kiara/Fediversity
1
0
Fork 0
forked from fediversity/fediversity
Code Pull requests Activity
Fediversity/deployment/fediversity/applications/mastodon/default.nix
Kiara Grouwstra c296bdab0a
deploy separate operator applications thru data model 
Signed-off-by: Kiara Grouwstra <kiara@procolix.eu>
2025-11-22 17:55:10 +01:00

106 lines
3.4 KiB
Nix
Raw Blame History

{
lib,
pkgs,
...
}:
let
inherit (lib) readFile;
inherit (pkgs) writeText;
in
{
applications.mastodon = {
description = ''
Your self-hosted, globally interconnected microblogging community
'';
module.options = import ../sharedOptions.nix {
inherit pkgs lib;
serviceDocName = "Mastodon";
defaults = {
domain = "mastodon.fediversity.net";
s3AccessKeyFile = writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
};
implementation =
cfg:
lib.optionalAttrs cfg.enable {
"mastodon-bucket".garage = {
ensureBuckets.mastodon = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
ensureKeys.mastodon = {
inherit (cfg) s3AccessKeyFile s3SecretKeyFile;
ensureAccess.mastodon = {
read = true;
write = true;
owner = true;
};
};
nixos-configuration = garage: {
services.mastodon.extraConfig = rec {
S3_ENABLED = "true";
# TODO: this shouldn't be hard-coded, it should come from the garage configuration
S3_ENDPOINT = garage.api.url;
S3_REGION = "garage";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
S3_PROTOCOL = "http";
S3_BUCKET = "mastodon";
S3_ALIAS_HOST = garage.web.domainForBucket S3_BUCKET;
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
services.mastodon.extraEnvFiles = [
(writeText "s3AccessKey" ''
AWS_ACCESS_KEY_ID=${readFile cfg.s3AccessKeyFile}
'')
(writeText "s3SecretKey" ''
AWS_SECRET_ACCESS_KEY=${readFile cfg.s3SecretKeyFile}
'')
];
};
};
"codez".nixos-module.module =
{
...
}:
{
# open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [
80
443
];
# virtualisation.cores = lib.mkDefault 1;
services.mastodon = {
enable = true;
localDomain = cfg.domain;
configureNginx = true;
# from the documentation: recommended is the amount of your CPU cores minus
# one. but it also must be a positive integer
streamingProcesses = 1;
# streamingProcesses = lib.max 1 (config.virtualisation.cores - 1);
# TODO: configure a mailserver so this works
smtp = {
fromAddress = "noreply@${cfg.domain}";
createLocally = false;
};
};
security.acme.preliminarySelfsigned = true;
};
};
};
}
View git blame Copy permalink