Initial commit

2025-09-11 17:30:40 +03:00
commit c635a33654
5 changed files with 230 additions and 0 deletions
--- a/module.nix
+++ b/module.nix
@@ -0,0 +1,131 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  sp = config.selfprivacy;
+  cfg = sp.modules.mastodon;
+  oauthClientID = "mastodon";
+  auth-passthru = config.selfprivacy.passthru.auth;
+  oauthDiscoveryURL = config.services.kanidm.serverSettings.origin;
+  issuer = lib.strings.removeSuffix "/.well-known/openid-configuration" oauthDiscoveryURL;
+
+  # SelfPrivacy uses SP Module ID to identify the group!
+  usersGroup = "sp.mastodon.users";
+
+  oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
+  oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
+in
+{
+  options.selfprivacy.modules.mastodon = {
+    enable =
+      (lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = "Enable Mastodon";
+      })
+      // {
+        meta = {
+          type = "enable";
+        };
+      };
+    location =
+      (lib.mkOption {
+        type = lib.types.str;
+        description = "Mastodon location";
+      })
+      // {
+        meta = {
+          type = "location";
+        };
+      };
+    subdomain =
+      (lib.mkOption {
+        default = "mastodon";
+        type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+        description = "Subdomain";
+      })
+      // {
+        meta = {
+          widget = "subdomain";
+          type = "string";
+          regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+          weight = 0;
+        };
+      };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = sp.sso.enable;
+        message = "Mastodon cannot be enabled when SSO is disabled.";
+      }
+    ];
+
+    fileSystems = lib.mkIf sp.useBinds {
+      "/var/lib/mastodon" = {
+        device = "/volumes/${cfg.location}/mastodon";
+        options = [ "bind" ];
+      };
+    };
+
+    # services.postgresql = {
+    #   ensureDatabases = [ "mastodon" ];
+    #   ensureUsers = [
+    #     {
+    #       name = "mastodon";
+    #       ensureDBOwnership = true;
+    #     }
+    #   ];
+    # };
+
+    services.mastodon = {
+      enable = true;
+      localDomain = "${cfg.subdomain}.${sp.domain}";
+      enableUnixSocket = false;
+      configureNginx = true;
+      database.createLocally = true;
+    };
+
+
+    systemd = {
+      services.mastodon = {
+        unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/mastodon";
+        serviceConfig = {
+          loadCredentials = ["client-secret:${oauthClientSecretFP}"];
+          ExecStart = ''
+            export CLIENT_SECRET=$(cat $CREDENTIALS_DIRECTORY/client-secret)
+            ${config.services.mastodon.package}/bin/puma -C config/puma.rb`
+          '';
+        };
+        environment = {
+          OIDC_ENABLED = true;
+          OIDC_DISPLAY_NAME= "Kanidm";
+          OIDC_ISSUER = issuer;
+          OIDC_DISCOVERY = true;
+          OIDC_SCOPE = "openid,profile";
+          OIDC_UID_FIELD = "sub";
+          OIDC_CLIENT_ID = oauthClientID;
+          OIDC_REDIRECT_URI = oauthRedirectURL;
+        };        
+      };
+      slices.mastodon = {
+        description = "Mastodon service slice";
+      };
+    };
+
+    selfprivacy.auth.clients.${oauthClientID} = {
+      inherit usersGroup;
+      subdomain = cfg.subdomain;
+      originLanding = "https://${cfg.subdomain}.${sp.domain}/";
+      originUrl = oauthRedirectURL;
+      clientSystemdUnits = [ "mastodon.service" ];
+      enablePkce = true;
+      linuxUserOfClient = "mastodon";
+      linuxGroupOfClient = "mastodon";
+    };
+  };
+}