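{ config, pkgs, inputs, lib, ... }:
# Mastodon for the domain below. nginx on the host terminates TLS and proxies
# into a NixOS container that runs the Mastodon web/streaming processes and a
# local PostgreSQL. Secrets are decrypted on the host by sops-nix and
# bind-mounted read-only into the container, so the container holds no key
# material of its own.
let
  domain = "peninsula.industries";

  # Ports the container's processes listen on; the host nginx proxies to them
  # on localhost (see forwardPorts on the container below).
  streamingPort = 55000;
  webPort = 55001;
  postgresPort = 5433;

  # Mastodon state on the host, bind-mounted read/write into the container and
  # served directly by the host nginx under /system/. Deliberately keeps its
  # trailing slash, so join as "${path}sub/" rather than "${path}/sub/".
  path = "/var/lib/mastodon/";

  # sops-nix secret names and the host paths they are placed at. The identical
  # paths are bind-mounted into the container, so the in-container services
  # reference them unchanged.
  mailgunSmtpSecretName = "mailgun-smtp-password";
  mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}";
  mastodonDbSecretName = "mastodon-db";
  mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}";

  # Fixed uid/gid declared identically on the host and inside the container.
  # The secret files are owned by this user/group on the host, so pinning the
  # numeric ids on both sides is what lets the container's mastodon user (and
  # only it) read the bind-mounted secrets.
  uid = 2049;
  gid = 3049;
  systemUserName = "mastodon";
  systemGroupName = "mastodon";

  # User/group definition shared by host and container, kept in one place so
  # the ids cannot drift apart between the two sides.
  accounts = {
    users."${systemUserName}" = {
      inherit uid;
      isSystemUser = true;
      isNormalUser = false;
      group = systemGroupName;
    };
    groups."${systemGroupName}" = {
      inherit gid;
      members = [ systemUserName ];
    };
  };

  # A sops secret placed at secretPath, readable only by the mastodon account.
  mkSecret = sopsFile: secretPath: {
    inherit sopsFile;
    path = secretPath;
    owner = systemUserName;
    group = systemGroupName;
  };

  # A bind mount that exposes a host path at the same path in the container.
  mkBind = mountPath: readOnly: {
    hostPath = mountPath;
    isReadOnly = readOnly;
  };
in {
  imports = [ ../nginx.nix ];

  # Host-side reverse proxy. Static assets are served straight from the
  # Mastodon package; everything else falls through to the container's web
  # process, and the streaming API goes to its own process.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    root = "${config.services.mastodon.package}/public/";
    # User uploads live in the host-side state directory (path already ends
    # in a slash, so no separator is added here).
    locations."/system/".alias = "${path}public-system/";
    locations."/".tryFiles = "$uri @proxy";
    locations."@proxy" = {
      proxyPass = "http://localhost:${toString webPort}";
      proxyWebsockets = true;
    };
    locations."/api/v1/streaming/" = {
      proxyPass = "http://localhost:${toString streamingPort}";
      proxyWebsockets = true;
    };
  };

  sops.secrets."${mailgunSmtpSecretName}" = mkSecret ./mailgun.sops.yaml mailgunSmtpPasswordPath;
  sops.secrets."${mastodonDbSecretName}" = mkSecret ./mastodon-db.sops.yaml mastodonDbSecretPath;

  users = accounts;

  containers.mastodon = {
    autoStart = true;
    # NOTE(review): forwardPorts is only meaningful together with
    # privateNetwork = true; with the default shared network namespace the
    # container's listeners are reachable from the host anyway. Confirm which
    # of the two is intended.
    forwardPorts = [
      { containerPort = streamingPort; hostPort = streamingPort; }
      { containerPort = webPort; hostPort = webPort; }
    ];
    bindMounts = {
      "${path}" = mkBind path false;
      "${mailgunSmtpPasswordPath}" = mkBind mailgunSmtpPasswordPath true;
      "${mastodonDbSecretPath}" = mkBind mastodonDbSecretPath true;
    };

    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "22.05";
      services.postgresql.port = postgresPort;

      # Fully declarative user database; no account in the container has a
      # password, which is why allowNoPasswordLogin must be set.
      users = accounts // {
        mutableUsers = false;
        allowNoPasswordLogin = true;
      };

      services.mastodon = {
        enable = true;
        localDomain = domain;
        user = systemUserName;
        group = systemGroupName;
        smtp = {
          host = "smtp.eu.mailgun.org";
          port = 465;
          authenticate = true;
          user = "postmaster@${domain}";
          # NOTE(review): this value ends in a space and carries only a display
          # name, no mailbox part; it looks like the address was dropped from
          # this string — confirm against the deployed configuration.
          fromAddress = "Peninsula Industries Mastodon ";
          createLocally = false;
          # Decrypted on the host by sops-nix and bind-mounted read-only above.
          passwordFile = mailgunSmtpPasswordPath;
        };
        # Extra environment for Mastodon; both are passed through as-is.
        extraConfig = {
          SMTP_TLS = "true";
          SMTP_ENABLE_STARTTLS_AUTO = "true";
        };
        inherit streamingPort webPort;
        # nginx runs on the host, so the module must not configure one here and
        # the processes listen on TCP rather than a unix socket.
        configureNginx = false;
        enableUnixSocket = false;
        database = {
          port = postgresPort;
          # Decrypted on the host by sops-nix and bind-mounted read-only above.
          passwordFile = mastodonDbSecretPath;
        };
      };
    };
  };
}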