diff --git a/dns.tf b/dns.tf
index db7077a..46dda7e 100644
--- a/dns.tf
+++ b/dns.tf
@@ -88,6 +88,14 @@ resource "hetznerdns_record" "jitsi_a" {
 ttl = 600
 }
 
+resource "hetznerdns_record" "mastodon_a" {
+ zone_id = data.hetznerdns_zone.froidmont_zone.id
+ name = "social"
+ value = hcloud_server.backend1.ipv4_address
+ type = "A"
+ ttl = 600
+}
+
 resource "hetznerdns_record" "elefan-test_a" {
 zone_id = data.hetznerdns_zone.froidmont_zone.id
 name = "elefan-test"
diff --git a/modules/default.nix b/modules/default.nix
index 7658111..8cbada4 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -6,5 +6,6 @@
 ./gitlab-runner.nix
 ./openssh.nix
 ./murmur.nix
+ ./mastodon.nix
 ];
 }
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index f45d56c..e160713 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@@ -17,6 +17,12 @@
 monitPassword = {
 key = "email/accounts_passwords/monit";
 };
+ noreplyBanditlairPassword = {
+ key = "email/accounts_passwords/noreply_banditlair";
+ };
+ noreplyFroidmontPassword = {
+ key = "email/accounts_passwords/noreply_froidmont";
+ };
 };
 
 mailserver = {
@@ -156,6 +162,14 @@
 hashedPasswordFile = config.sops.secrets.monitPassword.path;
 sendOnly = true;
 };
+ "noreply@banditlair.com" = {
+ hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
+ sendOnly = true;
+ };
+ "noreply@froidmont.org" = {
+ hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
+ sendOnly = true;
+ };
 };
 extraVirtualAliases = {
 "info@banditlair.com" = "paultrial@banditlair.com";
diff --git a/modules/mastodon.nix b/modules/mastodon.nix
new file mode 100644
index 0000000..4cfdb0d
--- /dev/null
+++ b/modules/mastodon.nix
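Review bot: `sops.secrets.noreplyFroidmontPassword` is declared in the first mailserver.nix hunk with key `email/accounts_passwords/noreply_froidmont` (the hashed value consumed through `hashedPasswordFile` in the second hunk), while the new modules/mastodon.nix declares the same attribute name with key `email/accounts_passwords/noreply_froidmont_clear`, the cleartext one. Should both modules ever be enabled on one host the module system should reject the two conflicting `key` definitions, and even apart from that, one name for two different secrets makes it easy to wire the hashed value into Mastodon or the cleartext one into the mailserver. Give the Mastodon-side secret its own name, e.g. `mastodonSmtpPassword = { owner = config.users.users.mastodon.name; key = "email/accounts_passwords/noreply_froidmont_clear"; };`, and point `services.mastodon.smtp.passwordFile` at it. The enclosing `sops.secrets` attribute set starts before the hunk.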
@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.custom.services.mastodon;
+in
+{
+ options.custom.services.mastodon = {
+ enable = mkEnableOption "mastodon";
+ };
+
+
+ config = mkIf cfg.enable {
+ sops.secrets = {
+ mastodonDbPassword = {
+ owner = config.users.users.mastodon.name;
+ key = "mastodon/db_password";
+ restartUnits = [ "mastodon-init-db.service" ];
+ };
+ noreplyFroidmontPassword = {
+ owner = config.users.users.mastodon.name;
+ key = "email/accounts_passwords/noreply_froidmont_clear";
+ };
+ };
+
+ services.mastodon = {
+ enable = true;
+ localDomain = "social.froidmont.org";
+ configureNginx = true;
+ database = {
+ createLocally = false;
+ host = "10.0.1.11";
+ name = "mastodon";
+ user = "mastodon";
+ passwordFile = config.sops.secrets.mastodonDbPassword.path;
+ };
+ smtp = {
+ createLocally = false;
+ authenticate = true;
+ host = "mail.banditlair.com";
+ port = 465;
+ fromAddress = "noreply@froidmont.org";
+ user = "noreply@froidmont.org";
+ passwordFile = config.sops.secrets.noreplyFroidmontPassword.path;
+ };
+ extraConfig = {
+ SMTP_SSL = "true";
+ };
+ };
+ };
+}
diff --git a/modules/postgresql.nix b/modules/postgresql.nix
index 0752fb6..d064222 100644
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@@ -40,6 +40,11 @@
 key = "wikijs-test/db_password";
 restartUnits = [ "postgresql-setup.service" ];
 };
+ mastodonDbPassword = {
+ owner = config.services.postgresql.superUser;
+ key = "mastodon/db_password";
+ restartUnits = [ "postgresql-setup.service" ];
+ };
 };
 systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in
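Review bot: `database.host = "10.0.1.11"` with `createLocally = false` sends the mastodon role's password and all query traffic to another host, and nothing in this module asks for TLS, so whether that link is protected depends on the PostgreSQL server's `ssl` setting and on libpq's default sslmode, neither of which is visible in this diff. If 10.0.1.0/24 is not a dedicated private network, pin the client side next to `SMTP_SSL`, e.g. `DB_SSLMODE = "require";` in `extraConfig` (Mastodon reads `DB_SSLMODE` from its environment), and confirm host-based auth on the db host restricts the `mastodon` role to this peer. A smaller point: `restartUnits` on `mastodonDbPassword` lists only `mastodon-init-db.service` and the SMTP secret has none, so after a rotation the long-running Mastodon units presumably keep the old values until restarted by hand; confirm which unit assembles the secrets into Mastodon's environment and list it too.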
@@ -61,16 +66,19 @@
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
 PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "wikijs-test"'
+ PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"'
 
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
 PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "wikijs-test" OWNER "wikijs-test"'
+ PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"'
 
 PSQL -tAc "ALTER ROLE synapse LOGIN"
 PSQL -tAc "ALTER ROLE nextcloud LOGIN"
 PSQL -tAc "ALTER ROLE roundcube LOGIN"
 PSQL -tAc "ALTER ROLE \"wikijs-test\" LOGIN"
+ PSQL -tAc "ALTER ROLE mastodon LOGIN"
 
 synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
 PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@@ -80,6 +88,8 @@
 PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
 wikijstest_password="$(<'${config.sops.secrets.wikiJsTestDbPassword.path}')"
 PSQL -tAc "ALTER ROLE \"wikijs-test\" WITH PASSWORD '$wikijstest_password'"
+ mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')"
+ PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"
 '';
 serviceConfig = {
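Review bot: `PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"` in the hunk at `@@ -80,6 +88,8 @@` splices the raw secret file content into a SQL string literal and hands the whole statement to psql as an argument, so a password containing `'` breaks the statement and the value is visible in the process list for the duration of the call; the existing roles do the same, so this follows the file's pattern, but the new line is the natural place to start fixing it. At minimum double any single quotes before use, `mastodon_password="''${mastodon_password//\'/\'\'}"` (the `''$` keeps Nix from interpolating it), and preferably feed the statement to psql on stdin rather than in argv. `PSQL` is defined outside the hunk, and the setup script starts before it.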
diff --git a/profiles/backend.nix b/profiles/backend.nix
index 113bef4..50e9b45 100644
--- a/profiles/backend.nix
+++ b/profiles/backend.nix
@@ -27,7 +27,7 @@
 custom = {
 services.backup-job = {
 enable = true;
- additionalPaths = [ "/var/lib/nextcloud/config" ];
+ additionalPaths = [ "/var/lib/nextcloud/config" "/var/lib/mastodon" ];
 readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ];
 preHook = ''
 cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
@@ -72,6 +72,8 @@
 services.openssh.enable = true;
 services.murmur.enable = true;
+
+ services.mastodon.enable = true;
 };
 services.wiki-js = {
diff --git a/profiles/db.nix b/profiles/db.nix
index d43ef3b..ee8f514 100644
--- a/profiles/db.nix
+++ b/profiles/db.nix
@@ -25,6 +25,7 @@
 ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
 ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
 ${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
+ ${pkgs.postgresql_12}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp
 '';
 startAt = "03:00";
 sshKey = config.sops.secrets.borgSshKey.path;
diff --git a/secrets.enc.yml b/secrets.enc.yml
index 90cacc5..7555c73 100644
--- a/secrets.enc.yml
+++ b/secrets.enc.yml
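Review bot: Adding `/var/lib/mastodon` to `additionalPaths` pulls the whole Mastodon state directory into the backup; as far as I know the NixOS module keeps its generated key material and secrets environment there alongside every uploaded and cached media file, so the backup now carries live credentials and will grow with the instance. Whether the backup repository is encrypted is not visible here (the borg SSH key is wired up in profiles/db.nix, the encryption mode in neither file), so confirm it before the first run, and consider excluding the media cache subtree, which Mastodon re-fetches on demand. The `custom` block holding this option starts before the hunk.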
@@ -11,6 +11,9 @@ synapse:
 nextcloud:
 db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str]
 admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str]
+mastodon:
+ db_password: ENC[AES256_GCM,data:XY/C6n3T7iINN1Sk2GdhQgHK0+vltLssOVfRLA2rFmqdxLHjvpKQTPHWxDbzELVcGqgGyiMH4AG240lo,iv:8M/fLo1MjIpUIW54WgddILmcgtofeh0rIBvKQaX/Csw=,tag:Al6LjmcPOlza5iJivf0agg==,type:str]
+ smtp_password: ENC[AES256_GCM,data:uhtPw/1uuKsDifdPzaczWFdZm3TP3e25U69bGysJdudnjY9rjf8HrDJ1/wqXR4hbLMaJP41fVN9WXYSE,iv:VjIQCBx6BFzATuALewU6Dc7Ti+uekmAUIJ+r2iOcFHg=,tag:vhCvRbkRxuYyf/qLeoaFzA==,type:str]
 roundcube:
 db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
 pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
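Review bot: `mastodon.smtp_password` is added here but nothing in the commit reads it: modules/mastodon.nix wires `services.mastodon.smtp.passwordFile` to `email/accounts_passwords/noreply_froidmont_clear` instead, and the `noreply_banditlair_clear` entry added in the `email:` hunk below is likewise unreferenced by any module in this diff. Unused cleartext credentials in the secrets store are the ones nobody remembers to rotate, so either point the Mastodon module at `mastodon/smtp_password` (one source of truth per consumer) or drop the two unused keys and re-encrypt.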
@@ -27,6 +30,10 @@ email:
 marie: ENC[AES256_GCM,data:XM1Gt2fY0GqOq+J3+CQflnWPLMmILqTWviWxzkrluovweQ+iMWmfGAS9o2K/GAS1Rr0G3P4NFmhPe6YL,iv:g9Y3WClUzvE4bkXaV82q2/cFME20KvsIV1T/q0ysBIo=,tag:Gc5rE/WubuD66uz+8OOclQ==,type:str]
 alice: ENC[AES256_GCM,data:wLnrPro2FIsT+i5rpcmen63waTE6RBF/aw5yUz6BmsMRXCMmJyoLxrGgB4faIaBEnRNT68iozP8dSCIG,iv:2Tjvz/5JMBby+OBAYShIAz7Tl3gSQAYmUepJcHM9my0=,tag:ulrfLiTBExN5D9hjg3rgSA==,type:str]
 monit: ENC[AES256_GCM,data:p/Vtc9MM8BeNF2V3l0VL82oOk0JUeKY/hAqPtW45Sdm8hiZbCNdF68jurvoI2oBu8b0d2Fer0n4ybAQJ,iv:R7PhqwaWaxx7g1gyYnh0UdoQILYHKuFG84AGghiOJ9g=,tag:S/IpeyVHLzHyqPDHIxAT8w==,type:str]
+ noreply_banditlair: ENC[AES256_GCM,data:qTeu6VcUN5NEAtGaINHoIU0JHaRc9PzJUwgRl/UEbVFmZ/Hs532DqaE81Io3AcQbzv4GnB9IAoVIiAoG,iv:9m5Y4xb2gyqOOQaWl0nIWRElwws3mwwwg9zq8lIF7ko=,tag:0yJIVHhF/wlRdwjgTQ1Jhg==,type:str]
+ noreply_banditlair_clear: ENC[AES256_GCM,data:2860Gha3T19BqzmZ96UfgrXTOEMU7gleBxh2m8K7f1cmVjgCWVZxBkVqtYbRFrv7jxZ/Q2228CiE29KR,iv:2Zj6ej8FQX34W2AE9g7rc+kL0YYaOGUheMZZ3zjuJBc=,tag:u9fyUQABHfHm4hEabvjTLQ==,type:str]
+ noreply_froidmont: ENC[AES256_GCM,data:iWf1e/r+QMZ+Ysy5GpK4g5IfS0DCfg0aV84Bn6vE7j+DhqYUuxeFRO6kLQbinN0+Nm6LNuTJwYHcqs6D,iv:Eu9brnP+v3D2ATAPQRHorwRtngPx+zcBaJoTf1EXKMs=,tag:PxQFatjpzEYLz7m6fEadag==,type:str]
+ noreply_froidmont_clear: ENC[AES256_GCM,data:QCoE97FbaQKN0JvEeLS99ppMerGJ0hPge6EhtvAyQginUxIK66MoUhJdoUCVwR8cm3RLIkl1wScC0Dtd,iv:InALAMNwNCnE+t4KJy+0KxwdoL0fuQNdKKJzJdxF27U=,tag:pXnnuHIiAvV9LsWqzTFE6A==,type:str]
 dmarc_exporter:
 password: ENC[AES256_GCM,data:eWTv3x0uDhvW8U9ZW/FTNIEkDB0vhMoauZWNju2xZoIV2MhBeOwBHQ==,iv:+GQji5bqDCXOyt8+Vjsb08UW5zaA0KLGMQqhRBQUxcg=,tag:FvRoUrabkEn0PA8DZLIayA==,type:str]
 monit:
@@ -59,8 +66,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-11-07T15:15:00Z"
- mac: ENC[AES256_GCM,data:YBMmTgwhCAzLx4a07IFgehry9YyWDijloEYafYBsWSvyJMWl5ilwL75rIKEeWFNDjg2qc1prxwhypZIux79y9c9VsScJvcjbt8mR0lpce3ov0n8V2APP84ypiboiedCcBq0AgoW+wDW/jNupKfRs2jyUwRyuTnh4pM2qqFmOtEo=,iv:72Q09ge81Ngpv+9toujTi85lz7EZjz6PXeSshSdG+zA=,tag:EmyXMETtfXQFJ37M1wCutw==,type:str]
+ lastmodified: "2022-11-30T23:53:32Z"
+ mac: ENC[AES256_GCM,data:zb23kjrAAAsgSzkpx3fU2vzaZXii5euZyrkv8v4nyq20dLbuoW0N7UuvLushRq8t0PHaDaBvH/iiiBJkGq0r+pFasyKaFu7dGh2ApEBcm4Nu7SUbOslZRvzXakBbEChMvMBUEn2LcXu8P9144L83ztygmDO3VDGRP7SCSSExz7s=,iv:R/JbRCFFSQSNbmcq41MpDF/tTVls+3djiSxZ+NYWrew=,tag:ajwb+40N/vCzikvonBNH4w==,type:str]
 pgp:
 - created_at: "2021-11-29T00:57:34Z"
 enc: |