From 2582d3cec9d4c3cd31e8430e0077c2d2a4423e73 Mon Sep 17 00:00:00 2001 From: Nick Date: Tue, 11 Nov 2025 01:01:05 -0600 Subject: [PATCH] test: trying to get microVMs to work --- modules/config/instances/config/mastodon.nix | 41 ++- modules/nixos/guests/firefly-iii/default.nix | 327 ++++++++++-------- modules/nixos/guests/forgejo/default.nix | 35 +- .../mastodon/config/chars.patch | 0 .../mastodon/config/twitter.txt | 0 modules/nixos/guests/mastodon/default.nix | 323 +++++++++++++++++ modules/nixos/guests/vaultwarden/default.nix | 2 +- modules/nixos/services/mastodon/default.nix | 214 ------------ secrets/secrets.yaml | 14 +- 9 files changed, 539 insertions(+), 417 deletions(-) rename modules/nixos/{services => guests}/mastodon/config/chars.patch (100%) rename modules/nixos/{services => guests}/mastodon/config/twitter.txt (100%) create mode 100755 modules/nixos/guests/mastodon/default.nix delete mode 100755 modules/nixos/services/mastodon/default.nix diff --git a/modules/config/instances/config/mastodon.nix b/modules/config/instances/config/mastodon.nix index 3ac1bcc..3ed23f4 100755 --- a/modules/config/instances/config/mastodon.nix +++ b/modules/config/instances/config/mastodon.nix @@ -2,22 +2,25 @@ let inherit (moduleFunctions.instancesFunctions) domain1 - servicePath sslPath - sopsPath + varPath + mntPath + secretPath + cachePath ; - label = "Mastodon"; name = "mastodon"; subdomain = "social"; domain = "${subdomain}.${domain1}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; in { label = label; name = name; short = "Mast"; email = { - address0 = "noreply@${domain}"; + address0 = "noreply@${domain1}"; }; domains = { url0 = domain; 
@@ -28,16 +31,28 @@ in "mast" "md" ]; - sops = { - path0 = "${sopsPath}/${name}"; - }; - paths = { - path0 = "${servicePath}/${label}"; - path1 = ""; - path2 = ""; + interface = { + id = "vm-${name}"; + mac = "02:00:00:00:55:05"; + idUser = "vmuser-mastodon"; + macUser = "02:00:00:00:00:05"; + ip = "192.168.50.115"; + gate = "192.168.50.1"; + ssh = 2205; }; ssl = { - cert = "${sslPath}/${subdomain}.${domain1}/fullchain.pem"; - key = "${sslPath}/${subdomain}.${domain1}/key.pem"; + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + varPaths = { + path0 = "${varPath}/${name}"; + path1 = "${cachePath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; }; } diff --git a/modules/nixos/guests/firefly-iii/default.nix b/modules/nixos/guests/firefly-iii/default.nix index 5267b61..a88d89d 100755 --- a/modules/nixos/guests/firefly-iii/default.nix +++ b/modules/nixos/guests/firefly-iii/default.nix 
@@ -16,170 +16,191 @@ let dns0Path = "dns/${dns0}"; in { - microvm.vms.${serviceCfg.name} = { - autostart = true; - restartIfChanged = true; - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - services = { - firefly-iii = { - enable = true; - dataDir = serviceCfg.varPaths.path0; - enableNginx = false; - poolConfig = { - "listen.owner" = config.services.caddy.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; + microvm.vms = { + ${serviceCfg.name} = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + services = { + firefly-iii = { + enable = true; + # dataDir = serviceCfg.varPaths.path0; + enableNginx = false; + poolConfig = { + "listen.owner" = config.services.caddy.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + }; + settings = { + APP_URL = "https://${host}"; + APP_KEY_FILE = "/run/secrets/pass"; + # DB_PASSWORD_FILE = "/run/secrets/data"; + # DB_CONNECTION = "pgsql"; + # DB_HOST = "db"; + # DB_DATABASE = "firefly"; + # DB_USERNAME = "firefly"; + MAIL_MAILER = smtpCfg.name; + MAIL_HOST = smtpCfg.hostname; + MAIL_PORT = smtpCfg.ports.port0; + MAIL_FROM = smtpCfg.email.address0; + MAIL_USERNAME = smtpCfg.email.address0; + MAIL_PASSWORD_FILE = "/run/secrets/smtp"; + MAIL_ENCRYPTION = "tls"; + SITE_OWNER = email.address2; + }; }; - settings = { - APP_URL = "https://${host}"; - APP_KEY_FILE = "/run/secrets/pass"; - DB_PASSWORD_FILE = "/run/secrets/data"; - DB_CONNECTION = "pgsql"; - DB_HOST = "db"; - DB_DATABASE = "firefly"; - DB_USERNAME = 
"firefly"; - MAIL_MAILER = smtpCfg.name; - MAIL_HOST = smtpCfg.hostname; - MAIL_PORT = smtpCfg.ports.port0; - MAIL_FROM = smtpCfg.email.address0; - MAIL_USERNAME = smtpCfg.email.address0; - MAIL_PASSWORD_FILE = "/run/secrets/smtp"; - MAIL_ENCRYPTION = "tls"; - SITE_OWNER = email.address2; + + firefly-iii-data-importer = { + enable = true; + }; + + caddy = { + enable = true; + virtualHosts."${serviceCfg.interface.ip}" = { + extraConfig = '' + root * ${config.services.firefly-iii.package}/public + + file_server + + encode gzip + + php_fastcgi unix//run/phpfpm/firefly-iii.sock + ''; + }; + }; + + # postgresql = { + # enable = true; + # ensureDatabases = [ "firefly" ]; + # ensureUsers = [ + # { + # name = "firefly"; + # ensureDBOwnership = true; + # } + # ]; + # }; + + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; }; }; - firefly-iii-data-importer = { - enable = true; - }; + networking.firewall.allowedTCPPorts = [ + 22 + 80 + serviceCfg.ports.port0 + serviceCfg.ports.port1 + ]; - caddy = { - enable = true; - virtualHosts."${serviceCfg.interface.ip}" = { - extraConfig = '' - root * ${config.services.firefly-iii.package}/public - - file_server - - encode gzip - - php_fastcgi unix//run/phpfpm/firefly-iii.sock - ''; + systemd = { + services = { + fix-secrets-permissions = { + description = "Fix secrets permissions for firefly-iii"; + wantedBy = [ "multi-user.target" ]; + before = [ + "firefly-iii-setup.service" + "phpfpm-firefly-iii.service" + ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + chown root:firefly-iii /run/secrets/pass + chown root:firefly-iii /run/secrets/smtp + chmod 0640 /run/secrets/pass + chmod 0640 /run/secrets/smtp + ''; + }; + systemd-networkd.wantedBy = [ "multi-user.target" ]; + }; + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s5"; + addresses = [ + { Address = "${serviceCfg.interface.ip}/24"; } + 
]; + routes = [ + { + Destination = "${hostCfg.localhost.address1}/0"; + Gateway = serviceCfg.interface.gate; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; }; - }; - postgresql = { - enable = true; - ensureDatabases = [ "firefly" ]; - ensureUsers = [ - { - name = "firefly"; - ensureDBOwnership = true; - } + tmpfiles.rules = [ + "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; + microvm = { + vcpu = 2; + mem = 3072; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = serviceCfg.interface.id; + mac = serviceCfg.interface.mac; + } + { + type = "user"; + id = serviceCfg.interface.idUser; + mac = serviceCfg.interface.macUser; + } + ]; + forwardPorts = [ + { + from = "host"; + host.port = serviceCfg.interface.ssh; + guest.port = 22; + } + ]; + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "${serviceCfg.mntPaths.path0}"; + tag = "${serviceCfg.name}_data"; + } + # { + # mountPoint = "/var/lib/postgresql"; + # proto = "virtiofs"; + # source = "${serviceCfg.mntPaths.path0}/database"; + # tag = "${serviceCfg.name}_database"; + # } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/${serviceCfg.name}"; + tag = "host_secrets"; + } + ]; }; }; - - networking.firewall.allowedTCPPorts = [ - 22 - 80 - serviceCfg.ports.port0 - serviceCfg.ports.port1 - ]; - systemd = { - network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s5"; - addresses = [ - { Address = "${serviceCfg.interface.ip}/24"; } - ]; - routes = [ - { - Destination = "${hostCfg.localhost.address1}/0"; - Gateway = serviceCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - ]; - }; - }; - - tmpfiles.rules = [ - "Z 
${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - # "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - "Z /var/lib/postgresql 755 postgres postgres -" - ]; - }; - - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { - vcpu = 2; - mem = 3072; - hypervisor = "qemu"; - interfaces = [ - { - type = "tap"; - id = serviceCfg.interface.id; - mac = serviceCfg.interface.mac; - } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } - ]; - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/${serviceCfg.name}"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/data"; - tag = "${serviceCfg.name}_data"; - } - { - mountPoint = "/var/lib/postgresql"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/database"; - tag = "${serviceCfg.name}_database"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets/${serviceCfg.name}"; - tag = "host_secrets"; - } - ]; - }; }; }; @@ -193,6 +214,8 @@ in systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" + # "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" + # "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -" ]; sops = { diff --git a/modules/nixos/guests/forgejo/default.nix b/modules/nixos/guests/forgejo/default.nix index ef3f60d..7e2ea7c 100755 --- a/modules/nixos/guests/forgejo/default.nix +++ b/modules/nixos/guests/forgejo/default.nix @@ -34,12 +34,8 @@ in ${serviceCfg.name} = { enable = true; lfs.enable = true; - database = { - type = "postgres"; - }; secrets = { mailer.PASSWD = "/run/secrets/smtp"; - database.PASSWD = "/run/secrets/database"; }; settings = { server = { 
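Review bot: The new `fix-secrets-permissions` oneshot is ordered `before` the firefly services but has nothing ordering it after the virtiofs mount of `/run/secrets` that the same hunk declares under `microvm.shares`, so if the mount is late its `chown`/`chmod` run against an empty directory and the unit fails; add `unitConfig.RequiresMountsFor = [ "/run/secrets" ];` to the service. Because that share is a passthrough of the host's `/run/secrets/firefly-iii`, the `chmod 0640` also widens the host-side files that sops created as `mode = "0600"` (how guest uids/gids map onto the host depends on the virtiofsd setup, which is not visible here), so this is worth a comment at the top of the script rather than a silent side effect. `listen.owner = config.services.caddy.user` and `${config.services.firefly-iii.package}` resolve against the outer host `config`, not the guest's; they happen to yield the same values today, but taking `config` from the guest module (`config = { config, ... }: { ... }`) would make the intent explicit. The commented-out `DB_*` settings and `postgresql` block leave the instance on the firefly-iii module's default database backend (sqlite under `/var/lib/firefly-iii`, if the option defaults are unchanged) — a one-line comment stating that this is deliberate would save the next reader from assuming the postgres data is still in use.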
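Review bot: Removing `database.type = "postgres"` and `secrets.database.PASSWD` without a replacement leaves Forgejo on the module's default backend (sqlite3, if the NixOS option default is unchanged), so an instance that already has data in PostgreSQL comes up empty rather than migrated. If that is the intent, record it next to the `secrets` block, e.g. `# database: module default (sqlite3); postgres dropped with the microVM move`; if not, keep `database.type = "postgres";` pointing at wherever the database now lives. The enclosing `services.forgejo` block continues outside this hunk.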
@@ -48,7 +44,7 @@ in HTTP_PORT = serviceCfg.ports.port0; }; # If you need to start from scratch, don't forget to turn this off again - service.DISABLE_REGISTRATION = false; + service.DISABLE_REGISTRATION = true; actions = { ENABLED = true; DEFAULT_ACTIONS_URL = "github"; @@ -76,17 +72,6 @@ in PermitRootLogin = "prohibit-password"; }; }; - - postgresql = { - enable = true; - ensureDatabases = [ serviceCfg.name ]; - ensureUsers = [ - { - name = serviceCfg.name; - ensureDBOwnership = true; - } - ]; - }; }; networking.firewall.allowedTCPPorts = [ @@ -128,7 +113,7 @@ in tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" - "Z /var/lib/postgresql 0755 postgres postgres -" + # "Z /var/lib/postgresql 0755 postgres postgres -" ]; }; @@ -167,15 +152,9 @@ in { mountPoint = "/var/lib/${serviceCfg.name}"; proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/data"; + source = "${serviceCfg.mntPaths.path0}"; tag = "${serviceCfg.name}_data"; } - { - mountPoint = "/var/lib/postgresql"; - proto = "virtiofs"; - source = "${serviceCfg.mntPaths.path0}/database"; - tag = "${serviceCfg.name}_database"; - } { mountPoint = "/run/secrets"; proto = "virtiofs"; @@ -189,9 +168,7 @@ in }; systemd.tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" - "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -" - + "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" ]; services.caddy.virtualHosts."${host}" = { @@ -211,9 +188,5 @@ in owner = "root"; mode = "0600"; }; - "${serviceCfg.name}/database" = { - owner = "root"; - mode = "0600"; - }; }; } diff --git a/modules/nixos/services/mastodon/config/chars.patch b/modules/nixos/guests/mastodon/config/chars.patch similarity index 100% rename from modules/nixos/services/mastodon/config/chars.patch rename to modules/nixos/guests/mastodon/config/chars.patch 
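Review bot: The `/var/lib/forgejo` share source moves from `${serviceCfg.mntPaths.path0}/data` up to `${serviceCfg.mntPaths.path0}`, so an existing tree under the old `data/` subdirectory will surface at `/var/lib/forgejo/data` inside the guest instead of at the mount root, and the guest's `Z ${serviceCfg.varPaths.path0} 0755 forgejo forgejo` rule will recursively re-own whatever is there through virtiofs (assuming `varPaths.path0` is that same `/var/lib` path). Either move the host directory's contents before deploying or keep the `/data` suffix on `source`; the host-side `d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -` rule does neither. The same `source = "${serviceCfg.mntPaths.path0}"` change is made in the firefly-iii guest in this commit and has the same consequence.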
diff --git a/modules/nixos/services/mastodon/config/twitter.txt b/modules/nixos/guests/mastodon/config/twitter.txt
similarity index 100%
rename from modules/nixos/services/mastodon/config/twitter.txt
rename to modules/nixos/guests/mastodon/config/twitter.txt
diff --git a/modules/nixos/guests/mastodon/default.nix b/modules/nixos/guests/mastodon/default.nix
new file mode 100755
index 0000000..01c9d58
--- /dev/null
+++ b/modules/nixos/guests/mastodon/default.nix
@@ -0,0 +1,323 @@ +{ + flake, + config, + pkgs, + lib, + ... +}: +let + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + serviceCfg = flake.config.services.instances.mastodon; + smtpCfg = flake.config.services.instances.smtp; + hostCfg = flake.config.services.instances.web; + host = serviceCfg.domains.url0; + dns0 = instances.web.dns.provider0; + dns0Path = "dns/${dns0}"; +in +{ + # If you need to start fresh for some reason, run these to create the new Admin account: + # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner + # sudo -u mastodon mastodon-tootctl accounts approve nick + + # If you fuck up and lose the password, use this: + # sudo mastodon-tootctl accounts modify --reset-password nick + + # If you really fuck up and name yourself wrong, use this shit + # sudo mastodon-tootctl accounts modify username --remove-role + + # nixpkgs.overlays = [ + # ( + # final: prev: { + # mastodon = prev.mastodon.overrideAttrs (oldAttrs: { + # postPatch = + # (oldAttrs.postPatch or "") + # + '' + # patch -p1 < ${./chars.patch} + # ''; + # }); + # } + # ) + # ]; + + microvm.vms = { + ${serviceCfg.name} = { + autostart = true; + restartIfChanged = true; + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + services = { + ${serviceCfg.name} = { + enable = true; + localDomain = host; + secretKeyBaseFile = "/run/secrets/pass"; + streamingProcesses = 7; + trustedProxy = hostCfg.localhost.address1; + automaticMigrations = true; + database = { + createLocally = true; + name = serviceCfg.name; + host = "/run/postgresql"; + user = serviceCfg.name; + passwordFile = "/run/secrets/database"; + }; + extraConfig = { + SINGLE_USER_MODE = "true"; + SMTP_AUTH_METHOD = "plain"; + SMTP_DELIVERY_METHOD = "smtp"; + SMTP_ENABLE_STARTTLS_AUTO = "true"; + SMTP_SSL = "false"; + }; + 
mediaAutoRemove = { + enable = true; + olderThanDays = 14; + }; + redis = { + createLocally = true; + enableUnixSocket = true; + }; + sidekiqThreads = 25; + sidekiqProcesses = { + all = { + jobClasses = [ + ]; + threads = null; + }; + default = { + jobClasses = [ + "default" + ]; + threads = 5; + }; + ingress = { + jobClasses = [ + "ingress" + ]; + threads = 5; + }; + push-pull = { + jobClasses = [ + "push" + "pull" + ]; + threads = 5; + }; + mailers = { + jobClasses = [ + "mailers" + ]; + threads = 5; + }; + }; + smtp = { + authenticate = true; + createLocally = false; + fromAddress = "upRootNutrition <${smtpCfg.email.address1}>"; + host = smtpCfg.hostname; + passwordFile = "/run/secrets/smtp"; + port = smtpCfg.ports.port1; + user = smtpCfg.email.address1; + }; + }; + caddy = { + virtualHosts = { + "${serviceCfg.interface.ip}" = { + extraConfig = '' + handle_path /system/* { + file_server * { + root /var/lib/mastodon/public-system + } + } + + handle /api/v1/streaming/* { + reverse_proxy unix//run/mastodon-streaming/streaming.socket + } + + route * { + file_server * { + root ${pkgs.mastodon}/public + pass_thru + } + reverse_proxy * unix//run/mastodon-web/web.socket + } + + tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} + + handle_errors { + root * ${pkgs.mastodon}/public + rewrite 500.html + file_server + } + + encode gzip + + header /* { + Strict-Transport-Security "max-age=31536000;" + } + header /emoji/* Cache-Control "public, max-age=31536000, immutable" + header /packs/* Cache-Control "public, max-age=31536000, immutable" + header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable" + header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable" + ''; + }; + }; + }; + + postgresql = { + enable = true; + }; + + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + }; + + users.users.${serviceCfg.name}.extraGroups = [ + 
"postgres" + ]; + + networking.firewall.allowedTCPPorts = [ + 22 # SSH + 80 # Caddy + 25 # SMTP + 139 # SMTP + 587 # SMTP + 2525 # SMTP + 5432 # Postgres + ]; + + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ + "size=4G" + "mode=1777" + ]; + }; + + systemd = { + services = { + systemd-networkd.wantedBy = [ "multi-user.target" ]; + caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [ + "/var/lib/caddy" + "/run/mastodon-web" + ]; + }; + network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s5"; + addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; + routes = [ + { + Destination = "${hostCfg.localhost.address1}/0"; + Gateway = serviceCfg.interface.gate; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; + + tmpfiles.rules = [ + "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + ]; + }; + + microvm = { + vcpu = 2; + mem = 3072; + hypervisor = "qemu"; + interfaces = [ + { + type = "tap"; + id = serviceCfg.interface.id; + mac = serviceCfg.interface.mac; + } + { + type = "user"; + id = serviceCfg.interface.idUser; + mac = serviceCfg.interface.macUser; + } + ]; + forwardPorts = [ + { + from = "host"; + host.port = serviceCfg.interface.ssh; + guest.port = 22; + } + ]; + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/${serviceCfg.name}"; + proto = "virtiofs"; + source = "${serviceCfg.mntPaths.path0}"; + tag = "${serviceCfg.name}_data"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets/${serviceCfg.name}"; + tag = "host_secrets"; + } + ]; + }; + }; + }; + }; + + sops = { + secrets = builtins.listToAttrs ( + map + (secret: { + name = "${serviceCfg.name}/${secret}"; + value = { + owner = "root"; + mode = "0600"; + }; + }) + [ + "smtp" + "database" + "redis" + "pass" + ] + ); + }; + + systemd.tmpfiles.rules = [ + "d 
${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" + ]; + + services.caddy.virtualHosts."${host}" = { + extraConfig = '' + reverse_proxy ${serviceCfg.interface.ip}:80 + + tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} + + encode zstd gzip + ''; + }; + + users.users.caddy.extraGroups = [ "acme" ]; + + security.acme.certs."${host}" = { + dnsProvider = dns0; + environmentFile = config.sops.secrets.${dns0Path}.path; + group = "caddy"; + }; +} diff --git a/modules/nixos/guests/vaultwarden/default.nix b/modules/nixos/guests/vaultwarden/default.nix index 64032a0..96c7f64 100755 --- a/modules/nixos/guests/vaultwarden/default.nix +++ b/modules/nixos/guests/vaultwarden/default.nix @@ -144,7 +144,7 @@ in mountPoint = "/var/lib/bitwarden_rs"; proto = "virtiofs"; source = serviceCfg.mntPaths.path0; - tag = "vaultwarden_data"; + tag = "${serviceCfg.name}_data"; } { mountPoint = "/run/secrets"; diff --git a/modules/nixos/services/mastodon/default.nix b/modules/nixos/services/mastodon/default.nix deleted file mode 100755 index 411dbab..0000000 --- a/modules/nixos/services/mastodon/default.nix +++ /dev/null 
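Review bot: `networking.firewall.allowedTCPPorts` opens inbound 25, 139, 587, 2525 and 5432 on a guest that is only an SMTP client (`smtp.createLocally = false`, `host = smtpCfg.hostname`) and reaches PostgreSQL over the `/run/postgresql` socket; outbound connections need no inbound rule, 139 is NetBIOS rather than SMTP, and 5432 invites LAN access to the database over the tap interface, so trim it to `networking.firewall.allowedTCPPorts = [ 22 80 ];`. The guest Caddy vhost sets `tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}`, but no `shares` entry exposes the host's certificate directory to the guest and the host side proxies plain `${serviceCfg.interface.ip}:80`, so that directive (and the `Strict-Transport-Security` header, which belongs on the host vhost) should come out of the guest config. `trustedProxy = hostCfg.localhost.address1` is the same value this file uses as `${hostCfg.localhost.address1}/0` for the default route, which suggests it is `0.0.0.0` rather than the address the host's reverse proxy actually connects from; the old module used `localhost.address0`, and the host's address on the guest's bridge is what should be trusted. With `SMTP_ENABLE_STARTTLS_AUTO = "true"` and `SMTP_SSL = "false"`, the `plain` credentials fall back to cleartext if the relay ever stops advertising STARTTLS; `SMTP_ENABLE_STARTTLS = "always"` in `extraConfig` makes that a hard failure instead. The `users.users.mastodon.extraGroups = [ "postgres" ]` membership is not needed for socket peer auth with `createLocally = true` and is worth dropping for least privilege.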
@@ -1,214 +0,0 @@ -{ - flake, - config, - pkgs, - lib, - ... -}: -let - inherit (flake.config.machines.devices) - ceres - ; - inherit (flake.config.services.instances) smtp mastodon web; - service = mastodon; - host = service.domains.url0; - localhost = web.localhost.address0; -in -{ - # If you need to start fresh for some reason, run these to create the new Admin account: - # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner - # sudo -u mastodon mastodon-tootctl accounts approve nick - - # If you fuck up and lose the password, use this: - # sudo mastodon-tootctl accounts modify --reset-password nick - - # If you really fuck up and name yourself wrong, use this shit - # sudo mastodon-tootctl accounts modify username --remove-role - - # nixpkgs.overlays = [ - # ( - # final: prev: { - # mastodon = prev.mastodon.overrideAttrs (oldAttrs: { - # postPatch = - # (oldAttrs.postPatch or "") - # + '' - # patch -p1 < ${./chars.patch} - # ''; - # }); - # } - # ) - # ]; - - services = { - mastodon = { - enable = true; - localDomain = host; - secretKeyBaseFile = "/var/lib/mastodon/secrets/secret-key-base"; - streamingProcesses = 7; - trustedProxy = localhost; - automaticMigrations = true; - database = { - createLocally = true; - name = service.name; - host = "/run/postgresql"; - user = service.name; - passwordFile = config.sops.secrets."${service.name}-database".path; - }; - extraConfig = { - SINGLE_USER_MODE = "true"; - SMTP_AUTH_METHOD = "plain"; - SMTP_DELIVERY_METHOD = "smtp"; - SMTP_ENABLE_STARTTLS_AUTO = "true"; - SMTP_SSL = "false"; - }; - mediaAutoRemove = { - enable = true; - olderThanDays = 14; - }; - redis = { - createLocally = true; - enableUnixSocket = true; - }; - sidekiqThreads = 25; - sidekiqProcesses = { - all = { - jobClasses = [ - ]; - threads = null; - }; - default = { - jobClasses = [ - "default" - ]; - threads = 5; - }; - ingress = { - jobClasses = [ - "ingress" - ]; - threads = 5; - }; - push-pull = { - 
jobClasses = [ - "push" - "pull" - ]; - threads = 5; - }; - mailers = { - jobClasses = [ - "mailers" - ]; - threads = 5; - }; - }; - smtp = { - authenticate = true; - createLocally = false; - fromAddress = "upRootNutrition <${smtp.email.address1}>"; - host = smtp.hostname; - passwordFile = config.sops.secrets."${service.name}-smtp".path; - port = smtp.ports.port1; - user = smtp.email.address1; - }; - }; - caddy = { - virtualHosts = { - "${host}" = { - extraConfig = '' - handle_path /system/* { - file_server * { - root /var/lib/mastodon/public-system - } - } - - handle /api/v1/streaming/* { - reverse_proxy unix//run/mastodon-streaming/streaming.socket - } - - route * { - file_server * { - root ${pkgs.mastodon}/public - pass_thru - } - reverse_proxy * unix//run/mastodon-web/web.socket - } - - tls ${service.ssl.cert} ${service.ssl.key} - - handle_errors { - root * ${pkgs.mastodon}/public - rewrite 500.html - file_server - } - - encode gzip - - header /* { - Strict-Transport-Security "max-age=31536000;" - } - header /emoji/* Cache-Control "public, max-age=31536000, immutable" - header /packs/* Cache-Control "public, max-age=31536000, immutable" - header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable" - header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable" - ''; - }; - }; - }; - }; - - systemd.services.caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [ - "/var/lib/caddy" - "/run/mastodon-web" - ]; - - sops = - let - sopsPath = secret: { - path = "${service.sops.path0}/${service.name}-${secret}"; - owner = service.name; - mode = "600"; - }; - in - { - secrets = builtins.listToAttrs ( - map - (secret: { - name = "${service.name}-${secret}"; - value = sopsPath secret; - }) - [ - "smtp" - "database" - "redis" - ] - ); - }; - - fileSystems."/var/lib/${service.name}" = { - device = service.paths.path0; - fsType = "none"; - options = [ - "bind" - ]; - depends = [ - ceres.storage0.mount - ]; - }; - - 
systemd.tmpfiles.rules = [ - "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -" - "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -" - ]; - - users.users.${service.name}.extraGroups = [ - "postgres" - ]; - - networking = { - firewall = { - allowedTCPPorts = [ - ]; - }; - }; -} diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 132a55f..ec16e39 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
@@ -6,9 +6,11 @@ network: server: ENC[AES256_GCM,data:EFsmXNkuf5OAMh8hjfZTixmmdjqBNIME9JjQC8azeCwcMVInm8bWdxE4OqFmxOk9MAU=,iv:pI6WeM2aQC+7vx1Xmp5O2rikqNLgzuEOg+Lo7TqFQxU=,tag:ElcA8mn9dx+IjIf38nKT5A==,type:str] fallaryn: ENC[AES256_GCM,data:O77hH3STB6zpl0b9iXsVu9OOrlLKUwfs2qI9hdqX4kMuBs3XgT/xsQ==,iv:RDKsuJoy+LIyADMc3bgOEmLKdXtu6kad2aeVetuZdJI=,tag:MrpCZ+iJUnGIjeHMgcYG6Q==,type:str] garnet: ENC[AES256_GCM,data:N8sAdjTAiubQihKrtdCkaJQBKkz6/kNdeATiaZXRhlP/HLg7zg==,iv:8QP1HnGSUGHpkwBwQY2Z0gZ6tYaK7XzMuxXexY6QQaU=,tag:fHzPh9lvqB2BmuSkVH5Ojg==,type:str] -mastodon-smtp: ENC[AES256_GCM,data:GKowwVH7eqZRqJPg+J8q3rJpArtLHs4xdzMMWAFobOU=,iv:alviX07JoGIPDKjFy/SfqfVHMyO38E9AMWV62bOCZpA=,tag:ivOmAjrniHweFPFiwnJJBw==,type:str] -mastodon-database: ENC[AES256_GCM,data:qPOU8yGqEQWuMJ4E/fCc+vfKp+YZONb17ZIDHXYZ9RY=,iv:HzVd2ptZBtpRA/XA593WTNL3xJx97hvNx49zIZPBlhQ=,tag:KGZ7Mw2M5O9DBhB+fv+w1Q==,type:str] -mastodon-redis: ENC[AES256_GCM,data:aEEOGmyLin80X1uNiLLIuCSGlGjYX9vOl45GuxwlJqE=,iv:3qaZAqwm6tLnB1vCtZ2ZotaZO4/XmQKLe/I+pzqbJj0=,tag:K1y1QoLgGRvi8oJrzcakhQ==,type:str] +mastodon: + smtp: ENC[AES256_GCM,data:ey1fq4e/V2rmY/PRvopbFkBFt2SNb0UERCu4pUf0iOpW,iv:dNl+cm2zkas48I9lUyYss5lMWBi9EEiqaeefuE49V7w=,tag:zucvfmY84B25SGS4vYr91Q==,type:str] + database: ENC[AES256_GCM,data:dYdLk9s4xZjHaIZCiKvLf/7HbcHVdMOk69JzYmXkX4lf,iv:IJKSR47LR08OuzPJZmfQnVUyOSjtUEmv0c/sGT9eIws=,tag:KUtW8ZKoZHBKvixVLYkNrQ==,type:str] + redis: ENC[AES256_GCM,data:lrbTQAuay170fXNUGooG7bJg5lROItwUrnlKYBalo7Zp,iv:osaPJhqOpT5fm4ZYP7rbn0y/jzCfOu8+iPwO8KhRkuM=,tag:ByQjwCT7MtJjgpGWNAoffA==,type:str] + pass: ENC[AES256_GCM,data:VlWIQQK89E4FaIUNXu1+sPuEbSQIVdYeGVWt8eztCMpikVsmeFd+G3XxS1Zm76m0tNFZjF7oHILpCudHU4M8k810ePwadcUOiglCP4P2Dkn1vrrB384T5Ed9gn8NHo3S1HlXczsNKmy6j8fP2CNKSb8Mar5VQBbajqryA73bB9pI,iv:EvlNrU4ImdYe5/HQytXCxqDui3Df3oIcC1vLkor7be4=,tag:lnkyjWHyEUTWPVqjwYx+cg==,type:str] peertube-smtp: 
ENC[AES256_GCM,data:rYwL0RNVvC9DUsSRJ5WpLX3VqT4zHYarxSe/tdRBHqs=,iv:cQKRbxdMOF+g84djLZcOk3hMYifucO+r0JxV8EnRjro=,tag:ZnN/LmQ/A3FR4bdJ9DYoEw==,type:str] peertube-database: ENC[AES256_GCM,data:nm0bHwTcT+ROZc2BC9jx+tXWjZ3689rdn4fdYW+7JTU=,iv:EeQVBAIXPut9gs+I9WpRf7L3f7ACTeTWycUFIKAneKk=,tag:QjGQmZ3zMAgB/WDbxTZVIQ==,type:str] peertube-redis: ENC[AES256_GCM,data:SQoPzPjgf4YN9dhvO0wo2DEra7cTgfZBx4vCBpNVSXI=,iv:mcCwYtE9E/Mb4V0j9NnU9WhaUMeBpX7BOcc8HGDiEvI=,tag:CsSiS4peZhnZ22uNtUC44w==,type:str] @@ -46,7 +48,7 @@ caddy: comfyui-auth: ENC[AES256_GCM,data:YkHxbW/0zTmnrggXKl2jNO4OnBaepmCwB3ZC6d8MPIKf8snWJzAvTq5+X5ABzziwKaypHRTcS6vuNntxKrrD8DS7hX9DqVCZc5WeFHI6S5VzHh3SprW2MF4E8nm4Hj+VHoKGmRSSOU1cfX3J,iv:v0Pid0BCY2QsMNaahBvJd4WWZD115JDLHlOCQvPiaGU=,tag:gpsAgt052NoOyIa9WqJXyg==,type:str] wifi-home: ENC[AES256_GCM,data:5NYSCUyalDf7gZF7WaRQJCo=,iv:RkVZKsmVEBg5M28DSkBD41673iLM+dqDAAhSwjqejck=,tag:QQ17VSWOnU0bGglZq6455Q==,type:str] firefly-iii: - pass: ENC[AES256_GCM,data:e7uOZ284bAmokWolrRq81mEguMovZDd9D/7Sr8BwIR6U1Ea/qPfErPgdUEw6OGdQLmmaHg==,iv:2QyCe7cKpys4CEtnNKOBxRA0jo6u2OFU9xeiKnO4myc=,tag:WKCopzEN8+xmAIvla8hqtQ==,type:str] + pass: ENC[AES256_GCM,data:WjHcoTuEzEq9pfw4QoqRjI4jhu5VPEMOXlHL0olg9dqUj4EGa1Shv5T/kIxdRFuao0y3zQ==,iv:4/fmFOxxDLzplsNGpSJMQOeoNviZw2c2pFlB1ZkRu+o=,tag:7TQ2q/kEFDU4tZxPx53ebw==,type:str] data: ENC[AES256_GCM,data:921LhcRTWVk24eEAQoDMV+RllSP3PbSXCCIDXlQA80Mq,iv:YXEgas77DgdyPTnBZa/ySjcERBIwmdDZJbijeNKNF24=,tag:Wj25wA7tLJ2bZ/faG9DUhg==,type:str] smtp: ENC[AES256_GCM,data:+e4MiRZ2WOZyWYpMf+By1Eb45ih4TA+svLI2+00yQk82,iv:+52+kJouMwkOSDEaOCA8V80+wT/VzNxgtCkOO68SCdk=,tag:YrtrJAXIhQpsUTEeYvrVwQ==,type:str] password-user0: ENC[AES256_GCM,data:VKrySmPAKh3UwCQXJS0EnOPPLDrigWtw5g4WMbSGz/VRtbzlQxMIgs42c/8NnHiqr98ifWy7u9c280oo7SrHhQmEOOvxfITQ9A==,iv:toGkVKCjsmtPP5Ukk/q8kPSmJo3FcTAyj2vcIEkHmU0=,tag:Nhucsk1kgx7zDZZQKycKZQ==,type:str] 
@@ -61,7 +63,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-11T03:26:53Z" - mac: ENC[AES256_GCM,data:Wsc9G4UIX/GfuYdHgf/rMqHNJBKFQp4/pp13IJhFXyONxullcHqH5qZBophGen9loRhaRTLVglRDVPEfQwisFJHIDu6yQ7A2YLLVl5oZ5GB2jkUxK/hnw5FqQG5NTaoAls150niyDQchTe0GO7YzEamIucnJwkiUVsc0+7ZGED4=,iv:ZOk64KSwjvN28stBE3xJu4oxSCyVhTsJnqBeliHUyp8=,tag:IhQeULWdFBuIvqGy9SEcTQ==,type:str] + lastmodified: "2025-11-11T06:59:50Z" + mac: ENC[AES256_GCM,data:EJ9lYBbFiYH8pzrnxap05Xj0CgdzxCPoCqq7fCgrJrlngHP8IP6WoAtFpnWfYGa6hDCY0W+RDSzAc3yReYS7tGuGLkCKcPhC/h9boEADPNEEoCnmV0uimeVDIFj0o1as00q2Mzaz5FRJGzpRkjaIT+YjQfaRGcjlBGobjFHFHKQ=,iv:G8iu/sX6hvrc3TuoE2X6X2TUGDyFTPIVILb+n36KETY=,tag:9nHq03Z0iIMtF1qnMhAHMA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0