summary refs log tree commit diff stats
path: root/system/services/mastodon/default.nix
blob: f613bf357d322bf51592d524c3d1ac038787b17b (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
{
  config,
  pkgs,
  ...
}: let
  emailAddress = "mastodon@vhack.eu";
  applyPatches = pkg:
    pkg.overrideAttrs (attrs: {
      patches = (attrs.patches or []) ++ [./patches/0001-feat-treewide-Increase-character-limit-to-5000-in-me.patch];
    });
in {
  services.mastodon = {
    enable = true;

    package = applyPatches pkgs.mastodon;

    # Unstable Mastodon package, used if
    # security updates aren't backported.
    #package = applyPatches pkgs-unstable.mastodon;

    localDomain = "vhack.eu";
    smtp = {
      authenticate = true;
      createLocally = false;
      fromAddress = emailAddress;
      user = emailAddress;
      host = "server1.vhack.eu";
      passwordFile = config.age.secrets.mastodonMail.path;
    };
    streamingProcesses = 5; # Number of Cores - 1
    extraConfig = {
      WEB_DOMAIN = "mastodon.vhack.eu";
      EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true; # required for redirections to work
    virtualHosts = {
      ${config.services.mastodon.extraConfig.WEB_DOMAIN} = {
        root = "${config.services.mastodon.package}/public/";
        # mastodon only supports https, but you can override this if you offload tls elsewhere.
        forceSSL = true;
        enableACME = true;

        locations = {
          "/system/".alias = "/var/lib/mastodon/public-system/";
          "/".tryFiles = "$uri @proxy";
          "@proxy" = {
            proxyPass = "http://unix:/run/mastodon-web/web.socket";
            proxyWebsockets = true;
          };
          "/api/v1/streaming/" = {
            proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
            proxyWebsockets = true;
          };
        };
      };

      "vhack.eu" = {
        locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri";
      };
    };
  };

  users.groups.${config.services.mastodon.group}.members = [
    config.services.nginx.user
  ];
}