
commit b70e74d00bb61ae7935e455720b1259d1c5dbdca
parent 842001d4c860c8f6d5ba25c4c4c2db5b6685da16
Author: Katja (ctucx) <git@ctu.cx>
Date: Fri, 7 Mar 2025 14:11:30 +0100

configurations/nixos/websites: refactor gotosocial instances
6 files changed, 138 insertions(+), 273 deletions(-)
A
configurations/nixos/services/gotosocial.nix
|
104
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
configurations/nixos/websites/fedi.ctu.cx.nix
|
110
++++++++-----------------------------------------------------------------------
M
configurations/nixos/websites/fedi.home.ctu.cx.nix
|
92
+++++++++----------------------------------------------------------------------
M
configurations/nixos/websites/zuggeschmack.de.nix
|
101
+++++++++----------------------------------------------------------------------
M
flake.nix
|
2
+-
M
modules/nixos/gotosocial.nix
|
2
+-
diff --git a/configurations/nixos/services/gotosocial.nix b/configurations/nixos/services/gotosocial.nix
@@ -0,0 +1,104 @@
+{ pkgs, lib, config, ... }:
+
+{
+
+  age.secrets.restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age";
+
+  systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ config.services.gotosocial.stateDir ];
+
+  restic-backups.gotosocial = {
+    user            = config.services.gotosocial.user;
+    passwordFile    = config.age.secrets.restic-gotosocial.path;
+    sqliteDatabases = [ (lib.mkIf (config.services.gotosocial.settings.db-type == "sqlite") config.services.gotosocial.settings.db-address) ];
+    paths           = [
+      (lib.mkIf (config.services.gotosocial.settings.storage-backend == "local") config.services.gotosocial.settings.storage-local-base-path)
+      "${config.services.gotosocial.stateDir}/backup.json"
+    ];
+    runBeforeBackup = ''${pkgs.gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path ${config.services.gotosocial.stateDir}/backup.json'';
+  };
+
+  systemd.services.gotosocial.serviceConfig = {
+    Group = lib.mkForce config.services.nginx.group;
+  };
+
+  services.gotosocial = {
+    enable   = true;
+    group    = config.services.nginx.group;
+    settings = {
+      protocol         = lib.mkDefault "https";
+
+      bind-address     = lib.mkDefault "[::1]";
+      port             = lib.mkDefault 8085;
+
+      trusted-proxies  = lib.mkDefault [ "::1/128" "172.17.0.0/24" ];
+
+      db-type                 = lib.mkDefault "sqlite";
+      db-address              = lib.mkDefault "${config.services.gotosocial.stateDir}/db.sqlite";
+
+      storage-backend         = lib.mkDefault "local";
+      storage-local-base-path = "${config.services.gotosocial.stateDir}/storage";
+    };
+  };
+
+  services.nginx.appendHttpConfig = ''
+    proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
+  '';
+
+  services.nginx.virtualHosts = {
+    "${config.services.gotosocial.settings.host}" = {
+      useACMEHost = lib.mkDefault "${config.networking.fqdn}";
+      forceSSL    = lib.mkDefault true;
+      kTLS        = lib.mkDefault true;
+      locations   = {
+        "/" = {
+          proxyPass       = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+          proxyWebsockets = true;
+        };
+
+        "~ /.well-known/(webfinger|host-meta)$" = {
+          proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+          extraConfig = ''
+            proxy_cache gotosocial_ap_public_responses;
+            proxy_cache_background_update on;
+            proxy_cache_key $scheme://$host$uri$is_args$query_string;
+            proxy_cache_valid 200 10m;
+            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+            proxy_cache_lock on;
+            add_header X-Cache-Status $upstream_cache_status;
+          '';
+        };
+
+        "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
+          proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
+          extraConfig = ''
+            proxy_cache gotosocial_ap_public_responses;
+            proxy_cache_background_update on;
+            proxy_cache_key $scheme://$host$uri;
+            proxy_cache_valid 200 604800s;
+            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
+            proxy_cache_lock on;
+
+            add_header X-Cache-Status $upstream_cache_status;
+          '';
+        };
+
+        "/assets/".extraConfig = ''
+          alias ${config.services.gotosocial.package}/share/web/assets/;
+          autoindex off;
+          expires max;
+          add_header Cache-Control "public, immutable";
+        '';
+      };
+    };
+  } // (if (config.services.gotosocial.settings.account-domain != config.services.gotosocial.settings.host) then {
+    "${config.services.gotosocial.settings.account-domain}" = {
+      useACMEHost = lib.mkDefault "${config.networking.fqdn}";
+      forceSSL    = lib.mkDefault true;
+      kTLS        = lib.mkDefault true;
+      locations."/.well-known/host-meta".extraConfig = "return 301 https://${config.services.gotosocial.settings.host}$request_uri;";
+      locations."/.well-known/webfinger".extraConfig = "return 301 https://${config.services.gotosocial.settings.host}$request_uri;";
+      locations."/.well-known/nodeinfo".extraConfig  = "return 301 https://${config.services.gotosocial.settings.host}$request_uri;";
+    };
+  } else {});
+
+}
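Review bot: `runBeforeBackup` runs the export from `${pkgs.gotosocial}/bin/gotosocial`, while the `/assets/` alias in the same file reads from `config.services.gotosocial.package`; if an instance ever overrides `package`, the backup export would be produced by a different binary than the one serving the database, so use `${config.services.gotosocial.package}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path ${config.services.gotosocial.stateDir}/backup.json` instead. `storage-local-base-path` is also the only setting in this block without `lib.mkDefault`, so an instance file cannot move its storage without `lib.mkForce`; wrapping it like its neighbours keeps the override story uniform. The `lib.mkIf` elements inside the `sqliteDatabases` and `paths` lists are only discharged if `restic-backups` types those options with `listOf`; `lib.optional (config.services.gotosocial.settings.db-type == "sqlite") config.services.gotosocial.settings.db-address` (and `lib.optional (…) … ++ [ "${config.services.gotosocial.stateDir}/backup.json" ]` for `paths`) expresses the same thing without depending on the option type. Finally the `// (if … then { … } else {})` tail on `services.nginx.virtualHosts` is what `lib.optionalAttrs (config.services.gotosocial.settings.account-domain != config.services.gotosocial.settings.host) { … }` is for.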
diff --git a/configurations/nixos/websites/fedi.ctu.cx.nix b/configurations/nixos/websites/fedi.ctu.cx.nix
@@ -1,48 +1,29 @@
-{ pkgs, lib, config, ... }:
+{ ctucxConfig, config, ... }:
 
 {
 
-  dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ];
-
-  age.secrets = {
-    restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age";
-    gotosocial-env.file    = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age";
-  };
+  imports = [
+    ctucxConfig.services.gotosocial
+  ];
 
-  systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
-
-  restic-backups.gotosocial = {
-    user            = "gotosocial";
-    passwordFile    = config.age.secrets.restic-gotosocial.path;
-    sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
-    paths           = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
-    runBeforeBackup = ''
-      ${pkgs.gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
-    '';
-  };
+  #
+  # these are just specific settings for this installation!
+  # the settings in `../services/gotosical.nix` are also used!
+  #
 
+  dns.zones."ctu.cx".subdomains."fedi".CNAME = [ "${config.networking.fqdn}." ];
 
-  systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group;
+  age.secrets.gotosocial-env.file    = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age";
 
   services.gotosocial = {
-    enable          = true;
-    package         = pkgs.gotosocial;
-    group           = "nginx";
     environmentFile = config.age.secrets.gotosocial-env.path;
     settings        = {
       application-name = "ctucx.fedi";
 
       host             = "fedi.ctu.cx";
       account-domain   = "ctu.cx";
-      protocol         = "https";
 
-      bind-address     = "[::1]";
-      port             = 8085;
-
-      trusted-proxies  = [ "::1/128" "172.17.0.0/24" ];
-
-      db-type          = "sqlite";
-      db-address       = "/var/lib/gotosocial/db.sqlite";
+      landing-page-user          = "katja";
 
       accounts-allow-custom-css  = true;
       accounts-registration-open = false;
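Review bot: The shared vhost that this file now imports has no `client_max_body_size`, but the old `"/"` location for fedi.ctu.cx set `client_max_body_size 50M;` and the instance still sets `media-local-max-size = "50MiB"` in the next hunk; unless a shared nginx module raises the default elsewhere, nginx will now reject uploads above its 1M default with a 413 before GoToSocial sees them. Re-add it per instance, e.g. `services.nginx.virtualHosts."fedi.ctu.cx".locations."/".extraConfig = "client_max_body_size 50M;";`, or give the shared location a default derived from the instance setting; the same applies to `zuggeschmack.de.nix`, which dropped the directive at both the vhost and the location level. The explanatory comment refers to `../services/gotosical.nix`, which does not exist — it should read `../services/gotosocial.nix` (the same typo is in `fedi.home.ctu.cx.nix` and `zuggeschmack.de.nix`). The `age.secrets.gotosocial-env.file    =` spacing is left over from the removed alignment block and can be collapsed to a single space.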

@@ -53,16 +34,12 @@
 
       instance-languages            = [ "de" "en-us" ];
 
-      storage-backend            = "local";
-      storage-local-base-path    = "/var/lib/gotosocial/storage";
-
       media-local-max-size       = "50MiB";
       media-remote-max-size      = "50MiB";
 
       media-remote-cache-days    = 3;
       media-cleanup-from         = "01:00";
 
-
       smtp-host     = "hector.ctu.cx";
       smtp-port     = 587;
       smtp-username = "gts@ctu.cx";

@@ -70,69 +47,4 @@
     };
   };
 
-  services.nginx.appendHttpConfig = ''
-    proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
-  '';
-
-  services.nginx.virtualHosts."ctu.cx" = {
-    useACMEHost = "${config.networking.fqdn}";
-    forceSSL    = true;
-    kTLS        = true;
-    locations."/.well-known/host-meta".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
-    locations."/.well-known/webfinger".extraConfig = "return 301 https://fedi.ctu.cx$request_uri;";
-    locations."/.well-known/nodeinfo".extraConfig  = "return 301 https://fedi.ctu.cx$request_uri;";
-  };
-
-  services.nginx.virtualHosts."fedi.ctu.cx" = {
-    useACMEHost = "${config.networking.fqdn}";
-    forceSSL    = true;
-    kTLS        = true;
-    locations   = {
-      "= /".return = "307 /@katja";
-
-      "/" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        proxyWebsockets = true;
-        extraConfig = ''
-          client_max_body_size 50M;
-        '';
-      };
-
-      "~ /.well-known/(webfinger|host-meta)$" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        extraConfig = ''
-          proxy_cache gotosocial_ap_public_responses;
-          proxy_cache_background_update on;
-          proxy_cache_key $scheme://$host$uri$is_args$query_string;
-          proxy_cache_valid 200 10m;
-          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
-          proxy_cache_lock on;
-          add_header X-Cache-Status $upstream_cache_status;
-        '';
-      };
-
-      "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        extraConfig = ''
-          proxy_cache gotosocial_ap_public_responses;
-          proxy_cache_background_update on;
-          proxy_cache_key $scheme://$host$uri;
-          proxy_cache_valid 200 604800s;
-          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
-          proxy_cache_lock on;
-
-          add_header X-Cache-Status $upstream_cache_status;
-        '';
-      };
-
-      "/assets/".extraConfig = ''
-        alias ${config.services.gotosocial.package}/share/web/assets/;
-        autoindex off;
-        expires max;
-        add_header Cache-Control "public, immutable";
-      '';
-    };
-
-  };
-
 }
diff --git a/configurations/nixos/websites/fedi.home.ctu.cx.nix b/configurations/nixos/websites/fedi.home.ctu.cx.nix
@@ -1,26 +1,17 @@
-{ pkgs, lib, config, ... }:
+{ ctucxConfig, config, ... }:
 
 {
 
-  dns.zones."ctu.cx".subdomains."fedi.home".AAAA = [ config.networking.primaryIP ];
-
-  age.secrets.restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age";
+  imports = [
+    ctucxConfig.services.gotosocial
+  ];
 
-  systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
+  #
+  # these are just specific settings for this installation!
+  # the settings in `../services/gotosical.nix` are also used!
+  #
 
-  restic-backups.gotosocial = {
-    user            = "gotosocial";
-    passwordFile    = config.age.secrets.restic-gotosocial.path;
-    sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
-    paths           = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
-    runBeforeBackup = ''
-      ${pkgs.gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
-    '';
-  };
-
-  systemd.services.gotosocial.serviceConfig = {
-    Group = lib.mkForce config.services.nginx.group;
-  };
+  dns.zones."ctu.cx".subdomains."fedi.home".AAAA = [ config.networking.primaryIP ];
 
   services.gotosocial = {
     enable   = true;

@@ -30,15 +21,8 @@
 
       host             = "fedi.home.ctu.cx";
       account-domain   = "fedi.home.ctu.cx";
-      protocol         = "https";
-
-      bind-address     = "[::1]";
-      port             = 8085;
-
-      trusted-proxies  = [ "::1/128" "172.17.0.0/24" ];
 
-      db-type          = "sqlite";
-      db-address       = "/var/lib/gotosocial/db.sqlite";
+      landing-page-user =  "leah";
 
       accounts-allow-custom-css  = true;
       accounts-registration-open = false;

@@ -49,66 +33,10 @@
 
       instance-languages            = [ "de" "en-us" ];
 
-      storage-backend            = "local";
-      storage-local-base-path    = "/var/lib/gotosocial/storage";
-
       media-remote-max-size      = 0;
       media-remote-cache-days    = 3;
       media-cleanup-from         = "02:00";
     };
   };
 
-  services.nginx.appendHttpConfig = ''
-    proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
-  '';
-
-  services.nginx.virtualHosts."fedi.home.ctu.cx" = {
-    useACMEHost = "${config.networking.fqdn}";
-    forceSSL    = true;
-    kTLS        = true;
-    locations   = {
-      "= /".return = "307 /@leah";
-
-      "/" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        proxyWebsockets = true;
-      };
-
-      "~ /.well-known/(webfinger|host-meta)$" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        extraConfig = ''
-          proxy_cache gotosocial_ap_public_responses;
-          proxy_cache_background_update on;
-          proxy_cache_key $scheme://$host$uri$is_args$query_string;
-          proxy_cache_valid 200 10m;
-          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
-          proxy_cache_lock on;
-          add_header X-Cache-Status $upstream_cache_status;
-        '';
-      };
-
-      "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        extraConfig = ''
-          proxy_cache gotosocial_ap_public_responses;
-          proxy_cache_background_update on;
-          proxy_cache_key $scheme://$host$uri;
-          proxy_cache_valid 200 604800s;
-          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
-          proxy_cache_lock on;
-
-          add_header X-Cache-Status $upstream_cache_status;
-        '';
-      };
-
-      "/assets/".extraConfig = ''
-        alias ${config.services.gotosocial.package}/share/web/assets/;
-        autoindex off;
-        expires max;
-        add_header Cache-Control "public, immutable";
-      '';
-
-    };
-  };
-
 }
diff --git a/configurations/nixos/websites/zuggeschmack.de.nix b/configurations/nixos/websites/zuggeschmack.de.nix
@@ -1,48 +1,29 @@
-{ dnsNix, pkgs, lib, config, ... }:
+{ ctucxConfig, dnsNix, pkgs, config, ... }:
 
 {
 
-  dns.zones."zuggeschmack.de" = (dnsNix.combinators.host config.networking.primaryIP4 config.networking.primaryIP) // {
-    subdomains."client".CNAME = [ "${config.networking.fqdn}." ];
-  };
+  imports = [
+    ctucxConfig.services.gotosocial
+  ];
 
-  age.secrets = {
-    restic-gotosocial.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/gotosocial.age";
-    gotosocial-env.file    = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age";
-  };
+  #
+  # these are just specific settings for this installation!
+  # the settings in `../services/gotosical.nix` are also used!
+  #
 
-  systemd.services.restic-backup-gotosocial.serviceConfig.ReadWritePaths = [ "/var/lib/gotosocial" ];
-
-  restic-backups.gotosocial = {
-    user            = "gotosocial";
-    passwordFile    = config.age.secrets.restic-gotosocial.path;
-    sqliteDatabases = [ "/var/lib/gotosocial/db.sqlite" ];
-    paths           = [ "/var/lib/gotosocial/storage" "/var/lib/gotosocial/backup.json" ];
-    runBeforeBackup = ''
-      ${pkgs.gotosocial}/bin/gotosocial --config-path /etc/gotosocial.yaml admin export --path /var/lib/gotosocial/backup.json
-    '';
+  dns.zones."zuggeschmack.de" = (dnsNix.combinators.host config.networking.primaryIP4 config.networking.primaryIP) // {
+    subdomains."client".CNAME = [ "${config.networking.fqdn}." ];
   };
 
-  systemd.services.gotosocial.serviceConfig.Group = lib.mkForce config.services.nginx.group;
+  age.secrets.gotosocial-env.file    = ./. + "/../../../secrets/${config.networking.hostName}/gotosocial-env.age";
 
   services.gotosocial = {
-    enable          = true;
-    group           = "nginx";
     environmentFile = config.age.secrets.gotosocial-env.path;
     settings        = {
       application-name = "ZugGeschmack.de";
 
       host             = "zuggeschmack.de";
       account-domain   = "zuggeschmack.de";
-      protocol         = "https";
-
-      bind-address     = "[::1]";
-      port             = 8085;
-
-      trusted-proxies  = [ "::1/128" "172.17.0.0/24" ];
-
-      db-type          = "sqlite";
-      db-address       = "/var/lib/gotosocial/db.sqlite";
 
       accounts-allow-custom-css  = true;
       accounts-registration-open = true;
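Review bot: `pkgs` is kept in the module arguments on the first line even though `lib` was dropped together with the restic, systemd and nginx blocks that were the only users of either; nothing on the visible new side of this file references `pkgs` any more. Drop it as well unless the `client.zuggeschmack.de` vhost further down (outside these hunks) still needs it, so the header reads `{ ctucxConfig, dnsNix, config, ... }:`. The `client_max_body_size 50M;` that was set on both the vhost and the `"/"` location for this instance is not provided by the shared service file either; see the note on `fedi.ctu.cx.nix`.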

@@ -53,9 +34,6 @@
 
       instance-languages            = [ "de" "en-us" ];
 
-      storage-backend            = "local";
-      storage-local-base-path    = "/var/lib/gotosocial/storage";
-
       media-local-max-size       = "50MiB";
       media-remote-max-size      = "50MiB";
 

@@ -69,63 +47,6 @@
     };
   };
 
-  services.nginx.appendHttpConfig = ''
-    proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w;
-  '';
-
-  services.nginx.virtualHosts."zuggeschmack.de" = {
-    useACMEHost = "${config.networking.fqdn}";
-    forceSSL    = true;
-    kTLS        = true;
-    extraConfig = ''
-      client_max_body_size 50M;
-    '';
-    locations = {
-      "/" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        proxyWebsockets = true;
-        extraConfig = ''
-          client_max_body_size 50M;
-        '';
-      };
-
-      "~ /.well-known/(webfinger|host-meta)$" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        extraConfig = ''
-          proxy_cache gotosocial_ap_public_responses;
-          proxy_cache_background_update on;
-          proxy_cache_key $scheme://$host$uri$is_args$query_string;
-          proxy_cache_valid 200 10m;
-          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
-          proxy_cache_lock on;
-          add_header X-Cache-Status $upstream_cache_status;
-        '';
-      };
-
-      "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$" = {
-        proxyPass   = "http://${toString config.services.gotosocial.settings.bind-address}:${toString config.services.gotosocial.settings.port}";
-        extraConfig = ''
-          proxy_cache gotosocial_ap_public_responses;
-          proxy_cache_background_update on;
-          proxy_cache_key $scheme://$host$uri;
-          proxy_cache_valid 200 604800s;
-          proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429;
-          proxy_cache_lock on;
-
-          add_header X-Cache-Status $upstream_cache_status;
-        '';
-      };
-
-      "/assets/".extraConfig = ''
-        alias ${config.services.gotosocial.package}/share/web/assets/;
-        autoindex off;
-        expires max;
-        add_header Cache-Control "public, immutable";
-      '';
-    };
-
-  };
-
   services.nginx.virtualHosts."client.zuggeschmack.de" = {
     useACMEHost = "${config.networking.fqdn}";
     forceSSL    = true;
diff --git a/flake.nix b/flake.nix
@@ -141,7 +141,7 @@
     deploy.sshUser = "root";
     deploy.nodes   = builtins.mapAttrs (name: machine: {
       hostname             = inputs.self.nixosConfigurations."${name}".config.networking.fqdn;
-      sshOpts              = [ "-p" "${builtins.toString (inputs.nixpkgs.lib.head inputs.self.nixosConfigurations."${name}".config.services.openssh.ports)}" ];
+      sshOpts              = [ "-p" "${builtins.toString (nixpkgsLib.head inputs.self.nixosConfigurations."${name}".config.services.openssh.ports)}" ];
       profiles.system.user = "root";
       profiles.system.path = inputs.deploy-rs.lib."${machine.system}".activate.nixos inputs.self.nixosConfigurations."${name}";
     }) nixosMachines;
diff --git a/modules/nixos/gotosocial.nix b/modules/nixos/gotosocial.nix
@@ -89,7 +89,7 @@ in {
       user                    = lib.mkDefault "gotosocial";
       group                   = lib.mkDefault "gotosocial";
 
-      storage-local-base-path = lib.mkDefault "/var/lib/gotosocial"; # SystemD StateDirectory
+      storage-local-base-path = lib.mkDefault cfg.stateDir;
 
       web-template-base-dir   = lib.mkDefault "${cfg.package}/share/web/template/";
       web-asset-base-dir      = lib.mkDefault "${cfg.package}/share/web/assets/";
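Review bot: The new default `storage-local-base-path = lib.mkDefault cfg.stateDir` points the media store at the root of the state directory, whereas `configurations/nixos/services/gotosocial.nix` in this same commit sets `"${config.services.gotosocial.stateDir}/storage"` and places the sqlite database and `backup.json` directly under `stateDir`; with the module default alone, media, database and backup export would share one directory. Consider `storage-local-base-path = lib.mkDefault "${cfg.stateDir}/storage";` here so the module default and the shared service file agree. The dropped `# SystemD StateDirectory` comment was the only hint where `stateDir` comes from; if that is still how it is derived, keep a short note such as `# follows the unit's StateDirectory`. The enclosing `settings` attrset starts outside the hunk.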