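# Builds a NixOS container definition for one Mastodon instance, together with the
# host-side activation script that prepares the bind-mounted state directories.
#
# Arguments (second attrset):
#   containerName       - names the host state directory /var/lib/<containerName>-container
#   hostAddress         - host side of the container link; also Mastodon's trustedProxy
#   domain              - Mastodon localDomain and the nginx virtual host
#   localAddress        - container side of the link
#   useElasticsearch    - enables services.elasticsearch (and allowUnfree for its package)
#   mastodonPackage     - package run by services.mastodon
#   forwardPorts        - container port forwards, passed through unchanged
#   imports, disabledModules - passed through to the container's NixOS config
#   acme                - security.acme settings inside the container
#   smtp                - services.mastodon.smtp settings
#   mastodonExtraConfig - services.mastodon.extraConfig
#   oauth2ProxyUsers    - e-mail addresses admitted by oauth2_proxy
#   oauth2ProxyKeys     - file copied into the secrets directory as oauth2_proxy_keys
#
# Returns { containerConfig, activationScript }.
{ ... }:
{ containerName
, hostAddress
, domain
, localAddress
, useElasticsearch
, mastodonPackage
, forwardPorts
, imports
, disabledModules
, acme
, smtp
, mastodonExtraConfig
, oauth2ProxyUsers
, oauth2ProxyKeys
}:
let
  # Every piece of container state lives under one host directory.
  stateDir = "/var/lib/${containerName}-container";

  # Bind mount of <stateDir>/<name>; readOnly selects isReadOnly.
  stateMount = name: readOnly: {
    hostPath = "${stateDir}/${name}";
    isReadOnly = readOnly;
  };

  # Bound address of the oauth2_proxy instance. Hard-coded rather than read from
  # config.services.oauth2_proxy_mastodon.httpAddress, which did not resolve
  # here - presumably because of the container module's config plumbing.
  oauth2ProxyUpstream = "http://127.0.0.1:4180";
in
{
  containerConfig = {
    #ephemeral = true;
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress forwardPorts;

    bindMounts = {
      "/var/lib/mastodon" = stateMount "mastodon" false;
      "/var/lib/redis-mastodon" = stateMount "redis-mastodon" false;
      "/var/lib/postgresql" = stateMount "postgresql" false;
      "/var/lib/elasticsearch" = stateMount "elasticsearch" false;
      "/var/lib/acme" = stateMount "acme" false;
      "/var/lib/certs" = stateMount "certs" false;
      # Prepared on the host by activationScript; the container only reads it.
      "/var/lib/secrets" = stateMount "secrets" true;
      "/var/backup" = stateMount "backup" false;
    };

    config = { pkgs, ... }: {
      inherit imports disabledModules;

      networking = {
        firewall.enable = true;
        firewall.allowedTCPPorts = [ 443 80 ];
        # Outbound traffic leaves through a proxy on the host ("outer").
        proxy.default = "http://outer:3128";
        proxy.noProxy = "127.0.0.1,localhost,outer,${hostAddress}";
        extraHosts = ''
          ${hostAddress} outer
        '';
      };

      security = { inherit acme; };

      services.redis.servers.mastodon = {
        enable = true;
        bind = "127.0.0.1";
        port = 31637;
      };

      services.mastodon = {
        enable = true;
        package = mastodonPackage;
        configureNginx = true;
        localDomain = domain;
        enableUnixSocket = true;
        redis = {
          createLocally = true;
          host = "127.0.0.1";
          port = 31637;
        };
        database = {
          createLocally = true;
          host = "/run/postgresql";
          port = 5432;
        };
        inherit smtp;
        extraConfig = mastodonExtraConfig;
        elasticsearch.host = "127.0.0.1";
        # Only the host-side reverse proxy is trusted for client-address headers.
        trustedProxy = hostAddress;
      };

      # enable pghero
      services.postgresql.settings.shared_preload_libraries = "pg_stat_statements";
      services.postgresql.settings."pg_stat_statements.track" = "all";

      services.postgresqlBackup = {
        enable = true;
        databases = [ "mastodon" ];
        startAt = "*-*-* 04:15:00";
        location = "/var/backup/postgresql";
      };

      nixpkgs.config.allowUnfree = useElasticsearch;

      # elasticsearch
      services.elasticsearch = {
        enable = useElasticsearch;
        package = pkgs.elasticsearch7;
        # xpack security is disabled, so this node relies on being reachable only
        # from inside the container on loopback.
        # NOTE(review): the listen address is not pinned here - confirm the
        # module default keeps it on 127.0.0.1.
        extraConf = ''
          ingest.geoip.downloader.enabled: false
          xpack.security.enabled: false
        '';
      };

      services.oauth2_proxy_mastodon = {
        enable = true;
        provider = "mastodon";
        keyFile = "/var/lib/secrets/oauth2_proxy_keys";
        setXauthrequest = true;
        mastodon = {
          mastodon-url = "https://${domain}";
        };
        extraConfig = { };
        email.addresses = oauth2ProxyUsers;
      };

      services.nginx = {
        virtualHosts."${domain}" = {
          locations."/oauth2/" = {
            proxyPass = oauth2ProxyUpstream;
            extraConfig = ''
              proxy_set_header X-Scheme $scheme;
              proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
            '';
          };
          locations."/oauth2/auth" = {
            proxyPass = oauth2ProxyUpstream;
            extraConfig = ''
              proxy_set_header X-Scheme $scheme;
              # nginx auth_request includes headers but not body
              proxy_set_header Content-Length "";
              proxy_pass_request_body off;
            '';
          };
          # locations."/netdata/" = {
          #   proxyPass = "http://outer:19999/";
          #   extraConfig = ''
          #     auth_request /oauth2/auth;
          #     error_page 401 = /oauth2/sign_in;
          #
          #     auth_request_set $auth_cookie $upstream_http_set_cookie;
          #     add_header Set-Cookie $auth_cookie;
          #   '';
          # };
          # locations."/netdata-ingress/" = {
          #   proxyPass = "http://outer:19998/";
          #   extraConfig = ''
          #     auth_request /oauth2/auth;
          #     error_page 401 = /oauth2/sign_in;
          #
          #     auth_request_set $auth_cookie $upstream_http_set_cookie;
          #     add_header Set-Cookie $auth_cookie;
          #   '';
          # };
        };
      };

      # tootctl on path
      # NOTE(review): this is pkgs.mastodonFork while the service runs
      # mastodonPackage - confirm both resolve to the same build, otherwise
      # tootctl may not match the running instance.
      environment.systemPackages = [ pkgs.mastodonFork ];

      system.stateVersion = "22.05";
    };
  };

  # Runs on the host: creates the bind-mount sources and installs the
  # oauth2_proxy key file with owner-only permissions.
  activationScript = ''
    mkdir -p ${stateDir}/mastodon
    mkdir -p ${stateDir}/redis-mastodon
    mkdir -p ${stateDir}/postgresql
    mkdir -p ${stateDir}/elasticsearch
    mkdir -p ${stateDir}/acme
    mkdir -p ${stateDir}/certs
    mkdir -p ${stateDir}/backup
    mkdir -p ${stateDir}/secrets
    # NOTE(review): if oauth2ProxyKeys is a Nix path value, interpolating it
    # here copies the file into the world-readable store; pass it as a string
    # pointing at an out-of-store location to avoid that.
    cp "${oauth2ProxyKeys}" ${stateDir}/secrets/oauth2_proxy_keys
    # cp creates the copy with the umask default (commonly 0644), which would
    # leave the keys readable by every host user; restrict to the owner.
    chmod 0700 ${stateDir}/secrets
    chmod 0600 ${stateDir}/secrets/*
    # this happens to be the uid for oauth2_proxy
    # NOTE(review): assumes host and container share the uid space and that the
    # container's oauth2_proxy user keeps uid 996 - confirm after user changes.
    chown 996 ${stateDir}/secrets
    chown 996 ${stateDir}/secrets/*
  '';
}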