbSecretPath;
+ };
+ };
+ };
+ };
 }
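Review bot: `systemd.services.mastodon-media-auto-remove` inside the container sets no `User`/`Group` in its `serviceConfig`, so the three `mastodon-tootctl` invocations run as root with `.secrets_env` loaded into root's environment and any files they create under the state directory may end up root-owned; the module's own `mediaAutoRemove` (disabled here via `mediaAutoRemove.enable = false;`) runs as the service user as far as I know, so add `User = systemUserName;` and `Group = systemGroupName;` next to `Type = "oneshot";`. The `EnvironmentFile` is also hard-coded to `/var/lib/mastodon/.secrets_env` while every other path in the file is derived from `path`. Separately, the host unit `systemd.services.mastodon-make-path` is only ordered with `before = ["container@mastodon.service"]` and has no `wantedBy`/`requiredBy`, so nothing appears to pull it in and the chown/chmod tightening of `${publicPath}` may never run; `requiredBy = ["container@mastodon.service"];` would make the ordering effective. As far as I can tell `forwardPorts` only takes effect together with `privateNetwork = true`, which `containers.mastodon` does not set, so it is worth confirming whether the container is meant to share the host network namespace. The enclosing top-level attrset (`in { ... }`) starts before this hunk.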