mastodon deployment

.gitattributes

@@ -0,0 +1 @@
+secrets/** filter=git-crypt diff=git-crypt

configuration.nix

@@ -2,12 +2,17 @@
   imports = [
     ./hardware-configuration.nix
     ./networking.nix # generated at runtime by nixos-infect
+    ./mastodon.nix
   ];
 
   boot.cleanTmpDir = true;
+
   zramSwap.enable = true;
-  networking.hostName = "tootcat";
+
+  networking.hostName = "toot2022";
+
   services.openssh.enable = true;
+
   users.users.root.openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbl5lj73KF0vqvpFoZrGf4RR2oYu9I9D8iNU+pgMpcQ woozle@SamEagle" 
     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCXSuH5z15JOGJs/XdTUutYHYE7XYOebhowdHFKddx1lY+3DI8QImaMuJd6rZu6aV1HMTkTDqM5a7CEJNhc52kWwsU64jlZFdAqlCaks12JanUEYf6sdYxKQIJE9Q7W6oOpGSSEb4eysd99lK5DlI4zG4mbm1j045lq9Npwu8ZVlF77HVMHeGMEQoGBoNt4eK2V3Y8RZ/+nLCbqUbOIGpeM7m87UyObXC9Bv2mrjvAOZAFsxVHS9X0AXCSJG7Gk4ie/gCM0Fi4kqJwI44X0SxKYoIMkyXMOx6w8yNeEFJ5fYP5PIsFRjcIEMkjt8vZZ7eBTpSi02RhnuQhwkRCP+cL7 woozle@gonzo" 
@@ -16,5 +21,8 @@
     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDl8q6PxrPYMaWPgT/vRqrP7dKVOgMXaQ/ABXk2tXykhpx8Vir19Q+baxeFI/Kg0G6mJvk6e2Fb9d9DNUWzwhaxBfU0IKeW63hgnz0L+jP+2jWcf0VoZa0YR55M7743O+h7GxBSbJ7glyVOb9/v1RAc/Ub//0PlS0NAqXezzpZBuwEbJBIon5XiDHE4TWEZ3En3hD7F0I0HX29AV9m456WbWrJIefbZyvvlX9tOSVVf8yi0Rvjm2+cPR2bWgEuKIsYVez3i1AzeNeiw/1zo3DLcASzIGCEp4ayf+cz9WgUmn3vTui63kAbSNferKT6K665hGa4Bgwf3i/DeM1XHx7EB woozle@HogThrob" 
     "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC77xf1sHhelcBYqgB7Hlh9v1yfdN91VoPrHa3QubT8gGVaJ5VSZA/njbkv4RaC/DuQHcXqck1IR8a0S+fb3OBDVH65417tML8aD0mrfnqzdfEWTI1yEzUxanBkCNKg2ltwEN3yoeFaHyvl10OGOKRJq0nfCraSfiSX+gCUIaboteVE4Br7ADRiAckWm9qIzJqNIsxgvSnlkXMjtD0hWnAHNjbLLyBWDl/nXQwoVGCtQm/BkMeahoiixWNrqCrLMXKoiLlGoHwAF8gR+/qWtpCwzvdjbZQrFTX+MXL7gNxCTS8o7KAErqQPMr6ea/DmhsP+PJ4MWQWi8RVDhXZI9zZn woozle@ForgetfulJones" 
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfEjFxICM8XxLy46DBGKFpb8qGelsGpNWBV8e0R0CpD ash@boson" 
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNGuXUltszKyBYVWH+sTsqk7erhV4oXO8cjPiVoNpDp ash@fucko" 
   ];
+  
+  system.stateVersion = "22.05";
 }

flake.lock

@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1653345208,
+        "narHash": "sha256-G/nZ3lg/y1PNg3OGTLU/cQXfVUoi6zkwiLtAK5BIFeI=",
+        "owner": "ashkitten",
+        "repo": "nixpkgs",
+        "rev": "faf2721604490531a48d29a44fd08cf96ad58bc8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ashkitten",
+        "ref": "tootcat",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -1,6 +1,7 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    # nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:ashkitten/nixpkgs/tootcat";
   };
 
   outputs = { nixpkgs, ... }: {
@@ -12,12 +13,16 @@
       };
 
       tootcat = { name, nodes, pkgs, ... }: {
-        deployment.targetHost = "toot2022.vbz.ovh";
+        deployment.targetHost = "toot.cat";
         
         imports = [
           ./configuration.nix
         ];
       };
     };
+    
+    devShells."x86_64-linux".default = import ./shell.nix {
+      pkgs = nixpkgs.legacyPackages."x86_64-linux";
+    };
   };
 }

mastodon.nix

@@ -0,0 +1,71 @@
+{ pkgs, lib, ... }:
+
+let
+  mastodon = pkgs.mastodon.override {
+    version = import ./mastodon/version.nix;
+    srcOverride = pkgs.callPackage ./mastodon/source.nix {};
+    dependenciesDir = ./mastodon;
+    yarnSha256 = "sha256-tcr/k5Hrg+VY0SVsOyqAXdgyuiJhto3Wy7XICaoQ29E=";
+  };
+in
+  {
+    services = {
+      mastodon = {
+        enable = true;
+        package = mastodon;
+        configureNginx = true;
+        localDomain = "toot.cat";
+
+        smtp.fromAddress = "server2022@toot.cat";
+
+        extraConfig = {
+          S3_ENABLED = "true";
+          S3_BUCKET = "tootcat";
+          AWS_ACCESS_KEY_ID = "tootcat";
+          S3_REGION = "jort";
+          S3_PROTOCOL = "https";
+          S3_HOSTNAME = "pool-api.jortage.com";
+          S3_ENDPOINT = "https://pool-api.jortage.com";
+          S3_SIGNATURE_VERSION = "v4";
+          S3_ALIAS_HOST = "pool.jortage.com/tootcat";
+          EXTRA_DATA_HOSTS = "https://blob.jortage.com";
+
+          MAX_TOOT_CHARS = "1000000";
+        };
+
+        extraSecrets = {
+          AWS_SECRET_ACCESS_KEY = "/var/lib/mastodon/secrets/aws-secret-access-key";
+        };
+      };
+    
+      postgresqlBackup = {
+        enable = true;
+        databases = [ "mastodon" ];
+      };
+    };
+
+    deployment.keys = let
+      mastodonSecret = name: {
+        inherit name;
+        value = {
+          keyFile = ./secrets/mastodon/${name};
+          destDir = "/var/lib/mastodon/secrets";
+          user = "mastodon";
+          group = "mastodon";
+        };
+      };
+    in builtins.listToAttrs (builtins.map mastodonSecret [
+      "otp-secret"
+      "secret-key-base"
+      "vapid-private-key"
+      "vapid-public-key"
+      "aws-secret-access-key"
+    ]);
+    
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "tc.certbot.2022@wooz.dev";
+    };
+  }

mastodon/source.nix

@@ -0,0 +1,11 @@
+# This file was generated by pkgs.mastodon.updateScript.
+{ fetchgit, applyPatches }: let
+  src = fetchgit {
+    url = "https://github.com/glitch-soc/mastodon.git";
+    rev = "06de3a17f89e0a781389354aea6a9e3f72316b7d";
+    sha256 = "1p5fxswjwdycqwr6njzqn4klswsypq7vlknb146hfnbg1n9dn01h";
+  };
+in applyPatches {
+  inherit src;
+  patches = [];
+}

mastodon/version.nix

@@ -0,0 +1 @@
+"3.5.2"

shell.nix

@@ -0,0 +1,10 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+with pkgs; mkShell {
+  name = "tootcat-shell";
+  buildInputs = [
+    colmena
+    git-crypt
+    mastodon.updateScript
+  ];
+}