
# Mastodon instance for fedi.catnip.ee: the NixOS mastodon service, a Caddy
# virtual host in front of it, and a borg backup job for its state.
{ config, pkgs, lib, ... }: {
  services = {
    mastodon = {
      enable = true;
      # The web process listens on a TCP port; the Caddy block below proxies
      # to config.services.mastodon.webPort accordingly.
      enableUnixSocket = false;
      # Periodic removal of cached remote media; no retention period is set
      # here, so the module default applies.
      mediaAutoRemove.enable = true;
      localDomain = "fedi.catnip.ee";
      # NOTE(review): ten streaming processes, but the Caddy config below
      # proxies a single /run/mastodon-streaming/streaming.socket. Newer NixOS
      # modules create one socket per process (streaming-N.socket) — confirm
      # the socket path against the module version in use.
      streamingProcesses = 10;
      extraConfig = {
        # Passed through to Mastodon's environment; together with port 465
        # below this presumably selects implicit TLS to the SMTP relay.
        SMTP_TLS = "true";
      };
      smtp = {
        authenticate = true;
        user = "mastodon@catnip.ee";
        # The secret is read from this path at runtime and stays out of the
        # Nix store.
        passwordFile = "/etc/secrets/mastodon-smtp";
        # No local MTA; mail goes to the external relay below.
        createLocally = false;
        host = "mx1.sly.ee";
        port = 465;
        fromAddress = "mastodon@catnip.ee";
      };
    };
    # Caddy front-end (Caddyfile syntax):
    #  - tls: certificate via the Cloudflare DNS challenge. CLOUDFLARE_API_TOKEN
    #    has to be present in caddy's environment; it is not set in this file —
    #    confirm it is supplied via an EnvironmentFile/credential rather than a
    #    path in the Nix store.
    #  - /system/*: uploaded media served straight from disk, which is why
    #    caddy is added to the mastodon group further down.
    #  - /api/v1/streaming/*: proxied to the streaming service's unix socket.
    #  - everything else: static assets from the mastodon package, falling
    #    through (pass_thru) to the web process on webPort.
    #  - handle_errors: serves the package's 500.html on upstream errors.
    #  - HSTS on all paths; long immutable caching for fingerprinted assets
    #    and uploaded media.
    caddy.virtualHosts."fedi.catnip.ee".extraConfig = ''
      tls {
      dns cloudflare {env.CLOUDFLARE_API_TOKEN}
      resolvers 1.1.1.1
      }
      handle_path /system/* {
      file_server * {
      root /var/lib/mastodon/public-system
      }
      }
      handle /api/v1/streaming/* {
      reverse_proxy unix//run/mastodon-streaming/streaming.socket
      }
      route * {
      file_server * {
      root ${pkgs.mastodon}/public
      pass_thru
      }
      reverse_proxy :${toString config.services.mastodon.webPort}
      }
      handle_errors {
      root * ${pkgs.mastodon}/public
      rewrite 500.html
      file_server
      }
      encode gzip
      header /* {
      Strict-Transport-Security "max-age=31536000;"
      }
      header /emoji/* Cache-Control "public, max-age=31536000, immutable"
      header /packs/* Cache-Control "public, max-age=31536000, immutable"
      header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
      header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
    '';
    # Borg backup of the Mastodon state directory and its redis instance.
    # PostgreSQL data is not in this list — confirm the database is dumped by
    # another job. NOTE(review): under the module defaults /var/lib/mastodon
    # presumably also holds the instance's generated secrets, so the backup
    # target has to be treated as sensitive.
    borgbackup.jobs."borgbase" = {
      paths = [
        "/var/lib/mastodon"
        "/var/lib/redis-mastodon"
      ];
      exclude = [
        # Presumably regenerable remote-media cache; the linked discussion
        # questions whether excluding it is safe.
        "/var/lib/mastodon/public-system/cache" # could be bad? https://github.com/mastodon/mastodon/discussions/21287
      ];
    };
  };
  users.users.caddy.extraGroups = [
    config.services.mastodon.group # since caddy is serving mastodon files it needs access to it
  ];
  # Could maybe remove this?
  # NOTE(review): mkForce replaces whatever ReadWriteDirectories the caddy
  # module sets with just /var/lib/caddy, narrowing what the unit may write;
  # check the module's own value (e.g. a log directory) before removing or
  # keeping this.
  systemd.services.caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [ "/var/lib/caddy" ];
}