snoottube-ops/modules/mastodon_container.nix


{ ... }:
{ containerName, hostAddress, domain, localAddress, useElasticsearch
, mastodonPackage, forwardPorts, imports, disabledModules, acme, smtp
, mastodonExtraConfig, oauth2ProxyUsers, oauth2ProxyKeys }: {
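containerConfig = {
  # One Mastodon instance in a NixOS container. Every piece of persistent
  # state lives on the host under /var/lib/<containerName>-container/ and is
  # bind-mounted in, so the container itself carries nothing that is not
  # reproducible from this module.
  #ephemeral = true;
  autoStart = true;
  privateNetwork = true;
  inherit hostAddress;
  inherit localAddress;
  inherit forwardPorts;
  bindMounts = {
    "/var/lib/mastodon" = {
      hostPath = "/var/lib/${containerName}-container/mastodon";
      isReadOnly = false;
    };
    "/var/lib/redis-mastodon" = {
      hostPath = "/var/lib/${containerName}-container/redis-mastodon";
      isReadOnly = false;
    };
    "/var/lib/postgresql" = {
      hostPath = "/var/lib/${containerName}-container/postgresql";
      isReadOnly = false;
    };
    "/var/lib/elasticsearch" = {
      hostPath = "/var/lib/${containerName}-container/elasticsearch";
      isReadOnly = false;
    };
    "/var/lib/acme" = {
      hostPath = "/var/lib/${containerName}-container/acme";
      isReadOnly = false;
    };
    "/var/lib/certs" = {
      hostPath = "/var/lib/${containerName}-container/certs";
      isReadOnly = false;
    };
    # The only read-only mount: the container can read the oauth2_proxy key
    # file (written by activationScript on the host) but cannot replace it.
    "/var/lib/secrets" = {
      hostPath = "/var/lib/${containerName}-container/secrets";
      isReadOnly = true;
    };
    # Destination of the nightly postgres dumps below. Those dumps contain
    # every user's data; the host-side directory is created with the default
    # mode by activationScript, so check the resulting file modes on the host.
    "/var/backup" = {
      hostPath = "/var/lib/${containerName}-container/backup";
      isReadOnly = false;
    };
  };
  config = { pkgs, ... }: {
    inherit imports;
    inherit disabledModules;
    networking = {
      # Only HTTP/HTTPS are reachable from outside the container. Redis,
      # postgres, elasticsearch and oauth2_proxy stay on loopback or sockets.
      firewall.enable = true;
      firewall.allowedTCPPorts = [ 443 80 ];
      # All outbound traffic leaves through a proxy on the host ("outer").
      proxy.default = "http://outer:3128";
      proxy.noProxy = "127.0.0.1,localhost,outer,${hostAddress}";
      extraHosts = ''
        ${hostAddress} outer
      '';
    };
    security = { inherit acme; };
    # Loopback-only and unauthenticated: any process inside the container can
    # talk to this redis. That is the trust boundary for everything below.
    services.redis.servers.mastodon = {
      enable = true;
      bind = "127.0.0.1";
      port = 31637;
    };
    services.mastodon = {
      enable = true;
      package = mastodonPackage;
      configureNginx = true;
      localDomain = domain;
      enableUnixSocket = true;
      redis = {
        createLocally = true;
        host = "127.0.0.1";
        port = 31637;
      };
      database = {
        createLocally = true;
        host = "/run/postgresql";
        port = 5432;
      };
      inherit smtp;
      extraConfig = mastodonExtraConfig;
      # Only advertise a search backend when Elasticsearch is actually enabled
      # below. The NixOS module treats a null host as "no Elasticsearch"; a
      # fixed "127.0.0.1" would leave Mastodon configured for ES with nothing
      # listening whenever useElasticsearch is false.
      elasticsearch.host = if useElasticsearch then "127.0.0.1" else null;
      # Only the host (the outer reverse proxy) may set X-Forwarded-* headers;
      # anything else claiming a client address is ignored.
      trustedProxy = hostAddress;
    };
    # enable pghero
    services.postgresql.settings.shared_preload_libraries =
      "pg_stat_statements";
    services.postgresql.settings."pg_stat_statements.track" = "all";
    services.postgresqlBackup = {
      enable = true;
      databases = [ "mastodon" ];
      startAt = "*-*-* 04:15:00";
      location = "/var/backup/postgresql";
    };
    nixpkgs.config.allowUnfree = useElasticsearch; # elasticsearch
    services.elasticsearch = {
      enable = useElasticsearch;
      package = pkgs.elasticsearch7;
      # The security plugin is off: no authentication and no TLS on the ES
      # port. This relies on ES binding to loopback (the NixOS default
      # listenAddress) plus the container firewall above; every process in
      # the container has full read/write access to the index.
      # NOTE(review): confirm nothing pulled in via `imports` widens
      # services.elasticsearch.listenAddress.
      extraConf = ''
        ingest.geoip.downloader.enabled: false
        xpack.security.enabled: false
      '';
    };
    # oauth2_proxy authenticates against this Mastodon instance and is used as
    # an nginx auth_request backend for extra endpoints (see the commented
    # netdata locations). Only the listed e-mail addresses are let through.
    services.oauth2_proxy_mastodon = {
      enable = true;
      provider = "mastodon";
      keyFile = "/var/lib/secrets/oauth2_proxy_keys";
      setXauthrequest = true;
      mastodon = { mastodon-url = "https://${domain}"; };
      extraConfig = { };
      email.addresses = oauth2ProxyUsers;
    };
    services.nginx = {
      virtualHosts."${domain}" = {
        # oauth2_proxy front-end (sign-in, callback, sign-out). The proxy's
        # own httpAddress can't be referenced through config.* from inside
        # the container module, so its default 127.0.0.1:4180 is hard-coded.
        locations."/oauth2/" = {
          proxyPass = "http://127.0.0.1:4180";
          extraConfig = ''
            proxy_set_header X-Scheme $scheme;
            # Where oauth2_proxy sends the browser after login. $host is taken
            # from the request's Host header; nginx only routes matching hosts
            # to this vhost unless it is also the default server.
            # NOTE(review): $server_name would be the stricter choice here.
            proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
          '';
        };
        # auth_request target: answers 2xx/401 for a request's cookies only.
        locations."/oauth2/auth" = {
          proxyPass = "http://127.0.0.1:4180";
          extraConfig = ''
            proxy_set_header X-Scheme $scheme;
            # nginx auth_request includes headers but not body
            proxy_set_header Content-Length "";
            proxy_pass_request_body off;
          '';
        };
        # Example of gating a host service behind oauth2_proxy; currently off.
        # locations."/netdata/" = {
        #   proxyPass = "http://outer:19999/";
        #   extraConfig = ''
        #     auth_request /oauth2/auth;
        #     error_page 401 = /oauth2/sign_in;
        #
        #     auth_request_set $auth_cookie $upstream_http_set_cookie;
        #     add_header Set-Cookie $auth_cookie;
        #   '';
        # };
        # locations."/netdata-ingress/" = {
        #   proxyPass = "http://outer:19998/";
        #   extraConfig = ''
        #     auth_request /oauth2/auth;
        #     error_page 401 = /oauth2/sign_in;
        #
        #     auth_request_set $auth_cookie $upstream_http_set_cookie;
        #     add_header Set-Cookie $auth_cookie;
        #   '';
        # };
      };
    };
    # tootctl on path
    # NOTE(review): this puts pkgs.mastodonFork on PATH while the service runs
    # mastodonPackage; if the two ever differ, tootctl will not match the
    # running instance. Using mastodonPackage here would keep them in sync.
    environment.systemPackages = [ pkgs.mastodonFork ];
    system.stateVersion = "22.05";
  };
};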
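activationScript = ''
  # Runs on the host at activation time. Creates the per-container state
  # directories that bindMounts maps into the container. mkdir -p is
  # idempotent; the services inside the container own what goes in them.
  mkdir -p /var/lib/${containerName}-container/mastodon
  mkdir -p /var/lib/${containerName}-container/redis-mastodon
  mkdir -p /var/lib/${containerName}-container/postgresql
  mkdir -p /var/lib/${containerName}-container/elasticsearch
  mkdir -p /var/lib/${containerName}-container/acme
  mkdir -p /var/lib/${containerName}-container/certs
  mkdir -p /var/lib/${containerName}-container/backup
  # oauth2_proxy key material; the container mounts this directory read-only.
  # NOTE(review): if oauth2ProxyKeys is handed in as a Nix *path* (./file),
  # this interpolation first copies the file into the world-readable
  # /nix/store. Pass an absolute path *string* to a file outside the store.
  mkdir -p /var/lib/${containerName}-container/secrets
  cp "${oauth2ProxyKeys}" /var/lib/${containerName}-container/secrets/oauth2_proxy_keys
  # cp creates the copy with the source's mode masked by the umask, which is
  # typically still world-readable, and the directory came out of mkdir with
  # the default mode. Tighten both so no other host user can read the key.
  chmod 0700 /var/lib/${containerName}-container/secrets
  chmod 0600 /var/lib/${containerName}-container/secrets/oauth2_proxy_keys
  # 996 happens to be the uid oauth2_proxy gets inside the container; no uid
  # remapping is configured for the container, so the host-side owner must
  # match it for the read-only mount to be readable by the service.
  chown 996 /var/lib/${containerName}-container/secrets
  chown 996 /var/lib/${containerName}-container/secrets/*
'';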
}