diff --git a/profiles/mastodon.nix b/profiles/mastodon.nix
new file mode 100644
index 0000000..17e8a1a
--- /dev/null
+++ b/profiles/mastodon.nix
@@ -0,0 +1,72 @@
+# NixOps configuration for the hosts running a Mastodon server
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ services = {
+ mastodon = {
+ enable = true; # Enable the Mastodon service
+ localDomain = "mcwhirter.io"; # Domain serving Mastodon
+ configureNginx = false; # Configure Nginx as a reverse proxy
+ smtp = {
+ fromAddress = "social@mcwhirter.io";
+ user = "social";
+ };
+ extraConfig = {
+ WEB_DOMAIN = "social.mcwhirter.io";
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true; # Enable Nginx
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ # Required to redirect requests to the mastodon service
+ "mcwhirter.io" = {
+ locations."/.well-known/host-meta".extraConfig = "return 301 $scheme://social.mcwhirter.io$request_uri;";
+ };
+ "social.mcwhirter.io" = {
+ enableACME = true; # Use ACME certs
+ forceSSL = true; # Force SSL
+ root = "${pkgs.mastodon}/public/";
+ locations."/system/".alias = "/var/lib/mastodon/public-system/";
+
+ locations."/" = {
+ tryFiles = "$uri @proxy";
+ };
+
+ locations."@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+
+ locations."/api/v1/streaming/" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+
+ users.groups.mastodon.members = [
+ "nginx"
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ certs = {
+ "social.mcwhirter.io" = {
+ group = "mastodon";
+ postRun = "systemctl reload nginx.service; systemctl restart mastodon.service";
+ email = "acme@mcwhirter.io";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ };
+ };
+}
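Review bot: The ACME cert for "social.mcwhirter.io" is handed to `group = "mastodon"` and its `postRun` restarts Mastodon, yet nothing in this file has Mastodon terminate TLS — both `proxyPass` targets are plain unix sockets, so nginx is the only consumer of the key and the only service that needs reloading on renewal; giving the mastodon group read access to the private key is wider than needed, and `systemctl restart mastodon.service` names a unit that, as far as I can tell, the NixOS module does not define (it ships `mastodon-web`/`mastodon-sidekiq`/`mastodon-streaming`-style units — worth verifying), so the hook may fail on every renewal. I would change those two lines to `group = "nginx";` and `postRun = "systemctl reload nginx.service";`, keeping the `users.groups.mastodon.members = [ "nginx" ]` entry, which nginx still needs for the sockets. The comment on `configureNginx = false; # Configure Nginx as a reverse proxy` says the opposite of what the value does; `configureNginx = false; # nginx is configured by hand below` would match the hand-written `services.nginx` block. The "mcwhirter.io" vhost carrying the host-meta redirect has no `forceSSL`/`enableACME`, so unless another profile adds TLS for that name the redirect is only reachable over plain HTTP, and federation lookups for the local domain (which Mastodon also issues for `/.well-known/webfinger`) may not be served — confirm against the other profiles.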