{ config, pkgs, lib, ... }:

# NixOS module for the Mastodon instance at fedi.catnip.ee: the Mastodon
# service itself, the Caddy virtual host that fronts it, a Borg backup job,
# and two small adjustments to the caddy user/service.
{
  services.mastodon = {
    enable = true;
    localDomain = "fedi.catnip.ee";
    # Web/streaming listen on TCP ports rather than Unix sockets.
    enableUnixSocket = false;
    streamingProcesses = 10;
    mediaAutoRemove.enable = true;

    # Outbound mail: implicit TLS on 465, credentials read from a file that is
    # outside the Nix store (so the password does not end up world-readable).
    smtp = {
      createLocally = false;
      host = "mx1.sly.ee";
      port = 465;
      authenticate = true;
      user = "mastodon@catnip.ee";
      passwordFile = "/etc/secrets/mastodon-smtp";
      fromAddress = "mastodon@catnip.ee";
    };
    extraConfig = {
      SMTP_TLS = "true";
    };
  };

  # Caddy terminates TLS (Cloudflare DNS challenge), serves static assets and
  # uploaded media straight from disk, and proxies everything else to the
  # Mastodon web and streaming processes.
  #
  # NOTE(review): the streaming target below is a single Unix socket while
  # enableUnixSocket is false above; confirm that this path is what the
  # nixpkgs module actually creates for the streaming processes.
  #
  # The HSTS header is max-age only (no includeSubDomains / preload); the
  # long-lived Cache-Control headers are limited to content-addressed or
  # immutable asset paths.
  services.caddy.virtualHosts."fedi.catnip.ee".extraConfig = ''
    tls {
      dns cloudflare {env.CLOUDFLARE_API_TOKEN}
      resolvers 1.1.1.1
    }
    handle_path /system/* {
      file_server * {
        root /var/lib/mastodon/public-system
      }
    }
    handle /api/v1/streaming/* {
      reverse_proxy unix//run/mastodon-streaming/streaming.socket
    }
    route * {
      file_server * {
        root ${pkgs.mastodon}/public
        pass_thru
      }
      reverse_proxy :${toString config.services.mastodon.webPort}
    }
    handle_errors {
      root * ${pkgs.mastodon}/public
      rewrite 500.html
      file_server
    }
    encode gzip
    header /* {
      Strict-Transport-Security "max-age=31536000;"
    }
    header /emoji/* Cache-Control "public, max-age=31536000, immutable"
    header /packs/* Cache-Control "public, max-age=31536000, immutable"
    header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
    header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
  '';

  # Off-site backup of Mastodon state and its Redis database.
  services.borgbackup.jobs."borgbase" = {
    paths = [
      "/var/lib/mastodon"
      "/var/lib/redis-mastodon"
    ];
    exclude = [
      # could be bad? https://github.com/mastodon/mastodon/discussions/21287
      "/var/lib/mastodon/public-system/cache"
    ];
  };

  # Caddy reads /var/lib/mastodon/public-system directly (see the /system/*
  # handler above), so it needs membership in Mastodon's group.
  users.users.caddy.extraGroups = [
    config.services.mastodon.group # since caddy is serving mastodon files it needs access to it
  ];

  # Could maybe remove this?
  # Presumably narrows the caddy unit's writable paths to its own data dir;
  # check the caddy module's default before dropping it.
  systemd.services.caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [ "/var/lib/caddy" ];
}