nixos/modules/services/mastodon/default.nix

{ config, pkgs, lib, ... }:

let
  cfg = config.custom.services.mastodon;
in
{
  options.custom.services.mastodon = {
    enable = lib.mkEnableOption "mastodon";
  };

  config = lib.mkIf cfg.enable {
    age.secrets = {
      "mastodon/otp_secret_file" = {
        file = ../../../secrets/mastodon/social.hillion.co.uk/otp_secret_file.age;
        owner = config.services.mastodon.user;
        group = config.services.mastodon.group;
      };
      "mastodon/secret_key_base" = {
        file = ../../../secrets/mastodon/social.hillion.co.uk/secret_key_base.age;
        owner = config.services.mastodon.user;
        group = config.services.mastodon.group;
      };
      "mastodon/vapid_private_key" = {
        file = ../../../secrets/mastodon/social.hillion.co.uk/vapid_private_key.age;
        owner = config.services.mastodon.user;
        group = config.services.mastodon.group;
      };
      "mastodon/mastodon_at_social.hillion.co.uk" = {
        file = ../../../secrets/mastodon/social.hillion.co.uk/mastodon_at_social.hillion.co.uk.age;
        owner = config.services.mastodon.user;
        group = config.services.mastodon.group;
      };
    };

    users.users.caddy.extraGroups = [ "mastodon" ];

    services = {
      mastodon = {
        enable = true;
        localDomain = "social.hillion.co.uk";

        vapidPublicKeyFile = builtins.path { path = ./vapid_public_key; };
        otpSecretFile = config.age.secrets."mastodon/otp_secret_file".path;
        secretKeyBaseFile = config.age.secrets."mastodon/secret_key_base".path;
        vapidPrivateKeyFile = config.age.secrets."mastodon/vapid_private_key".path;

        smtp = {
          user = "mastodon@social.hillion.co.uk";
          port = 587;
          passwordFile = config.age.secrets."mastodon/mastodon_at_social.hillion.co.uk".path;
          host = "smtp.eu.mailgun.org";
          fromAddress = "mastodon@social.hillion.co.uk";
          authenticate = true;
        };

        extraConfig = {
          EMAIL_DOMAIN_WHITELIST = "hillion.co.uk";
        };

        streamingProcesses = 9;
      };

      caddy = {
        enable = true;

        virtualHosts."social.hillion.co.uk".extraConfig = ''
          handle_path /system/* {
            file_server * {
              root /var/lib/mastodon/public-system
            }
          }

          handle /api/v1/streaming/* {
            reverse_proxy  unix//run/mastodon-streaming/streaming.socket
          }
        
          route * {
            file_server * {
              root ${pkgs.mastodon}/public
              pass_thru
            }
            reverse_proxy * unix//run/mastodon-web/web.socket
          }

          handle_errors {
            root * ${pkgs.mastodon}/public
            rewrite 500.html
            file_server
          }

          encode gzip

          header /* {
            Strict-Transport-Security "max-age=31536000;"
          }
          header /emoji/* Cache-Control "public, max-age=31536000, immutable"
          header /packs/* Cache-Control "public, max-age=31536000, immutable"
          header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
          header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
        '';
      };
    };
  };
}