test: trying to get microVMs to work

2025-12-06 21:17:14 -06:00 · 2025-11-11 01:01:05 -06:00 · 2025-11-11 01:01:05 -06:00 · 2582d3cec9
commit 2582d3cec9
parent 0c4173ceaf
9 changed files with 539 additions and 417 deletions
--- a/modules/config/instances/config/mastodon.nix
+++ b/modules/config/instances/config/mastodon.nix
@ -2,22 +2,25 @@
 let
  inherit (moduleFunctions.instancesFunctions)
    domain1
    servicePath
    sslPath
-    sopsPath
+    varPath
    mntPath
    secretPath
    cachePath
    ;
  label = "Mastodon";
  name = "mastodon";
  subdomain = "social";
  domain = "${subdomain}.${domain1}";
  secrets = "${secretPath}/${name}";
  ssl = "${sslPath}/${domain}";
 in
 {
  label = label;
  name = name;
  short = "Mast";
  email = {
-    address0 = "noreply@${domain}";
+    address0 = "noreply@${domain1}";
  };
  domains = {
    url0 = domain;
@ -28,16 +31,28 @@ in
    "mast"
    "md"
  ];
-  sops = {
+  interface = {
-    path0 = "${sopsPath}/${name}";
+    id = "vm-${name}";
-  };
+    mac = "02:00:00:00:55:05";
-  paths = {
+    idUser = "vmuser-mastodon";
-    path0 = "${servicePath}/${label}";
+    macUser = "02:00:00:00:00:05";
-    path1 = "";
+    ip = "192.168.50.115";
-    path2 = "";
+    gate = "192.168.50.1";
    ssh = 2205;
  };
  ssl = {
-    cert = "${sslPath}/${subdomain}.${domain1}/fullchain.pem";
+    path = ssl;
-    key = "${sslPath}/${subdomain}.${domain1}/key.pem";
+    cert = "${ssl}/fullchain.pem";
    key = "${ssl}/key.pem";
  };
  varPaths = {
    path0 = "${varPath}/${name}";
    path1 = "${cachePath}/${name}";
  };
  mntPaths = {
    path0 = "${mntPath}/${name}";
  };
  secretPaths = {
    path0 = secrets;
  };
 }
--- a/modules/nixos/guests/firefly-iii/default.nix
+++ b/modules/nixos/guests/firefly-iii/default.nix
@ -16,170 +16,191 @@ let
  dns0Path = "dns/${dns0}";
 in
 {
-  microvm.vms.${serviceCfg.name} = {
+  microvm.vms = {
-    autostart = true;
+    ${serviceCfg.name} = {
-    restartIfChanged = true;
+      autostart = true;
-    config = {
+      restartIfChanged = true;
-      system.stateVersion = "24.05";
+      config = {
-      time.timeZone = "America/Winnipeg";
+        system.stateVersion = "24.05";
-      users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
+        time.timeZone = "America/Winnipeg";
-      services = {
+        users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
-        firefly-iii = {
+        services = {
-          enable = true;
+          firefly-iii = {
-          dataDir = serviceCfg.varPaths.path0;
+            enable = true;
-          enableNginx = false;
+            # dataDir = serviceCfg.varPaths.path0;
-          poolConfig = {
+            enableNginx = false;
-            "listen.owner" = config.services.caddy.user;
+            poolConfig = {
-            "pm" = "dynamic";
+              "listen.owner" = config.services.caddy.user;
-            "pm.max_children" = 32;
+              "pm" = "dynamic";
-            "pm.start_servers" = 2;
+              "pm.max_children" = 32;
-            "pm.min_spare_servers" = 2;
+              "pm.start_servers" = 2;
-            "pm.max_spare_servers" = 4;
+              "pm.min_spare_servers" = 2;
-            "pm.max_requests" = 500;
+              "pm.max_spare_servers" = 4;
              "pm.max_requests" = 500;
            };
            settings = {
              APP_URL = "https://${host}";
              APP_KEY_FILE = "/run/secrets/pass";
              # DB_PASSWORD_FILE = "/run/secrets/data";
              # DB_CONNECTION = "pgsql";
              # DB_HOST = "db";
              # DB_DATABASE = "firefly";
              # DB_USERNAME = "firefly";
              MAIL_MAILER = smtpCfg.name;
              MAIL_HOST = smtpCfg.hostname;
              MAIL_PORT = smtpCfg.ports.port0;
              MAIL_FROM = smtpCfg.email.address0;
              MAIL_USERNAME = smtpCfg.email.address0;
              MAIL_PASSWORD_FILE = "/run/secrets/smtp";
              MAIL_ENCRYPTION = "tls";
              SITE_OWNER = email.address2;
            };
          };
-          settings = {
+
-            APP_URL = "https://${host}";
+          firefly-iii-data-importer = {
-            APP_KEY_FILE = "/run/secrets/pass";
+            enable = true;
-            DB_PASSWORD_FILE = "/run/secrets/data";
+          };
-            DB_CONNECTION = "pgsql";
+
-            DB_HOST = "db";
+          caddy = {
-            DB_DATABASE = "firefly";
+            enable = true;
-            DB_USERNAME = "firefly";
+            virtualHosts."${serviceCfg.interface.ip}" = {
-            MAIL_MAILER = smtpCfg.name;
+              extraConfig = ''
-            MAIL_HOST = smtpCfg.hostname;
+                root * ${config.services.firefly-iii.package}/public
-            MAIL_PORT = smtpCfg.ports.port0;
+
-            MAIL_FROM = smtpCfg.email.address0;
+                file_server
-            MAIL_USERNAME = smtpCfg.email.address0;
+
-            MAIL_PASSWORD_FILE = "/run/secrets/smtp";
+                encode gzip
-            MAIL_ENCRYPTION = "tls";
+
-            SITE_OWNER = email.address2;
+                php_fastcgi unix//run/phpfpm/firefly-iii.sock
              '';
            };
          };
          # postgresql = {
          #   enable = true;
          #   ensureDatabases = [ "firefly" ];
          #   ensureUsers = [
          #     {
          #       name = "firefly";
          #       ensureDBOwnership = true;
          #     }
          #   ];
          # };
          openssh = {
            enable = true;
            settings = {
              PasswordAuthentication = false;
              PermitRootLogin = "prohibit-password";
            };
          };
        };
-        firefly-iii-data-importer = {
+        networking.firewall.allowedTCPPorts = [
-          enable = true;
+          22
-        };
+          80
          serviceCfg.ports.port0
          serviceCfg.ports.port1
        ];
-        caddy = {
+        systemd = {
-          enable = true;
+          services = {
-          virtualHosts."${serviceCfg.interface.ip}" = {
+            fix-secrets-permissions = {
-            extraConfig = ''
+              description = "Fix secrets permissions for firefly-iii";
-              root * ${config.services.firefly-iii.package}/public
+              wantedBy = [ "multi-user.target" ];
-
+              before = [
-              file_server
+                "firefly-iii-setup.service"
-
+                "phpfpm-firefly-iii.service"
-              encode gzip
+              ];
-
+              serviceConfig = {
-              php_fastcgi unix//run/phpfpm/firefly-iii.sock
+                Type = "oneshot";
-            '';
+                RemainAfterExit = true;
              };
              script = ''
                chown root:firefly-iii /run/secrets/pass
                chown root:firefly-iii /run/secrets/smtp
                chmod 0640 /run/secrets/pass
                chmod 0640 /run/secrets/smtp
              '';
            };
            systemd-networkd.wantedBy = [ "multi-user.target" ];
          };
          network = {
            enable = true;
            networks."20-lan" = {
              matchConfig.Name = "enp0s5";
              addresses = [
                { Address = "${serviceCfg.interface.ip}/24"; }
              ];
              routes = [
                {
                  Destination = "${hostCfg.localhost.address1}/0";
                  Gateway = serviceCfg.interface.gate;
                }
              ];
              dns = [
                "1.1.1.1"
                "8.8.8.8"
              ];
            };
          };
        };
-        postgresql = {
+          tmpfiles.rules = [
-          enable = true;
+            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
          ensureDatabases = [ "firefly" ];
          ensureUsers = [
            {
              name = "firefly";
              ensureDBOwnership = true;
            }
          ];
        };
-        openssh = {
+        microvm = {
-          enable = true;
+          vcpu = 2;
-          settings = {
+          mem = 3072;
-            PasswordAuthentication = false;
+          hypervisor = "qemu";
-            PermitRootLogin = "prohibit-password";
+          interfaces = [
-          };
+            {
              type = "tap";
              id = serviceCfg.interface.id;
              mac = serviceCfg.interface.mac;
            }
            {
              type = "user";
              id = serviceCfg.interface.idUser;
              mac = serviceCfg.interface.macUser;
            }
          ];
          forwardPorts = [
            {
              from = "host";
              host.port = serviceCfg.interface.ssh;
              guest.port = 22;
            }
          ];
          shares = [
            {
              mountPoint = "/nix/.ro-store";
              proto = "virtiofs";
              source = "/nix/store";
              tag = "read_only_nix_store";
            }
            {
              mountPoint = "/var/lib/${serviceCfg.name}";
              proto = "virtiofs";
              source = "${serviceCfg.mntPaths.path0}";
              tag = "${serviceCfg.name}_data";
            }
            # {
            #   mountPoint = "/var/lib/postgresql";
            #   proto = "virtiofs";
            #   source = "${serviceCfg.mntPaths.path0}/database";
            #   tag = "${serviceCfg.name}_database";
            # }
            {
              mountPoint = "/run/secrets";
              proto = "virtiofs";
              source = "/run/secrets/${serviceCfg.name}";
              tag = "host_secrets";
            }
          ];
        };
      };
      networking.firewall.allowedTCPPorts = [
        22
        80
        serviceCfg.ports.port0
        serviceCfg.ports.port1
      ];
      systemd = {
        network = {
          enable = true;
          networks."20-lan" = {
            matchConfig.Name = "enp0s5";
            addresses = [
              { Address = "${serviceCfg.interface.ip}/24"; }
            ];
            routes = [
              {
                Destination = "${hostCfg.localhost.address1}/0";
                Gateway = serviceCfg.interface.gate;
              }
            ];
            dns = [
              "1.1.1.1"
              "8.8.8.8"
            ];
          };
        };
        tmpfiles.rules = [
          "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
          # "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
          "Z /var/lib/postgresql 755 postgres postgres -"
        ];
      };
      systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
      microvm = {
        vcpu = 2;
        mem = 3072;
        hypervisor = "qemu";
        interfaces = [
          {
            type = "tap";
            id = serviceCfg.interface.id;
            mac = serviceCfg.interface.mac;
          }
          {
            type = "user";
            id = serviceCfg.interface.idUser;
            mac = serviceCfg.interface.macUser;
          }
        ];
        forwardPorts = [
          {
            from = "host";
            host.port = serviceCfg.interface.ssh;
            guest.port = 22;
          }
        ];
        shares = [
          {
            mountPoint = "/nix/.ro-store";
            proto = "virtiofs";
            source = "/nix/store";
            tag = "read_only_nix_store";
          }
          {
            mountPoint = "/var/lib/${serviceCfg.name}";
            proto = "virtiofs";
            source = "${serviceCfg.mntPaths.path0}/data";
            tag = "${serviceCfg.name}_data";
          }
          {
            mountPoint = "/var/lib/postgresql";
            proto = "virtiofs";
            source = "${serviceCfg.mntPaths.path0}/database";
            tag = "${serviceCfg.name}_database";
          }
          {
            mountPoint = "/run/secrets";
            proto = "virtiofs";
            source = "/run/secrets/${serviceCfg.name}";
            tag = "host_secrets";
          }
        ];
      };
    };
  };
@ -193,6 +214,8 @@ in
  systemd.tmpfiles.rules = [
    "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
    # "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
    # "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
  ];
  sops = {
--- a/modules/nixos/guests/forgejo/default.nix
+++ b/modules/nixos/guests/forgejo/default.nix
@ -34,12 +34,8 @@ in
          ${serviceCfg.name} = {
            enable = true;
            lfs.enable = true;
            database = {
              type = "postgres";
            };
            secrets = {
              mailer.PASSWD = "/run/secrets/smtp";
              database.PASSWD = "/run/secrets/database";
            };
            settings = {
              server = {
@ -48,7 +44,7 @@ in
                HTTP_PORT = serviceCfg.ports.port0;
              };
              # If you need to start from scratch, don't forget to turn this off again
-              service.DISABLE_REGISTRATION = false;
+              service.DISABLE_REGISTRATION = true;
              actions = {
                ENABLED = true;
                DEFAULT_ACTIONS_URL = "github";
@ -76,17 +72,6 @@ in
              PermitRootLogin = "prohibit-password";
            };
          };
          postgresql = {
            enable = true;
            ensureDatabases = [ serviceCfg.name ];
            ensureUsers = [
              {
                name = serviceCfg.name;
                ensureDBOwnership = true;
              }
            ];
          };
        };
        networking.firewall.allowedTCPPorts = [
@ -128,7 +113,7 @@ in
          tmpfiles.rules = [
            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
-            "Z /var/lib/postgresql 0755 postgres postgres -"
+            # "Z /var/lib/postgresql 0755 postgres postgres -"
          ];
        };
@ -167,15 +152,9 @@ in
            {
              mountPoint = "/var/lib/${serviceCfg.name}";
              proto = "virtiofs";
-              source = "${serviceCfg.mntPaths.path0}/data";
+              source = "${serviceCfg.mntPaths.path0}";
              tag = "${serviceCfg.name}_data";
            }
            {
              mountPoint = "/var/lib/postgresql";
              proto = "virtiofs";
              source = "${serviceCfg.mntPaths.path0}/database";
              tag = "${serviceCfg.name}_database";
            }
            {
              mountPoint = "/run/secrets";
              proto = "virtiofs";
@ -189,9 +168,7 @@ in
  };
  systemd.tmpfiles.rules = [
-    "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
+    "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
    "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
  ];
  services.caddy.virtualHosts."${host}" = {
@ -211,9 +188,5 @@ in
      owner = "root";
      mode = "0600";
    };
    "${serviceCfg.name}/database" = {
      owner = "root";
      mode = "0600";
    };
  };
 }
--- a/modules/nixos/services/mastodon/config/chars.patch
+++ b/modules/nixos/services/mastodon/config/chars.patch
--- a/modules/nixos/services/mastodon/config/twitter.txt
+++ b/modules/nixos/services/mastodon/config/twitter.txt
--- a/modules/nixos/guests/mastodon/default.nix
+++ b/modules/nixos/guests/mastodon/default.nix
@ -0,0 +1,323 @@
 {
  flake,
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (flake.config.people) user0;
  inherit (flake.config.services) instances;
  serviceCfg = flake.config.services.instances.mastodon;
  smtpCfg = flake.config.services.instances.smtp;
  hostCfg = flake.config.services.instances.web;
  host = serviceCfg.domains.url0;
  dns0 = instances.web.dns.provider0;
  dns0Path = "dns/${dns0}";
 in
 {
  # If you need to start fresh for some reason, run these to create the new Admin account:
  # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
  # sudo -u mastodon mastodon-tootctl accounts approve nick
  # If you fuck up and lose the password, use this:
  # sudo mastodon-tootctl accounts modify --reset-password nick
  # If you really fuck up and name yourself wrong, use this shit
  # sudo mastodon-tootctl accounts modify username --remove-role
  # nixpkgs.overlays = [
  #   (
  #     final: prev: {
  #       mastodon = prev.mastodon.overrideAttrs (oldAttrs: {
  #         postPatch =
  #           (oldAttrs.postPatch or "")
  #           + ''
  #             patch -p1 < ${./chars.patch}
  #           '';
  #       });
  #     }
  #   )
  # ];
  microvm.vms = {
    ${serviceCfg.name} = {
      autostart = true;
      restartIfChanged = true;
      config = {
        system.stateVersion = "24.05";
        time.timeZone = "America/Winnipeg";
        users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
        services = {
          ${serviceCfg.name} = {
            enable = true;
            localDomain = host;
            secretKeyBaseFile = "/run/secrets/pass";
            streamingProcesses = 7;
            trustedProxy = hostCfg.localhost.address1;
            automaticMigrations = true;
            database = {
              createLocally = true;
              name = serviceCfg.name;
              host = "/run/postgresql";
              user = serviceCfg.name;
              passwordFile = "/run/secrets/database";
            };
            extraConfig = {
              SINGLE_USER_MODE = "true";
              SMTP_AUTH_METHOD = "plain";
              SMTP_DELIVERY_METHOD = "smtp";
              SMTP_ENABLE_STARTTLS_AUTO = "true";
              SMTP_SSL = "false";
            };
            mediaAutoRemove = {
              enable = true;
              olderThanDays = 14;
            };
            redis = {
              createLocally = true;
              enableUnixSocket = true;
            };
            sidekiqThreads = 25;
            sidekiqProcesses = {
              all = {
                jobClasses = [
                ];
                threads = null;
              };
              default = {
                jobClasses = [
                  "default"
                ];
                threads = 5;
              };
              ingress = {
                jobClasses = [
                  "ingress"
                ];
                threads = 5;
              };
              push-pull = {
                jobClasses = [
                  "push"
                  "pull"
                ];
                threads = 5;
              };
              mailers = {
                jobClasses = [
                  "mailers"
                ];
                threads = 5;
              };
            };
            smtp = {
              authenticate = true;
              createLocally = false;
              fromAddress = "upRootNutrition <${smtpCfg.email.address1}>";
              host = smtpCfg.hostname;
              passwordFile = "/run/secrets/smtp";
              port = smtpCfg.ports.port1;
              user = smtpCfg.email.address1;
            };
          };
          caddy = {
            virtualHosts = {
              "${serviceCfg.interface.ip}" = {
                extraConfig = ''
                  handle_path /system/* {
                    file_server * {
                      root /var/lib/mastodon/public-system
                    }
                  }
                  handle /api/v1/streaming/* {
                    reverse_proxy unix//run/mastodon-streaming/streaming.socket
                  }
                  route * {
                    file_server * {
                      root ${pkgs.mastodon}/public
                      pass_thru
                    }
                    reverse_proxy * unix//run/mastodon-web/web.socket
                  }
                  tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
                  handle_errors {
                    root * ${pkgs.mastodon}/public
                    rewrite 500.html
                    file_server
                  }
                  encode gzip
                  header /* {
                    Strict-Transport-Security "max-age=31536000;"
                  }
                  header /emoji/* Cache-Control "public, max-age=31536000, immutable"
                  header /packs/* Cache-Control "public, max-age=31536000, immutable"
                  header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
                  header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
                '';
              };
            };
          };
          postgresql = {
            enable = true;
          };
          openssh = {
            enable = true;
            settings = {
              PasswordAuthentication = false;
              PermitRootLogin = "prohibit-password";
            };
          };
        };
        users.users.${serviceCfg.name}.extraGroups = [
          "postgres"
        ];
        networking.firewall.allowedTCPPorts = [
          22 # SSH
          80 # Caddy
          25 # SMTP
          139 # SMTP
          587 # SMTP
          2525 # SMTP
          5432 # Postgres
        ];
        fileSystems."/tmp" = {
          device = "tmpfs";
          fsType = "tmpfs";
          options = [
            "size=4G"
            "mode=1777"
          ];
        };
        systemd = {
          services = {
            systemd-networkd.wantedBy = [ "multi-user.target" ];
            caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [
              "/var/lib/caddy"
              "/run/mastodon-web"
            ];
          };
          network = {
            enable = true;
            networks."20-lan" = {
              matchConfig.Name = "enp0s5";
              addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
              routes = [
                {
                  Destination = "${hostCfg.localhost.address1}/0";
                  Gateway = serviceCfg.interface.gate;
                }
              ];
              dns = [
                "1.1.1.1"
                "8.8.8.8"
              ];
            };
          };
          tmpfiles.rules = [
            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
          ];
        };
        microvm = {
          vcpu = 2;
          mem = 3072;
          hypervisor = "qemu";
          interfaces = [
            {
              type = "tap";
              id = serviceCfg.interface.id;
              mac = serviceCfg.interface.mac;
            }
            {
              type = "user";
              id = serviceCfg.interface.idUser;
              mac = serviceCfg.interface.macUser;
            }
          ];
          forwardPorts = [
            {
              from = "host";
              host.port = serviceCfg.interface.ssh;
              guest.port = 22;
            }
          ];
          shares = [
            {
              mountPoint = "/nix/.ro-store";
              proto = "virtiofs";
              source = "/nix/store";
              tag = "read_only_nix_store";
            }
            {
              mountPoint = "/var/lib/${serviceCfg.name}";
              proto = "virtiofs";
              source = "${serviceCfg.mntPaths.path0}";
              tag = "${serviceCfg.name}_data";
            }
            {
              mountPoint = "/run/secrets";
              proto = "virtiofs";
              source = "/run/secrets/${serviceCfg.name}";
              tag = "host_secrets";
            }
          ];
        };
      };
    };
  };
  sops = {
    secrets = builtins.listToAttrs (
      map
        (secret: {
          name = "${serviceCfg.name}/${secret}";
          value = {
            owner = "root";
            mode = "0600";
          };
        })
        [
          "smtp"
          "database"
          "redis"
          "pass"
        ]
    );
  };
  systemd.tmpfiles.rules = [
    "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
  ];
  services.caddy.virtualHosts."${host}" = {
    extraConfig = ''
      reverse_proxy ${serviceCfg.interface.ip}:80
      tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
      encode zstd gzip
    '';
  };
  users.users.caddy.extraGroups = [ "acme" ];
  security.acme.certs."${host}" = {
    dnsProvider = dns0;
    environmentFile = config.sops.secrets.${dns0Path}.path;
    group = "caddy";
  };
 }
--- a/modules/nixos/guests/vaultwarden/default.nix
+++ b/modules/nixos/guests/vaultwarden/default.nix
@ -144,7 +144,7 @@ in
              mountPoint = "/var/lib/bitwarden_rs";
              proto = "virtiofs";
              source = serviceCfg.mntPaths.path0;
-              tag = "vaultwarden_data";
+              tag = "${serviceCfg.name}_data";
            }
            {
              mountPoint = "/run/secrets";
--- a/modules/nixos/services/mastodon/default.nix
+++ b/modules/nixos/services/mastodon/default.nix
@ -1,214 +0,0 @@
 {
  flake,
  config,
  pkgs,
  lib,
  ...
 }:
 let
  inherit (flake.config.machines.devices)
    ceres
    ;
  inherit (flake.config.services.instances) smtp mastodon web;
  service = mastodon;
  host = service.domains.url0;
  localhost = web.localhost.address0;
 in
 {
  # If you need to start fresh for some reason, run these to create the new Admin account:
  # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
  # sudo -u mastodon mastodon-tootctl accounts approve nick
  # If you fuck up and lose the password, use this:
  # sudo mastodon-tootctl accounts modify --reset-password nick
  # If you really fuck up and name yourself wrong, use this shit
  # sudo mastodon-tootctl accounts modify username --remove-role
  # nixpkgs.overlays = [
  #   (
  #     final: prev: {
  #       mastodon = prev.mastodon.overrideAttrs (oldAttrs: {
  #         postPatch =
  #           (oldAttrs.postPatch or "")
  #           + ''
  #             patch -p1 < ${./chars.patch}
  #           '';
  #       });
  #     }
  #   )
  # ];
  services = {
    mastodon = {
      enable = true;
      localDomain = host;
      secretKeyBaseFile = "/var/lib/mastodon/secrets/secret-key-base";
      streamingProcesses = 7;
      trustedProxy = localhost;
      automaticMigrations = true;
      database = {
        createLocally = true;
        name = service.name;
        host = "/run/postgresql";
        user = service.name;
        passwordFile = config.sops.secrets."${service.name}-database".path;
      };
      extraConfig = {
        SINGLE_USER_MODE = "true";
        SMTP_AUTH_METHOD = "plain";
        SMTP_DELIVERY_METHOD = "smtp";
        SMTP_ENABLE_STARTTLS_AUTO = "true";
        SMTP_SSL = "false";
      };
      mediaAutoRemove = {
        enable = true;
        olderThanDays = 14;
      };
      redis = {
        createLocally = true;
        enableUnixSocket = true;
      };
      sidekiqThreads = 25;
      sidekiqProcesses = {
        all = {
          jobClasses = [
          ];
          threads = null;
        };
        default = {
          jobClasses = [
            "default"
          ];
          threads = 5;
        };
        ingress = {
          jobClasses = [
            "ingress"
          ];
          threads = 5;
        };
        push-pull = {
          jobClasses = [
            "push"
            "pull"
          ];
          threads = 5;
        };
        mailers = {
          jobClasses = [
            "mailers"
          ];
          threads = 5;
        };
      };
      smtp = {
        authenticate = true;
        createLocally = false;
        fromAddress = "upRootNutrition <${smtp.email.address1}>";
        host = smtp.hostname;
        passwordFile = config.sops.secrets."${service.name}-smtp".path;
        port = smtp.ports.port1;
        user = smtp.email.address1;
      };
    };
    caddy = {
      virtualHosts = {
        "${host}" = {
          extraConfig = ''
            handle_path /system/* {
              file_server * {
                root /var/lib/mastodon/public-system
              }
            }
            handle /api/v1/streaming/* {
              reverse_proxy unix//run/mastodon-streaming/streaming.socket
            }
            route * {
              file_server * {
                root ${pkgs.mastodon}/public
                pass_thru
              }
              reverse_proxy * unix//run/mastodon-web/web.socket
            }
            tls ${service.ssl.cert} ${service.ssl.key}
            handle_errors {
              root * ${pkgs.mastodon}/public
              rewrite 500.html
              file_server
            }
            encode gzip
            header /* {
              Strict-Transport-Security "max-age=31536000;"
            }
            header /emoji/* Cache-Control "public, max-age=31536000, immutable"
            header /packs/* Cache-Control "public, max-age=31536000, immutable"
            header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
            header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
          '';
        };
      };
    };
  };
  systemd.services.caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [
    "/var/lib/caddy"
    "/run/mastodon-web"
  ];
  sops =
    let
      sopsPath = secret: {
        path = "${service.sops.path0}/${service.name}-${secret}";
        owner = service.name;
        mode = "600";
      };
    in
    {
      secrets = builtins.listToAttrs (
        map
          (secret: {
            name = "${service.name}-${secret}";
            value = sopsPath secret;
          })
          [
            "smtp"
            "database"
            "redis"
          ]
      );
    };
  fileSystems."/var/lib/${service.name}" = {
    device = service.paths.path0;
    fsType = "none";
    options = [
      "bind"
    ];
    depends = [
      ceres.storage0.mount
    ];
  };
  systemd.tmpfiles.rules = [
    "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
    "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
  ];
  users.users.${service.name}.extraGroups = [
    "postgres"
  ];
  networking = {
    firewall = {
      allowedTCPPorts = [
      ];
    };
  };
 }
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -6,9 +6,11 @@ network:
    server: ENC[AES256_GCM,data:EFsmXNkuf5OAMh8hjfZTixmmdjqBNIME9JjQC8azeCwcMVInm8bWdxE4OqFmxOk9MAU=,iv:pI6WeM2aQC+7vx1Xmp5O2rikqNLgzuEOg+Lo7TqFQxU=,tag:ElcA8mn9dx+IjIf38nKT5A==,type:str]
    fallaryn: ENC[AES256_GCM,data:O77hH3STB6zpl0b9iXsVu9OOrlLKUwfs2qI9hdqX4kMuBs3XgT/xsQ==,iv:RDKsuJoy+LIyADMc3bgOEmLKdXtu6kad2aeVetuZdJI=,tag:MrpCZ+iJUnGIjeHMgcYG6Q==,type:str]
    garnet: ENC[AES256_GCM,data:N8sAdjTAiubQihKrtdCkaJQBKkz6/kNdeATiaZXRhlP/HLg7zg==,iv:8QP1HnGSUGHpkwBwQY2Z0gZ6tYaK7XzMuxXexY6QQaU=,tag:fHzPh9lvqB2BmuSkVH5Ojg==,type:str]
-mastodon-smtp: ENC[AES256_GCM,data:GKowwVH7eqZRqJPg+J8q3rJpArtLHs4xdzMMWAFobOU=,iv:alviX07JoGIPDKjFy/SfqfVHMyO38E9AMWV62bOCZpA=,tag:ivOmAjrniHweFPFiwnJJBw==,type:str]
+mastodon:
-mastodon-database: ENC[AES256_GCM,data:qPOU8yGqEQWuMJ4E/fCc+vfKp+YZONb17ZIDHXYZ9RY=,iv:HzVd2ptZBtpRA/XA593WTNL3xJx97hvNx49zIZPBlhQ=,tag:KGZ7Mw2M5O9DBhB+fv+w1Q==,type:str]
+    smtp: ENC[AES256_GCM,data:ey1fq4e/V2rmY/PRvopbFkBFt2SNb0UERCu4pUf0iOpW,iv:dNl+cm2zkas48I9lUyYss5lMWBi9EEiqaeefuE49V7w=,tag:zucvfmY84B25SGS4vYr91Q==,type:str]
-mastodon-redis: ENC[AES256_GCM,data:aEEOGmyLin80X1uNiLLIuCSGlGjYX9vOl45GuxwlJqE=,iv:3qaZAqwm6tLnB1vCtZ2ZotaZO4/XmQKLe/I+pzqbJj0=,tag:K1y1QoLgGRvi8oJrzcakhQ==,type:str]
+    database: ENC[AES256_GCM,data:dYdLk9s4xZjHaIZCiKvLf/7HbcHVdMOk69JzYmXkX4lf,iv:IJKSR47LR08OuzPJZmfQnVUyOSjtUEmv0c/sGT9eIws=,tag:KUtW8ZKoZHBKvixVLYkNrQ==,type:str]
    redis: ENC[AES256_GCM,data:lrbTQAuay170fXNUGooG7bJg5lROItwUrnlKYBalo7Zp,iv:osaPJhqOpT5fm4ZYP7rbn0y/jzCfOu8+iPwO8KhRkuM=,tag:ByQjwCT7MtJjgpGWNAoffA==,type:str]
    pass: ENC[AES256_GCM,data:VlWIQQK89E4FaIUNXu1+sPuEbSQIVdYeGVWt8eztCMpikVsmeFd+G3XxS1Zm76m0tNFZjF7oHILpCudHU4M8k810ePwadcUOiglCP4P2Dkn1vrrB384T5Ed9gn8NHo3S1HlXczsNKmy6j8fP2CNKSb8Mar5VQBbajqryA73bB9pI,iv:EvlNrU4ImdYe5/HQytXCxqDui3Df3oIcC1vLkor7be4=,tag:lnkyjWHyEUTWPVqjwYx+cg==,type:str]
 peertube-smtp: ENC[AES256_GCM,data:rYwL0RNVvC9DUsSRJ5WpLX3VqT4zHYarxSe/tdRBHqs=,iv:cQKRbxdMOF+g84djLZcOk3hMYifucO+r0JxV8EnRjro=,tag:ZnN/LmQ/A3FR4bdJ9DYoEw==,type:str]
 peertube-database: ENC[AES256_GCM,data:nm0bHwTcT+ROZc2BC9jx+tXWjZ3689rdn4fdYW+7JTU=,iv:EeQVBAIXPut9gs+I9WpRf7L3f7ACTeTWycUFIKAneKk=,tag:QjGQmZ3zMAgB/WDbxTZVIQ==,type:str]
 peertube-redis: ENC[AES256_GCM,data:SQoPzPjgf4YN9dhvO0wo2DEra7cTgfZBx4vCBpNVSXI=,iv:mcCwYtE9E/Mb4V0j9NnU9WhaUMeBpX7BOcc8HGDiEvI=,tag:CsSiS4peZhnZ22uNtUC44w==,type:str]
@ -46,7 +48,7 @@ caddy:
    comfyui-auth: ENC[AES256_GCM,data:YkHxbW/0zTmnrggXKl2jNO4OnBaepmCwB3ZC6d8MPIKf8snWJzAvTq5+X5ABzziwKaypHRTcS6vuNntxKrrD8DS7hX9DqVCZc5WeFHI6S5VzHh3SprW2MF4E8nm4Hj+VHoKGmRSSOU1cfX3J,iv:v0Pid0BCY2QsMNaahBvJd4WWZD115JDLHlOCQvPiaGU=,tag:gpsAgt052NoOyIa9WqJXyg==,type:str]
 wifi-home: ENC[AES256_GCM,data:5NYSCUyalDf7gZF7WaRQJCo=,iv:RkVZKsmVEBg5M28DSkBD41673iLM+dqDAAhSwjqejck=,tag:QQ17VSWOnU0bGglZq6455Q==,type:str]
 firefly-iii:
-    pass: ENC[AES256_GCM,data:e7uOZ284bAmokWolrRq81mEguMovZDd9D/7Sr8BwIR6U1Ea/qPfErPgdUEw6OGdQLmmaHg==,iv:2QyCe7cKpys4CEtnNKOBxRA0jo6u2OFU9xeiKnO4myc=,tag:WKCopzEN8+xmAIvla8hqtQ==,type:str]
+    pass: ENC[AES256_GCM,data:WjHcoTuEzEq9pfw4QoqRjI4jhu5VPEMOXlHL0olg9dqUj4EGa1Shv5T/kIxdRFuao0y3zQ==,iv:4/fmFOxxDLzplsNGpSJMQOeoNviZw2c2pFlB1ZkRu+o=,tag:7TQ2q/kEFDU4tZxPx53ebw==,type:str]
    data: ENC[AES256_GCM,data:921LhcRTWVk24eEAQoDMV+RllSP3PbSXCCIDXlQA80Mq,iv:YXEgas77DgdyPTnBZa/ySjcERBIwmdDZJbijeNKNF24=,tag:Wj25wA7tLJ2bZ/faG9DUhg==,type:str]
    smtp: ENC[AES256_GCM,data:+e4MiRZ2WOZyWYpMf+By1Eb45ih4TA+svLI2+00yQk82,iv:+52+kJouMwkOSDEaOCA8V80+wT/VzNxgtCkOO68SCdk=,tag:YrtrJAXIhQpsUTEeYvrVwQ==,type:str]
 password-user0: ENC[AES256_GCM,data:VKrySmPAKh3UwCQXJS0EnOPPLDrigWtw5g4WMbSGz/VRtbzlQxMIgs42c/8NnHiqr98ifWy7u9c280oo7SrHhQmEOOvxfITQ9A==,iv:toGkVKCjsmtPP5Ukk/q8kPSmJo3FcTAyj2vcIEkHmU0=,tag:Nhucsk1kgx7zDZZQKycKZQ==,type:str]
@ -61,7 +63,7 @@ sops:
            bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
            aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-11T03:26:53Z"
+    lastmodified: "2025-11-11T06:59:50Z"
-    mac: ENC[AES256_GCM,data:Wsc9G4UIX/GfuYdHgf/rMqHNJBKFQp4/pp13IJhFXyONxullcHqH5qZBophGen9loRhaRTLVglRDVPEfQwisFJHIDu6yQ7A2YLLVl5oZ5GB2jkUxK/hnw5FqQG5NTaoAls150niyDQchTe0GO7YzEamIucnJwkiUVsc0+7ZGED4=,iv:ZOk64KSwjvN28stBE3xJu4oxSCyVhTsJnqBeliHUyp8=,tag:IhQeULWdFBuIvqGy9SEcTQ==,type:str]
+    mac: ENC[AES256_GCM,data:EJ9lYBbFiYH8pzrnxap05Xj0CgdzxCPoCqq7fCgrJrlngHP8IP6WoAtFpnWfYGa6hDCY0W+RDSzAc3yReYS7tGuGLkCKcPhC/h9boEADPNEEoCnmV0uimeVDIFj0o1as00q2Mzaz5FRJGzpRkjaIT+YjQfaRGcjlBGobjFHFHKQ=,iv:G8iu/sX6hvrc3TuoE2X6X2TUGDyFTPIVILb+n36KETY=,tag:9nHq03Z0iIMtF1qnMhAHMA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0