# Mastodon deployment module, parameterised by the host that runs the
# container and by the OIDC client credentials (given as file paths).
# The outer function binds the deployment parameters; the inner one is the
# NixOS module proper.
{ mastodonHost, mastodonHostname, mastodonWebDomain, mastodonOidcClientId
, mastodonOidcClientSecret, ... }:

{ config, lib, pkgs, ... }:

let
  inherit (lib) concatStringsSep mapAttrsToList mkIf;

  thisHost = config.instance.hostname;

  # The container is only enabled on the host named by mastodonHost; the
  # secret below is declared for whichever host evaluates this module.
  runsMastodon = thisHost == mastodonHost;

  # Render an attribute set of environment variables as one KEY="value" line
  # per entry. mapAttrsToList visits keys in sorted order.
  # NOTE(review): pkgs.writeText stores the rendered file in the Nix store,
  # which is world-readable, so the OIDC client secret read below is exposed
  # in /nix/store regardless of the permissions applied to target-file.
  renderEnvFile = vars:
    let
      envLines = mapAttrsToList (name: value: ''${name}="${value}"'') vars;
    in pkgs.writeText "mastodon.env" (concatStringsSep "\n" envLines);

  # OIDC / single-sign-on settings handed to the Mastodon container.
  oidcEnvironment = {
    OIDC_ENABLED = "true";
    OIDC_DISPLAY_NAME = "fudo auth";
    OIDC_DISCOVERY = "true";
    OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
    OIDC_AUTH_ENDPOINT =
      "https://authentik.fudo.org/application/o/authorize/";
    OIDC_SCOPE = "openid,profile,email";
    OIDC_UID_FIELD = "sub";
    # NOTE(review): readFile keeps any trailing newline present in the secret
    # files; confirm the files are stored without one, or the quoted value
    # will contain it.
    OIDC_CLIENT_ID = builtins.readFile mastodonOidcClientId;
    OIDC_CLIENT_SECRET = builtins.readFile mastodonOidcClientSecret;
    # Fixed callback URL rather than one derived from mastodonWebDomain —
    # presumably intentional; verify it matches the domain the container
    # serves and the redirect URI registered at the issuer.
    OIDC_REDIRECT_URI =
      "https://fudo.live/auth/auth/openid_connect/callback";
    # Email claims from the issuer are treated as already verified.
    OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
    OMNIAUTH_ONLY = "true";
    ONE_CLICK_SSO_LOGIN = "true";
  };
in {
  config = {
    # Publish the rendered env file as a host secret, delivered to
    # /run/mastodon/env on the target host.
    fudo.secrets.host-secrets."${thisHost}".mastodonEnv = {
      source-file = renderEnvFile oidcEnvironment;
      target-file = "/run/mastodon/env";
    };

    services.mastodonContainer = mkIf runsMastodon {
      enable = true;
      hostname = mastodonHostname;
      domain = mastodonWebDomain;
      # Point the container at the delivered secret rather than the store path.
      environment-files = [
        config.fudo.secrets.host-secrets."${thisHost}".mastodonEnv.target-file
      ];
      smtp = {
        host = "mail.fudo.org";
        port = 25;
      };
      # Accounts are created only through the OIDC provider.
      allow-registrations = false;
    };
  };
}