201 lines
5.7 KiB
Nix
201 lines
5.7 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
let
|
|
secrets = import ./secrets.nix;
|
|
|
|
mastodon-lor-sh = pkgs.mastodon.override {
|
|
srcOverride = pkgs.applyPatches {
|
|
src = pkgs.fetchgit {
|
|
url = "https://github.com/mastodon/mastodon.git";
|
|
rev = "v${pkgs.mastodon.version}";
|
|
# sha256 mismatch will not allow automatic updates on every
|
|
# new Mastodon release. We don't want to have problems with
|
|
# updated dependencies in the unstable channel.
|
|
sha256 = "sha256-a3EpeTQBCP+J4Gde/iixcg3VUhZbw4DwbZp8GDRAzAI=";
|
|
};
|
|
patches = [
|
|
./patches/logo.patch
|
|
./patches/app-icon.patch
|
|
./patches/logo-symbol-wordmark.patch
|
|
./patches/mascot.patch
|
|
|
|
./patches/add-tango-theme.patch
|
|
./patches/add-merveilles-theme.patch
|
|
./patches/add-black-theme.patch
|
|
./patches/themes-config.patch
|
|
./patches/fix-mastodon-light-highlight-color.patch
|
|
|
|
./patches/fix-character-limit.patch
|
|
./patches/max-toot-chars-api.patch
|
|
|
|
./patches/simple-form.patch
|
|
./patches/not-so-scary-500.patch
|
|
];
|
|
postPatch = (import ./branding.nix { pkgs = pkgs; }).branding;
|
|
};
|
|
};
|
|
|
|
sidekiq-manager = pkgs.writers.writePython3 "sidekiq-manager" {} ''
|
|
from itertools import permutations
|
|
from subprocess import Popen
|
|
|
|
|
|
def sidekiq(queues, connections=16):
|
|
mastodon = "${mastodon-lor-sh}"
|
|
cmd = [f"{mastodon}/bin/sidekiq", "-r", mastodon]
|
|
cmd += ["-c", f"{connections}"]
|
|
for q in queues:
|
|
cmd += ['-q', q]
|
|
return Popen(cmd)
|
|
|
|
|
|
procs = [sidekiq(['mailers', 'pull', 'scheduler'])]
|
|
|
|
queues = ['default', 'push', 'ingress']
|
|
procs += [sidekiq(qs) for qs in permutations(queues)]
|
|
|
|
for p in procs:
|
|
p.wait()
|
|
'';
|
|
|
|
s3cmd = pkgs.writeShellScript "s3cmd" ''
|
|
${pkgs.s3cmd}/bin/s3cmd \
|
|
--access_key='${secrets.backup.accessKey}' \
|
|
--secret_key='${secrets.backup.secretKey}' \
|
|
--host='${secrets.backup.host}' \
|
|
--host-bucket='${secrets.backup.hostBucket}' \
|
|
$@
|
|
'';
|
|
|
|
auth = pkgs.buildGoModule rec {
|
|
name = "auth";
|
|
src = ./auth;
|
|
vendorHash = "sha256-cLn1tZL+LVMmSpLZYA7uRkEW7eFWGf+NFdvBEvQtjH4=";
|
|
};
|
|
|
|
bucket = secrets.backup.bucket;
|
|
|
|
domainName = "lor.sh";
|
|
in {
|
|
systemd.services."mastodon-auth" = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
environment = {
|
|
SOCKET = "/var/run/mastodon-auth/auth.socket";
|
|
DATABASE = "mastodon";
|
|
AUTH_SECRET = secrets.authSecret;
|
|
};
|
|
serviceConfig = {
|
|
Restart = "always";
|
|
RestartSec = 30;
|
|
ExecStart = "${auth}/bin/auth";
|
|
User = "mastodon";
|
|
RuntimeDirectory = "mastodon-auth";
|
|
RuntimeDirectoryMode = "0750";
|
|
};
|
|
};
|
|
|
|
services.postgresqlBackup = {
|
|
enable = true;
|
|
databases = [ "mastodon" ];
|
|
compression = "gzip";
|
|
};
|
|
|
|
systemd.services.postgresqlBackup-mastodon.serviceConfig.ExecStartPost =
|
|
pkgs.writeShellScript "backup-to-s3" ''
|
|
cd /var/backup/postgresql
|
|
|
|
${pkgs.gnupg}/bin/gpg --batch --passphrase '${secrets.backup.password}' \
|
|
--symmetric mastodon.sql.gz
|
|
|
|
${s3cmd} rm ${bucket}/mastodon.prev.sql.gz.gpg
|
|
${s3cmd} mv ${bucket}/mastodon.sql.gz.gpg ${bucket}/mastodon.prev.sql.gz.gpg
|
|
${s3cmd} put mastodon.sql.gz.gpg ${bucket}/
|
|
|
|
rm mastodon.sql.gz.gpg
|
|
'';
|
|
|
|
# Until merge of https://github.com/NixOS/nixpkgs/pull/202408
|
|
systemd.services.mastodon-sidekiq.serviceConfig.ExecStart =
|
|
lib.mkForce "${sidekiq-manager}";
|
|
|
|
# https://github.com/mperham/sidekiq/wiki/Memory#bloat
|
|
systemd.services.mastodon-sidekiq.environment.MALLOC_ARENA_MAX = "2";
|
|
|
|
services.caddy = {
|
|
enable = true;
|
|
virtualHosts."${domainName}".extraConfig = ''
|
|
root * ${mastodon-lor-sh}/public
|
|
encode gzip
|
|
|
|
@static file
|
|
handle @static {
|
|
file_server
|
|
}
|
|
|
|
handle /api/v1/streaming* {
|
|
reverse_proxy unix//run/mastodon-streaming/streaming.socket
|
|
}
|
|
|
|
handle /api/v0/auth* {
|
|
reverse_proxy unix//run/mastodon-auth/auth.socket
|
|
}
|
|
|
|
handle {
|
|
reverse_proxy unix//run/mastodon-web/web.socket
|
|
}
|
|
|
|
header {
|
|
Strict-Transport-Security "max-age=31536000;"
|
|
}
|
|
|
|
@5xx expression `{err.status_code} >= 500 && {err.status_code} < 600`
|
|
handle_errors {
|
|
rewrite @5xx /500.html
|
|
file_server
|
|
}
|
|
'';
|
|
};
|
|
|
|
users.users.caddy.extraGroups = [ "mastodon" ];
|
|
|
|
services.mastodon = {
|
|
enable = true;
|
|
|
|
package = mastodon-lor-sh;
|
|
|
|
localDomain = "${domainName}";
|
|
configureNginx = false;
|
|
|
|
smtp = {
|
|
createLocally = false;
|
|
authenticate = true;
|
|
host = "smtp.eu.mailgun.org";
|
|
port = 587;
|
|
fromAddress = "Mastodon <mastodon@m.${domainName}>";
|
|
user = "mastodon@m.${domainName}";
|
|
passwordFile = builtins.toFile "smtp-password" secrets.smtpPassword;
|
|
};
|
|
|
|
vapidPublicKeyFile = builtins.toFile "vapidPublicKey" secrets.vapidPublicKey;
|
|
secretKeyBaseFile = builtins.toFile "secretKeyBase" secrets.secretKeyBase;
|
|
otpSecretFile = builtins.toFile "otpSecret" secrets.otpSecret;
|
|
vapidPrivateKeyFile = builtins.toFile "vapidPrivateKey" secrets.vapidPrivateKey;
|
|
|
|
extraConfig = {
|
|
S3_ENABLED = "true";
|
|
S3_PROTOCOL = "https";
|
|
S3_BUCKET = "lor-sh";
|
|
S3_REGION = "eu-central-1";
|
|
S3_HOSTNAME = "s3.eu-central-1.wasabisys.com";
|
|
S3_ENDPOINT = "https://s3.eu-central-1.wasabisys.com/lor-sh";
|
|
S3_ALIAS_HOST = "s3.eu-central-1.wasabisys.com/lor-sh/lor-sh";
|
|
AWS_ACCESS_KEY_ID = secrets.AWS_ACCESS_KEY_ID;
|
|
AWS_SECRET_ACCESS_KEY = secrets.AWS_SECRET_ACCESS_KEY;
|
|
|
|
DEEPL_API_KEY = secrets.DEEPL_API_KEY;
|
|
DEEPL_PLAN = "pro";
|
|
};
|
|
};
|
|
}
|