# Mastodon host definition.
#
# Outer function: site-specific values supplied by the caller (the host that
# runs Mastodon, its domains, and the paths of the files holding the OIDC
# client id / secret).  Inner function: an ordinary NixOS module.  Both the
# Mastodon container and its nginx front-end are only enabled on the instance
# whose hostname equals `mastodonHost`.
{ mastodonHost, mastodonHostname, mastodonWebDomain, mastodonOidcClientId
, mastodonOidcClientSecret, ... }:

{ config, lib, pkgs, ... }:

let
  thisHost = config.instance.hostname;
  # Gate for every definition below.
  isMastodon = thisHost == mastodonHost;

  # Both credentials are read at evaluation time.  NOTE(review): the
  # resulting strings become part of the generated configuration, which is
  # written to the Nix store and is therefore readable by every local user;
  # if the mastodonContainer module offers a runtime-read environment/secret
  # file option, that is the safer place for OIDC_CLIENT_SECRET — confirm
  # against its option set.
  oidcClientId = builtins.readFile mastodonOidcClientId;
  oidcClientSecret = builtins.readFile mastodonOidcClientSecret;
in {
  config = lib.mkIf isMastodon {
    services.mastodonContainer = {
      enable = true;
      # NOTE(review): `hostname` receives mastodonWebDomain and `web-domain`
      # receives mastodonHostname, while the nginx vhost below is keyed on
      # mastodonHostname.  This may be deliberate (Mastodon distinguishes the
      # handle domain from the web domain) — verify against the module's
      # option definitions.
      hostname = mastodonWebDomain;
      web-domain = mastodonHostname;
      version = "v4.1.6";
      state-directory = "/state/services/mastodon";
      smtp.server = "mail.fudo.org";

      # OpenID Connect login against the site's Authentik instance.
      environment = {
        OIDC_ENABLED = "true";
        OIDC_DISPLAY_NAME = "fudo auth";
        OIDC_DISCOVERY = "true";
        OIDC_ISSUER = "https://authentik.fudo.org/application/o/mastodon/";
        OIDC_AUTH_ENDPOINT =
          "https://authentik.fudo.org/application/o/authorize/";
        OIDC_SCOPE = "openid,profile,email";
        # Accounts are keyed on the provider's stable subject id, not email.
        OIDC_UID_FIELD = "sub";
        OIDC_CLIENT_ID = oidcClientId;
        OIDC_CLIENT_SECRET = oidcClientSecret;
        # Hard-coded rather than derived from mastodonHostname; presumably the
        # two agree, but a mismatch would break the callback — TODO confirm.
        OIDC_REDIRECT_URI =
          "https://mastodon.fudo.org/auth/auth/openid_connect/callback";
        # Trusts the provider's email claim without re-verification; only
        # appropriate when the provider itself verifies addresses.
        OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      };
    };

    # TLS-terminating reverse proxy in front of the container.
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      virtualHosts."${mastodonHostname}" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          # Port is whatever the container module ends up exposing.
          proxyPass = "http://localhost:${
              toString config.services.mastodonContainer.port
            }";
          proxyWebsockets = true;
        };
      };
    };
  };
}