mastodon-container/mastodon-container.nix

{ config, lib, pkgs, ... }@toplevel:

with lib;
let cfg = config.services.mastodonContainer;

in {

  options.services.mastodonContainer = with types; {
    enable = mkEnableOption "Enable Mastodon running in an Arion container.";

    domain = mkOption {
      type = str;
      description = "Domain name of this Mastodon instance.";
    };

    hostname = mkOption {
      type = str;
      description = "Hostname of the Mastodon server.";
      default = toplevel.config.services.mastodonContainer.domain;
    };

    state-directory = mkOption {
      type = str;
      description = "Port at which to store server data.";
    };

    port = mkOption {
      type = port;
      description = "Port at which to serve Mastodon web requests.";
      default = 55001;
    };

    environment-files = mkOption {
      type = listOf str;
      description =
        "List of files with env variables to set for the Mastodon job.";
      default = [ ];
    };

    streaming-processes = mkOption {
      type = int;
      description =
        "Number of processes to use for Mastodon streaming. Recommended is (#cores - 1).";
      default = 4;
    };

    allow-registrations = mkOption {
      type = bool;
      description = "Enable the creation of new accounts.";
      default = true;
    };

    smtp = {
      host = mkOption {
        type = str;
        description = "Outgoing SMTP server.";
      };

      port = mkOption {
        type = port;
        description = "Outgoing SMTP server port.";
        default = 25;
      };

      user = mkOption {
        type = str;
        description = "User as which to authenticate to the SMTP server.";
        default = "mastodon";
      };

      password-file = mkOption {
        type = nullOr str;
        description = "Path to file containing SMTP password";
        default = null;
      };

      from-address = mkOption {
        type = str;
        description = "Address from which to send outgoing mail.";
        default =
          "${toplevel.config.services.mastodonContainer.smtp.user}@${toplevel.config.services.mastodonContainer.domain}";
      };
    };
  };

  config = mkIf cfg.enable {
    virtualisation.arion.projects.mastodon.settings = let
      image = { pkgs, ... }: {
        project.name = "mastodon";
        docker-compose.volumes = {
          postgres-data = { };
          redis-data = { };
          mastodon-data = { };
        };
        networks.external_network.internal = false;
        services = {
          mastodon = { pkgs, ... }: {
            service = {
              restart = "always";
              volumes = [
                "postgres-data:/var/lib/postgresql"
                "redis-data:/var/lib/redis"
                "mastodon-data:/var/lib/mastodon"
              ] ++ (map (env-file: "${env-file}:${env-file}:ro,Z")
                cfg.environment-files);
              ports = [ "${toString cfg.port}:80" ];
              networks = [ "external_network" ];
            };
            nixos = {
              useSystemd = true;
              configuration = {
                boot.tmp.useTmpfs = true;
                system.nssModules = mkForce [ ];
                services = {
                  nscd.enable = false;
                  postgresql.enable = true;
                  mastodon = {
                    enable = true;
                    webPort = cfg.port;
                    localDomain = cfg.domain;
                    extraEnvFiles = cfg.environment-files;
                    smtp = {
                      inherit (cfg.smtp) host port user;
                      fromAddress = cfg.smtp.from-address;
                      authenticate = !isNull cfg.smtp.password-file;
                      passwordFile = mkIf (!isNull cfg.smtp.password-file)
                        cfg.smtp.password-file;
                    };
                    redis.createLocally = true;
                    database.createLocally = true;
                    configureNginx = true;
                    automaticMigrations = true;
                    streamingProcesses = cfg.streaming-processes;
                    extraConfig.registrations_open =
                      if cfg.allow-registrations then "true" else "false";
                  };
                  nginx = {
                    recommendedTlsSettings = true;
                    recommendedGzipSettings = true;
                    recommendedOptimisation = true;
                    recommendedProxySettings = true;
                    commonHttpConfig = ''
                      log_format with_response_time '$remote_addr - $remote_user [$time_local] '
                                   '"$request" $status $body_bytes_sent '
                                   '"$http_referer" "$http_user_agent" '
                                   '"$request_time" "$upstream_response_time"';
                      access_log /var/log/nginx/access.log with_response_time;
                    '';
                    virtualHosts."${cfg.hostname}" = {
                      forceSSL = false;
                      enableACME = false;
                      locations = let
                        mkCacheLine = { maxAge ? 2419200, immutable ? false }:
                          let
                            immutableString = if immutable then
                              "immutable"
                            else
                              "must-revalidate";
                          in {
                            extraConfig = ''
                              add_header Cache-Control "public, max-age=${
                                toString maxAge
                              }, ${immutableString}";
                              add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
                              try_files $uri =404;
                            '';
                          };
                      in {
                        "/api/v1/streaming" = {
                          extraConfig = ''
                            proxy_set_header X-Forwarded-Proto $scheme;
                            proxy_buffering off;
                            proxy_redirect off;
                            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
                            tcp_nodelay on;
                          '';

                        };
                        "@proxy" = {
                          extraConfig = ''
                            proxy_set_header X-Forwarded-Proto https; # NOTE: Lie and say we're on HTTPS! Otherwise Mastodon will refuse to serve.
                            proxy_pass_header Server;

                            proxy_buffering on;
                            proxy_redirect off;

                            ## TODO: consider uncommentingq
                            # proxy_cache CACHE;
                            # proxy_cache_valid 200 7d;
                            # proxy_cache_valid 410 24h;
                            # proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
                            # add_header X-Cached $upstream_cache_status;

                            tcp_nodelay on;
                          '';
                        };

                        "/sw.js" = mkCacheLine { maxAge = 604800; };
                        "^/assets/" = mkCacheLine { };
                        "^/avatars/" = mkCacheLine { };
                        "^/emoji/" = mkCacheLine { };
                        "^/headers/" = mkCacheLine { };
                        "^/packs" = mkCacheLine { };
                        "^/shortcuts" = mkCacheLine { };
                        "^/sounds/" = mkCacheLine { };
                        "^/system" = mkCacheLine { immutable = true; };
                      };
                    };
                  };
                };
              };
            };
          };
        };
      };
    in { imports = [ image ]; };

    services.nginx = {
      enable = true;
      virtualHosts."${cfg.hostname}" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString cfg.port}/";
          proxyWebsockets = true;
          recommendedProxySettings = true;
        };
      };
    };
  };
}
Initial checkin 2023-07-25 18:37:43 -07:00			`{ config, lib, pkgs, ... }@toplevel:`

			`with lib;`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`let cfg = config.services.mastodonContainer;`
Pretend incoming is HTTPS to make Mastodon behave And tons of cache behavior 2024-01-18 14:43:41 -08:00
Initial checkin 2023-07-25 18:37:43 -07:00			`in {`

Need to import types 2024-01-17 13:13:47 -08:00			`options.services.mastodonContainer = with types; {`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`enable = mkEnableOption "Enable Mastodon running in an Arion container.";`
Add env files! Oops 2023-07-26 16:30:53 -07:00
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`domain = mkOption {`
Add env files! Oops 2023-07-26 16:30:53 -07:00			`type = str;`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`description = "Domain name of this Mastodon instance.";`
Add env files! Oops 2023-07-26 16:30:53 -07:00			`};`

Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`hostname = mkOption {`
Initial checkin 2023-07-25 18:37:43 -07:00			`type = str;`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`description = "Hostname of the Mastodon server.";`
			`default = toplevel.config.services.mastodonContainer.domain;`
Initial checkin 2023-07-25 18:37:43 -07:00			`};`

			`state-directory = mkOption {`
			`type = str;`
			`description = "Port at which to store server data.";`
			`};`

Only need one port 2023-07-26 09:25:12 -07:00			`port = mkOption {`
			`type = port;`
			`description = "Port at which to serve Mastodon web requests.";`
Try not authenticating with SMTP? 2024-01-17 13:08:19 -08:00			`default = 55001;`
Initial checkin 2023-07-25 18:37:43 -07:00			`};`

Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`environment-files = mkOption {`
			`type = listOf str;`
			`description =`
			`"List of files with env variables to set for the Mastodon job.";`
			`default = [ ];`
Add environment variable option 2023-09-03 10:51:31 -07:00			`};`

Add streaming-processes option 2024-01-17 14:25:57 -08:00			`streaming-processes = mkOption {`
			`type = int;`
			`description =`
			`"Number of processes to use for Mastodon streaming. Recommended is (#cores - 1).";`
			`default = 4;`
			`};`

Change wording so it's clearer 2024-01-28 15:43:58 -08:00			`allow-registrations = mkOption {`
			`type = bool;`
			`description = "Enable the creation of new accounts.";`
			`default = true;`
			`};`
Allow disabled registrations 2024-01-28 12:26:11 -08:00
Add env files! Oops 2023-07-26 16:30:53 -07:00			`smtp = {`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`host = mkOption {`
Add env files! Oops 2023-07-26 16:30:53 -07:00			`type = str;`
			`description = "Outgoing SMTP server.";`
			`};`

			`port = mkOption {`
			`type = port;`
			`description = "Outgoing SMTP server port.";`
			`default = 25;`
			`};`

Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`user = mkOption {`
			`type = str;`
			`description = "User as which to authenticate to the SMTP server.";`
Try not authenticating with SMTP? 2024-01-17 13:08:19 -08:00			`default = "mastodon";`
Initial checkin 2023-07-25 18:37:43 -07:00			`};`

Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`password-file = mkOption {`
Try not authenticating with SMTP? 2024-01-17 13:08:19 -08:00			`type = nullOr str;`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`description = "Path to file containing SMTP password";`
Default password-file to null 2024-01-17 16:19:14 -08:00			`default = null;`
Add env files! Oops 2023-07-26 16:30:53 -07:00			`};`

Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`from-address = mkOption {`
			`type = str;`
			`description = "Address from which to send outgoing mail.";`
			`default =`
			`"${toplevel.config.services.mastodonContainer.smtp.user}@${toplevel.config.services.mastodonContainer.domain}";`
Mastodon needs network 2023-09-06 11:12:10 -07:00			`};`
			`};`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`};`
Ensure directories are created 2023-07-25 18:51:57 -07:00
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`config = mkIf cfg.enable {`
Initial checkin 2023-07-25 18:37:43 -07:00			`virtualisation.arion.projects.mastodon.settings = let`
			`image = { pkgs, ... }: {`
			`project.name = "mastodon";`
Define volumes 2024-01-17 17:11:33 -08:00			`docker-compose.volumes = {`
			`postgres-data = { };`
			`redis-data = { };`
			`mastodon-data = { };`
			`};`
Add external network, to access auth 2024-01-18 18:55:43 -08:00			`networks.external_network.internal = false;`
Initial checkin 2023-07-25 18:37:43 -07:00			`services = {`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`mastodon = { pkgs, ... }: {`
			`service = {`
			`restart = "always";`
			`volumes = [`
Fuckin lost the db on reboot, can you believe it? 2024-01-29 11:49:49 -08:00			`"postgres-data:/var/lib/postgresql"`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`"redis-data:/var/lib/redis"`
			`"mastodon-data:/var/lib/mastodon"`
ro isn't part of the filename... 2024-01-18 10:46:04 -08:00			`] ++ (map (env-file: "${env-file}:${env-file}:ro,Z")`
Make env files available inside the container 2024-01-18 10:24:27 -08:00			`cfg.environment-files);`
Set the port on the container 2024-01-17 18:15:11 -08:00			`ports = [ "${toString cfg.port}:80" ];`
Add external network, to access auth 2024-01-18 18:55:43 -08:00			`networks = [ "external_network" ];`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`};`
Need to put config in `nixos` 2024-01-17 14:12:39 -08:00			`nixos = {`
			`useSystemd = true;`
			`configuration = {`
			`boot.tmp.useTmpfs = true;`
			`system.nssModules = mkForce [ ];`
			`services = {`
			`nscd.enable = false;`
			`postgresql.enable = true;`
			`mastodon = {`
			`enable = true;`
			`webPort = cfg.port;`
			`localDomain = cfg.domain;`
			`extraEnvFiles = cfg.environment-files;`
			`smtp = {`
			`inherit (cfg.smtp) host port user;`
			`fromAddress = cfg.smtp.from-address;`
			`authenticate = !isNull cfg.smtp.password-file;`
Default password-file to null 2024-01-17 16:19:14 -08:00			`passwordFile = mkIf (!isNull cfg.smtp.password-file)`
			`cfg.smtp.password-file;`
Need to put config in `nixos` 2024-01-17 14:12:39 -08:00			`};`
			`redis.createLocally = true;`
			`database.createLocally = true;`
			`configureNginx = true;`
			`automaticMigrations = true;`
Add streaming-processes option 2024-01-17 14:25:57 -08:00			`streamingProcesses = cfg.streaming-processes;`
Change it to a string, not a bool... 2024-01-28 15:50:55 -08:00			`extraConfig.registrations_open =`
s/_/-/ 2024-01-28 16:07:58 -08:00			`if cfg.allow-registrations then "true" else "false";`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`};`
Let mastodon configure nginx, but override forceSSL 2024-01-17 15:41:34 -08:00			`nginx = {`
Don't change the settings on the parent host. 2024-01-18 13:42:33 -08:00			`recommendedTlsSettings = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`commonHttpConfig = ''`
			`log_format with_response_time '$remote_addr - $remote_user [$time_local] '`
			`'"$request" $status $body_bytes_sent '`
			`'"$http_referer" "$http_user_agent" '`
			`'"$request_time" "$upstream_response_time"';`
			`access_log /var/log/nginx/access.log with_response_time;`
			`'';`
Let mastodon configure nginx, but override forceSSL 2024-01-17 15:41:34 -08:00			`virtualHosts."${cfg.hostname}" = {`
			`forceSSL = false;`
			`enableACME = false;`
Pretend incoming is HTTPS to make Mastodon behave And tons of cache behavior 2024-01-18 14:43:41 -08:00			`locations = let`
			`mkCacheLine = { maxAge ? 2419200, immutable ? false }:`
			`let`
			`immutableString = if immutable then`
			`"immutable"`
			`else`
			`"must-revalidate";`
Need to wrap string in extraConfig 2024-01-18 14:52:06 -08:00			`in {`
			`extraConfig = ''`
			`add_header Cache-Control "public, max-age=${`
			`toString maxAge`
			`}, ${immutableString}";`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`try_files $uri =404;`
			`'';`
			`};`
Pretend incoming is HTTPS to make Mastodon behave And tons of cache behavior 2024-01-18 14:43:41 -08:00			`in {`
			`"/api/v1/streaming" = {`
			`extraConfig = ''`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_buffering off;`
			`proxy_redirect off;`
			`add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`
			`tcp_nodelay on;`
			`'';`

			`};`
			`"@proxy" = {`
			`extraConfig = ''`
			`proxy_set_header X-Forwarded-Proto https; # NOTE: Lie and say we're on HTTPS! Otherwise Mastodon will refuse to serve.`
			`proxy_pass_header Server;`

			`proxy_buffering on;`
			`proxy_redirect off;`

Try removing Host header to avoid 403 errors 2024-01-18 18:25:49 -08:00			`## TODO: consider uncommentingq`
Remove the cache for now 2024-01-18 15:32:42 -08:00			`# proxy_cache CACHE;`
			`# proxy_cache_valid 200 7d;`
			`# proxy_cache_valid 410 24h;`
			`# proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;`
			`# add_header X-Cached $upstream_cache_status;`
Pretend incoming is HTTPS to make Mastodon behave And tons of cache behavior 2024-01-18 14:43:41 -08:00
			`tcp_nodelay on;`
			`'';`
			`};`

			`"/sw.js" = mkCacheLine { maxAge = 604800; };`
			`"^/assets/" = mkCacheLine { };`
			`"^/avatars/" = mkCacheLine { };`
			`"^/emoji/" = mkCacheLine { };`
			`"^/headers/" = mkCacheLine { };`
			`"^/packs" = mkCacheLine { };`
			`"^/shortcuts" = mkCacheLine { };`
			`"^/sounds/" = mkCacheLine { };`
			`"^/system" = mkCacheLine { immutable = true; };`
			`};`
Let mastodon configure nginx, but override forceSSL 2024-01-17 15:41:34 -08:00			`};`
			`};`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`};`
			`};`
			`};`
Initial checkin 2023-07-25 18:37:43 -07:00			`};`
			`};`
			`};`
			`in { imports = [ image ]; };`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00
			`services.nginx = {`
			`enable = true;`
			`virtualHosts."${cfg.hostname}" = {`
Let mastodon configure nginx, but override forceSSL 2024-01-17 15:41:34 -08:00			`enableACME = true;`
			`forceSSL = true;`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`locations."/" = {`
Oh fer FUCKS sake 2024-01-17 23:32:24 -08:00			`proxyPass = "http://127.0.0.1:${toString cfg.port}/";`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`proxyWebsockets = true;`
Add a trailing /.... And put proxyPass in the right place? 2024-01-17 22:59:15 -08:00			`recommendedProxySettings = true;`
Switch to one nixos-using image 2024-01-17 12:57:19 -08:00			`};`
			`};`
			`};`
Initial checkin 2023-07-25 18:37:43 -07:00			`};`
			`}`