simple-nixos-fediverse/mastodon.nix

let
  snakeoil_key = {
    id = "GK3515373e4c851ebaad366558";
    secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
  };
in
{ config, lib, pkgs, ... }: lib.mkMerge [
  { # garage setup
    services.garage = {
      ensureBuckets = {
        mastodon = {
          website = true;
          # corsRules = {
          #   enable = true;
          #   allowedHeaders = [ "*" ];
          #   allowedMethods = [ "GET" ];
          #   allowedOrigins = [ "*" ];
          # };
        };
      };
      ensureKeys = {
        mastodon = {
          inherit (snakeoil_key) id secret;
          ensureAccess = {
            mastodon = {
              read = true;
              write = true;
              owner = true;
            };
          };
        };
      };
    };
    services.mastodon = {
      extraConfig = {
        S3_ENABLED = "true";
        S3_ENDPOINT = "http://s3.garage.localhost:3900";
        S3_REGION = "garage";
        S3_BUCKET = "mastodon";
        # use <S3_BUCKET>.<S3_ENDPOINT>
        S3_OVERRIDE_PATH_STLE = "true";
        AWS_ACCESS_KEY_ID = snakeoil_key.id;
        AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
        S3_PROTOCOL = "http";
        S3_HOSTNAME = "web.garage.localhost:3902";
        # by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
        # but we want "<S3_BUCKET>.<S3_HOSTNAME>"
        S3_ALIAS_HOST = "mastodon.web.garage.localhost:3902";
        # XXX: I think we need to set up a proper CDN host
        CDN_HOST = "mastodon.web.garage.localhost:3902";
        # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
        # TODO: can we set up ACLs with garage?
        S3_PERMISSION = "";
      };
    };
  }
  # mastodon setup
  {
    # open up access to the mastodon web interface
    networking.firewall.allowedTCPPorts = [ 443 ];

    services.mastodon = {
      enable = true;

      # TODO: set up a domain name, and a DNS service so that this can run not in a vm
      # localDomain = "domain.social";
      configureNginx = true;

      # TODO: configure a mailserver so this works
      # smtp.fromAddress = "mastodon@mastodon.localhost";

      # TODO: this is hardware-dependent. let's figure it out when we have hardware
      # streamingProcesses = 1;
    };

    security.acme = {
      acceptTerms = true;
      preliminarySelfsigned = true;
      # TODO: configure a mailserver so we can set up acme
      # defaults.email = "test@example.com";
    };
  }
  # VM setup
  {
    # these configurations only apply when producing a VM (e.g. nixos-rebuild build-vm)
    virtualisation.vmVariant = { config, ... }: {
      services.mastodon = {
        # redirects to localhost, but allows it to have a proper domain name
        localDomain = "mastodon.localhost";

        smtp = {
          fromAddress = "mastodon@mastodon.localhost";
          createLocally = false;
        };

        extraConfig = {
          EMAIL_DOMAIN_ALLOWLIST = "example.com";
        };

        # from the documentation: recommended is the amount of your CPU cores minus one.
        # but it also must be a positive integer
        streamingProcesses = let
          ncores = config.virtualisation.cores;
        in
          lib.max 1 (ncores - 1);
      };

      security.acme = {
        defaults = {
          # invalid server; the systemd service will fail, and we won't get properly signed certificates
          # but let's not spam the letsencrypt servers (and we don't own this domain anyways)
          server = "https://127.0.0.1";
          email = "none";
        };
      };

      virtualisation.memorySize = 2048;
      virtualisation.forwardPorts = [
        {
          from = "host";
          host.port = 44443;
          guest.port = 443;
        }
      ];
    };
  }

  # mastodon development environment
  {
    networking.firewall.allowedTCPPorts = [ 55001 ];
    virtualisation.vmVariant = { config, ... }: {
      services.mastodon = {
        # needed so we can directly access mastodon at port 55001
        # otherwise, mastodon has to be accessed *from* port 443, which we can't do via port forwarding
        enableUnixSocket = false;
        extraConfig = {
          RAILS_ENV = "development";
          # to be accessible from outside the VM
          BIND = "0.0.0.0";
          # for letter_opener (still doesn't work though)
          REMOTE_DEV = "true";
        };
      };

      services.postgresql = {
        enable = true;
        ensureUsers = [
          {
            name = config.services.mastodon.database.user;
            ensureClauses.createdb = true;
            # ensurePermissions doesn't work anymore
            # ensurePermissions = {
            #   "mastodon_development.*" = "ALL PRIVILEGES";
            #   "mastodon_test.*" = "ALL PRIVILEGES";
            # }
          }
        ];
        # ensureDatabases = [ "mastodon_development_test" "mastodon_test" ];
      };

      # run rails db:seed so that mastodon sets up the databases for us
      # iirc the postgresql module can also do this kind of thing
      systemd.services.mastodon-init-db.script = lib.mkForce ''
          # This conditional freaks me out
          # Maybe configure psql to output in a more machine-readable format?
          if [ `psql -c \
                  "select count(*) from pg_class c \
                  join pg_namespace s on s.oid = c.relnamespace \
                  where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
                  and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then
            echo "Seeding database"
            rails db:setup
            # SAFETY_ASSURED=1 rails db:schema:load
            rails db:seed
          else
            echo "Migrating database (this might be a noop)"
            # TODO: this breaks for some reason
            # rails db:migrate
          fi
      '';
      virtualisation.forwardPorts = [
        {
          from = "host";
          host.port = 55001;
          guest.port = 55001;
        }
      ];
    };
  }
]