Diffstat (limited to 'system/services/mastodon')
-rw-r--r--system/services/mastodon/default.nix54
1 files changed, 54 insertions, 0 deletions
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
new file mode 100644
index 0000000..39a0f56
--- /dev/null
+++ b/system/services/mastodon/default.nix
@@ -0,0 +1,54 @@
+{config, ...}: let
+ emailAddress = "mastodon@vhack.eu";
+in {
+ services.mastodon = {
+ enable = true;
+ localDomain = "vhack.eu";
+ smtp = {
+ authenticate = true;
+ createLocally = false;
+ fromAddress = emailAddress;
+ user = emailAddress;
+ host = "server1.vhack.eu";
+ passwordFile = config.age.secrets.mastodonMail.path;
+ };
+ extraConfig = {
+ WEB_DOMAIN = "mastodon.vhack.eu";
+ EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true; # required for redirections to work
+ virtualHosts = {
+ ${config.services.mastodon.extraConfig.WEB_DOMAIN} = {
+ root = "${config.services.mastodon.package}/public/";
+ # mastodon only supports https, but you can override this if you offload tls elsewhere.
+ forceSSL = true;
+ enableACME = true;
+
+ locations = {
+ "/system/".alias = "/var/lib/mastodon/public-system/";
+ "/".tryFiles = "$uri @proxy";
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+ "/api/v1/streaming/" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ "vhack.eu" = {
+ locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri";
+ };
+ };
+ };
+
+ users.groups.${config.services.mastodon.group}.members = [
+ config.services.nginx.user
+ ];
+}
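Review bot: The `smtp` block enables `authenticate` with a `passwordFile` but sets no `port`, and `extraConfig` pins no SMTP TLS behaviour, so whether the mail password reaches `server1.vhack.eu` over an encrypted session is left to module and Mastodon defaults. I would make it explicit, e.g. `port = 587;` in `smtp` and `SMTP_ENABLE_STARTTLS = "always";` in `extraConfig`, assuming the deployed Mastodon release supports that variable and the mail server offers submission on 587. Separately, the `users.groups.${config.services.mastodon.group}.members` assignment at the end gives nginx every permission the mastodon group holds, not only the two sockets and `public-system`. A comment such as `# nginx needs group access to the mastodon sockets and /var/lib/mastodon/public-system` would record why, and it is worth confirming that nothing secret under the state directory is group-readable. The `"vhack.eu"` vhost sets no `forceSSL`/`enableACME` in this file, so the webfinger redirect presumably relies on that host being configured for TLS elsewhere.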