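# Host-side description of a Mastodon NixOS container.
#
# Evaluates to an attrset with two members:
#   containerConfig  - value for `containers.<containerName>` (private network,
#                      bind mounts and the container's NixOS configuration)
#   activationScript - shell run on the host to create the bind-mounted state
#                      directories and install the oauth2_proxy key file
#
# Arguments of the inner function:
#   containerName     - names the container and its host state directory
#                       /var/lib/<containerName>-container
#   hostAddress       - host side of the private network; also the HTTP proxy
#                       host ("outer") and Mastodon's trusted reverse proxy
#   localAddress      - container side of the private network
#   domain            - public domain served by Mastodon and nginx
#   useElasticsearch  - enables the (unfree) Elasticsearch full-text search
#   mastodonPackage   - Mastodon package to run; also put on PATH for tootctl
#   forwardPorts, imports, disabledModules, acme, smtp, mastodonExtraConfig
#                     - passed through unchanged to the matching NixOS options
#   oauth2ProxyUsers  - e-mail addresses allowed through oauth2_proxy
#   oauth2ProxyKeys   - file holding the oauth2_proxy keys; copied into the
#                       read-only /var/lib/secrets mount of the container
#   autoStart         - passed through to containers.<name>.autoStart
{ ... }:
{ containerName, hostAddress, domain, localAddress, useElasticsearch
, mastodonPackage, forwardPorts, imports, disabledModules, acme, smtp
, mastodonExtraConfig, oauth2ProxyUsers, oauth2ProxyKeys, autoStart }:
let
  # Host directory backing every bind mount of this container.
  stateRoot = "/var/lib/${containerName}-container";

  # One bind-mount entry for builtins.listToAttrs: `guest` is the path inside
  # the container, `sub` the sub-directory of stateRoot that backs it.
  mount = guest: sub: ro: {
    name = guest;
    value = {
      hostPath = "${stateRoot}/${sub}";
      isReadOnly = ro;
    };
  };

  # State the container may write to; the activation script creates the
  # backing directories in this order.
  writableMounts = [
    (mount "/var/lib/mastodon" "mastodon" false)
    (mount "/var/lib/redis-mastodon" "redis-mastodon" false)
    (mount "/var/lib/postgresql" "postgresql" false)
    (mount "/var/lib/elasticsearch" "elasticsearch" false)
    (mount "/var/lib/acme" "acme" false)
    (mount "/var/lib/certs" "certs" false)
    (mount "/var/backup" "backup" false)
  ];

  # Secrets are only ever read by the container.
  secretsMount = mount "/var/lib/secrets" "secrets" true;

  writableHostDirs = map (m: m.value.hostPath) writableMounts;
in {
  containerConfig = {
    #ephemeral = true;
    inherit autoStart;
    privateNetwork = true;
    inherit hostAddress;
    inherit localAddress;
    inherit forwardPorts;
    bindMounts = builtins.listToAttrs (writableMounts ++ [ secretsMount ]);

    config = { pkgs, ... }: {
      inherit imports;
      inherit disabledModules;

      networking = {
        firewall.enable = true;
        firewall.allowedTCPPorts = [ 443 80 ];
        # Outbound HTTP goes through a proxy on the host ("outer"); local
        # addresses and the host itself bypass it.
        proxy.default = "http://outer:3128";
        proxy.noProxy = "127.0.0.1,localhost,outer,${hostAddress}";
        extraHosts = ''
          ${hostAddress} outer
        '';
      };

      security = { inherit acme; };

      # Dedicated redis instance for Mastodon, loopback only; the port must
      # match services.mastodon.redis.port below.
      services.redis.servers.mastodon = {
        enable = true;
        bind = "127.0.0.1";
        port = 31637;
      };

      services.mastodon = {
        enable = true;
        package = mastodonPackage;
        configureNginx = true;
        localDomain = domain;
        enableUnixSocket = true;
        redis = {
          createLocally = true;
          host = "127.0.0.1";
          port = 31637;
        };
        database = {
          createLocally = true;
          host = "/run/postgresql";
          port = 5432;
        };
        inherit smtp;
        extraConfig = mastodonExtraConfig;
        elasticsearch.host = "127.0.0.1";
        # Only the host side of the private network is trusted to set
        # X-Forwarded-* headers.
        trustedProxy = hostAddress;
      };

      # enable pghero
      services.postgresql.settings.shared_preload_libraries =
        "pg_stat_statements";
      services.postgresql.settings."pg_stat_statements.track" = "all";

      # Nightly dump into the /var/backup bind mount.
      services.postgresqlBackup = {
        enable = true;
        databases = [ "mastodon" ];
        startAt = "*-*-* 04:15:00";
        location = "/var/backup/postgresql";
      };

      nixpkgs.config.allowUnfree = useElasticsearch; # elasticsearch
      services.elasticsearch = {
        enable = useElasticsearch;
        package = pkgs.elasticsearch7;
        # No GeoIP download (no direct internet access) and no X-Pack auth.
        # NOTE(review): with auth off, access control rests entirely on the
        # container's private network and Elasticsearch's listen address -
        # confirm it is loopback only.
        extraConf = ''
          ingest.geoip.downloader.enabled: false
          xpack.security.enabled: false
        '';
      };

      # oauth2_proxy authenticates against this Mastodon instance; its keys
      # live in the read-only secrets mount installed by activationScript.
      services.oauth2_proxy_mastodon = {
        enable = true;
        provider = "mastodon";
        keyFile = "${secretsMount.name}/oauth2_proxy_keys";
        setXauthrequest = true;
        mastodon = { mastodon-url = "https://${domain}"; };
        extraConfig = { };
        email.addresses = oauth2ProxyUsers;
      };

      services.nginx.virtualHosts."${domain}" = {
        locations."/oauth2/" = {
          proxyPass =
            "http://127.0.0.1:4180"; # can't use config.services.oauth2_proxy_mastodon.httpAddress fsr. probably because of weird container module stuff.;
          extraConfig = ''
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
          '';
        };
        locations."/oauth2/auth" = {
          proxyPass =
            "http://127.0.0.1:4180"; # can't use config.services.oauth2_proxy_mastodon.httpAddress fsr. probably because of weird container module stuff.;
          extraConfig = ''
            proxy_set_header X-Scheme $scheme;
            # nginx auth_request includes headers but not body
            proxy_set_header Content-Length "";
            proxy_pass_request_body off;
          '';
        };
        # locations."/netdata/" = {
        #   proxyPass = "http://outer:19999/";
        #   extraConfig = ''
        #     auth_request /oauth2/auth;
        #     error_page 401 = /oauth2/sign_in;
        #
        #     auth_request_set $auth_cookie $upstream_http_set_cookie;
        #     add_header Set-Cookie $auth_cookie;
        #   '';
        # };
        # locations."/netdata-ingress/" = {
        #   proxyPass = "http://outer:19998/";
        #   extraConfig = ''
        #     auth_request /oauth2/auth;
        #     error_page 401 = /oauth2/sign_in;
        #
        #     auth_request_set $auth_cookie $upstream_http_set_cookie;
        #     add_header Set-Cookie $auth_cookie;
        #   '';
        # };
      };

      # tootctl on path
      environment.systemPackages = [ mastodonPackage ];
      system.stateVersion = "22.05";
    };
  };

  # Runs on the host: creates the backing directories for the writable bind
  # mounts and installs the oauth2_proxy key file.
  activationScript = ''
    mkdir -p ${builtins.concatStringsSep " " writableHostDirs}

    # The key file is read by oauth2_proxy through the read-only secrets
    # mount.  A plain `cp` keeps the source's mode, which is world-readable
    # whenever the source comes from the Nix store, so the directory and the
    # copy are created with an explicit owner and mode instead.
    # NOTE(review): if oauth2ProxyKeys is a path literal, Nix additionally
    # leaves a world-readable copy in /nix/store - confirm how it is supplied.
    # 996 happens to be the uid of oauth2_proxy inside the container; bind
    # mounts carry uids through unchanged and nothing here verifies the match.
    install -d -m 0700 -o 996 ${secretsMount.value.hostPath}
    install -m 0600 -o 996 "${oauth2ProxyKeys}" ${secretsMount.value.hostPath}/oauth2_proxy_keys
  '';
}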