feat: finally got mastodon working

2025-12-06 21:17:14 -06:00 · 2025-11-17 02:26:07 -06:00 · 2025-11-17 02:26:07 -06:00 · 83aab0bc63
commit 83aab0bc63
parent 2fc17f3539
2 changed files with 65 additions and 94 deletions
--- a/modules/nixos/guests/mastodon/default.nix
+++ b/modules/nixos/guests/mastodon/default.nix
@ -52,16 +52,16 @@ in
          ${serviceCfg.name} = {
            enable = true;
            localDomain = host;
-            secretKeyBaseFile = "/run/mastodon-secrets/pass";
+            secretKeyBaseFile = "/etc/mastodon-secrets/pass";
            streamingProcesses = 7;
-            trustedProxy = hostCfg.localhost.address1;
+            trustedProxy = hostCfg.localhost.address0;
            automaticMigrations = true;
            database = {
              createLocally = true;
              name = serviceCfg.name;
              host = "/run/postgresql";
              user = serviceCfg.name;
-              passwordFile = "/run/mastodon-secrets/database";
+              passwordFile = "/etc/mastodon-secrets/database";
            };
            extraConfig = {
              SINGLE_USER_MODE = "true";
@ -116,7 +116,7 @@ in
              createLocally = false;
              fromAddress = "upRootNutrition <${smtpCfg.email.address1}>";
              host = smtpCfg.hostname;
-              passwordFile = "/run/mastodon-secrets/smtp";
+              passwordFile = "/etc/mastodon-secrets/smtp";
              port = smtpCfg.ports.port1;
              user = smtpCfg.email.address1;
            };
@ -134,7 +134,10 @@ in
                  }
                  handle /api/v1/streaming/* {
-                    reverse_proxy unix//run/mastodon-streaming/streaming.socket
+                    reverse_proxy unix//run/mastodon-streaming/streaming.socket {
                      header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
                      header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
                    }
                  }
                  route * {
@ -142,7 +145,10 @@ in
                      root ${pkgs.mastodon}/public
                      pass_thru
                    }
-                    reverse_proxy * unix//run/mastodon-web/web.socket
+                    reverse_proxy * unix//run/mastodon-web/web.socket {
                      header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
                      header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
                    }
                  }
                  handle_errors {
@ -198,57 +204,52 @@ in
        systemd = {
          services = {
-            systemd-networkd.wantedBy = [ "multi-user.target" ];
+            mastodon-init-dirs = {
            mastodon-web.wantedBy = [ "multi-user.target" ];
            mastodon-streaming-1.wantedBy = [ "multi-user.target" ];
            mastodon-streaming-2.wantedBy = [ "multi-user.target" ];
            mastodon-streaming-3.wantedBy = [ "multi-user.target" ];
            mastodon-streaming-4.wantedBy = [ "multi-user.target" ];
            mastodon-streaming-5.wantedBy = [ "multi-user.target" ];
            mastodon-streaming-6.wantedBy = [ "multi-user.target" ];
            mastodon-streaming-7.wantedBy = [ "multi-user.target" ];
            mastodon-sidekiq-all.wantedBy = [ "multi-user.target" ];
            mastodon-sidekiq-default.wantedBy = [ "multi-user.target" ];
            mastodon-sidekiq-ingress.wantedBy = [ "multi-user.target" ];
            mastodon-sidekiq-mailers.wantedBy = [ "multi-user.target" ];
            mastodon-sidekiq-push-pull.wantedBy = [ "multi-user.target" ];
            mastodon-init-db = {
              environment = {
                DISABLE_BOOTSNAP = "1";
              };
              serviceConfig = {
-                TimeoutStartSec = "10min";
+                PrivateMounts = lib.mkForce false;
              };
            };
-            copy-secrets-to-tmpfs = {
+            mastodon-web = {
-              description = "Copy secrets from virtiofs to tmpfs";
+              serviceConfig = {
-              wantedBy = [ "multi-user.target" ];
+                PrivateMounts = lib.mkForce false;
              };
            };
            mastodon-streaming-1 = {
              serviceConfig = {
                PrivateMounts = lib.mkForce false;
              };
            };
            mastodon-streaming-2.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-streaming-3.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-streaming-4.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-streaming-5.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-streaming-6.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-streaming-7.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-sidekiq-all.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-sidekiq-default.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-sidekiq-ingress.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-sidekiq-mailers.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-sidekiq-push-pull.serviceConfig.PrivateMounts = lib.mkForce false;
            mastodon-copy-secrets = {
              description = "Copy secrets from virtiofs to local filesystem";
              before = [ "mastodon-init-dirs.service" ];
              requiredBy = [ "mastodon-init-dirs.service" ];
              serviceConfig = {
                Type = "oneshot";
                RemainAfterExit = true;
              };
              script = ''
-                mkdir -p /run/mastodon-secrets
+                mkdir -p /etc/mastodon-secrets
-                mkdir -p /run/mastodon-web
+                cp /run/secrets/pass /etc/mastodon-secrets/pass
-                cp /run/secrets/pass /run/mastodon-secrets/pass
+                cp /run/secrets/database /etc/mastodon-secrets/database
-                cp /run/secrets/smtp /run/mastodon-secrets/smtp
+                cp /run/secrets/redis /etc/mastodon-secrets/redis
-                cp /run/secrets/database /run/mastodon-secrets/database
+                cp /run/secrets/smtp /etc/mastodon-secrets/smtp
-                cp /run/secrets/redis /run/mastodon-secrets/redis
+                chmod 755 /etc/mastodon-secrets
-                chown root:mastodon /run/mastodon-secrets/*
+                chmod 644 /etc/mastodon-secrets/*
                chmod 0640 /run/mastodon-secrets/*
                chown mastodon:mastodon /run/mastodon-web
                chmod 0755 /run/mastodon-web
              '';
            };
            caddy = {
              after = [ "copy-secrets-to-tmpfs.service" ];
              requires = [ "copy-secrets-to-tmpfs.service" ];
              serviceConfig.ReadWriteDirectories = lib.mkForce [
                "/var/lib/caddy"
                "/run/mastodon-web"
              ];
            };
          };
          network = {
            enable = true;
@ -267,10 +268,19 @@ in
              ];
            };
          };
-
+          services = {
            mastodon-init-db = {
              serviceConfig = {
                EnvironmentFile = "/var/lib/mastodon/.secrets_env";
              };
            };
            systemd-tmpfiles-setup.after = [ "var-lib-mastodon.mount" ];
          };
          tmpfiles.rules = [
-            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+            "d /var/lib/mastodon 0755 mastodon mastodon -"
            "Z /var/lib/mastodon 0755 mastodon mastodon -"
            "Z /var/lib/postgresql 0755 postgres postgres -"
            "d /var/cache/mastodon/precompile 0755 mastodon mastodon -"
          ];
        };
@ -335,7 +345,8 @@ in
          name = "${serviceCfg.name}/${secret}";
          value = {
            owner = "root";
-            mode = "0600";
+            group = "root";
            mode = "0644";
          };
        })
        [
@ -351,12 +362,15 @@ in
    "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
    "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
    "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
  ];
  services.caddy.virtualHosts."${host}" = {
    extraConfig = ''
-      reverse_proxy http://${serviceCfg.interface.ip}:80
+      reverse_proxy http://${serviceCfg.interface.ip}:80 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
      }
      tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
--- a/modules/nixos/services/owncast/default.nix
+++ b/modules/nixos/services/owncast/default.nix
@ -1,43 +0,0 @@
 { flake, ... }:
 let
  inherit (flake.config.services.instances)
    owncast
    web
    ;
  service = owncast;
  localhost = web.localhost.address1;
  host = service.domains.url0;
 in
 {
  services = {
    owncast = {
      enable = true;
      listen = localhost;
      port = service.ports.port0;
      openFirewall = true;
    };
    caddy = {
      virtualHosts = {
        "${host}" = {
          extraConfig = ''
            reverse_proxy ${localhost}:${toString service.ports.port0}
            tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };
  networking = {
    firewall = {
      allowedTCPPorts = [
        service.ports.port0
        service.ports.port1
      ];
    };
  };
  # OBS Server rtmp://192.168.50.140:1935/live
 }