177 lines
5.7 KiB
Nix
177 lines
5.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
sp = config.selfprivacy;
|
|
cfg = sp.modules.mastodon;
|
|
oauthClientID = "mastodon";
|
|
auth-passthru = config.selfprivacy.passthru.auth;
|
|
oauthDiscoveryURL = auth-passthru.oauth2-discovery-url oauthClientID;
|
|
issuer = lib.strings.removeSuffix "/.well-known/openid-configuration" oauthDiscoveryURL;
|
|
|
|
usersGroup = "sp.mastodon.users";
|
|
adminsGroup = "sp.mastodon.admins";
|
|
|
|
oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
|
|
oauthRedirectURL = "https://${cfg.subdomain}.${sp.domain}/auth/auth/openid_connect/callback";
|
|
in
|
|
{
|
|
options.selfprivacy.modules.mastodon = {
|
|
enable =
|
|
(lib.mkOption {
|
|
default = false;
|
|
type = lib.types.bool;
|
|
description = "Enable Mastodon";
|
|
})
|
|
// {
|
|
meta = {
|
|
type = "enable";
|
|
};
|
|
};
|
|
location =
|
|
(lib.mkOption {
|
|
type = lib.types.str;
|
|
description = "Mastodon location";
|
|
})
|
|
// {
|
|
meta = {
|
|
type = "location";
|
|
};
|
|
};
|
|
subdomain =
|
|
(lib.mkOption {
|
|
default = "mastodon";
|
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
|
description = "Subdomain (changing subdomain after setting up will cause breakage of the server!)";
|
|
})
|
|
// {
|
|
meta = {
|
|
widget = "subdomain";
|
|
type = "string";
|
|
regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
|
weight = 0;
|
|
};
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
fileSystems = lib.mkIf sp.useBinds {
|
|
"/var/lib/mastodon" = {
|
|
device = "/volumes/${cfg.location}/mastodon";
|
|
options = [ "bind" ];
|
|
};
|
|
};
|
|
|
|
services.mastodon = {
|
|
enable = true;
|
|
localDomain = "${cfg.subdomain}.${sp.domain}";
|
|
enableUnixSocket = false;
|
|
configureNginx = true;
|
|
database.createLocally = true;
|
|
streamingProcesses = 3;
|
|
|
|
smtp = {
|
|
createLocally = false;
|
|
# fromAddress = "noreply.mastodon@${sp.domain}";
|
|
# user = "noreply.mastodon";
|
|
|
|
fromAddress = "mastodon@${sp.domain}";
|
|
user = "mastodon";
|
|
|
|
host = "hollowness.top";
|
|
port = 465;
|
|
passwordFile = "/run/keys/mastodon/email_password";
|
|
authenticate = true;
|
|
};
|
|
extraConfig = {
|
|
# "SMTP_ENABLE_STARTTLS" = "never";
|
|
"SMTP_ENABLE_STARTTLS_AUTO" = "true";
|
|
"SMTP_ENABLE_STARTTLS" = "always";
|
|
"SMTP_TLS" = "true";
|
|
"SMTP_SSL" = "true";
|
|
};
|
|
};
|
|
|
|
# services.postfix.config = {
|
|
# smtp_sasl_auth_enable = "yes";
|
|
# smtp_sasl_security_options = "";
|
|
# smtp_sasl_password_maps = "texthash:/run/postfix/mastodon.cf";
|
|
# virtual_mailbox_maps = [ "hash:/run/postfix/mastodon.cf" ];
|
|
# };
|
|
# mailserver.loginAccounts."noreply.mastodon@${sp.domain}" = {
|
|
mailserver.loginAccounts."mastodon@${sp.domain}" = {
|
|
hashedPasswordFile = "/run/postfix/mastodon.cf";
|
|
sendOnly = true;
|
|
};
|
|
|
|
systemd = {
|
|
services.mastodon-email-password-setup = {
|
|
enable = true;
|
|
wantedBy = [ "multi-user.target" "mastodon-web.service" "postfix.service" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
ExecStart = pkgs.writeShellScript "gen-mastodon-email-password" ''
|
|
export password=$(head -c 32 /dev/urandom | base64 | sed 's/[+=\\/A-Z]//g')
|
|
|
|
rm -f /run/keys/mastodon/email_password || true
|
|
mkdir /run/keys/mastodon/ || true # Create /run/keys/mastodon if it doesn't exist
|
|
echo $password > /run/keys/mastodon/email_password
|
|
chmod 400 /run/keys/mastodon/email_password
|
|
chown ${config.services.mastodon.user}:${config.services.mastodon.group} /run/keys/mastodon/email_password
|
|
|
|
rm -f /run/postfix/mastodon.cf || true
|
|
mkdir /run/postfix/ || true # Create /run/postfix if it doesn't exist
|
|
export hashedPassword=$(${lib.getExe pkgs.mkpasswd} -sm bcrypt "$password")
|
|
# echo "noreply.mastodon@${sp.domain}: $hashedPassword" > /run/postfix/mastodon.cf
|
|
echo "$hashedPassword" > /run/postfix/mastodon.cf
|
|
chmod 440 /run/postfix/mastodon.cf
|
|
chown ${config.services.postfix.user}:${config.services.postfix.group} /run/postfix/mastodon.cf
|
|
'';
|
|
};
|
|
};
|
|
|
|
services.mastodon-web = {
|
|
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/mastodon";
|
|
serviceConfig = {
|
|
Slice = "hedgedoc.slice";
|
|
LoadCredential = ["client-secret:${oauthClientSecretFP}"];
|
|
ExecStart = lib.mkForce (pkgs.writeShellScript "run-mastodon-with-client-secret" ''
|
|
export OIDC_CLIENT_SECRET=$(cat $CREDENTIALS_DIRECTORY/client-secret)
|
|
${config.services.mastodon.package}/bin/puma -C config/puma.rb
|
|
'');
|
|
};
|
|
environment = {
|
|
OIDC_ENABLED = "true";
|
|
OIDC_DISPLAY_NAME= "Kanidm";
|
|
OIDC_ISSUER = issuer;
|
|
OIDC_DISCOVERY = "true";
|
|
OIDC_SCOPE = "openid,profile,email";
|
|
OIDC_UID_FIELD = "preferred_username";
|
|
OIDC_CLIENT_ID = oauthClientID;
|
|
OIDC_REDIRECT_URI = oauthRedirectURL;
|
|
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "false";
|
|
};
|
|
};
|
|
slices.mastodon = {
|
|
description = "Mastodon service slice";
|
|
};
|
|
};
|
|
|
|
selfprivacy.auth.clients.${oauthClientID} = {
|
|
inherit usersGroup;
|
|
inherit adminsGroup;
|
|
subdomain = cfg.subdomain;
|
|
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
|
|
originUrl = oauthRedirectURL;
|
|
clientSystemdUnits = [ "mastodon.service" ];
|
|
enablePkce = false;
|
|
useShortPreferredUsername = true;
|
|
linuxUserOfClient = "mastodon";
|
|
linuxGroupOfClient = "mastodon";
|
|
};
|
|
};
|
|
}
|