diff --git a/modules/nixos/guests/mastodon/default.nix b/modules/nixos/guests/mastodon/default.nix index d9229b7..5158ac3 100755 --- a/modules/nixos/guests/mastodon/default.nix +++ b/modules/nixos/guests/mastodon/default.nix @@ -14,48 +14,18 @@ let host = serviceCfg.domains.url0; dns0 = instances.web.dns.provider0; dns0Path = "dns/${dns0}"; - - fedifetcherConfig = pkgs.writeText "fedifetcher-config.json" ( - builtins.toJSON { - server = host; - home-timeline-length = 200; - max-followings = 80; - from-notifications = 1; - max-bookmarks = 80; - max-favourites = 40; - backfill-with-context = 1; - backfill-mentioned-users = 1; - remember-users-for-hours = 168; - remember-hosts-for-days = 30; - http-timeout = 5; - lock-hours = 24; - log-level = "INFO"; - } - ); - - fedifetcherPython = pkgs.python3.withPackages ( - ps: with ps; [ - requests - pytz - beautifulsoup4 - ] - ); - - fedifetcherSrc = pkgs.fetchFromGitHub { - owner = "nanos"; - repo = "FediFetcher"; - rev = "main"; - sha256 = "sha256-J7psV/mA7okuuO7/aXVVWS9p63eMncG2CEEGN38ip0="; - }; in { # If you need to start fresh for some reason, run these to create the new Admin account: # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner # sudo -u mastodon mastodon-tootctl accounts approve nick + # If you fuck up and lose the password, use this: # sudo mastodon-tootctl accounts modify --reset-password nick + # If you really fuck up and name yourself wrong, use this shit # sudo mastodon-tootctl accounts modify username --remove-role + # nixpkgs.overlays = [ # ( # final: prev: { @@ -69,6 +39,7 @@ in # } # ) # ]; + microvm.vms = { ${serviceCfg.name} = { autostart = true; 
@@ -161,12 +132,14 @@ in root /var/lib/mastodon/public-system } } + handle /api/v1/streaming/* { reverse_proxy unix//run/mastodon-streaming/streaming.socket { header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto} header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host} } } + route * { file_server * { root ${pkgs.mastodon}/public @@ -177,15 +150,19 @@ in header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host} } } + handle_errors { root * ${pkgs.mastodon}/public rewrite 500.html file_server } + encode gzip + header /* { Strict-Transport-Security "max-age=31536000;" } + header /emoji/* Cache-Control "public, max-age=31536000, immutable" header /packs/* Cache-Control "public, max-age=31536000, immutable" header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable" @@ -194,9 +171,11 @@ in }; }; }; + postgresql = { enable = true; }; + openssh = { enable = true; settings = { @@ -205,12 +184,14 @@ in }; }; }; + users.users.${serviceCfg.name}.extraGroups = [ "postgres" ]; users.users.caddy.extraGroups = [ serviceCfg.name ]; + networking.firewall.allowedTCPPorts = [ 22 # SSH 80 # Caddy @@ -220,6 +201,7 @@ in 2525 # SMTP 5432 # Postgres ]; + systemd = { services = { mastodon-init-dirs = { 
@@ -252,57 +234,23 @@ in description = "Copy secrets from virtiofs to local filesystem"; before = [ "mastodon-init-dirs.service" ]; requiredBy = [ "mastodon-init-dirs.service" ]; + serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; + script = '' mkdir -p /etc/mastodon-secrets cp /run/secrets/pass /etc/mastodon-secrets/pass cp /run/secrets/database /etc/mastodon-secrets/database cp /run/secrets/redis /etc/mastodon-secrets/redis cp /run/secrets/smtp /etc/mastodon-secrets/smtp - cp /run/secrets/fedifetcher-token /etc/mastodon-secrets/fedifetcher-token chmod 755 /etc/mastodon-secrets chmod 644 /etc/mastodon-secrets/* ''; }; - - fedifetcher = { - description = "FediFetcher Service"; - after = [ - "network.target" - "mastodon-web.service" - ]; - serviceConfig = { - Type = "oneshot"; - User = serviceCfg.name; - WorkingDirectory = "/var/lib/fedifetcher"; - ExecStart = - let - script = pkgs.writeShellScript "fedifetcher-run" '' - set -e - export ACCESS_TOKEN=$(cat /etc/mastodon-secrets/fedifetcher-token) - ${fedifetcherPython}/bin/python ${fedifetcherSrc}/find_posts.py \ - -c=${fedifetcherConfig} \ - --access-token="$ACCESS_TOKEN" - ''; - in - "${script}"; - }; - }; }; - - timers.fedifetcher = { - description = "FediFetcher Timer"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*:0/15"; # Run every 15 minutes - Persistent = true; - Unit = "fedifetcher.service"; - }; - }; - network = { enable = true; networks."20-lan" = { @@ -320,7 +268,6 @@ in ]; }; }; - services = { mastodon-init-db = { serviceConfig = { @@ -329,7 +276,6 @@ in }; systemd-tmpfiles-setup.after = [ "var-lib-mastodon.mount" ]; }; - tmpfiles.rules = [ "d /var/lib/mastodon 0755 mastodon mastodon -" "Z /var/lib/mastodon 0755 mastodon mastodon -" 
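Review bot: `chmod 644 /etc/mastodon-secrets/*` in the secrets-copy script, kept on the new side after the `fedifetcher-token` copy is dropped, leaves the `pass`, `database`, `redis` and `smtp` secrets readable by every local account on the guest, and `chmod 755` on the directory makes them listable; the unit runs as root, so nothing else restricts them. The only readers visible in this diff are the `${serviceCfg.name}` user and caddy (which the same module adds to that group), so group ownership and group-read would be enough: `chown -R root:${serviceCfg.name} /etc/mastodon-secrets`, `chmod 750 /etc/mastodon-secrets`, `chmod 640 /etc/mastodon-secrets/*`. Which units actually open these files is not shown here, so confirm that before tightening. The `script` body is wholly inside the hunk, but the enclosing `systemd.services` attribute set starts before it and the `mastodon-init-dirs` definition it orders against is outside this hunk.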
@@ -340,7 +286,6 @@ in "d /var/lib/mastodon/public-system/media_attachments 0755 mastodon mastodon -" "d /var/lib/mastodon/public-system/media_attachments/files 0755 mastodon mastodon -" "d /var/lib/mastodon/public-system/site_uploads 0755 mastodon mastodon -" - "d /var/lib/fedifetcher 0755 mastodon mastodon -" ]; }; @@ -392,17 +337,12 @@ in source = "/run/secrets/${serviceCfg.name}"; tag = "host_secrets"; } - { - mountPoint = "/var/lib/fedifetcher"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/fedifetcher"; - tag = "fedifetcher_data"; - } ]; }; }; }; }; + sops = { secrets = builtins.listToAttrs ( map @@ -419,7 +359,6 @@ in "database" "redis" "pass" - "fedifetcher-token" ] ); }; @@ -428,7 +367,6 @@ in "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/fedifetcher 0751 microvm wheel - -" ]; services.caddy.virtualHosts."${host}" = { @@ -438,7 +376,9 @@ in header_up X-Real-IP {remote_host} header_up X-Forwarded-For {remote_host} } + tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} + encode zstd gzip ''; };