{ config, pkgs, inputs, lib, ... }: let newestPackages = inputs.nixpkgs-master.legacyPackages.${pkgs.system}; package = newestPackages.mastodon; domain = "peninsula.industries"; webPort = 55001; postgresPort = 5432; path = "/var/lib/mastodon/"; mailgunSmtpSecretName = "mastodon-mailgun-smtp-password"; mailgunSmtpPasswordPath = "/run/secrets/${mailgunSmtpSecretName}"; mastodonDbSecretName = "mastodon-db"; mastodonDbSecretPath = "/run/secrets/${mastodonDbSecretName}"; uid = 2049; gid = 3049; systemUserName = "mastodon"; systemGroupName = "mastodon"; users = { users."${systemUserName}" = { inherit uid; isSystemUser = true; isNormalUser = false; group = systemGroupName; }; groups."${systemGroupName}" = { inherit gid; members = ["${systemUserName}" "nginx"]; }; }; tootctlPath = "/run/current-system/sw/bin/mastodon-tootctl"; secretSettings = { owner = systemUserName; group = systemGroupName; }; publicPath = "${path}/public-system/"; in { imports = [../nginx.nix]; services.nginx = { virtualHosts = { "${domain}" = { forceSSL = true; enableACME = true; root = "${package}/public/"; locations."/" = {tryFiles = "$uri @proxy";}; locations."/system/".alias = "${publicPath}"; locations."@proxy" = { proxyPass = "http://127.0.0.1:" + toString webPort; proxyWebsockets = true; }; }; }; }; sops.secrets."${mailgunSmtpSecretName}" = { sopsFile = ./mailgun.sops.yaml; path = mailgunSmtpPasswordPath; } // secretSettings; sops.secrets."${mastodonDbSecretName}" = { sopsFile = ./mastodon-db.sops.yaml; path = mastodonDbSecretPath; } // secretSettings; inherit users; systemd.services.mastodon-make-path = { script = '' mkdir -p ${path} chown -R ${systemUserName}:${systemGroupName} ${path} mkdir -p ${publicPath} chmod -R o-rwx ${publicPath} chmod -R g-rwx ${publicPath} chmod -R g+X ${publicPath} chmod -R g+r ${publicPath} chmod -R u+rwX ${publicPath} ''; serviceConfig = {Type = "oneshot";}; before = ["container@mastodon.service"]; }; containers.mastodon = { autoStart = true; forwardPorts = [ { containerPort = webPort; hostPort = webPort; } ]; bindMounts = { "${path}" = { hostPath = "${path}"; isReadOnly = false; }; "${mailgunSmtpPasswordPath}" = { hostPath = "${mailgunSmtpPasswordPath}"; isReadOnly = true; }; "${mastodonDbSecretPath}" = { hostPath = "${mastodonDbSecretPath}"; isReadOnly = true; }; }; config = { config, pkgs, lib, ... }: { system.stateVersion = "23.11"; services.postgresql.port = postgresPort; users = users // { mutableUsers = false; allowNoPasswordLogin = true; }; systemd.services.mastodon-media-auto-remove = { description = "Mastodon media auto remove"; serviceConfig = { User = systemUserName; Group = systemGroupName; Type = "oneshot"; EnvironmentFile = "/var/lib/mastodon/.secrets_env"; }; script = '' ${tootctlPath} media remove --days=8 --prune-profiles --include-follows -c1 ${tootctlPath} media remove --days=8 --remove-headers --include-follows -c1 ${tootctlPath} preview_cards remove --days=8 ''; startAt = "daily"; }; services.mastodon = { enable = true; inherit package; localDomain = "${domain}"; user = systemUserName; group = systemGroupName; mediaAutoRemove.enable = false; streamingProcesses = 2; smtp = { host = "smtp.eu.mailgun.org"; port = 465; authenticate = true; user = "postmaster@${domain}"; fromAddress = "Peninsula Industries Mastodon "; createLocally = false; passwordFile = "${mailgunSmtpPasswordPath}"; }; sidekiqThreads = 8; extraConfig = { SMTP_TLS = "true"; SMTP_ENABLE_STARTTLS_AUTO = "true"; SINGLE_USER_MODE = "true"; RAILS_SERVE_STATIC_FILES = "true"; AUTHORIZED_FETCH = "true"; DISALLOW_UNAUTHENTICATED_API_ACCESS = "true"; }; inherit webPort; configureNginx = false; enableUnixSocket = false; database = { port = postgresPort; passwordFile = mastodonDbSecretPath; }; }; }; }; }