
commit a5d327def216a4d0c2c95a3be82e15a12e65f698
parent 9d9ea73b3c91f8f8a3276f869ff26868ec04cd7f
Author: Katja (ctucx) <git@ctu.cx>
Date: Wed, 1 Jan 2025 14:03:23 +0100

machines/trabbi: add `gotosocial`
5 files changed, 162 insertions(+), 0 deletions(-)
M
machines/trabbi/default.nix
|
1
+
A
machines/trabbi/gotosocial.nix
|
132
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
secrets/secrets.nix
|
5
+++++
A
secrets/trabbi/gotosocial-env.age
|
12
++++++++++++
A
secrets/trabbi/restic/gotosocial.age
|
12
++++++++++++
diff --git a/machines/trabbi/default.nix b/machines/trabbi/default.nix
@@ -8,6 +8,7 @@
   imports = [
     ./hardware-configuration.nix
 
+    ./gotosocial.nix
   ];
 
   dns.zones."ctu.cx".subdomains."${config.networking.hostName}" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
diff --git a/machines/trabbi/gotosocial.nix b/machines/trabbi/gotosocial.nix
@@ -0,0 +1,132 @@
+{ pkgs, lib, config, ... }:
+
+let
+  gotosocial = pkgs.callPackage ../../pkgs/gotosocial {};
+
+in {
+
+  dns.zones."zuggeschmack.de" =  (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
+
+  age.secrets = {
+    restic-gotosocial.file = ./. + "/../../secrets/${config.networking.hostName}/restic/gotosocial.age";
+    gotosocial-env.file    = ./. + "/../../secrets/${config.networking.hostName}/gotosocial-env.age";
+  };
+
+  systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
+
+  restic-backups.gotosocial = {
+    user            = "gotosocial";
+    passwordFile    = config.age.secrets.restic-gotosocial.path;
+    sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
+    paths           = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
+    runBeforeBackup = ''
+      ${gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
+    '';
+  };
+
+  systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group;
+
+  services.gotosocial = {
+    enable          = true;
+    package         = gotosocial;
+    group           = "nginx";
+    environmentFile = config.age.secrets.gotosocial-env.path;
+    settings        = {
+      application-name = "ZugGeschmack.de";
+
+      host             = "zuggeschmack.de";
+      account-domain   = "zuggeschmack.de";
+      protocol         = "https";
+
+      bind-address     = "[::1]";
+      port             = 8085;
+
+      trusted-proxies  = [ "::1/128" "172.17.0.0/24" ];
+
+      db-type          = "sqlite";
+      db-address       = "/var/lib/gotosocial/db.sqlite";
+
+      accounts-allow-custom-css  = true;
+      accounts-registration-open = true;
+
+      instance-expose-peers         = true;
+      instance-expose-suspended     = true;
+      instance-expose-suspended-web = true;
+
+      instance-languages            = [ "de" "en-us" ];
+
+      storage-backend            = "local";
+      storage-local-base-path    = "/var/lib/gotosocial/storage";
+
+      media-local-max-size       = "50MiB";
+      media-remote-max-size      = "50MiB";
+
+      media-remote-cache-days    = 3;
+      media-cleanup-from         = "01:00";
+
+
+      smtp-host     = "hector.ctu.cx";
+      smtp-port     = 587;
+      smtp-username = "gts@zuggeschmack.de";
+      smtp-from     = "gts@zuggeschmack.de";
+    };
+  };
+
+  services.nginx.appendHttpConfig = ''
+    proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
+  '';
+
+  services.nginx.virtualHosts."zuggeschmack.de" = {
+    enableACME  = true;
+    forceSSL    = true;
+    kTLS        = true;
+    extraConfig = ''
+      client_max_body_size 50M;
+    '';
+    locations = {
+      "/" = {
+        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+        proxyWebsockets = true;
+        extraConfig = ''
+          client_max_body_size 50M;
+        '';
+      };
+
+      "~ /.well-known/(webfinger|host-meta)$" = {
+        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+        extraConfig = ''
+          proxy_cache gotosocial_ap_public_responses;
+          proxy_cache_background_update on;
+          proxy_cache_key $scheme://$host$uri$is_args$query_string;
+          proxy_cache_valid 200 10m;
+          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+          proxy_cache_lock on;
+          add_header X-Cache-Status $upstream_cache_status;
+        '';
+      };
+
+      "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
+        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+        extraConfig = ''
+          proxy_cache gotosocial_ap_public_responses;
+          proxy_cache_background_update on;
+          proxy_cache_key $scheme://$host$uri;
+          proxy_cache_valid 200 604800s;
+          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+          proxy_cache_lock on;
+
+          add_header X-Cache-Status $upstream_cache_status;
+        '';
+      };
+
+      "/assets/".extraConfig = ''
+        alias ${config.services.gotosocial.package}/share/web/assets/;
+        autoindex off;
+        expires max;
+        add_header Cache-Control "public, immutable";
+      '';
+    };
+
+  };
+
+}
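Review bot: The service group override `Group = lib.mkForce config.services.nginx.group` (and `group = "nginx"` in `services.gotosocial`) makes the whole `/var/lib/gotosocial` state tree, including `db.sqlite` and the `backup.json` that `runBeforeBackup` writes into it, group-accessible to nginx, yet none of the nginx locations in this file read from that directory (`/assets/` is aliased from the package in the store). If the shared group is needed for something not visible here, a comment above the override would help, e.g. `# run as the nginx group so that <reason>; note this exposes the state dir to nginx`; otherwise the override can be dropped and the module's default group kept. The export file also lingers between backup runs with whatever account data `admin export` emits, so consider deleting it once the restic run has finished or writing it outside the group-shared state dir. Separately, `trusted-proxies` trusts `172.17.0.0/24` although the proxy configured here connects from `::1`; if nothing else on this host forwards traffic from that range, narrowing the list to `[ "::1/128" ]` keeps client-IP trust minimal.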
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -94,6 +94,11 @@ in {
   "hector/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key hector ];
 
 
+  "trabbi/restic/gotosocial.age".publicKeys                         = [ main-key trabbi];
+
+  "trabbi/gotosocial-env.age".publicKeys                            = [ main-key trabbi ];
+
+
   "wanderduene/wireguard-privkey.age".publicKeys                    = [ main-key wanderduene ];
   "wanderduene/restic-server-htpasswd.age".publicKeys               = [ main-key wanderduene ];
   "wanderduene/rclone-config.age".publicKeys                        = [ main-key wanderduene ];
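Review bot: The new `"trabbi/restic/gotosocial.age"` entry closes its list as `trabbi]`, while every neighbouring entry, including the `gotosocial-env.age` line added just below, writes `trabbi ]`; for consistency with the file's alignment style use `= [ main-key trabbi ];`.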
diff --git a/secrets/trabbi/gotosocial-env.age b/secrets/trabbi/gotosocial-env.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cWdvdkljVkVOYm1uZjh1
+YnluUUNTN21INldON2YweGZhczJTcDgyZFdvCmJsK3R3TEhWeTU5QnRNclFrbnhN
+eGNLWi8yYStObXRUZktnQy9udTBEU1EKLT4gc3NoLWVkMjU1MTkgcThvY3pnIDZM
+TFVoRG4wZm1jZGpXTXFMcFJ1eVo4d1FLcTQ5U1phcVRkUFFCeWtNakEKamQ5cW5P
+REZTSXN6WFVQaS9IVTN4eWZwa1hqMUJMNzhFZXUxS1NrTEwxNAotPiBeVVBZZ20q
+Oy1ncmVhc2UgaApabWtLMEJSY3VWRWNkYlNlSWVSMG1jcSt2U0x6R3JvU2dackwz
+aEZYS09XV05kMUVLNkFacmkxY002T0VDSnowCmpIdlF4VVFQRGRLOGRwUkVpWE5k
+cDBJCi0tLSBwdTJreS9PajhUKzcvSjNJUEwvVTdtdDRaK2F1clhzbTNPZXZSUith
+T1ZJCp011i6rTwpmMhDN8iLqKnrfUAWqT4jipcBaa4TDaqdpo/DDq97cFpP8lH28
+m7EEduvJHks+YZg34NZshz8iHKnIN6xxAfjUrNae+MARA5QZIrCFXQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/restic/gotosocial.age b/secrets/trabbi/restic/gotosocial.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodDlKUlBrVjIzYVRnRERz
+R1NUcXdwbE9hSGFLZGJOQ3l4OW0rT1FmVDFFCklsNUd4OFhKeklGbG1TWjRRNEov
+bUJuaVIxOVNYUFBpUjk3Rkd2OWxiQTQKLT4gc3NoLWVkMjU1MTkgcThvY3pnIEFw
+MGkzNG12U3lkUXh5Rjd3T3JJenJvSjh4VDFkOWNzekFhZmxsMWtVM00KeEt0ZmZB
+bnZSYVg3QnBoSW04SlJKTDVuek9IZW81L3ltSmU3QUZtTC9uWQotPiBUPS1ncmVh
+c2UgJGFKMQoxR3BvL1JrcG84cXlnM2JmZE9ibThQVm9aSFlTS1VPR0VubzRWVCtZ
+c2xuZ3BRZGZjcHgvckZZWEhCVHhHNVc4Clh0cVE4TVcrNXA0d251RVp0KzNKMFVR
+SGZVYUVUNDdONDBOZGtySDF0THprWnZrdUpMNU0zQQotLS0gNU9OMURPRFI5MXp6
+YytJKzNZNXo3cjI4OWtERHJQSTNZU3o3V1AwbWM4UQoMQZcd19D3CcmrY146uCO/
+fdyafAhZxibj9n/80TpPwBT0/4XHDZmkmUu2oI+sxzMWijihHh9nW0bHbjNnGY0T
+-----END AGE ENCRYPTED FILE-----