let snakeoil_key = { id = "GK3515373e4c851ebaad366558"; secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; }; in { config, lib, pkgs, ... }: lib.mkMerge [ { # garage setup services.garage = { ensureBuckets = { mastodon = { website = true; corsRules = { enable = true; allowedHeaders = [ "*" ]; allowedMethods = [ "GET" ]; allowedOrigins = [ "*" ]; }; }; }; ensureKeys = { mastodon = { inherit (snakeoil_key) id secret; ensureAccess = { mastodon = { read = true; write = true; owner = true; }; }; }; }; }; services.mastodon = { extraConfig = { S3_ENABLED = "true"; S3_ENDPOINT = "http://s3.garage.localhost:3900"; S3_REGION = "garage"; S3_BUCKET = "mastodon"; # use . S3_OVERRIDE_PATH_STLE = "true"; AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; S3_HOSTNAME = "web.garage.localhost:3902"; # by default it tries to use "/" # but we want "." S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902"; # XXX: I think we need to set up a proper CDN host # CDN_HOST = "mastodon.web.garage.localhost:3902"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ # TODO: can we set up ACLs with garage? S3_PERMISSION = ""; }; }; } # mastodon setup { # open up access to the mastodon web interface networking.firewall.allowedTCPPorts = [ 443 ]; services.mastodon = { enable = true; # TODO: set up a domain name, and a DNS service so that this can run not in a vm # localDomain = "domain.social"; configureNginx = true; # TODO: configure a mailserver so this works # smtp.fromAddress = "mastodon@mastodon.localhost"; # TODO: this is hardware-dependent. let's figure it out when we have hardware # streamingProcesses = 1; }; security.acme = { acceptTerms = true; preliminarySelfsigned = true; # TODO: configure a mailserver so we can set up acme # defaults.email = "test@example.com"; }; } # VM setup { services.mastodon = { # redirects to localhost, but allows it to have a proper domain name localDomain = "mastodon.localhost"; smtp = { fromAddress = "mastodon@mastodon.localhost"; createLocally = false; }; extraConfig = { EMAIL_DOMAIN_ALLOWLIST = "example.com"; }; # from the documentation: recommended is the amount of your CPU cores minus one. # but it also must be a positive integer streamingProcesses = lib.max 1 (config.virtualisation.cores - 1); }; security.acme = { defaults = { # invalid server; the systemd service will fail, and we won't get properly signed certificates # but let's not spam the letsencrypt servers (and we don't own this domain anyways) server = "https://127.0.0.1"; email = "none"; }; }; virtualisation.memorySize = 2048; virtualisation.forwardPorts = [ { from = "host"; host.port = 44443; guest.port = 443; } ]; } # mastodon development environment { networking.firewall.allowedTCPPorts = [ 55001 ]; services.mastodon = { # needed so we can directly access mastodon at port 55001 # otherwise, mastodon has to be accessed *from* port 443, which we can't do via port forwarding enableUnixSocket = false; extraConfig = { RAILS_ENV = "development"; # to be accessible from outside the VM BIND = "0.0.0.0"; # for letter_opener (still doesn't work though) REMOTE_DEV = "true"; LOCAL_DOMAIN = "mastodon.localhost:8443"; }; }; # services.nginx.virtualHosts."${config.services.mastodon.localDomain}" = { # extraConfig = '' # add_header Content-Security-Policy 'base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' http://mastodon.localhost:8443; img-src * https: data: blob: http://mastodon.localhost:8443; style-src 'self' http://mastodon.localhost:8443 'nonce-QvwdQ3lNRMmEcQnhZ22MAg=='; media-src 'self' https: data: http://mastodon.localhost:8443; frame-src 'self' https:; manifest-src 'self' http://mastodon.localhost:8443; form-action 'self'; child-src 'self' blob: http://mastodon.localhost:8443; worker-src 'self' blob: http://mastodon.localhost:8443; connect-src 'self' data: blob: http://mastodon.localhost:8443 http://mastodon.web.garage.localhost:3902 ws://mastodon.localhost:4000 ws://localhost:3035 http://localhost:3035; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://mastodon.localhost:8443' # ''; # }; # services.nginx.virtualHosts."${config.services.mastodon.localDomain}".locations."/sw.js" = services.postgresql = { enable = true; ensureUsers = [ { name = config.services.mastodon.database.user; ensureClauses.createdb = true; # ensurePermissions doesn't work anymore # ensurePermissions = { # "mastodon_development.*" = "ALL PRIVILEGES"; # "mastodon_test.*" = "ALL PRIVILEGES"; # } } ]; # ensureDatabases = [ "mastodon_development_test" "mastodon_test" ]; }; # Currently, nixos seems to be able to create a single database per # postgres user. This works for the production version of mastodon, which # is what's packaged in nixpkgs. For development, we need two databases, # mastodon_development and mastodon_test. This used to be possible with # ensurePermissions, but that's broken and has been removed. Here I copy # the mastodon-init-db script from upstream nixpkgs, but add the single # line `rails db:setup`, which asks mastodon to create the postgres # databases for us. # FIXME: the commented out lines were breaking things, but presumably they're necessary for something. # TODO: see if we can fix the upstream ensurePermissions stuff. See above for what that config would look like. systemd.services.mastodon-init-db.script = lib.mkForce '' result="$(psql -t --csv -c \ "select count(*) from pg_class c \ join pg_namespace s on s.oid = c.relnamespace \ where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \ and s.nspname not like 'pg_temp%';")" || error_code=$? if [ "''${error_code:-0}" -ne 0 ]; then echo "Failure checking if database is seeded. psql gave exit code $error_code" exit "$error_code" fi if [ "$result" -eq 0 ]; then echo "Seeding database" rails db:setup # SAFETY_ASSURED=1 rails db:schema:load rails db:seed # else # echo "Migrating database (this might be a noop)" # rails db:migrate fi ''; virtualisation.forwardPorts = [ { from = "host"; host.port = 55001; guest.port = 55001; } ]; } ]