commit 3c29a5ab8660d0db7f15b4d2ff2831eee4059685
parent bd13befcd43a14780f4f098241df49821c023af6
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 3 Jul 2023 21:38:35 +0200
machines/trabbi: add gotosocial instance `fedi.ctu.cx`
4 files changed, 139 insertions(+), 0 deletions(-)
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix
@@ -18,11 +18,13 @@ # communication #./pleroma + ./gotosocial.nix ./matrix-synapse.nix ./mail.nix # websites ./websites + ]; networking.primaryIP = "2a0a:4cc0:1:2d7::1";
diff --git a/machines/trabbi/gotosocial.nix b/machines/trabbi/gotosocial.nix 
@@ -0,0 +1,124 @@ +{ pkgs, lib, config, ... }: + +let + gotosocial = pkgs.callPackage ../../pkgs/gotosocial {}; + +in { + + dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ]; + + + age.secrets.restic-gotosocial.file = ./. + "/../../secrets/${config.networking.hostName}/restic/gotosocial.age"; + + systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ]; + + restic-backups.gotosocial = { + user = "gotosocial"; + passwordFile = config.age.secrets.restic-gotosocial.path; + sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ]; + paths = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ]; + runBeforeBackup = '' + ${gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json + ''; + }; + + + systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group; + + services.gotosocial = { + enable = true; + package = gotosocial; + group = "nginx"; + settings = { + application-name = "ctucx.fedi"; + + host = "fedi.ctu.cx"; + account-domain = "ctu.cx"; + protocol = "https"; + + bind-address = "[::1]"; + port = 8085; + + trusted-proxies = [ "::1/128" "172.17.0.0/24" ]; + + db-type = "sqlite"; + db-address = "/var/lib/gotosocial/db.sqlite"; + + accounts-allow-custom-css = true; + accounts-registration-open = false; + + instance-expose-peers = true; + instance-expose-suspended = true; + instance-expose-suspended-web = true; + + storage-backend = "local"; + storage-local-base-path = "/var/lib/gotosocial/storage"; + + media-image-max-size = 10000000; + media-remote-cache-days = 3; + }; + }; + + services.nginx.appendHttpConfig = '' + proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w; + ''; + + services.nginx.virtualHosts."ctu.cx" = { + enableACME = true; + forceSSL = true; + kTLS = true; + locations."/.well-known/host-meta".extraConfig = "return 301 
https://fedi.ctu.cx$request_uri;"; + locations."/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;"; + locations."/.well-known/nodeinfo".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;"; + }; + + services.nginx.virtualHosts."fedi.ctu.cx" = { + enableACME = true; + forceSSL = true; + kTLS = true; + locations = { + "= /".return = "307 /@leah"; + + "/" = { + proxyPass = "http://[::1]:8085"; + proxyWebsockets = true; + }; + + "~ /.well-known/(webfinger|host-meta)$" = { + proxyPass = "http://[::1]:8085"; + extraConfig = '' + proxy_cache gotosocial_ap_public_responses; + proxy_cache_background_update on; + proxy_cache_key $scheme://$host$uri$is_args$query_string; + proxy_cache_valid 200 10m; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429; + proxy_cache_lock on; + add_header X-Cache-Status $upstream_cache_status; + ''; + }; + + "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = { + proxyPass = "http://[::1]:8085"; + extraConfig = '' + proxy_cache gotosocial_ap_public_responses; + proxy_cache_background_update on; + proxy_cache_key $scheme://$host$uri; + proxy_cache_valid 200 604800s; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429; + proxy_cache_lock on; + + add_header X-Cache-Status $upstream_cache_status; + ''; + }; + + "/assets/".extraConfig = '' + alias ${config.services.gotosocial.package}/share/web/assets/; + autoindex off; + expires max; + add_header Cache-Control "public, immutable"; + ''; + + }; + }; + +}
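Review bot: `runBeforeBackup` writes the `admin export` to `/var/lib/gotosocial/backup.json` and nothing in the hunk removes it afterwards, so the export stays on disk next to the database between backup runs; if the export carries local account key material (worth confirming against the gotosocial export format), it should at least be created unreadable to other users, e.g. start the script with `umask 077`, and be deleted once the restic run has finished if the `restic-backups` module offers a post-backup hook. The `lib.mkForce config.services.nginx.group` override together with `group = "nginx"` places the gotosocial process, its state directory and that export in nginx's group, yet the `/assets/` location is aliased from the nix store package rather than from `/var/lib/gotosocial`, so it is not clear from this hunk what nginx needs group access for; a one-line comment stating the reason, or dropping the override, would help the next reader. `trusted-proxies` also lists `172.17.0.0/24` although `bind-address` is `[::1]`, so that entry looks unreachable as configured and deserves a comment if it is intentional. The hunk is rendered with a wrap inside the `host-meta` `return 301` string, which is a display artifact rather than part of the change.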
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -83,6 +83,7 @@ in { "trabbi/restic/pleroma.age".publicKeys = [ leah trabbi ]; "trabbi/restic/matrix-synapse.age".publicKeys = [ leah trabbi ]; "trabbi/restic/mail.age".publicKeys = [ leah trabbi ]; + "trabbi/restic/gotosocial.age".publicKeys = [ leah trabbi ]; "trabbi/mail/password-leah-ctu.cx.age".publicKeys = [ leah trabbi ]; "trabbi/mail/password-mail-zug.network.age".publicKeys = [ leah trabbi ];
diff --git a/secrets/trabbi/restic/gotosocial.age b/secrets/trabbi/restic/gotosocial.age @@ -0,0 +1,12 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NExSYkNLMUZnVlVHTlNj +SEFPZFVZUjZYQnRJSkFvWmFNRE1yYnYzYlJ3Ck5OY0NYRjZFWWlMV1B2K2tTclI1 +K3k2cU5McWRNZmpsRlg2dGtzT0NZY1EKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IGR0 +WjlDdEt1YnlzWklYaWRmS0lFMnhkSTlLYjJvMlhyQ1ZqRmhQNkJqRlEKeHIwUmFO +UjFodTlGd1FlNllnd25SbWFHemxHYjF1djBPckRVa2FFa2drSQotPiBoXkBQJC1n +cmVhc2UgSmNmdyZgICZUCnRlL3F3K0N5UUVSMlJXK2NIVDhPUGlSdkZuTitHdEpu +ZThNZW5HOHk1NHh0QjRQNUlKZWxtNitXTzFmYzlnMGUKN3prS0N6QVpQOWxxdjRR +c0ZJcVdqQ3N3bzBKYUtjaU5iNWV3YnBIbwotLS0gT1gzNVBBYml2SW45WjJlRmFX +OVVJOUx0dUxDMDhJZVdVcnVtaFVEbzgrVQo/zt/xvxlVCDrZQNRwvKXYawEFIIBM +eHFmFgFKyS3Yh0k91ezuIQiUXdDSP2AEXHhIsd/ULqmF1X/2BLDUoUkIRw== +-----END AGE ENCRYPTED FILE-----