simple-nixos-fediverse/mastodon.nix

200 lines
7.2 KiB
Nix
Raw Normal View History

let
snakeoil_key = {
id = "GK3515373e4c851ebaad366558";
secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
in
2024-03-06 10:48:01 +01:00
{ config, lib, pkgs, ... }: lib.mkMerge [
{ # garage setup
2024-03-27 10:59:50 +01:00
services.garage = {
ensureBuckets = {
2024-05-25 01:02:12 +02:00
mastodon = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
2024-05-25 01:02:12 +02:00
};
2024-03-27 10:59:50 +01:00
};
ensureKeys = {
mastodon = {
inherit (snakeoil_key) id secret;
ensureAccess = {
mastodon = {
read = true;
write = true;
owner = true;
};
};
};
};
};
services.mastodon = {
extraConfig = {
S3_ENABLED = "true";
S3_ENDPOINT = "http://s3.garage.localhost:3900";
S3_REGION = "garage";
S3_BUCKET = "mastodon";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
AWS_ACCESS_KEY_ID = snakeoil_key.id;
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
S3_PROTOCOL = "http";
S3_HOSTNAME = "web.garage.localhost:3902";
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
# but we want "<S3_BUCKET>.<S3_HOSTNAME>"
S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902";
2024-05-25 01:02:12 +02:00
# XXX: I think we need to set up a proper CDN host
# CDN_HOST = "mastodon.web.garage.localhost:3902";
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
};
}
2024-03-06 10:48:01 +01:00
# mastodon setup
{
# open up access to the mastodon web interface
networking.firewall.allowedTCPPorts = [ 443 ];
2024-02-22 10:56:31 +01:00
services.mastodon = {
2024-03-06 10:48:01 +01:00
enable = true;
2024-02-22 10:56:31 +01:00
2024-03-06 10:48:01 +01:00
# TODO: set up a domain name, and a DNS service so that this can run not in a vm
# localDomain = "domain.social";
configureNginx = true;
2024-03-06 10:40:22 +01:00
2024-03-06 10:48:01 +01:00
# TODO: configure a mailserver so this works
# smtp.fromAddress = "mastodon@mastodon.localhost";
# TODO: this is hardware-dependent. let's figure it out when we have hardware
# streamingProcesses = 1;
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
# TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com";
2024-02-22 10:56:31 +01:00
};
2024-03-06 10:48:01 +01:00
}
# VM setup
{
services.mastodon = {
# redirects to localhost, but allows it to have a proper domain name
localDomain = "mastodon.localhost";
2024-03-06 10:48:01 +01:00
smtp = {
fromAddress = "mastodon@mastodon.localhost";
createLocally = false;
2024-03-06 10:48:01 +01:00
};
2024-02-22 10:56:31 +01:00
extraConfig = {
EMAIL_DOMAIN_ALLOWLIST = "example.com";
2024-03-06 10:48:01 +01:00
};
2024-03-06 10:40:22 +01:00
# from the documentation: recommended is the amount of your CPU cores minus one.
# but it also must be a positive integer
streamingProcesses = lib.max 1 (config.virtualisation.cores - 1);
};
security.acme = {
defaults = {
# invalid server; the systemd service will fail, and we won't get properly signed certificates
# but let's not spam the letsencrypt servers (and we don't own this domain anyways)
server = "https://127.0.0.1";
email = "none";
};
2024-03-06 10:40:22 +01:00
};
virtualisation.memorySize = 2048;
virtualisation.forwardPorts = [
{
from = "host";
host.port = 44443;
guest.port = 443;
}
];
2024-03-06 10:48:01 +01:00
}
# mastodon development environment
{
2024-03-20 01:39:59 +01:00
networking.firewall.allowedTCPPorts = [ 55001 ];
services.mastodon = {
# needed so we can directly access mastodon at port 55001
# otherwise, mastodon has to be accessed *from* port 443, which we can't do via port forwarding
enableUnixSocket = false;
extraConfig = {
RAILS_ENV = "development";
# to be accessible from outside the VM
BIND = "0.0.0.0";
# for letter_opener (still doesn't work though)
REMOTE_DEV = "true";
LOCAL_DOMAIN = "mastodon.localhost:8443";
2024-02-22 10:56:31 +01:00
};
};
# services.nginx.virtualHosts."${config.services.mastodon.localDomain}" = {
# extraConfig = ''
# add_header Content-Security-Policy 'base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' http://mastodon.localhost:8443; img-src * https: data: blob: http://mastodon.localhost:8443; style-src 'self' http://mastodon.localhost:8443 'nonce-QvwdQ3lNRMmEcQnhZ22MAg=='; media-src 'self' https: data: http://mastodon.localhost:8443; frame-src 'self' https:; manifest-src 'self' http://mastodon.localhost:8443; form-action 'self'; child-src 'self' blob: http://mastodon.localhost:8443; worker-src 'self' blob: http://mastodon.localhost:8443; connect-src 'self' data: blob: http://mastodon.localhost:8443 http://mastodon.web.garage.localhost:3902 ws://mastodon.localhost:4000 ws://localhost:3035 http://localhost:3035; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://mastodon.localhost:8443'
# '';
# };
# services.nginx.virtualHosts."${config.services.mastodon.localDomain}".locations."/sw.js" =
2024-02-22 10:56:31 +01:00
services.postgresql = {
enable = true;
ensureUsers = [
2024-03-06 15:16:35 +01:00
{
name = config.services.mastodon.database.user;
ensureClauses.createdb = true;
# ensurePermissions doesn't work anymore
# ensurePermissions = {
# "mastodon_development.*" = "ALL PRIVILEGES";
# "mastodon_test.*" = "ALL PRIVILEGES";
# }
2024-03-06 15:16:35 +01:00
}
];
# ensureDatabases = [ "mastodon_development_test" "mastodon_test" ];
2024-03-06 10:40:22 +01:00
};
# Currently, nixos seems to be able to create a single database per
# postgres user. This works for the production version of mastodon, which
# is what's packaged in nixpkgs. For development, we need two databases,
# mastodon_development and mastodon_test. This used to be possible with
# ensurePermissions, but that's broken and has been removed. Here I copy
# the mastodon-init-db script from upstream nixpkgs, but add the single
# line `rails db:setup`, which asks mastodon to create the postgres
# databases for us.
# FIXME: the commented out lines were breaking things, but presumably they're necessary for something.
# TODO: see if we can fix the upstream ensurePermissions stuff. See above for what that config would look like.
systemd.services.mastodon-init-db.script = lib.mkForce ''
result="$(psql -t --csv -c \
"select count(*) from pg_class c \
join pg_namespace s on s.oid = c.relnamespace \
where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
and s.nspname not like 'pg_temp%';")" || error_code=$?
if [ "''${error_code:-0}" -ne 0 ]; then
echo "Failure checking if database is seeded. psql gave exit code $error_code"
exit "$error_code"
fi
if [ "$result" -eq 0 ]; then
echo "Seeding database"
rails db:setup
# SAFETY_ASSURED=1 rails db:schema:load
rails db:seed
# else
# echo "Migrating database (this might be a noop)"
# rails db:migrate
fi
'';
virtualisation.forwardPorts = [
{
from = "host";
host.port = 55001;
guest.port = 55001;
}
];
2024-03-06 10:48:01 +01:00
}
]