mastodon: initial deployment

2022-06-28 18:15:10 +10:00 · 2022-06-28 18:15:10 +10:00 · 91b65a04f9
parent c3ec689b9a
commit 91b65a04f9
1 changed files with 72 additions and 0 deletions
--- a/profiles/mastodon.nix
+++ b/profiles/mastodon.nix
@ -0,0 +1,72 @@
+# NixOps configuration for the hosts running a Mastodon server
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  services = {
+    mastodon = {
+      enable = true; # Enable the Mastodon service
+      localDomain = "mcwhirter.io"; # Domain serving Mastodon
+      configureNginx = false; # Configure Nginx as a reverse proxy
+      smtp = {
+        fromAddress = "social@mcwhirter.io";
+        user = "social";
+      };
+      extraConfig = {
+        WEB_DOMAIN = "social.mcwhirter.io";
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true; # Enable Nginx
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      # Required to redirect requests to the mastodon service
+      "mcwhirter.io" = {
+        locations."/.well-known/host-meta".extraConfig = "return 301 $scheme://social.mcwhirter.io$request_uri;";
+      };
+      "social.mcwhirter.io" = {
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
+        root = "${pkgs.mastodon}/public/";
+        locations."/system/".alias = "/var/lib/mastodon/public-system/";
+
+        locations."/" = {
+          tryFiles = "$uri @proxy";
+        };
+
+        locations."@proxy" = {
+          proxyPass = "http://unix:/run/mastodon-web/web.socket";
+          proxyWebsockets = true;
+        };
+
+        locations."/api/v1/streaming/" = {
+          proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+
+  users.groups.mastodon.members = [
+    "nginx"
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    certs = {
+      "social.mcwhirter.io" = {
+        group = "mastodon";
+        postRun = "systemctl reload nginx.service; systemctl restart mastodon.service";
+        email = "acme@mcwhirter.io";
+        webroot = "/var/lib/acme/acme-challenge";
+      };
+    };
+  };
+}