diff --git a/modules/nixos/guests/mastodon/default.nix b/modules/nixos/guests/mastodon/default.nix
index 14a6dd3..5498acf 100755
--- a/modules/nixos/guests/mastodon/default.nix
+++ b/modules/nixos/guests/mastodon/default.nix
@@ -52,16 +52,16 @@ in
 ${serviceCfg.name} = {
 enable = true;
 localDomain = host;
- secretKeyBaseFile = "/run/mastodon-secrets/pass";
+ secretKeyBaseFile = "/etc/mastodon-secrets/pass";
 streamingProcesses = 7;
- trustedProxy = hostCfg.localhost.address1;
+ trustedProxy = hostCfg.localhost.address0;
 automaticMigrations = true;
 database = {
 createLocally = true;
 name = serviceCfg.name;
 host = "/run/postgresql";
 user = serviceCfg.name;
- passwordFile = "/run/mastodon-secrets/database";
+ passwordFile = "/etc/mastodon-secrets/database";
 };
 extraConfig = {
 SINGLE_USER_MODE = "true";
@@ -116,7 +116,7 @@ in
 createLocally = false;
 fromAddress = "upRootNutrition <${smtpCfg.email.address1}>";
 host = smtpCfg.hostname;
- passwordFile = "/run/mastodon-secrets/smtp";
+ passwordFile = "/etc/mastodon-secrets/smtp";
 port = smtpCfg.ports.port1;
 user = smtpCfg.email.address1;
 };
@@ -134,7 +134,10 @@ in
 }
 handle /api/v1/streaming/* {
- reverse_proxy unix//run/mastodon-streaming/streaming.socket
+ reverse_proxy unix//run/mastodon-streaming/streaming.socket {
+ header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
+ header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
+ }
 }
 route * {
@@ -142,7 +145,10 @@ in
 root ${pkgs.mastodon}/public
 pass_thru
 }
- reverse_proxy * unix//run/mastodon-web/web.socket
+ reverse_proxy * unix//run/mastodon-web/web.socket {
+ header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
+ header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
+ }
 }
 handle_errors {
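Review bot: The `secretKeyBaseFile` and `passwordFile` lines (and the SMTP `passwordFile` in the -116 hunk) move the secret copies from `/run/mastodon-secrets`, which is on tmpfs, to `/etc/mastodon-secrets` on the persistent root filesystem, so SECRET_KEY_BASE and the database password now survive reboots on disk and land in any image or backup of the guest. If the move is only there because the mastodon units could not see the tmpfs copy, keeping the copy under `/run` and fixing the unit ordering (or a `BindReadOnlyPaths` entry on the units) preserves the old property; if `/etc` is really wanted, the directory needs the 0640 root:mastodon ownership the removed copy script applied rather than the world-readable modes set later in this commit. `trustedProxy` switching from `address1` to `address0` cannot be checked from here; it has to be the address the host-side Caddy connects from, because Mastodon honours X-Forwarded-* headers from that peer. The enclosing attribute set starts before this hunk.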
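Review bot: `header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}` copies whatever X-Forwarded-Proto the connecting client presented straight through to the streaming socket, and the -142 hunk does the same for the web socket. As far as I know Caddy's reverse_proxy only preserves incoming X-Forwarded-* headers from peers listed in `trusted_proxies` and rewrites them otherwise, and an explicit `header_up` bypasses that filter, so anything able to reach this listener other than the host-side proxy could claim `https` or an arbitrary X-Forwarded-Host. If the guest listener is reachable only from the host Caddy that is fine, but it should be recorded next to the block, e.g. `# passes X-Forwarded-* through unchecked: this listener must only be reachable from the host-side Caddy`, or the pass-through should be narrowed with a `trusted_proxies` directive. The surrounding Caddyfile block starts before the hunk.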
@@ -198,57 +204,52 @@ in
 systemd = {
 services = {
- systemd-networkd.wantedBy = [ "multi-user.target" ];
- mastodon-web.wantedBy = [ "multi-user.target" ];
- mastodon-streaming-1.wantedBy = [ "multi-user.target" ];
- mastodon-streaming-2.wantedBy = [ "multi-user.target" ];
- mastodon-streaming-3.wantedBy = [ "multi-user.target" ];
- mastodon-streaming-4.wantedBy = [ "multi-user.target" ];
- mastodon-streaming-5.wantedBy = [ "multi-user.target" ];
- mastodon-streaming-6.wantedBy = [ "multi-user.target" ];
- mastodon-streaming-7.wantedBy = [ "multi-user.target" ];
- mastodon-sidekiq-all.wantedBy = [ "multi-user.target" ];
- mastodon-sidekiq-default.wantedBy = [ "multi-user.target" ];
- mastodon-sidekiq-ingress.wantedBy = [ "multi-user.target" ];
- mastodon-sidekiq-mailers.wantedBy = [ "multi-user.target" ];
- mastodon-sidekiq-push-pull.wantedBy = [ "multi-user.target" ];
- mastodon-init-db = {
- environment = {
- DISABLE_BOOTSNAP = "1";
- };
+ mastodon-init-dirs = {
 serviceConfig = {
- TimeoutStartSec = "10min";
+ PrivateMounts = lib.mkForce false;
 };
 };
- copy-secrets-to-tmpfs = {
- description = "Copy secrets from virtiofs to tmpfs";
- wantedBy = [ "multi-user.target" ];
+ mastodon-web = {
+ serviceConfig = {
+ PrivateMounts = lib.mkForce false;
+ };
+ };
+ mastodon-streaming-1 = {
+ serviceConfig = {
+ PrivateMounts = lib.mkForce false;
+ };
+ };
+ mastodon-streaming-2.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-streaming-3.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-streaming-4.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-streaming-5.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-streaming-6.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-streaming-7.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-sidekiq-all.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-sidekiq-default.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-sidekiq-ingress.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-sidekiq-mailers.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-sidekiq-push-pull.serviceConfig.PrivateMounts = lib.mkForce false;
+ mastodon-copy-secrets = {
+ description = "Copy secrets from virtiofs to local filesystem";
 before = [ "mastodon-init-dirs.service" ];
+ requiredBy = [ "mastodon-init-dirs.service" ];
+ serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };
+ script = ''
- mkdir -p /run/mastodon-secrets
- mkdir -p /run/mastodon-web
- cp /run/secrets/pass /run/mastodon-secrets/pass
- cp /run/secrets/smtp /run/mastodon-secrets/smtp
- cp /run/secrets/database /run/mastodon-secrets/database
- cp /run/secrets/redis /run/mastodon-secrets/redis
- chown root:mastodon /run/mastodon-secrets/*
- chmod 0640 /run/mastodon-secrets/*
- chown mastodon:mastodon /run/mastodon-web
- chmod 0755 /run/mastodon-web
+ mkdir -p /etc/mastodon-secrets
+ cp /run/secrets/pass /etc/mastodon-secrets/pass
+ cp /run/secrets/database /etc/mastodon-secrets/database
+ cp /run/secrets/redis /etc/mastodon-secrets/redis
+ cp /run/secrets/smtp /etc/mastodon-secrets/smtp
+ chmod 755 /etc/mastodon-secrets
+ chmod 644 /etc/mastodon-secrets/*
 '';
 };
- caddy = {
- after = [ "copy-secrets-to-tmpfs.service" ];
- requires = [ "copy-secrets-to-tmpfs.service" ];
- serviceConfig.ReadWriteDirectories = lib.mkForce [
- "/var/lib/caddy"
- "/run/mastodon-web"
- ];
- };
 };
 network = {
 enable = true;
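Review bot: `chmod 755 /etc/mastodon-secrets` and `chmod 644 /etc/mastodon-secrets/*` in the new copy script make SECRET_KEY_BASE and the database, Redis and SMTP passwords readable by every local account on the guest, whereas the removed script kept them at 0640 root:mastodon, which is all the mastodon units need. Replace the two chmod lines with `chown root:mastodon /etc/mastodon-secrets /etc/mastodon-secrets/*`, `chmod 0750 /etc/mastodon-secrets` and `chmod 0640 /etc/mastodon-secrets/*`. The blanket `PrivateMounts = lib.mkForce false` on all fourteen units also drops the mount-namespace hardening the upstream module applies; presumably it is here so the units see the `var-lib-mastodon.mount` filesystem referenced later in this commit, in which case `unitConfig.RequiresMountsFor = "/var/lib/mastodon"` orders them after the mount without giving up the isolation — verify against the mount unit, which is not visible here. Either way the reason should be stated in a comment above the first `PrivateMounts` override, since nothing in the hunk explains it.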
@@ -267,10 +268,19 @@ in
 ];
 };
 };
-
+ services = {
+ mastodon-init-db = {
+ serviceConfig = {
+ EnvironmentFile = "/var/lib/mastodon/.secrets_env";
+ };
+ };
+ systemd-tmpfiles-setup.after = [ "var-lib-mastodon.mount" ];
+ };
 tmpfiles.rules = [
- "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+ "d /var/lib/mastodon 0755 mastodon mastodon -"
+ "Z /var/lib/mastodon 0755 mastodon mastodon -"
 "Z /var/lib/postgresql 0755 postgres postgres -"
+ "d /var/cache/mastodon/precompile 0755 mastodon mastodon -"
 ];
 };
@@ -335,7 +345,8 @@ in
 name = "${serviceCfg.name}/${secret}";
 value = {
 owner = "root";
- mode = "0600";
+ group = "root";
+ mode = "0644";
 };
 }) [
@@ -351,12 +362,15 @@ in
 "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
 "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
 "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
-
 ];
 services.caddy.virtualHosts."${host}" = {
 extraConfig = ''
- reverse_proxy http://${serviceCfg.interface.ip}:80
+ reverse_proxy http://${serviceCfg.interface.ip}:80 {
+ header_up X-Forwarded-Proto {scheme}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ }
 tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
diff --git a/modules/nixos/services/owncast/default.nix b/modules/nixos/services/owncast/default.nix
deleted file mode 100755
index 84654e0..0000000
--- a/modules/nixos/services/owncast/default.nix
+++ /dev/null
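Review bot: `EnvironmentFile = "/var/lib/mastodon/.secrets_env"` names a file inside the tree that the `"Z /var/lib/mastodon 0755 mastodon mastodon -"` rule a few lines below normalizes recursively, so once that file exists its mode is forced to 0755 on every boot and whatever secrets it carries become readable by any local account on the guest. Add a narrower rule for the file itself, e.g. `"z /var/lib/mastodon/.secrets_env 0600 mastodon mastodon -"` (and check that tmpfiles applies it after the recursive `Z`), or keep the file outside the `Z`-managed tree; I cannot see where `.secrets_env` is written, so its producer should set a tight mode as well. The `systemd-tmpfiles-setup.after = [ "var-lib-mastodon.mount" ]` ordering appears to exist so the `d`/`Z` rules act on the mounted filesystem rather than the bare mount point, which deserves a one-line comment. The enclosing `systemd` attribute set begins before this hunk.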
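Review bot: `mode = "0644"` together with `group = "root"` makes every decrypted secret under `${serviceCfg.name}/` world-readable on the host, where the previous `0600` restricted them to root. If the intent is to let the process that exports them into the guest read them (the `microvm` user owning the mount directories in the -351 hunk looks like the candidate), grant that with `group = "microvm"; mode = "0640";` instead of opening the files to all host users. I cannot see which secrets backend consumes these attributes, so confirm it honours `group`. The `map` producing these entries begins and ends outside the hunk.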
@@ -1,43 +0,0 @@
-{ flake, ... }:
-let
- inherit (flake.config.services.instances)
- owncast
- web
- ;
- service = owncast;
- localhost = web.localhost.address1;
- host = service.domains.url0;
-in
-{
- services = {
- owncast = {
- enable = true;
- listen = localhost;
- port = service.ports.port0;
- openFirewall = true;
- };
-
- caddy = {
- virtualHosts = {
- "${host}" = {
- extraConfig = ''
- reverse_proxy ${localhost}:${toString service.ports.port0}
-
- tls ${service.ssl.cert} ${service.ssl.key}
- '';
- };
- };
- };
- };
-
- networking = {
- firewall = {
- allowedTCPPorts = [
- service.ports.port0
- service.ports.port1
- ];
- };
- };
-
- # OBS Server rtmp://192.168.50.140:1935/live
-}