mastodon: initial setup

modules/default.nix

@@ -6,6 +6,7 @@
     ./desktop/awesome/default.nix
     ./locations.nix
     ./resilio.nix
+    ./services/mastodon/default.nix
     ./services/matrix.nix
     ./tailscale.nix
     ./www/global.nix

modules/locations.nix

@@ -14,6 +14,7 @@ in
       default = {
         services = {
           matrix = "vm.strangervm.ts.hillion.co.uk";
+          mastodon = "vm.strangervm.ts.hillion.co.uk";
         };
       };
     };
@@ -21,5 +22,6 @@ in
 
   config = lib.mkIf cfg.autoServe {
     custom.services.matrix.enable = cfg.locations.services.matrix == config.networking.fqdn;
+    custom.services.mastodon.enable = cfg.locations.services.mastodon == config.networking.fqdn;
   };
 }

modules/services/mastodon/default.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.custom.services.mastodon;
+in
+{
+  options.custom.services.mastodon = {
+    enable = lib.mkEnableOption "mastodon";
+  };
+
+  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      "mastodon/otp_secret_file" = {
+        file = ../../../secrets/mastodon/social.hillion.co.uk/otp_secret_file.age;
+        owner = config.services.mastodon.user;
+        group = config.services.mastodon.group;
+      };
+      "mastodon/secret_key_base" = {
+        file = ../../../secrets/mastodon/social.hillion.co.uk/secret_key_base.age;
+        owner = config.services.mastodon.user;
+        group = config.services.mastodon.group;
+      };
+      "mastodon/vapid_private_key" = {
+        file = ../../../secrets/mastodon/social.hillion.co.uk/vapid_private_key.age;
+        owner = config.services.mastodon.user;
+        group = config.services.mastodon.group;
+      };
+      "mastodon/mastodon_at_social.hillion.co.uk" = {
+        file = ../../../secrets/mastodon/social.hillion.co.uk/mastodon_at_social.hillion.co.uk.age;
+        owner = config.services.mastodon.user;
+        group = config.services.mastodon.group;
+      };
+    };
+
+    services.mastodon = {
+      enable = true;
+      localDomain = "social.hillion.co.uk";
+
+      vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; };
+      otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path;
+      secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path;
+      vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path;
+
+      smtp = {
+        user = "mastodon@social.hillion.co.uk";
+        port = 587;
+        passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path;
+        host = "smtp.eu.mailgun.org";
+        fromAddress = "mastodon@social.hillion.co.uk";
+        authenticate = true;
+      };
+
+      extraConfig = {
+        EMAIL_DOMAIN_WHITELIST = "hillion.co.uk";
+      };
+    };
+  };
+}

modules/services/mastodon/vapid_public_key

@@ -0,0 +1 @@
+BNC88033km7UbxwclsVwr8k8Fe0ndQzeEwc9v4IqEtnU2YMLDKBsZ9eGBPXOQwClnqa-PxxuHSkxeDRC_uQdzb0=

modules/www/global.nix

@@ -10,6 +10,8 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    users.users.caddy.extraGroups = [ "mastodon" ];
+
     services.caddy = {
       enable = true;
 
@@ -49,7 +51,41 @@ in
       virtualHosts."drone.hillion.co.uk".extraConfig = ''
         reverse_proxy http://vm.strangervm.ts.hillion.co.uk:18733
       '';
+      virtualHosts."social.hillion.co.uk".extraConfig = ''
+        handle_path /system/* {
+          file_server * {
+            root /var/lib/mastodon/public-system
+          }
+        }
+
+        handle /api/v1/streaming/* {
+          reverse_proxy  unix//run/mastodon-streaming/streaming.socket
+        }
+      
+        route * {
+          file_server * {
+            root ${pkgs.mastodon}/public
+            pass_thru
+          }
+          reverse_proxy * unix//run/mastodon-web/web.socket
+        }
+
+        handle_errors {
+          root * ${pkgs.mastodon}/public
+          rewrite 500.html
+          file_server
+        }
+
+        encode gzip
+
+        header /* {
+          Strict-Transport-Security "max-age=31536000;"
+        }
+        header /emoji/* Cache-Control "public, max-age=31536000, immutable"
+        header /packs/* Cache-Control "public, max-age=31536000, immutable"
+        header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
+        header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
+      '';
     };
   };
 }
-

secrets/mastodon/social.hillion.co.uk/mastodon_at_social.hillion.co.uk.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+fR5abxPrwpYFhEty3T8Zx7u3K5HzIRujjj5aZP84+7gZlEE+Fjj7+F1cWk2QeM38
+x1YHA5psEsuWAqtAQ/v9Rp/JHFH+HcO6imEIaFv2Lg1tv8IswT995ynejr0E1wN/
+QKzVXhyqXbTHB6EsGKrzxHAK4GcqXwPFV4JWSYQ+Q2JSDkX4j7yM6kT7k7OI32ZO
+RmhezWUp5FfZp37NJAJdBQNTqp/nvYLc3X9Wq4kFrvWZNRrh1Yix7vIv0iaqvoHY
+JWLb9NLQA9RfSKnAVIlbbhNZzMBdCH2zPjNFPdRFHilqcGzxL5NZcEnPcvgwdLU3
+wrxCU0ZlDDVM6PPR4wnf6A
+-> ssh-rsa K9mW1w
+YMUoAeS+odaUTqNrPpUdno5+X2FEtYKJXoELKAV73FzEZPRGqx6QOW66T7I1T6Ta
+bI8DN0APAhw5iQLzyfQAqCTk+e9OpVMKhOz9aoOvTUMWQvzFnLPplUBrfqErKf0N
+ynivabBZDu4bYlveUxvDootS0BEGqMX521+GfHXXrnF1kswmQU9iBjaXOJ6ee5kA
+uuRXYjdvMCRdxt4IfPsmds5sxmQmb3TtqDTglYF/bGSJRvCuTFE2RJReqR0J7fI8
+7X/v1BXqZ4/USFcaAvDTejynzw7XbVd0QxF8pvyovnC8QAcNEOSW03ZTWa72SAyH
+sIN+E5WM8vByNDMM9SbtyQ
+-> ssh-ed25519 O0LMHg DyROBi4kg7STbIT2AQebM2l+PIxRVGHzIzeJNFCckwU
+tdNtu0iX9DbBcGO++S3FNpPi0bhs8VblZZ1vG+JAtpQ
+-> pp5-grease h K,g1$` -W-'z=\ PFC!
+b5JA7LoHsCfpp/rgBBETM+EOZSEqILdpmkWU2kmJdBvpFG+4oCUFD+el2azOiZpf
+VSgZiCfct2WDZuEEdZyWAcmRd+z7
+--- Wngnxun5npVjMmr9+LpV28g8T8nzIcDW8vm124DsbLU
+ÍêuëE€9ª´Ã]ùÚèÿxdcpyNüV´x×ôDl	N¨j/Íò”Uœ­æè°)J|½ksea<65>ì
éG¡B¬›twZKÇÃÚ]d<>V<02>Ù

secrets/mastodon/social.hillion.co.uk/otp_secret_file.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+buJjlLdz+QJS/ltPEoSC1QIuc25yPA1faRy4oFcUDDMLGrfoH53V3r9S3ku0qOeV
+bb/VJoTRnmNK+ES1Z06dDlNHISCZzwhqO6Y67eb4AXsd4D+2L5c9fzmRhUph8U9a
+8bSJ5wdY6Be7+zd8+Jn8/+Vq24+hj5JxaznSjBPUGdfMd+wK7tFXZwHzab1FqYmu
+LBRVSxWcjZG+zWErt3+IxcxC051LtjbnfpZowAe9iYKjDgYU/JmF2ujz2AIN/ZX8
+heyzCA5BftAoavjcPMapVUnMU1jhQeiPfSG8NzgqaJDi7KPg/Ejujst3KfZdJg11
+3sKdUN9iT+kRG298JdIP2g
+-> ssh-rsa K9mW1w
+wmBPlRZqmkMhHxcjHqv1hBTt3C6oKX3aubI73gtAnO9wgA3vfkWiDtdPJA/yxWuv
+Uz62QxQv09bd9sQ0C+VOx3DHlmIxU8j4ZX9ZdxgBSKm3QGRsfZYNjuRKN4raKjbP
+qvjQ7OkmzgJKBK4abtsZOjTc0YVzmHb/DWc4Swbnlf5MNuB0sFk4n5sVWtmRcx41
+AC92COM1U9OjJbCry99v+iNGEYkqZJaqbv2cGnft68TMi+eKpDx2BQ5/FcEFJRTX
+AVeOsRdBpkx8MN8GOA1FwkJE1EAQSwPz2owUwScoCg8ynBk6e7rYtCFugEm7F+Kr
+TGqNvLd1Ej7t9nrV3VKO0Q
+-> ssh-ed25519 O0LMHg 82e9p3tOgjrQJ0OpjYIaY3Z3B4P4Va0OtoeQWUDNRi4
++yL/wlDqhYM+XigMT1BVT+yz68df/1sj9R4mraTYA9w
+-> )-grease
+ks1I3lwsUUiYhDwrOZMVE/c0o7lGhmxx3GMpDQ
+--- CTOHTcdLxijAcutu0KPmmINx0jIdUZJL7YdLsLavBoY
+3+f©Ž%·(~ù!¥H§äµ\h7™	qUÛ{£d’œ—ˆO
ÕΕI­Ÿò#êjJ8½‰ä›³šiØ~>ú¯ú™Þ—ï¥<C3AF>Ù%,f¬ù°VÐ$¬ÉA|óWo¢©/'ûba ;¶`:kÈ
+Å#˜7¯;úèŽö+ä?lò<œ!Žbút9q˜%0¼ù»ó¡b&€­¶ƒéúº
DìÑ4Á8ˆ

secrets/mastodon/social.hillion.co.uk/secret_key_base.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+lKGHm6g4g5VUSGPywFDxDUl15UbCu8cAxMDleH/LiMq4bqmgkSuEIqISRw04Bqgl
+xcPE5iaL/xHMAMOSQmGq6fuJDvKLkhNLdtIEzdOSZRtRwMmSnN3fgmdwgXIxhftn
+ZvcJJPLPjHJoPx1dN8beS5pPgVrRX4RbOWpeGrl57jJCF4Gdryq5SpeB2P6SU3iS
+jw16kj0/gRvjGyFarURCUbiXnoQ8yZBzm77fzQR7GlGmDw1ySFoxooFq6yyw8nqd
+xZMBBZ6mf6gYReGzQUvVGzlybTpgdCgCLu8vAGMZJmZ9nxUdRXJWhGfxctNH3Pn2
+5gR4jItiQPQbGDS3Nrbgxw
+-> ssh-rsa K9mW1w
+MYjQSBZfMCcSj5Io08+sa1p9MVt+kWvSsACyhZX1cC9iybD45zZare6zZBpPp1YL
+BxM0RnG7lPiNU4K8kqd325qnQudITaX4tBSDPprfdoa1LSB7nNMMfmFFSzGkfBri
+W5yJNYy7ECLguYbqCLSdjfQ/Da0sbpCeuYlTe3j1UH0eY6t0l3tMjBOIZHhiXMSB
+P5y6JxubQKG/VlNVHsrgD0IT0A0XVJFLWJ4iE36B0QfrsAUm+68qpxEJenuVIgaq
+TkGAJPauFDmAWfFMOKYyXJFLKQ2tVdNvTHIHxAQdzwosqYUdvXyU/ugT5UFddS7i
+RKIY+9U8RQAU9Qg8cpYGLw
+-> ssh-ed25519 O0LMHg w28mpV/lT2kZMgOPkRFbWUhos+2azTGn1XWWlcGQ5Xg
+5pjjuQbFaiSsT9Y1poh1R+yaEDWc+sNfTFikk86U5X0
+-> y-grease IcQ/&4 x [nL_
+m/JAUuy/7a7/k+qTDEuSDtJcjqAuum+2
+--- tZoksBLZWjbl7cH9Rmfz8Em9ZbDFQQgKVkxKJRx2V74
+wH ¸…šÏ^ÎÁ«¶µ€F_„ ›$“=…ñÝZmsE9uÓŒ<C393>^Öy¹<79>ÜñÚ#„šZ\wSê÷{~"I„®
?IÁ;É6ó®*úÀl5-ÎõD2ël½ù4„/!‚Ðñ‚§}÷Pû´öiW¶7ÈiW|0´uq³mûWr¦Ë#ƒîéÚ<>;=AlÂgŒ*06Å	{füK0¬aÍbMK/¶
+Ò

secrets/mastodon/social.hillion.co.uk/vapid_private_key.age

@@ -0,0 +1,23 @@
+age-encryption.org/v1
+-> ssh-rsa GxPFJQ
+mdMhxMiuWstsWZ4wSiWcloDrP1sJrKOQFy1IwAEXjrXmWx+N9W2p93+gz9W3mTir
+ooLWTdj2g9tywRpFlLfZr8MDsZEpCxSLb2TG6/xOHuu7qfdsK2V/q+AdgmNZQemv
+KdIQoszcltG7tv1MyUgcCgusGqJIudLhJ8Sk5w0yPmKW6K/o0cRqX2IAxLWOts2m
+wlpieG2r35+OHTyaMC6HKDhZBM5Te9b9nQNwq8kj4n98Il3gEGkWYRK6eGiPoQNq
+ywQv4cmLVmPvuGRhRymzGOieMk2EeT8ZEs970t7SRgq58BFWI79hFZ1Mihr0pXyL
+wJgnEvaUey1rBj6Nlbdvcw
+-> ssh-rsa K9mW1w
+s29WasIMWE/iVZ2ESd3HpcMsZeC8K/99X/aopLCtK+c+ykXzbdXyHjCvtfvpvMF+
+GVgWLpPpTa/miLZX2ih7GDXBOI06cvs0Zy1eFvVBUsgID87hpHqfGbpFKvQrMPEc
+wvcINtOBVa4B9IQ5HNMrBtKQuJ2kOdyerosm93S7crOG2ioAt+FLCIjYYLRCteFN
+QIbD8vgcocpezAmY06WnepNM1Yi8yeHGi2m3HfPTNxKb6zxMGQ4RcW4a+CYiu0KO
+rtXFDcQyw82BHzgM+mbW1bZ94EwlVeJJRzrukfFi5zZxzr+Zisv8kK9aQZYvTaMS
+5ddMYrdpxJeGJAtO6ir3yw
+-> ssh-ed25519 O0LMHg yHLnNQMahSSgXtWmyAurXI7+bvlJhg4edg/G+AzGAkk
+PDbS4LjOhHY6GIfQAojtDYpUJV3xS4nAAnvhfhMui3I
+-> TQ~'V\-grease vuL/7@ .YbM/Fv$
+sJRsjd41yeR2gJRv567GFh9a6G55o7Jd00QYxPPp
+--- dClpo30O0AgOaIbkTeyPuuLgV5xCVwj9TpOMJ8fGUJo
+Œ˜:çÓ’UYÎ,7™D{µCÏÓö
+1
TÂCQɶ*f=„gCkú«<C3BA>]'šúeûWfìšÄ«~”†£E¸

+ÊãÍ:å²ÑA –”

secrets/secrets.nix

@@ -65,4 +65,10 @@ in
   # Drone Secrets
   "drone/gitea_client_secret.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
   "drone/rpc_secret.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
+
+  # Mastodon Secrets
+  "mastodon/social.hillion.co.uk/otp_secret_file.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
+  "mastodon/social.hillion.co.uk/secret_key_base.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
+  "mastodon/social.hillion.co.uk/vapid_private_key.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
+  "mastodon/social.hillion.co.uk/mastodon_at_social.hillion.co.uk.age".publicKeys = jake_users ++ [ ts.strangervm.vm ];
 }