From e54bb9b7a9f63c242bff2fab75c7eddcb9535c32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?= Date: Sun, 4 Feb 2024 22:33:26 +0000 Subject: [PATCH] move masto to cupsnet --- nixos/boxes/bolty/mastodon-db.sops.yaml | 93 --------- nixos/boxes/bolty/mastodon.nix | 168 ----------------- nixos/boxes/{vpsfree1 => cupsnet}/MASTODON.md | 0 nixos/boxes/cupsnet/default.nix | 1 + nixos/boxes/cupsnet/mastodon-db.sops.yaml | 111 +++++++++++ nixos/boxes/cupsnet/mastodon.nix | 118 ++++++++++++ nixos/boxes/vpsfree1/default.nix | 1 - nixos/boxes/vpsfree1/mastodon-db.sops.yaml | 93 --------- nixos/boxes/vpsfree1/mastodon.nix | 178 ------------------ 9 files changed, 230 insertions(+), 533 deletions(-) delete mode 100644 nixos/boxes/bolty/mastodon-db.sops.yaml delete mode 100644 nixos/boxes/bolty/mastodon.nix rename nixos/boxes/{vpsfree1 => cupsnet}/MASTODON.md (100%) create mode 100644 nixos/boxes/cupsnet/mastodon-db.sops.yaml create mode 100644 nixos/boxes/cupsnet/mastodon.nix delete mode 100644 nixos/boxes/vpsfree1/mastodon-db.sops.yaml delete mode 100644 nixos/boxes/vpsfree1/mastodon.nix diff --git a/nixos/boxes/bolty/mastodon-db.sops.yaml b/nixos/boxes/bolty/mastodon-db.sops.yaml deleted file mode 100644 index 2b9952bc..00000000 --- a/nixos/boxes/bolty/mastodon-db.sops.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -mastodon-db: "" -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM2JVelR6K0Zjbm5ubjJD - MVV5NkdhaGl1eE5oUUp1bm1VQmEvTThPRkE0CkRtQ2k4WHhkTlhNQ25tN1V5VkR3 - b3c0NzJuSFRLNnVRZUNkTml6dnRKMlUKLS0tIEt2UkFEVkFGbHFURkRONUlmMW0w - ZXNpZVh2eUpuRDZ3ZFhTcTAxU2FKWTAKuWxeWi10LGOBcDuruA1Nu2cbZ4ERN6B2 - ujbcoKVN9nA+wy5+HgBxfOFQ78KvkuRmIKfbLvyRX/9Pg8v5o1Ybhg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSi9CNnFCQTdGTjlqWlY5 - eS82NDV1WFpDOGNJZVJhblhVV0xPRGcwTmtzClFXQjVXNDZHVUFWVFNHQ1FOaGNM - SUxLTDZ0MXdrZVNsUUhkQUNWdStxUjgKLS0tIDlsNU9JUFFTOVdHcUxmMzVvNHUr - dnQ1T0FwMGtpdTBYODVBdHN5NjhtNHMKYb4+t8oyZ1lfFDIbjzGfiN7EihD7oef1 - cna9lEwgfm19G1yiPjgszlPQwdjvSk6vlPNYcOT1KYisGnTtRHUCvw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcEpFUGE3bnBXYzlsZGl5 - RFR6bU56VVZRT3ZIaXc5cDYyd28vMUtoVkhVCjlwbmRBMngvWC9FQ1VsK1dxOXNo - UExONjFxZTE4S0dIeDR0VWFndEg5eUkKLS0tIHQxNWFGVHRHUGdTWTN5aVFsWGpj - TjYzVkkvUDlEOWZCM3Y3TUpHMWp1MXMKAxvbXIc0SgUdbzZvV53kqbLG8uDaSoOw - G1GWOJcruJ+WywsxoVcd6UA01GgUOYg9bAaeEJuzABfBG9u2WmL6DQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aTE3VFpZdmZYNVh4Rkw3 - Y2pXRXdWSUw2eWhHcEo1OFNnMEpRNjZzbUc0ClVGZXB2aWxXRUdZVmFWR0JDSitk - L0svd2RLb3A3QlV3ZG02TXQ3UkdlRXcKLS0tIDhVZTRHdDhJQ2ViSC9YU3ZIdURN - U3l2bjhjdktwWnpDSXFtWkp2cEFQa1kKy74uyFJcUf9L2EHcQ5RrymRFn5AsOtpQ - 
Ar1Tb+TCXsyXwMlXwqX5jTdKFxwpsgiT/GuE8mHjGOM9XoJPEHaoMA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVzRnN2xtOWw2dWlYZWR3 - b2g2WVlDcVk3eGRrQkV0ZER1a1ZLcDF2QWdjCnlMWDhMbkdFZVBkMXNwZFBKTW5z - QWxNSzRkRDdlT1FsUWpRNktYME5mcXcKLS0tIEh5UHpVb1gyeng1eXFjNnZlcTc1 - cVBMNDR6VmxTRTUzYTlETCtqTUZ6Nm8KSSlzWikCyVZsd1yzC8sq8e9UQnZhhQgl - jljUQOvLjDtjvmRMpTaAdGQuArVONWrk8UJheawo33BNL0lWyDSCcg== - -----END AGE ENCRYPTED FILE----- - - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQlNrNG5kRG1YRXhmbFRl - Q2tMZ1RBbTFmaUg4TmtxWkFTM3VqUHhkR1c4CkJEVzFqZXRDRndJd1FuQ0t2aXNt - YkZMbkhER1FKcWNaUWhpbWxxaSt2ZHcKLS0tIEJnSk9yeFRhckN2cEpUc3VXMGps - cXVqRWpJZk5zM1VPTVNzcFBSaG5pMU0KjIni2nzw98OgER95cOdzBrvuM80CdCzb - 46FU071PAWBpgAH5SvIsI85At6fl0B8rKrce1nBSUDhvlnq4RbQpJA== - -----END AGE ENCRYPTED FILE----- - - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWGtnR2ltS2I0R0p0VlV1 - MUJyRTZsNUV0M0l6N2QrYnIyTHRrUmlmdERVCnBMU0MzNG5WQmpFcXpkM1BETFhn - RTV5R2ZZNFh6bEhkaVArenFobUZSUWcKLS0tIDUyUnpkQ29nbXdIaVhmN1dZWHhl - TERUMWJycHhWYXN0YzEwajBBVy9tYkEKSPZUnP65cRFgZdD7uHOyaMnMzPvuwHNf - 7Q2Y0vCevwmppPt6TsNWWMKJUjWkdgAeAmmkKcSuaDi2EthdnxlwCQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTS2FRbm1VUEFhN1NFc3RB - QVRSRHBvbGdXcDVuanluaFZuUmlxSkJ2NHhRCi92ZGpWV0d2Z2ZMYnhyUTJlcDZB - YlhsQzdCYWRmV3RZOXdiVlpWZzJtcEUKLS0tIDhqaHFwTUR1bi91SldFeXloUExY - dFhJU3RmT204SitRazVRVEE1Y1plb2MKMv1gUa7xMixd6GyJWgous6gd6u/TPNpo - 
9BKtmf4F9VQRdrghf+dZgExsbqD+14wdVMmncWXDBt2/G9++kxngUQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SlVhOTBZZHQxNWV0SnZj - eGJJNFhnV2hyY0xqaWNEVmtJdWZjMkxUNEVvCnpaL0xvaEh4TG1sTWtRdWdPSk94 - SzIrZUFwNktObVNQalozbmd3Wnd6SEkKLS0tIE1WYWNTc2Z4bmlzOTRRakgzN0hK - U0lzVDRnQVV2Q0h2OHVKRmVhcVE5U2MKDGo89QvLMEehTjUowAa4kTXsqauGvZeP - eTw2bqpOkpVwdtMroHcz3Su8ZqDb+ejGE6n3GcwEUUuyPNSn/iE+hQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-26T12:03:57Z" - mac: ENC[AES256_GCM,data:9istsKh21b1w5UNXJyjbR8FmjLyZL+QiBNtfFyVtLv6/rc90NSFfXzq8jVTUA/DHkMNhe6Zt+ieCucc2+MjZoKX77JFMcJgPYzdrhT7Fzk9U+7XMIUN+vKuh3RRV9f6zNiGSHAwjN3Gz0yvFWxlrvZ4W1hpjpKQ6LKXkW0c2l88=,iv:dZQeInjC96GJpSppAez0/Ovte+zns/FSP7KY/5+dcpE=,tag:wajCNA52jC+PCpUmF8ctOQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/nixos/boxes/bolty/mastodon.nix b/nixos/boxes/bolty/mastodon.nix deleted file mode 100644 index f974e1a8..00000000 --- a/nixos/boxes/bolty/mastodon.nix +++ /dev/null 
@@ -1,168 +0,0 @@ -{ - config, - pkgs, - inputs, - lib, - ... -}: let - newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system}; - package = newestPackages.mastodon; - domain = "peninsula.industries"; - internalWebPort = 55002; - postgresPort = 5432; - path = "/data/mastodon"; - mailgunSmtpSecretName = "mastodon-mailgun-smtp-password"; - mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}"; - mastodonDbSecretName = "mastodon-db"; - mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}"; - uid = 2049; - gid = 3049; - systemUserName = "mastodon"; - systemGroupName = "mastodon"; - users = { - users."${systemUserName}" = { - inherit uid; - isSystemUser = true; - isNormalUser = false; - group = systemGroupName; - }; - groups."${systemGroupName}" = { - inherit gid; - members = ["${systemUserName}" "nginx"]; - }; - }; - secretSettings = { - owner = systemUserName; - group = systemGroupName; - }; - publicPath = "${path}/public-system/"; -in { - imports = [../nginx.nix]; - system.stateVersion = "23.11"; - - networking.firewall.allowedTCPPorts = [internalWebPort]; - services.nginx = { - virtualHosts = { - "masto-system.internal.cyplo.dev" = { - root = "${publicPath}"; - }; - }; - }; - - sops.secrets."${mailgunSmtpSecretName}" = - { - sopsFile = ./mailgun.sops.yaml; - path = mailgunSmtpPasswordPath; - } - // secretSettings; - sops.secrets."${mastodonDbSecretName}" = - { - sopsFile = ./mastodon-db.sops.yaml; - path = mastodonDbSecretPath; - } - // secretSettings; - - inherit users; - - systemd.services.mastodon-make-path = { - script = '' - mkdir -p ${path} - chown -R ${systemUserName}:${systemGroupName} ${path} - mkdir -p ${publicPath} - chmod -R o-rwx ${publicPath} - chmod -R g-rwx ${publicPath} - chmod -R g+X ${publicPath} - chmod -R g+r ${publicPath} - chmod -R u+rwX ${publicPath} - ''; - serviceConfig = {Type = "oneshot";}; - before = ["container@mastodon.service"]; - }; - - containers.mastodon = { - autoStart = true; - hostAddress = 
"100.69.177.80"; - forwardPorts = [ - { - containerPort = internalWebPort; - hostPort = internalWebPort; - } - ]; - bindMounts = { - "/var/lib/mastodon" = { - hostPath = "${path}"; - isReadOnly = false; - }; - "${mailgunSmtpPasswordPath}" = { - hostPath = "${mailgunSmtpPasswordPath}"; - isReadOnly = true; - }; - "${mastodonDbSecretPath}" = { - hostPath = "${mastodonDbSecretPath}"; - isReadOnly = true; - }; - }; - config = { - config, - pkgs, - lib, - ... - }: { - system.stateVersion = "23.11"; - services.postgresql.port = postgresPort; - users = - users - // { - mutableUsers = false; - allowNoPasswordLogin = true; - }; - systemd.services.mastodon-media-auto-remove = { - description = "Mastodon media auto remove"; - serviceConfig = { - Type = "oneshot"; - EnvironmentFile = "/var/lib/mastodon/.secrets_env"; - }; - script = '' - /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --prune-profiles --include-follows -c1 - /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --remove-headers --include-follows -c1 - /run/current-system/sw/bin/mastodon-tootctl preview_cards remove --days=8 - ''; - startAt = "daily"; - }; - services.mastodon = { - enable = true; - inherit package; - localDomain = "${domain}"; - user = systemUserName; - group = systemGroupName; - mediaAutoRemove.enable = false; - streamingProcesses = 2; - smtp = { - host = "smtp.eu.mailgun.org"; - port = 465; - authenticate = true; - user = "postmaster@${domain}"; - fromAddress = "Peninsula Industries Mastodon "; - createLocally = false; - passwordFile = "${mailgunSmtpPasswordPath}"; - }; - sidekiqThreads = 8; - extraConfig = { - SMTP_TLS = "true"; - SMTP_ENABLE_STARTTLS_AUTO = "true"; - SINGLE_USER_MODE = "true"; - RAILS_SERVE_STATIC_FILES = "true"; - AUTHORIZED_FETCH = "true"; - DISALLOW_UNAUTHENTICATED_API_ACCESS = "true"; - }; - webPort = internalWebPort; - configureNginx = false; - enableUnixSocket = false; - database = { - port = postgresPort; - passwordFile = 
mastodonDbSecretPath;
- };
- };
- };
- };
-}
diff --git a/nixos/boxes/vpsfree1/MASTODON.md b/nixos/boxes/cupsnet/MASTODON.md
similarity index 100%
rename from nixos/boxes/vpsfree1/MASTODON.md
rename to nixos/boxes/cupsnet/MASTODON.md
diff --git a/nixos/boxes/cupsnet/default.nix b/nixos/boxes/cupsnet/default.nix
index 1b5222c0..4cf4cf27 100644
--- a/nixos/boxes/cupsnet/default.nix
+++ b/nixos/boxes/cupsnet/default.nix
@@ -14,6 +14,7 @@ ./disks.nix ./foundryvtt.nix ./gitea.nix + ./mastodon.nix ./ssh.nix ./videos.nix ];
diff --git a/nixos/boxes/cupsnet/mastodon-db.sops.yaml b/nixos/boxes/cupsnet/mastodon-db.sops.yaml
new file mode 100644
index 00000000..bb0a640e
--- /dev/null
+++ b/nixos/boxes/cupsnet/mastodon-db.sops.yaml
@@ -0,0 +1,111 @@ +mastodon-db: "" +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdHoyVEhVTW1uMWJESDQ0 + SjBITnNRWC83b2h4bFBPVnRkdXh1bEorL1hnCjVNbXJaaGEvVmt1Q2g2WVc4L1Mx + N1lCbHJoaTJNOUQ1dk8yb1U4allZRWMKLS0tIFcvVkFRejBXOTE3NkJvcVBpSjRt + TFBkTVl1WkVQYXhDSDVFNFMwMVZKekEKdXQZzqhX8zguTww+Bsm4t7yewcOP/trf + NZgJtxSqsuKRojUlcF3qWKNmsZLlYRbadXLYYQkXMOXgqbprfVVPEw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWkNDcENsUmhzbGFiVUJJ + U1VjdjJZcU5jNGRFY1FzYS9CbzdSRjN5TEh3Cmpudm5QQlF3TkN5akRlMkpxMjdG + a0VNTjRFYlNIVzVjdTZXV1QxMmVyZmsKLS0tIDJnam9UREVONkkyMzBKWFArZGVH + TStxUW5BMHdlYmlRUG0wdEY4UVkydU0KFR5JTvNHYSV5qQ96YlXQafpqMyISYIC8 + l5KTLOA/0v9pam4yqU/GPgk1Cjy9ILiejwqG6lZK5Kiga4mTvgKbog== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2cjFaWnVKTGQyMytOTW9V + NG4rWEhIV0FINSt0OEhGQ1NsVkFPdHJvQVJZCmhxUUNqVy9CL3BGT0FKTGd5Um5s + blZraUxMTXFQb0kzODhlTU5PQ2tBK2MKLS0tIERJc1NqbTVaZ2Qwa24rYUlXM2JT + T1hhbHBMdE5idm1aMGFadzBHU1BxSlEKriJHrdFueTHuA9KFy6bf6QFUq64tfFqk + 1FYY1DEC6gbXo/u2enH0L3HI9rhkkCDBmjdym66eJxcK7TmR9c8W5g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRVBEVXJpRGYrR1pNWDJR + cUNyd3Y3T0N3aTltQ3MzbHpvR2djOExRQ1dBClAvMVozNkMzOUFhS0pDSURFVkNm + S0tCZ09Lcys4WVJaSDNERHhMQWU5a2sKLS0tIGxzS2p3ZUhqMk9Ddy9JU1hMS2Fr + Q3ZmZ3dNWjJnVE14bWFnaExRaXZYbjAKIB8pOI/1szONZVS7vD3K2ZyPISw7gOey + 
ukcbddEPPFWUD24eMksBRReISarzq3Myqw7nRVqxvRP+JTgIa49pWA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNnNHZlpsVGllOVU0ZlJ5 + cDVDdmpPUXdod3QxbnpxcENtZTNkYll1WkhrClRNU2dQeG4ya1lDZTRyUCtVNGsy + SzBIZDNnK2lMOHhPUk1BTHUyZFJQeHMKLS0tIFJhbTgzdktYV0hVeGwzTzhYTG95 + QzRqNWpseG9iNVpzYzcraEZPYktRaEUKhRti44yCso/a/3TdLsp+gkrm/8f09AGa + 2ZDdNChn8VzQyEjElT4LkyXJkrXsEB/Sj3E9u2LOOYnDHtjBkD+sCA== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjN2Nlb3FXVGpkbGFyM0E1 + MFlBZnhubytxbWdtWkxiblRxMWVJcUNBWlZJClRPRGdzdVZnVC9vOTRKeEpNYkFP + bXEyTWhKL3pzUFBwaUNKSnJZbnlvN2cKLS0tIHBiemZjVHNUOExiYkVSdVlUZFdG + QjNiK0dzN3FxOWhyVk40NXZFcHFKRzQKsOW45uPXZbZWhXt88M55Ov2D+2Rd95OC + hIUuk5+6SfAy7FIgnAOfA/2369OcyBOodPdVgQwKfD5sowwVsFHSHg== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTHBob0dPbTlTeU1kSnZi + OUJvWTNCRmhKZWhObXU3QlhrRE0vZUdYeWxnClpMb2VtZ0t0dFE2dmFzbytxeVBQ + dTVkSW1EMkc4dzhNcFluaDl6cjk1VE0KLS0tIEx1SXMva2twTHBJVGhJL0ZYVUp5 + clRNWVRiTktHVDFGWmNmTkdXOStSdTQKkdgVVedpeBag+NexPOrpz3e5RqBbTXJR + 2aawOQ22hwi+sY/ec8asPDZBXx9nvGxRIZZpBjaN7S90SfZu1S6g0g== + -----END AGE ENCRYPTED FILE----- + - recipient: age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaSUVMa0VLY2R3K0x0aW1t + bWxBU3VGQUZaUVJsUm15RlFkUHpLUUZka1MwCmVPYTFJckJBNmgvK3dWcHZ4c0JT + MDhoa3ZXT1Irc01zZDZOTnNYWHlEY28KLS0tIEZReUVKWDlPdlRvR01tRnkxeDRr + WTNKUnZjd1E5YWIwK2IrZWFSd2Q1RzQK/Q+UtKH7ZDi+c2RGRZd9VFwRRyKO4mLp + 
1jPjlZsRcHYEmFVohQtqMLadHc2AOhcJDn9pk5qXwnEkKfDX6yaZjA== + -----END AGE ENCRYPTED FILE----- + - recipient: age108m6yx77k7aqcyesy4zmkulryzvyep6m92pflmldcnv3w5a0k9xqn5h7cx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVG44NksxeDh2TEwvT2NL + SDJaVzJqNUVzbEMxaDd5VDNUZG8rdUNjZDFZCk5zQ0NtM3ZCbEZEUm43WTIwVmVL + YUxjTUdOVEVLU25KbmtySm1ZMWEwSncKLS0tIG80K1ZsYVQyQnY1b1dlOEZjU2Iw + aHo4eklKRDA1SHV5WHJlSWZBK2VEYjQKkIyoSU1zfx440OhDXMhwtNhAah9d4IrR + Dof/0gD6KXfM9Tn77SvfGAW++V/JdwvfHlU2jnk3zaEGechI6SZiEg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubFBvYjNPVHUva0ZpU2NW + b2oxWE1NQUc4REE1U3dZemxPUVVVaWdCNkZJCncwc01YUlB3Z2h3Um5QT1dVNlJE + VXcwTFlmWUNxZEg3VFJlT2pLNjNLV3MKLS0tIGZUand3THlWTk0xeGpoN0R6N2x6 + M2haWW9uWkJzeGpwejIzOFR2R1R4YUkKUSoykoO4tdXHhZ1BaUVDfTY27nduRo4o + 7nvHlbqqd15FE2HbHqdSmBFsDIIuoNt1QKjXe87ICzYNHkmjYzXxEA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeklXZzRoZzBaUS94cG8y + KzdYcis5eHVVQ2dLVlJlYUt3RzlyY2JPR1dNCmN2bFlPY3NDWlNKS1Y0SldINWhv + b0U0SXpJdzZJVGFSTjFqR3VBMERFV2cKLS0tIGdvMU9JMHVWc1V2RTlYRVcvbE5I + bmYwVWlacVNUUmZKM3I2Vi90RDVEUU0KkJDXWC60A+F4ByVrENQ8hKeD3puSiApe + D/B4WDiIxTR2s1BH/ViaPMsQWI2gCSd6kAEjjHhG11mS5uJFzWoR7A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-04T22:28:51Z" + mac: ENC[AES256_GCM,data:7lS6+2M0zQrL74F3zTj6PKIZD+IOxjYFZCutc+4fPkvp+jriFkBw7DyF5BllXsDxf7zazhbbVWJsi5LpYVGl/5C6NelVwnDG25tmTmObHt02fzM2BElfuEN2G/3Vk+FXC0bsST0jZkuWh3m4r/8VTj0Uj+gnGiRUHJHpOq+A/YY=,iv:M7nEQWzG8b0z0OcZCvd4OGpGpRKRZs0JnZw7hFgjL+c=,tag:AZ4gMEOoU3kbQ98Kq1SGWg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
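Review bot: `mastodon-db: ""` on the first line of the new file is a literal empty value rather than an `ENC[...]` blob, and as I read sops it writes empty strings in the clear, so this secret as committed carries no database password — confirm that is intended (for example because the module's local database uses socket auth) or re-encrypt it with a real value. The recipient list keeps all nine age keys from the deleted bolty/vpsfree1 copies, including the duplicated `age10f7dj…` entry, and adds two more; if any retained key belongs to a host that no longer runs Mastodon, that host can still decrypt this file, so it should be removed from the creation rule and the password rotated and re-encrypted. Dropping the duplicate entry at the same time keeps the file honest about who can read it.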
diff --git a/nixos/boxes/cupsnet/mastodon.nix b/nixos/boxes/cupsnet/mastodon.nix
new file mode 100644
index 00000000..5da55d85
--- /dev/null
+++ b/nixos/boxes/cupsnet/mastodon.nix
@@ -0,0 +1,118 @@
+{
+ config,
+ pkgs,
+ inputs,
+ lib,
+ ...
+}: let
+ newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system};
+ package = newestPackages.mastodon;
+ domain = "peninsula.industries";
+ path = "/var/lib/mastodon/";
+ mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
+ mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
+ mastodonDbSecretName = "mastodon-db";
+ mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";
+ uid = 2049;
+ gid = 3049;
+ systemUserName = "mastodon";
+ systemGroupName = "mastodon";
+ users = {
+ users."${systemUserName}" = {
+ inherit uid;
+ isSystemUser = true;
+ isNormalUser = false;
+ group = systemGroupName;
+ };
+ groups."${systemGroupName}" = {
+ inherit gid;
+ members = ["${systemUserName}" "nginx"];
+ };
+ };
+ tootctlPath = "/run/current-system/sw/bin/mastodon-tootctl";
+ secretSettings = {
+ owner = systemUserName;
+ group = systemGroupName;
+ };
+ publicPath = "${path}/public-system/";
+in {
+ imports = [../nginx.nix];
+
+ sops.secrets."${mailgunSmtpSecretName}" =
+ {
+ sopsFile = ./mailgun.sops.yaml;
+ path = mailgunSmtpPasswordPath;
+ }
+ // secretSettings;
+ sops.secrets."${mastodonDbSecretName}" =
+ {
+ sopsFile = ./mastodon-db.sops.yaml;
+ path = mastodonDbSecretPath;
+ }
+ // secretSettings;
+
+ inherit users;
+
+ systemd.services.mastodon-make-path = {
+ script = ''
+ mkdir -p ${path}
+ chown -R ${systemUserName}:${systemGroupName} ${path}
+ mkdir -p ${publicPath}
+ chmod -R o-rwx ${publicPath}
+ chmod -R g-rwx ${publicPath}
+ chmod -R g+X ${publicPath}
+ chmod -R g+r ${publicPath}
+ chmod -R u+rwX ${publicPath}
+ '';
+ serviceConfig = {Type = "oneshot";};
+ before = ["container@mastodon.service"];
+ };
+
+ systemd.services.mastodon-media-auto-remove = {
+ description = "Mastodon media auto remove";
+ serviceConfig = {
+ User = systemUserName;
+ Group = systemGroupName;
+ Type = "oneshot";
+ EnvironmentFile = "/var/lib/mastodon/.secrets_env";
+ };
+ script = ''
+ 
${tootctlPath} media remove --days=8 --prune-profiles --include-follows -c1
+ ${tootctlPath} media remove --days=8 --remove-headers --include-follows -c1
+ ${tootctlPath} preview_cards remove --days=8
+ '';
+ startAt = "daily";
+ };
+ services.mastodon = {
+ enable = true;
+ inherit package;
+ localDomain = "${domain}";
+ user = systemUserName;
+ group = systemGroupName;
+ mediaAutoRemove.enable = false;
+ streamingProcesses = 2;
+ smtp = {
+ host = "smtp.eu.mailgun.org";
+ port = 465;
+ authenticate = true;
+ user = "postmaster@${domain}";
+ fromAddress = "Peninsula Industries Mastodon ";
+ createLocally = false;
+ passwordFile = "${mailgunSmtpPasswordPath}";
+ };
+ sidekiqThreads = 8;
+ extraConfig = {
+ SMTP_TLS = "true";
+ SMTP_ENABLE_STARTTLS_AUTO = "true";
+ SINGLE_USER_MODE = "true";
+ RAILS_SERVE_STATIC_FILES = "true";
+ AUTHORIZED_FETCH = "true";
+ DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
+ };
+ configureNginx = true;
+ enableUnixSocket = true;
+ database = {
+ passwordFile = mastodonDbSecretPath;
+ };
+ };
+}
diff --git a/nixos/boxes/vpsfree1/default.nix b/nixos/boxes/vpsfree1/default.nix
index da609498..31893177 100644
--- a/nixos/boxes/vpsfree1/default.nix
+++ b/nixos/boxes/vpsfree1/default.nix
@@ -7,7 +7,6 @@ ../nginx.nix ../send-logs.nix ./backups.nix - ./mastodon.nix ./rss.nix ./ssh.nix ./syncthing-relay.nix
diff --git a/nixos/boxes/vpsfree1/mastodon-db.sops.yaml b/nixos/boxes/vpsfree1/mastodon-db.sops.yaml
deleted file mode 100644
index 2b9952bc..00000000
--- a/nixos/boxes/vpsfree1/mastodon-db.sops.yaml
+++ /dev/null
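Review bot: `systemd.services.mastodon-make-path` still carries `before = ["container@mastodon.service"]`, but this file no longer declares `containers.mastodon`, and the unit has no `wantedBy`/`requiredBy`, so nothing activates it and the chown/chmod that gives the `nginx` group member read access to `${publicPath}` never runs on cupsnet. I'd change it to `wantedBy = ["multi-user.target"]; before = ["mastodon-init-dirs.service"];` (verify against the module which unit prepares the state directory). The vpsfree1 file this replaces ran Mastodon inside a NixOS container with the two secrets bind-mounted read-only, whereas here `services.mastodon` runs directly on the host, so that isolation boundary is dropped; if deliberate, a line in the commit message saying so would help the next reader. Minor: `path` already ends in `/`, so `publicPath = "${path}/public-system/"` yields a `//` in every path it feeds; `"${path}public-system/"` avoids it.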
@@ -1,93 +0,0 @@ -mastodon-db: "" -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEM2JVelR6K0Zjbm5ubjJD - MVV5NkdhaGl1eE5oUUp1bm1VQmEvTThPRkE0CkRtQ2k4WHhkTlhNQ25tN1V5VkR3 - b3c0NzJuSFRLNnVRZUNkTml6dnRKMlUKLS0tIEt2UkFEVkFGbHFURkRONUlmMW0w - ZXNpZVh2eUpuRDZ3ZFhTcTAxU2FKWTAKuWxeWi10LGOBcDuruA1Nu2cbZ4ERN6B2 - ujbcoKVN9nA+wy5+HgBxfOFQ78KvkuRmIKfbLvyRX/9Pg8v5o1Ybhg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSi9CNnFCQTdGTjlqWlY5 - eS82NDV1WFpDOGNJZVJhblhVV0xPRGcwTmtzClFXQjVXNDZHVUFWVFNHQ1FOaGNM - SUxLTDZ0MXdrZVNsUUhkQUNWdStxUjgKLS0tIDlsNU9JUFFTOVdHcUxmMzVvNHUr - dnQ1T0FwMGtpdTBYODVBdHN5NjhtNHMKYb4+t8oyZ1lfFDIbjzGfiN7EihD7oef1 - cna9lEwgfm19G1yiPjgszlPQwdjvSk6vlPNYcOT1KYisGnTtRHUCvw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcEpFUGE3bnBXYzlsZGl5 - RFR6bU56VVZRT3ZIaXc5cDYyd28vMUtoVkhVCjlwbmRBMngvWC9FQ1VsK1dxOXNo - UExONjFxZTE4S0dIeDR0VWFndEg5eUkKLS0tIHQxNWFGVHRHUGdTWTN5aVFsWGpj - TjYzVkkvUDlEOWZCM3Y3TUpHMWp1MXMKAxvbXIc0SgUdbzZvV53kqbLG8uDaSoOw - G1GWOJcruJ+WywsxoVcd6UA01GgUOYg9bAaeEJuzABfBG9u2WmL6DQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aTE3VFpZdmZYNVh4Rkw3 - Y2pXRXdWSUw2eWhHcEo1OFNnMEpRNjZzbUc0ClVGZXB2aWxXRUdZVmFWR0JDSitk - L0svd2RLb3A3QlV3ZG02TXQ3UkdlRXcKLS0tIDhVZTRHdDhJQ2ViSC9YU3ZIdURN - U3l2bjhjdktwWnpDSXFtWkp2cEFQa1kKy74uyFJcUf9L2EHcQ5RrymRFn5AsOtpQ - 
Ar1Tb+TCXsyXwMlXwqX5jTdKFxwpsgiT/GuE8mHjGOM9XoJPEHaoMA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVzRnN2xtOWw2dWlYZWR3 - b2g2WVlDcVk3eGRrQkV0ZER1a1ZLcDF2QWdjCnlMWDhMbkdFZVBkMXNwZFBKTW5z - QWxNSzRkRDdlT1FsUWpRNktYME5mcXcKLS0tIEh5UHpVb1gyeng1eXFjNnZlcTc1 - cVBMNDR6VmxTRTUzYTlETCtqTUZ6Nm8KSSlzWikCyVZsd1yzC8sq8e9UQnZhhQgl - jljUQOvLjDtjvmRMpTaAdGQuArVONWrk8UJheawo33BNL0lWyDSCcg== - -----END AGE ENCRYPTED FILE----- - - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvQlNrNG5kRG1YRXhmbFRl - Q2tMZ1RBbTFmaUg4TmtxWkFTM3VqUHhkR1c4CkJEVzFqZXRDRndJd1FuQ0t2aXNt - YkZMbkhER1FKcWNaUWhpbWxxaSt2ZHcKLS0tIEJnSk9yeFRhckN2cEpUc3VXMGps - cXVqRWpJZk5zM1VPTVNzcFBSaG5pMU0KjIni2nzw98OgER95cOdzBrvuM80CdCzb - 46FU071PAWBpgAH5SvIsI85At6fl0B8rKrce1nBSUDhvlnq4RbQpJA== - -----END AGE ENCRYPTED FILE----- - - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWGtnR2ltS2I0R0p0VlV1 - MUJyRTZsNUV0M0l6N2QrYnIyTHRrUmlmdERVCnBMU0MzNG5WQmpFcXpkM1BETFhn - RTV5R2ZZNFh6bEhkaVArenFobUZSUWcKLS0tIDUyUnpkQ29nbXdIaVhmN1dZWHhl - TERUMWJycHhWYXN0YzEwajBBVy9tYkEKSPZUnP65cRFgZdD7uHOyaMnMzPvuwHNf - 7Q2Y0vCevwmppPt6TsNWWMKJUjWkdgAeAmmkKcSuaDi2EthdnxlwCQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTS2FRbm1VUEFhN1NFc3RB - QVRSRHBvbGdXcDVuanluaFZuUmlxSkJ2NHhRCi92ZGpWV0d2Z2ZMYnhyUTJlcDZB - YlhsQzdCYWRmV3RZOXdiVlpWZzJtcEUKLS0tIDhqaHFwTUR1bi91SldFeXloUExY - dFhJU3RmT204SitRazVRVEE1Y1plb2MKMv1gUa7xMixd6GyJWgous6gd6u/TPNpo - 
9BKtmf4F9VQRdrghf+dZgExsbqD+14wdVMmncWXDBt2/G9++kxngUQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SlVhOTBZZHQxNWV0SnZj - eGJJNFhnV2hyY0xqaWNEVmtJdWZjMkxUNEVvCnpaL0xvaEh4TG1sTWtRdWdPSk94 - SzIrZUFwNktObVNQalozbmd3Wnd6SEkKLS0tIE1WYWNTc2Z4bmlzOTRRakgzN0hK - U0lzVDRnQVV2Q0h2OHVKRmVhcVE5U2MKDGo89QvLMEehTjUowAa4kTXsqauGvZeP - eTw2bqpOkpVwdtMroHcz3Su8ZqDb+ejGE6n3GcwEUUuyPNSn/iE+hQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-26T12:03:57Z" - mac: ENC[AES256_GCM,data:9istsKh21b1w5UNXJyjbR8FmjLyZL+QiBNtfFyVtLv6/rc90NSFfXzq8jVTUA/DHkMNhe6Zt+ieCucc2+MjZoKX77JFMcJgPYzdrhT7Fzk9U+7XMIUN+vKuh3RRV9f6zNiGSHAwjN3Gz0yvFWxlrvZ4W1hpjpKQ6LKXkW0c2l88=,iv:dZQeInjC96GJpSppAez0/Ovte+zns/FSP7KY/5+dcpE=,tag:wajCNA52jC+PCpUmF8ctOQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/nixos/boxes/vpsfree1/mastodon.nix b/nixos/boxes/vpsfree1/mastodon.nix deleted file mode 100644 index e11c8e37..00000000 --- a/nixos/boxes/vpsfree1/mastodon.nix +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - config, - pkgs, - inputs, - lib, - ... -}: let - newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system}; - package = newestPackages.mastodon; - domain = "peninsula.industries"; - webPort = 55001; - postgresPort = 5432; - path = "/var/lib/mastodon/"; - mailgunSmtpSecretName = "mastodon-mailgun-smtp-password"; - mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}"; - mastodonDbSecretName = "mastodon-db"; - mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}"; - uid = 2049; - gid = 3049; - systemUserName = "mastodon"; - systemGroupName = "mastodon"; - users = { - users."${systemUserName}" = { - inherit uid; - isSystemUser = true; - isNormalUser = false; - group = systemGroupName; - }; - groups."${systemGroupName}" = { - inherit gid; - members = ["${systemUserName}" "nginx"]; - }; - }; - tootctlPath = "/run/current-system/sw/bin/mastodon-tootctl"; - secretSettings = { - owner = systemUserName; - group = systemGroupName; - }; - publicPath = "${path}/public-system/"; -in { - imports = [../nginx.nix]; - - services.nginx = { - virtualHosts = { - "${domain}" = { - forceSSL = true; - enableACME = true; - root = "${package}/public/"; - - locations."/" = {tryFiles = "$uri @proxy";}; - locations."/system/".alias = "${publicPath}"; - - locations."@proxy" = { - proxyPass = "http://127.0.0.1:" + toString webPort; - proxyWebsockets = true; - }; - }; - }; - }; - - sops.secrets."${mailgunSmtpSecretName}" = - { - sopsFile = ./mailgun.sops.yaml; - path = mailgunSmtpPasswordPath; - } - // secretSettings; - sops.secrets."${mastodonDbSecretName}" = - { - sopsFile = ./mastodon-db.sops.yaml; - path = mastodonDbSecretPath; - } - // secretSettings; - - inherit users; - - systemd.services.mastodon-make-path = { - script = '' - mkdir -p ${path} - chown -R ${systemUserName}:${systemGroupName} ${path} - mkdir -p ${publicPath} - chmod -R o-rwx ${publicPath} - chmod -R g-rwx ${publicPath} - chmod -R g+X ${publicPath} - chmod -R g+r 
${publicPath} - chmod -R u+rwX ${publicPath} - ''; - serviceConfig = {Type = "oneshot";}; - before = ["container@mastodon.service"]; - }; - - containers.mastodon = { - autoStart = true; - forwardPorts = [ - { - containerPort = webPort; - hostPort = webPort; - } - ]; - bindMounts = { - "${path}" = { - hostPath = "${path}"; - isReadOnly = false; - }; - "${mailgunSmtpPasswordPath}" = { - hostPath = "${mailgunSmtpPasswordPath}"; - isReadOnly = true; - }; - "${mastodonDbSecretPath}" = { - hostPath = "${mastodonDbSecretPath}"; - isReadOnly = true; - }; - }; - config = { - config, - pkgs, - lib, - ... - }: { - system.stateVersion = "23.11"; - services.postgresql.port = postgresPort; - users = - users - // { - mutableUsers = false; - allowNoPasswordLogin = true; - }; - systemd.services.mastodon-media-auto-remove = { - description = "Mastodon media auto remove"; - serviceConfig = { - User = systemUserName; - Group = systemGroupName; - Type = "oneshot"; - EnvironmentFile = "/var/lib/mastodon/.secrets_env"; - }; - script = '' - ${tootctlPath} media remove --days=8 --prune-profiles --include-follows -c1 - ${tootctlPath} media remove --days=8 --remove-headers --include-follows -c1 - ${tootctlPath} preview_cards remove --days=8 - ''; - startAt = "daily"; - }; - services.mastodon = { - enable = true; - inherit package; - localDomain = "${domain}"; - user = systemUserName; - group = systemGroupName; - mediaAutoRemove.enable = false; - streamingProcesses = 2; - smtp = { - host = "smtp.eu.mailgun.org"; - port = 465; - authenticate = true; - user = "postmaster@${domain}"; - fromAddress = "Peninsula Industries Mastodon "; - createLocally = false; - passwordFile = "${mailgunSmtpPasswordPath}"; - }; - sidekiqThreads = 8; - extraConfig = { - SMTP_TLS = "true"; - SMTP_ENABLE_STARTTLS_AUTO = "true"; - SINGLE_USER_MODE = "true"; - RAILS_SERVE_STATIC_FILES = "true"; - AUTHORIZED_FETCH = "true"; - DISALLOW_UNAUTHENTICATED_API_ACCESS = "true"; - }; - inherit webPort; - configureNginx = false; 
- enableUnixSocket = false; - database = { - port = postgresPort; - passwordFile = mastodonDbSecretPath; - }; - }; - }; - }; -}