{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # Mastodon comes from the flake's nixpkgs-master input (pinned by the flake
  # lock), not from the release channel the rest of this host tracks.
  newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system};
  package = newestPackages.mastodon;
  domain = "peninsula.industries";
  # TCP port puma listens on inside the container; also opened on the host
  # firewall and forwarded below.
  internalWebPort = 55002;
  postgresPort = 5432;
  # Host directory that is bind-mounted as /var/lib/mastodon in the container.
  path = "/data/mastodon";
  # sops-nix materialises every secret under /run/secrets/<name>; the same
  # path is bind-mounted into the container so both sides use one location.
  secretPath = name: "/run/secrets/${name}";
  mailgunSmtpSecretName = "mastodon-mailgun-smtp-password";
  mailgunSmtpPasswordPath = secretPath mailgunSmtpSecretName;
  mastodonDbSecretName = "mastodon-db";
  mastodonDbSecretPath = secretPath mastodonDbSecretName;
  # Fixed ids: the same definition is applied on the host and in the
  # container, so ownership on the shared data tree is consistent.
  uid = 2049;
  gid = 3049;
  systemUserName = "mastodon";
  systemGroupName = "mastodon";
  # Reused by host and container config. nginx is a group member so the host
  # nginx vhost can read public-system/ (group gets r-X in mastodon-make-path).
  users = {
    users.${systemUserName} = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
    };
    groups.${systemGroupName} = {
      inherit gid;
      members = [systemUserName "nginx"];
    };
  };
  # Ownership applied to both sops secrets; the file mode is left at the
  # sops-nix default.
  secretSettings = {
    owner = systemUserName;
    group = systemGroupName;
  };
  # Mastodon's public/system tree (uploaded media), served by the host nginx.
  publicPath = path + "/public-system/";
in {
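  imports = [../nginx.nix];
  system.stateVersion = "23.11";

  # NOTE(review): this opens the container's puma port on every host interface.
  # It is only useful if something outside this file reverse-proxies it, and on
  # a host with a public interface it exposes plain-HTTP Mastodon directly;
  # prefer networking.firewall.interfaces.<iface>.allowedTCPPorts for the
  # interface the proxy actually uses.
  networking.firewall.allowedTCPPorts = [internalWebPort];

  # Host-side nginx serving Mastodon's public/system tree (user-uploaded media)
  # straight from the bind-mounted directory. No TLS is configured on this
  # vhost; it is assumed to be reachable only on the internal network.
  services.nginx.virtualHosts."masto-system.internal.cyplo.dev" = {
    root = publicPath;
    # Everything under this root is user-uploaded content. Mirror the headers
    # Mastodon's reference nginx config sets for /system/: stop browsers from
    # sniffing an upload into HTML/script on this origin and forbid any
    # sub-resource loads or form posts from it.
    extraConfig = ''
      add_header X-Content-Type-Options nosniff;
      add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
    '';
  };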

  # Decrypted at boot by sops-nix and owned by the mastodon user; the host
  # paths are bind-mounted read-only into the container at the same location.
  sops.secrets = {
    ${mailgunSmtpSecretName} = secretSettings // {
      sopsFile = ./mailgun.sops.yaml;
      path = mailgunSmtpPasswordPath;
    };
    ${mastodonDbSecretName} = secretSettings // {
      sopsFile = ./mastodon-db.sops.yaml;
      path = mastodonDbSecretPath;
    };
  };

  # Host-side user/group; the same definition is applied inside the container
  # so uid/gid on the shared /data/mastodon tree match.
  users = users;

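  # Prepares the host-side state directory before the container starts: the
  # container's mastodon user (same uid/gid as on the host) owns the tree, the
  # host nginx (group member) may read public-system/, and nobody else gets in.
  systemd.services.mastodon-make-path = {
    description = "Prepare ${path} for the mastodon container";
    script = ''
      mkdir -p ${path}
      chown -R ${systemUserName}:${systemGroupName} ${path}
      mkdir -p ${publicPath}
      chmod -R o-rwx ${publicPath}
      chmod -R g-rwx ${publicPath}
      chmod -R g+X ${publicPath}
      chmod -R g+r ${publicPath}
      chmod -R u+rwX ${publicPath}
    '';
    # NOTE(review): the recursive chown/chmod walk the whole media tree on every
    # start; on a large tree this is slow and could be limited to the top-level
    # directories once ownership has been established.
    serviceConfig = {Type = "oneshot";};
    # before= is ordering only and never pulls a unit into the transaction:
    # without requiredBy this oneshot was not started at boot, so the container
    # could come up against a missing or wrongly-owned ${path}. requiredBy makes
    # the container's start depend on it and before= keeps it first.
    requiredBy = ["container@mastodon.service"];
    before = ["container@mastodon.service"];
  };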

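  # Mastodon runs in a NixOS container; persistent state and the two secrets
  # are bind-mounted from the host, everything else is container-local.
  containers.mastodon = {
    autoStart = true;
    # NOTE(review): hostAddress and forwardPorts only take effect together with
    # privateNetwork = true, which is not set here; as written the container
    # shares the host's network namespace and the forward is a no-op. Confirm
    # which of the two is intended.
    hostAddress = "100.69.177.80";
    forwardPorts = [
      {
        containerPort = internalWebPort;
        hostPort = internalWebPort;
      }
    ];
    bindMounts = {
      # Persistent state lives on the host; ownership is prepared by
      # mastodon-make-path.
      "/var/lib/mastodon" = {
        hostPath = path;
        isReadOnly = false;
      };
      # Secrets are mounted file-by-file, read-only, at the same path they have
      # on the host so the service options below can use one path for both.
      # NOTE(review): sops-nix exposes /run/secrets through a per-generation
      # symlink; a bind mount captures the file as it was when the container
      # started, so a rotated secret needs a container restart to be picked up.
      "${mailgunSmtpPasswordPath}" = {
        hostPath = mailgunSmtpPasswordPath;
        isReadOnly = true;
      };
      "${mastodonDbSecretPath}" = {
        hostPath = mastodonDbSecretPath;
        isReadOnly = true;
      };
    };
    config = {
      config,
      pkgs,
      lib,
      ...
    }: {
      system.stateVersion = "23.11";
      services.postgresql.port = postgresPort;
      # Same uid/gid as the host so files on the bind mount are owned
      # consistently; no interactive logins are expected inside the container.
      users =
        users
        // {
          mutableUsers = false;
          allowNoPasswordLogin = true;
        };
      # Replaces the module's mediaAutoRemove (disabled below) so profile and
      # header images are pruned as well as attachments and preview cards.
      systemd.services.mastodon-media-auto-remove = {
        description = "Mastodon media auto remove";
        serviceConfig = {
          Type = "oneshot";
          # Run as the service user rather than root: pruning only needs to
          # read and write the mastodon state directory.
          User = systemUserName;
          Group = systemGroupName;
          EnvironmentFile = "/var/lib/mastodon/.secrets_env";
        };
        script = ''
          /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --prune-profiles --include-follows -c1
          /run/current-system/sw/bin/mastodon-tootctl media remove --days=8 --remove-headers --include-follows -c1
          /run/current-system/sw/bin/mastodon-tootctl preview_cards remove --days=8
        '';
        startAt = "daily";
      };
      services.mastodon = {
        enable = true;
        inherit package;
        localDomain = "${domain}";
        user = systemUserName;
        group = systemGroupName;
        # Handled by the custom unit above.
        mediaAutoRemove.enable = false;
        streamingProcesses = 2;
        # Outbound mail via Mailgun over implicit TLS (SMTPS, port 465); no
        # local MTA is created. The password comes from the sops mount.
        smtp = {
          host = "smtp.eu.mailgun.org";
          port = 465;
          authenticate = true;
          user = "postmaster@${domain}";
          fromAddress = "Peninsula Industries Mastodon <mastodon@${domain}>";
          createLocally = false;
          passwordFile = "${mailgunSmtpPasswordPath}";
        };
        sidekiqThreads = 8;
        extraConfig = {
          # SMTP_TLS selects implicit TLS on 465; STARTTLS_AUTO is then moot.
          SMTP_TLS = "true";
          SMTP_ENABLE_STARTTLS_AUTO = "true";
          SINGLE_USER_MODE = "true";
          # puma serves assets itself because nginx is not configured here.
          RAILS_SERVE_STATIC_FILES = "true";
          # Require HTTP-signed ActivityPub fetches and authenticated API reads;
          # both limit what an anonymous remote party can pull from this instance.
          AUTHORIZED_FETCH = "true";
          DISALLOW_UNAUTHENTICATED_API_ACCESS = "true";
        };
        # nginx is not managed by this module; puma listens on TCP webPort.
        webPort = internalWebPort;
        configureNginx = false;
        enableUnixSocket = false;
        database = {
          port = postgresPort;
          passwordFile = mastodonDbSecretPath;
        };
      };
    };
  };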
}