Setup Mastodon

This commit is contained in:
Paul-Henri Froidmont 2022-12-01 02:31:13 +01:00
parent 41519afebe
commit dc7cff3140
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
8 changed files with 96 additions and 3 deletions

8
dns.tf

@ -88,6 +88,14 @@ resource "hetznerdns_record" "jitsi_a" {
ttl = 600 ttl = 600
} }
resource "hetznerdns_record" "mastodon_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "social"
value = hcloud_server.backend1.ipv4_address
type = "A"
ttl = 600
}
resource "hetznerdns_record" "elefan-test_a" { resource "hetznerdns_record" "elefan-test_a" {
zone_id = data.hetznerdns_zone.froidmont_zone.id zone_id = data.hetznerdns_zone.froidmont_zone.id
name = "elefan-test" name = "elefan-test"


@ -6,5 +6,6 @@
./gitlab-runner.nix ./gitlab-runner.nix
./openssh.nix ./openssh.nix
./murmur.nix ./murmur.nix
./mastodon.nix
]; ];
} }


@ -17,6 +17,12 @@
monitPassword = { monitPassword = {
key = "email/accounts_passwords/monit"; key = "email/accounts_passwords/monit";
}; };
noreplyBanditlairPassword = {
key = "email/accounts_passwords/noreply_banditlair";
};
noreplyFroidmontPassword = {
key = "email/accounts_passwords/noreply_froidmont";
};
}; };
mailserver = { mailserver = {
@ -156,6 +162,14 @@
hashedPasswordFile = config.sops.secrets.monitPassword.path; hashedPasswordFile = config.sops.secrets.monitPassword.path;
sendOnly = true; sendOnly = true;
}; };
"noreply@banditlair.com" = {
hashedPasswordFile = config.sops.secrets.noreplyBanditlairPassword.path;
sendOnly = true;
};
"noreply@froidmont.org" = {
hashedPasswordFile = config.sops.secrets.noreplyFroidmontPassword.path;
sendOnly = true;
};
}; };
extraVirtualAliases = { extraVirtualAliases = {
"info@banditlair.com" = "paultrial@banditlair.com"; "info@banditlair.com" = "paultrial@banditlair.com";

50
modules/mastodon.nix Normal file

@ -0,0 +1,50 @@
{ config, lib, ... }:
with lib;
let
cfg = config.custom.services.mastodon;
in
{
options.custom.services.mastodon = {
enable = mkEnableOption "mastodon";
};
config = mkIf cfg.enable {
sops.secrets = {
mastodonDbPassword = {
owner = config.users.users.mastodon.name;
key = "mastodon/db_password";
restartUnits = [ "mastodon-init-db.service" ];
};
noreplyFroidmontPassword = {
owner = config.users.users.mastodon.name;
key = "email/accounts_passwords/noreply_froidmont_clear";
};
};
services.mastodon = {
enable = true;
localDomain = "social.froidmont.org";
configureNginx = true;
database = {
createLocally = false;
host = "10.0.1.11";
name = "mastodon";
user = "mastodon";
passwordFile = config.sops.secrets.mastodonDbPassword.path;
};
smtp = {
createLocally = false;
authenticate = true;
host = "mail.banditlair.com";
port = 465;
fromAddress = "noreply@froidmont.org";
user = "noreply@froidmont.org";
passwordFile = config.sops.secrets.noreplyFroidmontPassword.path;
};
extraConfig = {
SMTP_SSL = "true";
};
};
};
}
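Review bot: `sops.secrets.noreplyFroidmontPassword` in this new module reuses the secret name that the mail module in the same commit also defines, but with a different `key` (`email/accounts_passwords/noreply_froidmont_clear` here, the hashed `email/accounts_passwords/noreply_froidmont` there) and a different owner; on any host that enables both modules the two definitions would conflict at evaluation time, so a module-specific name such as `mastodonSmtpPassword = { owner = config.users.users.mastodon.name; key = "email/accounts_passwords/noreply_froidmont_clear"; };` (and `passwordFile = config.sops.secrets.mastodonSmtpPassword.path;` in `smtp`) avoids the collision. The database is reached over the network at `10.0.1.11` and nothing in the hunk requires TLS on that connection; unless that address is on a private or already-encrypted link, consider setting `DB_SSLMODE` in `extraConfig` (honoured by recent Mastodon releases) and checking the server-side `pg_hba` entry for the `mastodon` role. The module-wide `with lib;` also pulls every lib name into scope; `inherit (lib) mkEnableOption mkIf;` keeps the dependency explicit.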


@ -40,6 +40,11 @@
key = "wikijs-test/db_password"; key = "wikijs-test/db_password";
restartUnits = [ "postgresql-setup.service" ]; restartUnits = [ "postgresql-setup.service" ];
}; };
mastodonDbPassword = {
owner = config.services.postgresql.superUser;
key = "mastodon/db_password";
restartUnits = [ "postgresql-setup.service" ];
};
}; };
systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in systemd.services.postgresql-setup = let pgsql = config.services.postgresql; in
@ -61,16 +66,19 @@
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "wikijs-test"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "wikijs-test"'
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "mastodon"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "synapse" OWNER "synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'nextcloud'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "nextcloud" OWNER "nextcloud"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'roundcube'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "roundcube" OWNER "roundcube"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "wikijs-test" OWNER "wikijs-test"' PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'wikijs-test'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "wikijs-test" OWNER "wikijs-test"'
PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = 'mastodon'" | grep -q 1 || PSQL -tAc 'CREATE DATABASE "mastodon" OWNER "mastodon"'
PSQL -tAc "ALTER ROLE synapse LOGIN" PSQL -tAc "ALTER ROLE synapse LOGIN"
PSQL -tAc "ALTER ROLE nextcloud LOGIN" PSQL -tAc "ALTER ROLE nextcloud LOGIN"
PSQL -tAc "ALTER ROLE roundcube LOGIN" PSQL -tAc "ALTER ROLE roundcube LOGIN"
PSQL -tAc "ALTER ROLE \"wikijs-test\" LOGIN" PSQL -tAc "ALTER ROLE \"wikijs-test\" LOGIN"
PSQL -tAc "ALTER ROLE mastodon LOGIN"
synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')" synapse_password="$(<'${config.sops.secrets.synapseDbPassword.path}')"
PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'" PSQL -tAc "ALTER ROLE synapse WITH PASSWORD '$synapse_password'"
@ -80,6 +88,8 @@
PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'" PSQL -tAc "ALTER ROLE roundcube WITH PASSWORD '$roundcube_password'"
wikijstest_password="$(<'${config.sops.secrets.wikiJsTestDbPassword.path}')" wikijstest_password="$(<'${config.sops.secrets.wikiJsTestDbPassword.path}')"
PSQL -tAc "ALTER ROLE \"wikijs-test\" WITH PASSWORD '$wikijstest_password'" PSQL -tAc "ALTER ROLE \"wikijs-test\" WITH PASSWORD '$wikijstest_password'"
mastodon_password="$(<'${config.sops.secrets.mastodonDbPassword.path}')"
PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"
''; '';
serviceConfig = { serviceConfig = {
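Review bot: The new `PSQL -tAc "ALTER ROLE mastodon WITH PASSWORD '$mastodon_password'"` splices the secret into the SQL text by shell interpolation, so a password containing a single quote breaks the statement, and the cleartext value is passed as a command-line argument where it is visible to process listings and to any statement logging the server enables. This repeats the pattern of the synapse, nextcloud, roundcube and wikijs-test lines in the same hunk, so any fix should cover all of them: double embedded single quotes before interpolating (or generate the secrets from a quote-free alphabet and say so in a comment), and feed the statement to the client on standard input instead of `-c` if the `PSQL` wrapper, which is defined outside this hunk, allows it. The enclosing `postgresql-setup` script also begins and ends outside the hunk.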


@ -27,7 +27,7 @@
custom = { custom = {
services.backup-job = { services.backup-job = {
enable = true; enable = true;
additionalPaths = [ "/var/lib/nextcloud/config" ]; additionalPaths = [ "/var/lib/nextcloud/config" "/var/lib/mastodon" ];
readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ]; readWritePaths = [ "/nix/var/data/murmur" "/nix/var/data/backup/" ];
preHook = '' preHook = ''
cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite cp /var/lib/murmur/murmur.sqlite /nix/var/data/murmur/murmur.sqlite
@ -72,6 +72,8 @@
services.openssh.enable = true; services.openssh.enable = true;
services.murmur.enable = true; services.murmur.enable = true;
services.mastodon.enable = true;
}; };
services.wiki-js = { services.wiki-js = {
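Review bot: Adding `/var/lib/mastodon` to `additionalPaths` puts Mastodon's whole state directory into the backup set; with the NixOS module that directory presumably also holds the generated application secrets (secret key base, OTP secret, VAPID keys) next to uploaded media, so the backup destination now protects key material as well as data. Worth confirming that the borg repository used by `services.backup-job` is encrypted and that the media subtree is intentionally included given how it grows; a comment such as `# includes Mastodon's generated secrets — repo must stay encrypted` on that line would record the decision. The `services.backup-job` block starts and ends outside this hunk.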


@ -25,6 +25,7 @@
${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp ${pkgs.postgresql_12}/bin/pg_dump -U synapse synapse > /nix/var/data/postgresql/synapse.dmp
${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp ${pkgs.postgresql_12}/bin/pg_dump -U nextcloud nextcloud > /nix/var/data/postgresql/nextcloud.dmp
${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp ${pkgs.postgresql_12}/bin/pg_dump -U roundcube roundcube > /nix/var/data/postgresql/roundcube.dmp
${pkgs.postgresql_12}/bin/pg_dump -U mastodon mastodon > /nix/var/data/postgresql/mastodon.dmp
''; '';
startAt = "03:00"; startAt = "03:00";
sshKey = config.sops.secrets.borgSshKey.path; sshKey = config.sops.secrets.borgSshKey.path;


@ -11,6 +11,9 @@ synapse:
nextcloud: nextcloud:
db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str] db_password: ENC[AES256_GCM,data:guuBM5ag+Q014Y+rt0+E9hJcYfLcXV8HfJdbWRuI7BC+Gsjr82OkowFYquFLvcnMAgYWXroy73jW4I4v,iv:KDm/er5h/rK6jqRQdS36LPAw3oOk/yZya0OMPoJlyBg=,tag:4AXG7/BRHOoYJwvVwJxhPw==,type:str]
admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str] admin_password: ENC[AES256_GCM,data:zTOHKYJmBbA6Tca2l+vO748dGzP2XkAvZHmJtrbftDI5Q/1mS3ZLw16g1DT+pKXF7VIUm2plR7ZRtxwq,iv:87lrQzhdyz1YiIO25fXwn0TvEASm/H8N5cZUckIm780=,tag:VXyNu8CnoY/ShK7dHnPTWA==,type:str]
mastodon:
db_password: ENC[AES256_GCM,data:XY/C6n3T7iINN1Sk2GdhQgHK0+vltLssOVfRLA2rFmqdxLHjvpKQTPHWxDbzELVcGqgGyiMH4AG240lo,iv:8M/fLo1MjIpUIW54WgddILmcgtofeh0rIBvKQaX/Csw=,tag:Al6LjmcPOlza5iJivf0agg==,type:str]
smtp_password: ENC[AES256_GCM,data:uhtPw/1uuKsDifdPzaczWFdZm3TP3e25U69bGysJdudnjY9rjf8HrDJ1/wqXR4hbLMaJP41fVN9WXYSE,iv:VjIQCBx6BFzATuALewU6Dc7Ti+uekmAUIJ+r2iOcFHg=,tag:vhCvRbkRxuYyf/qLeoaFzA==,type:str]
roundcube: roundcube:
db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str] db_password: ENC[AES256_GCM,data:t2/gRhkkwd7eXKvRowNnBfOiJS4nWZlZpjtmmw+XcARbcYyf4Z3+jG6anzqxYjHHGzza23qcpfiSB4t7,iv:H7vdeBgVY3aSsMCyBBbCb0qqbDHTA/S3fwK1lDBebDI=,tag:LbeMqj3xdWz8e6XSEV+jtw==,type:str]
pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str] pg_pass_file: ENC[AES256_GCM,data:pXWi2lC3Na8K/P+F0nUW00mq2vApw/pf5stJvlfuwEdan1GKBa9jSqJE17mq7weaMkhI1vBwDdfu/P1y7hEBzRNU3CA=,iv:3bC2mKUt8jI+Avm8UQq6b15JA2F7/usfDEh6XYJ9OZA=,tag:0pYQyWDh3w00XRQe13IrCw==,type:str]
@ -27,6 +30,10 @@ email:
marie: ENC[AES256_GCM,data:XM1Gt2fY0GqOq+J3+CQflnWPLMmILqTWviWxzkrluovweQ+iMWmfGAS9o2K/GAS1Rr0G3P4NFmhPe6YL,iv:g9Y3WClUzvE4bkXaV82q2/cFME20KvsIV1T/q0ysBIo=,tag:Gc5rE/WubuD66uz+8OOclQ==,type:str] marie: ENC[AES256_GCM,data:XM1Gt2fY0GqOq+J3+CQflnWPLMmILqTWviWxzkrluovweQ+iMWmfGAS9o2K/GAS1Rr0G3P4NFmhPe6YL,iv:g9Y3WClUzvE4bkXaV82q2/cFME20KvsIV1T/q0ysBIo=,tag:Gc5rE/WubuD66uz+8OOclQ==,type:str]
alice: ENC[AES256_GCM,data:wLnrPro2FIsT+i5rpcmen63waTE6RBF/aw5yUz6BmsMRXCMmJyoLxrGgB4faIaBEnRNT68iozP8dSCIG,iv:2Tjvz/5JMBby+OBAYShIAz7Tl3gSQAYmUepJcHM9my0=,tag:ulrfLiTBExN5D9hjg3rgSA==,type:str] alice: ENC[AES256_GCM,data:wLnrPro2FIsT+i5rpcmen63waTE6RBF/aw5yUz6BmsMRXCMmJyoLxrGgB4faIaBEnRNT68iozP8dSCIG,iv:2Tjvz/5JMBby+OBAYShIAz7Tl3gSQAYmUepJcHM9my0=,tag:ulrfLiTBExN5D9hjg3rgSA==,type:str]
monit: ENC[AES256_GCM,data:p/Vtc9MM8BeNF2V3l0VL82oOk0JUeKY/hAqPtW45Sdm8hiZbCNdF68jurvoI2oBu8b0d2Fer0n4ybAQJ,iv:R7PhqwaWaxx7g1gyYnh0UdoQILYHKuFG84AGghiOJ9g=,tag:S/IpeyVHLzHyqPDHIxAT8w==,type:str] monit: ENC[AES256_GCM,data:p/Vtc9MM8BeNF2V3l0VL82oOk0JUeKY/hAqPtW45Sdm8hiZbCNdF68jurvoI2oBu8b0d2Fer0n4ybAQJ,iv:R7PhqwaWaxx7g1gyYnh0UdoQILYHKuFG84AGghiOJ9g=,tag:S/IpeyVHLzHyqPDHIxAT8w==,type:str]
noreply_banditlair: ENC[AES256_GCM,data:qTeu6VcUN5NEAtGaINHoIU0JHaRc9PzJUwgRl/UEbVFmZ/Hs532DqaE81Io3AcQbzv4GnB9IAoVIiAoG,iv:9m5Y4xb2gyqOOQaWl0nIWRElwws3mwwwg9zq8lIF7ko=,tag:0yJIVHhF/wlRdwjgTQ1Jhg==,type:str]
noreply_banditlair_clear: ENC[AES256_GCM,data:2860Gha3T19BqzmZ96UfgrXTOEMU7gleBxh2m8K7f1cmVjgCWVZxBkVqtYbRFrv7jxZ/Q2228CiE29KR,iv:2Zj6ej8FQX34W2AE9g7rc+kL0YYaOGUheMZZ3zjuJBc=,tag:u9fyUQABHfHm4hEabvjTLQ==,type:str]
noreply_froidmont: ENC[AES256_GCM,data:iWf1e/r+QMZ+Ysy5GpK4g5IfS0DCfg0aV84Bn6vE7j+DhqYUuxeFRO6kLQbinN0+Nm6LNuTJwYHcqs6D,iv:Eu9brnP+v3D2ATAPQRHorwRtngPx+zcBaJoTf1EXKMs=,tag:PxQFatjpzEYLz7m6fEadag==,type:str]
noreply_froidmont_clear: ENC[AES256_GCM,data:QCoE97FbaQKN0JvEeLS99ppMerGJ0hPge6EhtvAyQginUxIK66MoUhJdoUCVwR8cm3RLIkl1wScC0Dtd,iv:InALAMNwNCnE+t4KJy+0KxwdoL0fuQNdKKJzJdxF27U=,tag:pXnnuHIiAvV9LsWqzTFE6A==,type:str]
dmarc_exporter: dmarc_exporter:
password: ENC[AES256_GCM,data:eWTv3x0uDhvW8U9ZW/FTNIEkDB0vhMoauZWNju2xZoIV2MhBeOwBHQ==,iv:+GQji5bqDCXOyt8+Vjsb08UW5zaA0KLGMQqhRBQUxcg=,tag:FvRoUrabkEn0PA8DZLIayA==,type:str] password: ENC[AES256_GCM,data:eWTv3x0uDhvW8U9ZW/FTNIEkDB0vhMoauZWNju2xZoIV2MhBeOwBHQ==,iv:+GQji5bqDCXOyt8+Vjsb08UW5zaA0KLGMQqhRBQUxcg=,tag:FvRoUrabkEn0PA8DZLIayA==,type:str]
monit: monit:
@ -59,8 +66,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2022-11-07T15:15:00Z" lastmodified: "2022-11-30T23:53:32Z"
mac: ENC[AES256_GCM,data:YBMmTgwhCAzLx4a07IFgehry9YyWDijloEYafYBsWSvyJMWl5ilwL75rIKEeWFNDjg2qc1prxwhypZIux79y9c9VsScJvcjbt8mR0lpce3ov0n8V2APP84ypiboiedCcBq0AgoW+wDW/jNupKfRs2jyUwRyuTnh4pM2qqFmOtEo=,iv:72Q09ge81Ngpv+9toujTi85lz7EZjz6PXeSshSdG+zA=,tag:EmyXMETtfXQFJ37M1wCutw==,type:str] mac: ENC[AES256_GCM,data:zb23kjrAAAsgSzkpx3fU2vzaZXii5euZyrkv8v4nyq20dLbuoW0N7UuvLushRq8t0PHaDaBvH/iiiBJkGq0r+pFasyKaFu7dGh2ApEBcm4Nu7SUbOslZRvzXakBbEChMvMBUEn2LcXu8P9144L83ztygmDO3VDGRP7SCSSExz7s=,iv:R/JbRCFFSQSNbmcq41MpDF/tTVls+3djiSxZ+NYWrew=,tag:ajwb+40N/vCzikvonBNH4w==,type:str]
pgp: pgp:
- created_at: "2021-11-29T00:57:34Z" - created_at: "2021-11-29T00:57:34Z"
enc: | enc: |
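Review bot: The new `mastodon.smtp_password` entry is not referenced by any module in this commit — `modules/mastodon.nix` reads its SMTP credential from `email/accounts_passwords/noreply_froidmont_clear` instead — so it is either dead data or the module points at the wrong key; keeping one copy of the credential avoids the two drifting apart. The `noreply_*_clear` entries add cleartext mail passwords alongside their hashes, which SMTP AUTH on the client side needs, but only the `_clear` keys may be used as `passwordFile` and only the hashed ones as `hashedPasswordFile`; a short note in the consuming modules would make that distinction explicit.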