Setup Mastodon

2025-12-25 13:46:59 +01:00 · 2022-12-01 02:31:13 +01:00 · 2022-12-01 02:31:13 +01:00 · dc7cff3140
commit dc7cff3140
parent 41519afebe
8 changed files with 96 additions and 3 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -6,5 +6,6 @@
    ./gitlab-runner.nix
    ./openssh.nix
    ./murmur.nix
+    ./mastodon.nix
  ];
 }
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
@ -17,6 +17,12 @@
    monitPassword = {
      key = "email/accounts_passwords/monit";
    };
+    noreplyBanditlairPassword = {
+      key = "email/accounts_passwords/noreply_banditlair";
+    };
+    noreplyFroidmontPassword = {
+      key = "email/accounts_passwords/noreply_froidmont";
+    };
  };

  mailserver = {
@ -156,6 +162,14 @@
        hashedPasswordFile = config.sops.secrets.monitPassword.path;
        sendOnly = true;
      };
+      "noreply@banditlair.com" = {
+        hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
+        sendOnly = true;
+      };
+      "noreply@froidmont.org" = {
+        hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
+        sendOnly = true;
+      };
    };
    extraVirtualAliases = {
      "info@banditlair.com" = "paultrial@banditlair.com";
--- a/modules/mastodon.nix
+++ b/modules/mastodon.nix
@ -0,0 +1,50 @@
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.custom.services.mastodon;
+in
+{
+  options.custom.services.mastodon = {
+    enable = mkEnableOption "mastodon";
+  };
+
+
+  config = mkIf cfg.enable {
+    sops.secrets = {
+      mastodonDbPassword = {
+        owner = config.users.users.mastodon.name;
+        key = "mastodon/db_password";
+        restartUnits = [ "mastodon-init-db.service" ];
+      };
+      noreplyFroidmontPassword = {
+        owner = config.users.users.mastodon.name;
+        key = "email/accounts_passwords/noreply_froidmont_clear";
+      };
+    };
+
+    services.mastodon = {
+      enable = true;
+      localDomain = "social.froidmont.org";
+      configureNginx = true;
+      database = {
+        createLocally = false;
+        host = "10.0.1.11";
+        name = "mastodon";
+        user = "mastodon";
+        passwordFile = config.sops.secrets.mastodonDbPassword.path;
+      };
+      smtp = {
+        createLocally = false;
+        authenticate = true;
+        host = "mail.banditlair.com";
+        port = 465;
+        fromAddress = "noreply@froidmont.org";
+        user = "noreply@froidmont.org";
+        passwordFile = config.sops.secrets.noreplyFroidmontPassword.path;
+      };
+      extraConfig = {
+        SMTP_SSL = "true";
+      };
+    };
+  };
+}
--- a/modules/postgresql.nix
+++ b/modules/postgresql.nix
@ -40,6 +40,11 @@
      key = "wikijs-test/db_password";
      restartUnits = [ "postgresql-setup.service" ];
    };
+    mastodonDbPassword = {
+      owner = config.services.postgresql.superUser;
+      key = "mastodon/db_password";
+      restartUnits = [ "postgresql-setup.service" ];
+    };
  };

  systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in
@ -61,16 +66,19 @@
        PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
        PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
        PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "wikijs-test"'
+        PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"'
        
        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "wikijs-test" OWNER "wikijs-test"'
+        PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"'

        PSQL -tAc  "ALTER ROLE synapse LOGIN"
        PSQL -tAc  "ALTER ROLE nextcloud LOGIN"
        PSQL -tAc  "ALTER ROLE roundcube LOGIN"
        PSQL -tAc  "ALTER ROLE \"wikijs-test\" LOGIN"
+        PSQL -tAc  "ALTER ROLE mastodon LOGIN"

        synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
        PSQL -tAc  "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@ -80,6 +88,8 @@
        PSQL -tAc  "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
        wikijstest_password="$(<'${config.sops.secrets.wikiJsTestDbPassword.path}')"
        PSQL -tAc  "ALTER ROLE \"wikijs-test\" WITH PASSWORD '$wikijstest_password'"
+        mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')"
+        PSQL -tAc  "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"
      '';

      serviceConfig = {