(messily) refactor container definition so it's reusable
This commit is contained in:
parent
7c2b78733a
commit
5cb7263c17
|
@ -1,11 +1,74 @@
|
||||||
{ config, pkgs, nestedContainerExtras, ... }:
|
{ config, pkgs, nestedContainerExtras, ... }:
|
||||||
|
let
|
||||||
|
mastodonContainerFactory = import ../modules/mastodon_container.nix { };
|
||||||
|
prodConfig = {
|
||||||
|
containerName = "mastodon";
|
||||||
|
hostAddress = "192.168.42.11";
|
||||||
|
domain = "snoot.tube";
|
||||||
|
localAddress = "192.168.42.12";
|
||||||
|
useElasticsearch = true;
|
||||||
|
mastodonPackage = pkgs.mastodonFork;
|
||||||
|
forwardPorts = [
|
||||||
|
{
|
||||||
|
containerPort = 443;
|
||||||
|
hostPort = 443;
|
||||||
|
protocol = "tcp";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
containerPort = 80;
|
||||||
|
hostPort = 80;
|
||||||
|
protocol = "tcp";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
imports = nestedContainerExtras.imports;
|
||||||
|
disabledModules = nestedContainerExtras.disabledModules;
|
||||||
|
acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "vivlim@pm.me";
|
||||||
|
defaults.server =
|
||||||
|
"https://localhost"; # try to use localhost as acme server. this request *will* fail, and we'll fall back to self-signed
|
||||||
|
#defaults.enableDebugLogs = true;
|
||||||
|
};
|
||||||
|
smtp = {
|
||||||
|
createLocally = false;
|
||||||
|
authenticate = false;
|
||||||
|
fromAddress = "snoot-tube-mastodon@vvn.space";
|
||||||
|
host =
|
||||||
|
"192.168.1.7"; # ts ip isn't reachable from the container. maybe need a mail relay on the host? use lan ip for now "100.109.126.18"; # sky-reflected-in-mirrors ts ip
|
||||||
|
port = 25;
|
||||||
|
};
|
||||||
|
mastodonExtraConfig = {
|
||||||
|
ALTERNATE_DOMAINS = "dev.snoot.tube,awake.snoot.tube";
|
||||||
|
#EMAIL_DOMAIN_ALLOWLIST = "vvn.space";
|
||||||
|
SMTP_AUTH_METHOD = "none";
|
||||||
|
SMTP_OPENSSL_VERIFY_MODE = "none";
|
||||||
|
MAX_TOOT_CHARS = "42069";
|
||||||
|
AUTHORIZED_FETCH = "true";
|
||||||
|
USER_ACTIVE_DAYS = "14";
|
||||||
|
STATSD_ADDR = "outer:9125";
|
||||||
|
MAX_REACTIONS = "8";
|
||||||
|
SEARCH_SCOPE = "public";
|
||||||
|
};
|
||||||
|
oauth2ProxyUsers = ''
|
||||||
|
viv
|
||||||
|
itsonlythee
|
||||||
|
lifning
|
||||||
|
Skirmisher
|
||||||
|
'';
|
||||||
|
oauth2ProxyKeys = config.sops.secrets.oauth2_proxy_keys.path;
|
||||||
|
|
||||||
{
|
};
|
||||||
|
|
||||||
|
prodContainer = (mastodonContainerFactory prodConfig);
|
||||||
|
in {
|
||||||
config.networking.hostName = "mastodon-snoottube";
|
config.networking.hostName = "mastodon-snoottube";
|
||||||
config.networking.firewall.enable = true;
|
config.networking.firewall.enable = true;
|
||||||
config.networking.firewall.allowedTCPPorts = [ 80 443 22 19999 19998 19980 19981 9102 4040 ];
|
config.networking.firewall.allowedTCPPorts =
|
||||||
config.networking.firewall.interfaces."ve-+".allowedTCPPorts = [ 3128 ]; # ssh forwarded http proxy
|
[ 80 443 22 19999 19998 19980 19981 9102 4040 ];
|
||||||
config.networking.firewall.interfaces."ve-+".allowedUDPPorts = [ 9125 ]; # statsd
|
config.networking.firewall.interfaces."ve-+".allowedTCPPorts =
|
||||||
|
[ 3128 ]; # ssh forwarded http proxy
|
||||||
|
config.networking.firewall.interfaces."ve-+".allowedUDPPorts =
|
||||||
|
[ 9125 ]; # statsd
|
||||||
config.networking.firewall.checkReversePath = "loose";
|
config.networking.firewall.checkReversePath = "loose";
|
||||||
|
|
||||||
config.networking.extraHosts = ''
|
config.networking.extraHosts = ''
|
||||||
|
@ -17,7 +80,7 @@
|
||||||
|
|
||||||
# enable containers to reach network
|
# enable containers to reach network
|
||||||
config.networking.nat.enable = true;
|
config.networking.nat.enable = true;
|
||||||
config.networking.nat.internalInterfaces = ["ve-+"];
|
config.networking.nat.internalInterfaces = [ "ve-+" ];
|
||||||
config.networking.nat.externalInterface = "ens18";
|
config.networking.nat.externalInterface = "ens18";
|
||||||
|
|
||||||
config.services.prometheus_exporters = {
|
config.services.prometheus_exporters = {
|
||||||
|
@ -33,205 +96,15 @@
|
||||||
user = "root";
|
user = "root";
|
||||||
monitoringPort = 0;
|
monitoringPort = 0;
|
||||||
extraArguments =
|
extraArguments =
|
||||||
"-o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -N -R 4433:192.168.42.12:443 -L 3128:localhost:3128 -L 19981:localhost:19980 -L 19998:localhost:19999 -L 4040:localhost:4040 -g -i /root/.ssh/id_ed25519_to_ingress snoot.tube -p 6922";
|
"-o ExitOnForwardFailure=yes -o ConnectTimeout=10 -o ServerAliveInterval=15 -o ServerAliveCountMax=4 -N -R 4433:${prodConfig.localAddress}:443 -L 3128:localhost:3128 -L 19981:localhost:19980 -L 19998:localhost:19999 -L 4040:localhost:4040 -g -i /root/.ssh/id_ed25519_to_ingress snoot.tube -p 6922";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
config.containers = {
|
config.containers = { mastodon = prodContainer.containerConfig; };
|
||||||
mastodon = {
|
|
||||||
#ephemeral = true;
|
|
||||||
autoStart = true;
|
|
||||||
privateNetwork = true;
|
|
||||||
hostAddress = "192.168.42.11";
|
|
||||||
localAddress = "192.168.42.12";
|
|
||||||
forwardPorts = [
|
|
||||||
{ containerPort = 443; hostPort = 443; protocol = "tcp"; }
|
|
||||||
{ containerPort = 80; hostPort = 80; protocol = "tcp"; }
|
|
||||||
];
|
|
||||||
bindMounts = {
|
|
||||||
"/var/lib/mastodon" = { hostPath = "/var/lib/mastodon-container/mastodon"; isReadOnly = false;};
|
|
||||||
"/var/lib/redis-mastodon" = { hostPath = "/var/lib/mastodon-container/redis-mastodon"; isReadOnly = false;};
|
|
||||||
"/var/lib/postgresql" = { hostPath = "/var/lib/mastodon-container/postgresql"; isReadOnly = false;};
|
|
||||||
"/var/lib/elasticsearch" = { hostPath = "/var/lib/mastodon-container/elasticsearch"; isReadOnly = false;};
|
|
||||||
"/var/lib/acme" = { hostPath = "/var/lib/mastodon-container/acme"; isReadOnly = false;};
|
|
||||||
"/var/lib/certs" = { hostPath = "/var/lib/mastodon-container/certs"; isReadOnly = false;};
|
|
||||||
"/var/lib/secrets" = { hostPath = "/var/lib/mastodon-container/secrets"; isReadOnly = true;};
|
|
||||||
"/var/backup" = { hostPath = "/var/lib/mastodon-container/backup"; isReadOnly = false;};
|
|
||||||
};
|
|
||||||
config = { pkgs, ... }: {
|
|
||||||
imports = nestedContainerExtras.imports;
|
|
||||||
disabledModules = nestedContainerExtras.disabledModules;
|
|
||||||
|
|
||||||
networking = {
|
config.system.activationScripts.createMastodonContainerPaths =
|
||||||
firewall.enable = true;
|
pkgs.lib.stringAfter [ "setupSecrets" "var" ]
|
||||||
firewall.allowedTCPPorts = [ 443 80 ];
|
prodContainer.activationScript;
|
||||||
proxy.default = "http://outer:3128";
|
|
||||||
proxy.noProxy = "127.0.0.1,localhost,outer,192.168.42.11";
|
|
||||||
extraHosts = ''
|
|
||||||
192.168.42.11 outer
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
security = {
|
|
||||||
acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "vivlim@pm.me";
|
|
||||||
defaults.server = "https://localhost"; # try to use localhost as acme server. this request *will* fail, and we'll fall back to self-signed
|
|
||||||
#defaults.enableDebugLogs = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.redis.servers.mastodon = {
|
|
||||||
enable = true;
|
|
||||||
bind = "127.0.0.1";
|
|
||||||
port = 31637;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.mastodon = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
package = pkgs.mastodonFork;
|
|
||||||
configureNginx = true;
|
|
||||||
localDomain = "snoot.tube";
|
|
||||||
enableUnixSocket = true;
|
|
||||||
redis = {
|
|
||||||
createLocally = true;
|
|
||||||
host = "127.0.0.1";
|
|
||||||
port = 31637;
|
|
||||||
};
|
|
||||||
database = {
|
|
||||||
createLocally = true;
|
|
||||||
host = "/run/postgresql";
|
|
||||||
port = 5432;
|
|
||||||
};
|
|
||||||
smtp = {
|
|
||||||
createLocally = false;
|
|
||||||
authenticate=false;
|
|
||||||
fromAddress = "snoot-tube-mastodon@vvn.space";
|
|
||||||
host = "192.168.1.7"; # ts ip isn't reachable from the container. maybe need a mail relay on the host? use lan ip for now "100.109.126.18"; # sky-reflected-in-mirrors ts ip
|
|
||||||
port = 25;
|
|
||||||
};
|
|
||||||
extraConfig = {
|
|
||||||
ALTERNATE_DOMAINS="dev.snoot.tube,awake.snoot.tube";
|
|
||||||
#EMAIL_DOMAIN_ALLOWLIST = "vvn.space";
|
|
||||||
SMTP_AUTH_METHOD="none";
|
|
||||||
SMTP_OPENSSL_VERIFY_MODE="none";
|
|
||||||
MAX_TOOT_CHARS="42069";
|
|
||||||
AUTHORIZED_FETCH="true";
|
|
||||||
USER_ACTIVE_DAYS="14";
|
|
||||||
STATSD_ADDR=outer:9125;
|
|
||||||
MAX_REACTIONS="8";
|
|
||||||
SEARCH_SCOPE="public";
|
|
||||||
};
|
|
||||||
elasticsearch.host = "127.0.0.1";
|
|
||||||
#trustedProxy = "20.230.229.78"; # snoot.tube
|
|
||||||
trustedProxy = "192.168.42.11";
|
|
||||||
};
|
|
||||||
|
|
||||||
# enable pghero
|
|
||||||
services.postgresql.settings.shared_preload_libraries = "pg_stat_statements";
|
|
||||||
services.postgresql.settings."pg_stat_statements.track" = "all";
|
|
||||||
|
|
||||||
services.postgresqlBackup = {
|
|
||||||
enable = true;
|
|
||||||
databases = [ "mastodon" ];
|
|
||||||
startAt = "*-*-* 04:15:00";
|
|
||||||
location = "/var/backup/postgresql";
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true; # elasticsearch
|
|
||||||
services.elasticsearch = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.elasticsearch7;
|
|
||||||
extraConf = ''
|
|
||||||
ingest.geoip.downloader.enabled: false
|
|
||||||
xpack.security.enabled: false
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
services.oauth2_proxy_mastodon = {
|
|
||||||
enable = true;
|
|
||||||
provider = "mastodon";
|
|
||||||
keyFile = "/var/lib/secrets/oauth2_proxy_keys";
|
|
||||||
setXauthrequest = true;
|
|
||||||
mastodon = {
|
|
||||||
mastodon-url = "https://snoot.tube";
|
|
||||||
};
|
|
||||||
extraConfig = {
|
|
||||||
};
|
|
||||||
email.addresses = ''
|
|
||||||
viv
|
|
||||||
itsonlythee
|
|
||||||
lifning
|
|
||||||
Skirmisher
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
virtualHosts."snoot.tube" = {
|
|
||||||
locations."/oauth2/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:4180"; # can't use config.services.oauth2_proxy_mastodon.httpAddress fsr. probably because of weird container module stuff.;
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header X-Scheme $scheme;
|
|
||||||
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
locations."/oauth2/auth" = {
|
|
||||||
proxyPass = "http://127.0.0.1:4180"; # can't use config.services.oauth2_proxy_mastodon.httpAddress fsr. probably because of weird container module stuff.;
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header X-Scheme $scheme;
|
|
||||||
# nginx auth_request includes headers but not body
|
|
||||||
proxy_set_header Content-Length "";
|
|
||||||
proxy_pass_request_body off;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
# locations."/netdata/" = {
|
|
||||||
# proxyPass = "http://outer:19999/";
|
|
||||||
# extraConfig = ''
|
|
||||||
# auth_request /oauth2/auth;
|
|
||||||
# error_page 401 = /oauth2/sign_in;
|
|
||||||
#
|
|
||||||
# auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
||||||
# add_header Set-Cookie $auth_cookie;
|
|
||||||
# '';
|
|
||||||
# };
|
|
||||||
# locations."/netdata-ingress/" = {
|
|
||||||
# proxyPass = "http://outer:19998/";
|
|
||||||
# extraConfig = ''
|
|
||||||
# auth_request /oauth2/auth;
|
|
||||||
# error_page 401 = /oauth2/sign_in;
|
|
||||||
#
|
|
||||||
# auth_request_set $auth_cookie $upstream_http_set_cookie;
|
|
||||||
# add_header Set-Cookie $auth_cookie;
|
|
||||||
# '';
|
|
||||||
# };
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
# tootctl on path
|
|
||||||
environment.systemPackages = [ pkgs.mastodonFork ];
|
|
||||||
system.stateVersion = "22.05";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config.system.activationScripts.createMastodonContainerPaths = pkgs.lib.stringAfter [ "setupSecrets" "var" ] ''
|
|
||||||
mkdir -p /var/lib/mastodon-container/mastodon
|
|
||||||
mkdir -p /var/lib/mastodon-container/redis-mastodon
|
|
||||||
mkdir -p /var/lib/mastodon-container/postgresql
|
|
||||||
mkdir -p /var/lib/mastodon-container/elasticsearch
|
|
||||||
mkdir -p /var/lib/mastodon-container/acme
|
|
||||||
mkdir -p /var/lib/mastodon-container/certs
|
|
||||||
mkdir -p /var/lib/mastodon-container/backup
|
|
||||||
|
|
||||||
mkdir -p /var/lib/mastodon-container/secrets
|
|
||||||
cp "${config.sops.secrets.oauth2_proxy_keys.path}" /var/lib/mastodon-container/secrets/oauth2_proxy_keys
|
|
||||||
# this happens to be the uid for oauth2_proxy
|
|
||||||
chown 996 /var/lib/mastodon-container/secrets
|
|
||||||
chown 996 /var/lib/mastodon-container/secrets/*
|
|
||||||
'';
|
|
||||||
|
|
||||||
config.sops.secrets.oauth2_proxy_keys = { };
|
config.sops.secrets.oauth2_proxy_keys = { };
|
||||||
|
|
||||||
|
@ -252,14 +125,13 @@
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
||||||
config.sops.defaultSopsFile = ../secrets/backend.yaml;
|
config.sops.defaultSopsFile = ../secrets/backend.yaml;
|
||||||
config.sops.secrets.borg_backup_repo_passphrase = { };
|
config.sops.secrets.borg_backup_repo_passphrase = { };
|
||||||
config.sops.secrets.borgbase_ssh_private_key = { }; # it is extremely important for this to have a trailing newline, or connecting will fail
|
config.sops.secrets.borgbase_ssh_private_key =
|
||||||
|
{ }; # it is extremely important for this to have a trailing newline, or connecting will fail
|
||||||
config.services.borgbackup.jobs."borgbase" = {
|
config.services.borgbackup.jobs."borgbase" = {
|
||||||
paths = [ "/var/lib/mastodon-container" "/var/backup" ];
|
paths = [ "/var/lib/mastodon-container" "/var/backup" ];
|
||||||
exclude = [
|
exclude = [ ];
|
||||||
];
|
|
||||||
|
|
||||||
repo = "h5g87o5w@h5g87o5w.repo.borgbase.com:repo";
|
repo = "h5g87o5w@h5g87o5w.repo.borgbase.com:repo";
|
||||||
encryption = {
|
encryption = {
|
||||||
|
@ -377,8 +249,9 @@
|
||||||
mastodon: "sidekiq"
|
mastodon: "sidekiq"
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
ExecStart = "${pkgs.prometheus-statsd-exporter}/bin/statsd_exporter --web.listen-address=':9102' --statsd.listen-udp=':9125' --statsd.mapping-config=${mappingFile}";
|
ExecStart =
|
||||||
|
"${pkgs.prometheus-statsd-exporter}/bin/statsd_exporter --web.listen-address=':9102' --statsd.listen-udp=':9125' --statsd.mapping-config=${mappingFile}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
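Review bot: `SMTP_OPENSSL_VERIFY_MODE = "none"` together with `authenticate = false` and `port = 25` in `prodConfig` means account-confirmation and password-reset mail leaves the container for `192.168.1.7` with neither TLS verification nor SMTP auth, and the inline comment only explains the IP choice. Add a comment stating the trust assumption next to `host =`, e.g. `# plain SMTP to a relay on the trusted LAN: no TLS verification, no auth — do not point this at a remote host without enabling both`. `oauth2ProxyKeys = config.sops.secrets.oauth2_proxy_keys.path` hands the factory a host-side sops path that the module copies into the bind-mounted secrets directory at activation, so the `config.sops.secrets.oauth2_proxy_keys = { };` declaration further down must stay in this file or the factory receives an undefined path; a one-line comment on the `oauth2ProxyKeys` line noting that coupling would help the next person who moves things around.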
@ -0,0 +1,189 @@
|
||||||
|
{ ... }:
|
||||||
|
{ containerName, hostAddress, domain, localAddress, useElasticsearch
|
||||||
|
, mastodonPackage, forwardPorts, imports, disabledModules, acme, smtp
|
||||||
|
, mastodonExtraConfig, oauth2ProxyUsers, oauth2ProxyKeys }: {
|
||||||
|
|
||||||
|
containerConfig = {
|
||||||
|
#ephemeral = true;
|
||||||
|
autoStart = true;
|
||||||
|
privateNetwork = true;
|
||||||
|
inherit hostAddress;
|
||||||
|
inherit localAddress;
|
||||||
|
inherit forwardPorts;
|
||||||
|
bindMounts = {
|
||||||
|
"/var/lib/mastodon" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/mastodon";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
"/var/lib/redis-mastodon" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/redis-mastodon";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
"/var/lib/postgresql" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/postgresql";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
"/var/lib/elasticsearch" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/elasticsearch";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
"/var/lib/acme" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/acme";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
"/var/lib/certs" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/certs";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
"/var/lib/secrets" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/secrets";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
|
"/var/backup" = {
|
||||||
|
hostPath = "/var/lib/${containerName}-container/backup";
|
||||||
|
isReadOnly = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
config = { pkgs, ... }: {
|
||||||
|
inherit imports;
|
||||||
|
inherit disabledModules;
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
firewall.enable = true;
|
||||||
|
firewall.allowedTCPPorts = [ 443 80 ];
|
||||||
|
proxy.default = "http://outer:3128";
|
||||||
|
proxy.noProxy = "127.0.0.1,localhost,outer,${hostAddress}";
|
||||||
|
extraHosts = ''
|
||||||
|
${hostAddress} outer
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
security = { inherit acme; };
|
||||||
|
|
||||||
|
services.redis.servers.mastodon = {
|
||||||
|
enable = true;
|
||||||
|
bind = "127.0.0.1";
|
||||||
|
port = 31637;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.mastodon = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
package = mastodonPackage;
|
||||||
|
configureNginx = true;
|
||||||
|
localDomain = domain;
|
||||||
|
enableUnixSocket = true;
|
||||||
|
redis = {
|
||||||
|
createLocally = true;
|
||||||
|
host = "127.0.0.1";
|
||||||
|
port = 31637;
|
||||||
|
};
|
||||||
|
database = {
|
||||||
|
createLocally = true;
|
||||||
|
host = "/run/postgresql";
|
||||||
|
port = 5432;
|
||||||
|
};
|
||||||
|
inherit smtp;
|
||||||
|
extraConfig = mastodonExtraConfig;
|
||||||
|
elasticsearch.host = "127.0.0.1";
|
||||||
|
trustedProxy = hostAddress;
|
||||||
|
};
|
||||||
|
|
||||||
|
# enable pghero
|
||||||
|
services.postgresql.settings.shared_preload_libraries =
|
||||||
|
"pg_stat_statements";
|
||||||
|
services.postgresql.settings."pg_stat_statements.track" = "all";
|
||||||
|
|
||||||
|
services.postgresqlBackup = {
|
||||||
|
enable = true;
|
||||||
|
databases = [ "mastodon" ];
|
||||||
|
startAt = "*-*-* 04:15:00";
|
||||||
|
location = "/var/backup/postgresql";
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = useElasticsearch; # elasticsearch
|
||||||
|
services.elasticsearch = {
|
||||||
|
enable = useElasticsearch;
|
||||||
|
package = pkgs.elasticsearch7;
|
||||||
|
extraConf = ''
|
||||||
|
ingest.geoip.downloader.enabled: false
|
||||||
|
xpack.security.enabled: false
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.oauth2_proxy_mastodon = {
|
||||||
|
enable = true;
|
||||||
|
provider = "mastodon";
|
||||||
|
keyFile = "/var/lib/secrets/oauth2_proxy_keys";
|
||||||
|
setXauthrequest = true;
|
||||||
|
mastodon = { mastodon-url = "https://${domain}"; };
|
||||||
|
extraConfig = { };
|
||||||
|
email.addresses = oauth2ProxyUsers;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
locations."/oauth2/" = {
|
||||||
|
proxyPass =
|
||||||
|
"http://127.0.0.1:4180"; # can't use config.services.oauth2_proxy_mastodon.httpAddress fsr. probably because of weird container module stuff.;
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Scheme $scheme;
|
||||||
|
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
locations."/oauth2/auth" = {
|
||||||
|
proxyPass =
|
||||||
|
"http://127.0.0.1:4180"; # can't use config.services.oauth2_proxy_mastodon.httpAddress fsr. probably because of weird container module stuff.;
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Scheme $scheme;
|
||||||
|
# nginx auth_request includes headers but not body
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
# locations."/netdata/" = {
|
||||||
|
# proxyPass = "http://outer:19999/";
|
||||||
|
# extraConfig = ''
|
||||||
|
# auth_request /oauth2/auth;
|
||||||
|
# error_page 401 = /oauth2/sign_in;
|
||||||
|
#
|
||||||
|
# auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
# add_header Set-Cookie $auth_cookie;
|
||||||
|
# '';
|
||||||
|
# };
|
||||||
|
# locations."/netdata-ingress/" = {
|
||||||
|
# proxyPass = "http://outer:19998/";
|
||||||
|
# extraConfig = ''
|
||||||
|
# auth_request /oauth2/auth;
|
||||||
|
# error_page 401 = /oauth2/sign_in;
|
||||||
|
#
|
||||||
|
# auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
# add_header Set-Cookie $auth_cookie;
|
||||||
|
# '';
|
||||||
|
# };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# tootctl on path
|
||||||
|
environment.systemPackages = [ pkgs.mastodonFork ];
|
||||||
|
system.stateVersion = "22.05";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
activationScript = ''
|
||||||
|
mkdir -p /var/lib/${containerName}-container/mastodon
|
||||||
|
mkdir -p /var/lib/${containerName}-container/redis-mastodon
|
||||||
|
mkdir -p /var/lib/${containerName}-container/postgresql
|
||||||
|
mkdir -p /var/lib/${containerName}-container/elasticsearch
|
||||||
|
mkdir -p /var/lib/${containerName}-container/acme
|
||||||
|
mkdir -p /var/lib/${containerName}-container/certs
|
||||||
|
mkdir -p /var/lib/${containerName}-container/backup
|
||||||
|
|
||||||
|
mkdir -p /var/lib/${containerName}-container/secrets
|
||||||
|
cp "${oauth2ProxyKeys}" /var/lib/${containerName}-container/secrets/oauth2_proxy_keys
|
||||||
|
# this happens to be the uid for oauth2_proxy
|
||||||
|
chown 996 /var/lib/${containerName}-container/secrets
|
||||||
|
chown 996 /var/lib/${containerName}-container/secrets/*
|
||||||
|
'';
|
||||||
|
|
||||||
|
}
|
||||||
|
|
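Review bot: `environment.systemPackages = [ pkgs.mastodonFork ]` near the end of the new module still hard-codes the fork while `services.mastodon.package = mastodonPackage` is parameterized, so `tootctl` on PATH can be a different build than the running server; change it to `environment.systemPackages = [ mastodonPackage ];`. In `activationScript` the oauth2_proxy key is copied with `cp` and then `chown 996` without an explicit mode — if the target already exists `cp` keeps the target's existing permissions, and the uid is a comment-documented guess — so prefer `install -m 0400 -o 996 "${oauth2ProxyKeys}" /var/lib/${containerName}-container/secrets/oauth2_proxy_keys` plus `chmod 0700 /var/lib/${containerName}-container/secrets`. The `${containerName}` interpolations are unquoted in the shell script, so a name containing whitespace or glob characters would break it; either quote the paths or document on the parameter that `containerName` must be a plain identifier.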