diff --git a/caddy.nix b/caddy.nix
index 0b91eab..fe0310f 100644
--- a/caddy.nix
+++ b/caddy.nix
@@ -22,6 +22,42 @@ in {
     enable = true;
     email = "ssl@catnip.ee";
     virtualHosts = {
+      "fedi.catnip.ee".extraConfig = ''
+        handle_path /system/* {
+          file_server * {
+            root /var/lib/mastodon/public-system
+          }
+        }
+
+        handle /api/v1/streaming/* {
+          reverse_proxy unix//run/mastodon-streaming/streaming.socket
+        }
+
+        route * {
+          file_server * {
+            root ${pkgs.mastodon}/public
+            pass_thru
+          }
+          reverse_proxy * unix//run/mastodon-web/web.socket
+        }
+
+        handle_errors {
+          root * ${pkgs.mastodon}/public
+          rewrite 500.html
+          file_server
+        }
+
+        encode gzip
+
+        header /* {
+          Strict-Transport-Security "max-age=31536000;"
+        }
+        header /emoji/* Cache-Control "public, max-age=31536000, immutable"
+        header /packs/* Cache-Control "public, max-age=31536000, immutable"
+        header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
+        header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
+      '';
+
       ${config.services.coturn.realm} = {
         extraConfig = ''
           root /.well-known/acme-challenge/* ${settings.turnAcmeDir}
diff --git a/configuration.nix b/configuration.nix
index 34074e2..d71e37d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,6 +3,7 @@
   pkgs,
   inputs,
   system,
+  lib,
   ...
 }: let
   settings = import ./settings.nix {};
@@ -64,6 +65,13 @@ in {
   };
   systemd.services = {
+    caddy.serviceConfig.ReadWriteDirectories = lib.mkForce ["/var/lib/caddy" "/run/mastodon-web"];
+
+    mautrix-telegram.path = with pkgs; [
+      lottieconverter # for animated stickers conversion, unfree package
+      ffmpeg # if converting animated stickers to webm (very slow!)
+    ];
+
     tailscaled.environment = {
       TS_NO_LOGS_NO_SUPPORT = "true";
     };
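Review bot: The HSTS value in the new `fedi.catnip.ee` vhost ends with a `;` that has no directive after it (`Strict-Transport-Security "max-age=31536000;"`); browsers tolerate the empty directive, but it reads like an unfinished directive list, so either drop it, `Strict-Transport-Security "max-age=31536000"`, or decide deliberately whether `includeSubDomains` belongs there given the other names served from this domain. The `handle_errors` block rewrites every error response, 404s included, to `500.html`; if that is intended, a one-line comment above it saying so would save the next reader a detour. The `virtualHosts` attribute set continues past the hunk.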
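Review bot: `ReadWriteDirectories` on the new caddy line is the older spelling of systemd's `ReadWritePaths`; the mkForce presumably targets the key the NixOS caddy module itself sets, so keep that spelling only if that is confirmed, and add a comment stating why the path must be writable, e.g. `# caddy proxies to the mastodon web socket under /run/mastodon-web`. The Caddyfile in caddy.nix also connects to `/run/mastodon-streaming/streaming.socket`, which is not in the list; if this entry is what makes the web socket reachable, the streaming directory likely needs the same treatment, and if it is not, the override can go. Forcing the list also replaces whatever the module put there, so later module additions will be dropped silently.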
@@ -243,12 +251,25 @@ in {
     };
   };
-  systemd.services.mautrix-telegram.path = with pkgs; [
-    lottieconverter # for animated stickers conversion, unfree package
-    ffmpeg # if converting animated stickers to webm (very slow!)
-  ];
-
   services = {
+    mastodon = {
+      enable = true;
+      localDomain = "fedi.catnip.ee";
+      streamingProcesses = 10;
+      extraConfig = {
+        SMTP_TLS = "true";
+      };
+      smtp = {
+        authenticate = true;
+        user = "mastodon@catnip.ee";
+        passwordFile = "/etc/secrets/mastodon-smtp";
+
+        createLocally = false;
+        host = "mx1.sly.ee";
+        port = 465;
+        fromAddress = "mastodon@catnip.ee";
+      };
+    };
     displayManager.sddm.enable = true;
     lastfm-status = {
@@ -620,6 +641,9 @@ in {
       '';
       identMap = ''
+        superuser_map root mastodon
+        superuser_map mastodon mastodon
+
         superuser_map root matrix-synapse
         superuser_map matrix-synapse matrix-synapse
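Review bot: The new `smtp` block pairs `port = 465` with `SMTP_TLS = "true"` set through `extraConfig`, and nothing records that the two belong together; a comment on the extraConfig line such as `# implicit TLS on 465; keep in step with smtp.port below` would stop a later edit from changing one without the other. `passwordFile` points at `/etc/secrets/mastodon-smtp`, so that file's owner and mode have to admit the service user and nobody else; that is not visible here and is worth stating in a comment next to the option. The `services` attribute set continues past the hunk.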
@@ -851,31 +875,32 @@ in {
   users = {
     defaultUserShell = pkgs.fish;
-    groups = {
-      # caddy user needs to be part of coturn's group for certs
-      ${config.systemd.services.coturn.serviceConfig.Group}.members = [
-        config.systemd.services.caddy.serviceConfig.User
-      ];
-    };
-    users.owo = {
-      isNormalUser = true;
-      extraGroups = ["networkmanager" "wheel" "docker"];
-      openssh.authorizedKeys.keys = [
-        "ssh-rsa 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 lain@navi"
-        "ssh-rsa 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 mina@navi"
-      ];
-      packages = with pkgs; [
-        firefox
-        helix
-        mpv
-        croc
-        ffmpeg
-        speedtest-cli
-        htop
-        progress
-        duperemove
-        tmux
+    users = {
+      caddy.extraGroups = [
+        config.services.mastodon.group # since caddy is serving mastodon files it needs access to it
+        config.systemd.services.coturn.serviceConfig.Group # caddy user needs to be part of coturn's group for certs
       ];
+
+      owo = {
+        isNormalUser = true;
+        extraGroups = ["networkmanager" "wheel" "docker"];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa 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 lain@navi"
+          "ssh-rsa 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 mina@navi"
+        ];
+        packages = with pkgs; [
+          firefox
+          helix
+          mpv
+          croc
+          ffmpeg
+          speedtest-cli
+          htop
+          progress
+          duperemove
+          tmux
+        ];
+      };
     };
   };
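Review bot: Adding the caddy user to `config.services.mastodon.group` grants it whatever that group is allowed across the whole mastodon state tree, not only the `/var/lib/mastodon/public-system` directory the Caddyfile serves; if the group bits on that tree include write, caddy could then alter uploaded media or any other group-owned file. Worth confirming the modes under `/var/lib/mastodon` after the switch and, if anything beyond read is granted, narrowing access to the served path instead of the group. The comment on that line could make the intent checkable, e.g. `# read-only access to /var/lib/mastodon/public-system, which caddy serves directly`. The coturn group entry only restates the removed `groups.<coturn>.members` definition, so no change of access there.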