commit 0415f53d3d58588d1fd113da1f90765ddede8faf
parent bed48badd712538ac2a608c2b9d5de583990304c
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 26 Oct 2023 11:13:47 +0200
parent bed48badd712538ac2a608c2b9d5de583990304c
Author: Leah (ctucx) <git@ctu.cx>
Date: Thu, 26 Oct 2023 11:13:47 +0200
machines/trabbi: add `masto-fe` for gotosocial
5 files changed, 159 insertions(+), 130 deletions(-)
A
|
128
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D
|
129
-------------------------------------------------------------------------------
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix
@@ -20,7 +20,7 @@
 ./grafana
 # communication
- ./gotosocial.nix
+ ./fedi
 ./matrix-synapse.nix
 ./mail.nix
diff --git a/machines/trabbi/fedi/default.nix b/machines/trabbi/fedi/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+
+ imports = [
+ ./gotosocial.nix
+ ./masto-fe.nix
+ ];
+
+}
+ \ No newline at end of file
diff --git a/machines/trabbi/fedi/gotosocial.nix b/machines/trabbi/fedi/gotosocial.nix 
@@ -0,0 +1,128 @@
+{ pkgs, lib, config, ... }:
+
+let
+ gotosocial = pkgs.callPackage ../../../pkgs/gotosocial {};
+
+in {
+
+ dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ];
+
+ age.secrets.restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age";
+
+ systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
+
+ restic-backups.gotosocial = {
+ user = "gotosocial";
+ passwordFile = config.age.secrets.restic-gotosocial.path;
+ sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
+ paths = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
+ runBeforeBackup = ''
+ ${gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
+ '';
+ };
+
+
+ systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group;
+
+ services.gotosocial = {
+ enable = true;
+ package = gotosocial;
+ group = "nginx";
+ settings = {
+ application-name = "ctucx.fedi";
+
+ host = "fedi.ctu.cx";
+ account-domain = "ctu.cx";
+ protocol = "https";
+
+ bind-address = "[::1]";
+ port = 8085;
+
+ trusted-proxies = [ "::1/128" "172.17.0.0/24" ];
+
+ db-type = "sqlite";
+ db-address = "/var/lib/gotosocial/db.sqlite";
+
+ accounts-allow-custom-css = true;
+ accounts-registration-open = false;
+
+ instance-expose-peers = true;
+ instance-expose-suspended = true;
+ instance-expose-suspended-web = true;
+
+ storage-backend = "local";
+ storage-local-base-path = "/var/lib/gotosocial/storage";
+
+ media-image-max-size = 10000000;
+ media-remote-cache-days = 3;
+ };
+ };
+
+ services.nginx.appendHttpConfig = ''
+ proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
+ '';
+
+ services.nginx.virtualHosts."ctu.cx" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/.well-known/host-meta".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ locations."/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ locations."/.well-known/nodeinfo".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
+ };
+
+ services.nginx.virtualHosts."fedi.ctu.cx" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ extraConfig = ''
+ if ($http_user_agent ~* (mnemo.social)) {
+ return 403;
+ }
+ '';
+ locations = {
+ "= /".return = "307 /@leah";
+
+ "/" = {
+ proxyPass = "http://[::1]:8085";
+ proxyWebsockets = true;
+ };
+
+ "~ /.well-known/(webfinger|host-meta)$" = {
+ proxyPass = "http://[::1]:8085";
+ extraConfig = ''
+ proxy_cache gotosocial_ap_public_responses;
+ proxy_cache_background_update on;
+ proxy_cache_key $scheme://$host$uri$is_args$query_string;
+ proxy_cache_valid 200 10m;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+ proxy_cache_lock on;
+ add_header X-Cache-Status $upstream_cache_status;
+ '';
+ };
+
+ "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
+ proxyPass = "http://[::1]:8085";
+ extraConfig = ''
+ proxy_cache gotosocial_ap_public_responses;
+ proxy_cache_background_update on;
+ proxy_cache_key $scheme://$host$uri;
+ proxy_cache_valid 200 604800s;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+ proxy_cache_lock on;
+
+ add_header X-Cache-Status $upstream_cache_status;
+ '';
+ };
+
+ "/assets/".extraConfig = ''
+ alias ${config.services.gotosocial.package}/share/web/assets/;
+ autoindex off;
+ expires max;
+ add_header Cache-Control "public, immutable";
+ '';
+ };
+
+ };
+
+}
diff --git a/machines/trabbi/fedi/masto-fe.nix b/machines/trabbi/fedi/masto-fe.nix
@@ -0,0 +1,19 @@
+{ pkgs, lib, config, ... }:
+
+{
+
+ dns.zones."ctu.cx".subdomains."masto.fedi".CNAME = [ "${config.networking.fqdn}." ];
+
+
+ services.nginx.virtualHosts."masto.fedi.ctu.cx" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/" = {
+ root = pkgs.mastoFE-standalone;
+ index = "index.html";
+ tryFiles = "$uri /index.html";
+ };
+ };
+
+}
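Review bot: `pkgs.mastoFE-standalone` in the `locations."/"` block is read straight off `pkgs`, whereas the sibling `fedi/gotosocial.nix` in this same commit builds its package explicitly with `pkgs.callPackage ../../../pkgs/gotosocial {}`; unless an overlay outside this commit defines `mastoFE-standalone`, the module will not evaluate, and either way a one-line comment naming its origin would help (`# mastoFE-standalone is provided by <overlay or package path — fill in>`). `lib` is bound in the module arguments but never used in this file, so the header can be tightened to `{ pkgs, config, ... }:`. The commit message says this vhost is a frontend for gotosocial, but nothing in the file records that; a header comment along the lines of `# Static Mastodon-compatible web client served for the GoToSocial instance at fedi.ctu.cx (see ./gotosocial.nix)` would tell the next reader why `masto.fedi.ctu.cx` exists and which backend it is expected to talk to.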
diff --git a/machines/trabbi/gotosocial.nix b/machines/trabbi/gotosocial.nix 
@@ -1,129 +0,0 @@
-{ pkgs, lib, config, ... }:
-
-let
- gotosocial = pkgs.callPackage ../../pkgs/gotosocial {};
-
-in {
-
- dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ];
-
-
- age.secrets.restic-gotosocial.file = ./. + "/../../secrets/${config.networking.hostName}/restic/gotosocial.age";
-
- systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
-
- restic-backups.gotosocial = {
- user = "gotosocial";
- passwordFile = config.age.secrets.restic-gotosocial.path;
- sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
- paths = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
- runBeforeBackup = ''
- ${gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
- '';
- };
-
-
- systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group;
-
- services.gotosocial = {
- enable = true;
- package = gotosocial;
- group = "nginx";
- settings = {
- application-name = "ctucx.fedi";
-
- host = "fedi.ctu.cx";
- account-domain = "ctu.cx";
- protocol = "https";
-
- bind-address = "[::1]";
- port = 8085;
-
- trusted-proxies = [ "::1/128" "172.17.0.0/24" ];
-
- db-type = "sqlite";
- db-address = "/var/lib/gotosocial/db.sqlite";
-
- accounts-allow-custom-css = true;
- accounts-registration-open = false;
-
- instance-expose-peers = true;
- instance-expose-suspended = true;
- instance-expose-suspended-web = true;
-
- storage-backend = "local";
- storage-local-base-path = "/var/lib/gotosocial/storage";
-
- media-image-max-size = 10000000;
- media-remote-cache-days = 3;
- };
- };
-
- services.nginx.appendHttpConfig = ''
- proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
- '';
-
- services.nginx.virtualHosts."ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations."/.well-known/host-meta".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
- locations."/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
- locations."/.well-known/nodeinfo".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
- };
-
- services.nginx.virtualHosts."fedi.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- extraConfig = ''
- if ($http_user_agent ~* (mnemo.social)) {
- return 403;
- }
- '';
- locations = {
- "= /".return = "307 /@leah";
-
- "/" = {
- proxyPass = "http://[::1]:8085";
- proxyWebsockets = true;
- };
-
- "~ /.well-known/(webfinger|host-meta)$" = {
- proxyPass = "http://[::1]:8085";
- extraConfig = ''
- proxy_cache gotosocial_ap_public_responses;
- proxy_cache_background_update on;
- proxy_cache_key $scheme://$host$uri$is_args$query_string;
- proxy_cache_valid 200 10m;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
- proxy_cache_lock on;
- add_header X-Cache-Status $upstream_cache_status;
- '';
- };
-
- "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
- proxyPass = "http://[::1]:8085";
- extraConfig = ''
- proxy_cache gotosocial_ap_public_responses;
- proxy_cache_background_update on;
- proxy_cache_key $scheme://$host$uri;
- proxy_cache_valid 200 604800s;
- proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
- proxy_cache_lock on;
-
- add_header X-Cache-Status $upstream_cache_status;
- '';
- };
-
- "/assets/".extraConfig = ''
- alias ${config.services.gotosocial.package}/share/web/assets/;
- autoindex off;
- expires max;
- add_header Cache-Control "public, immutable";
- '';
-
- };
- };
-
-}