2022-03-22 19:21:47 +00:00
|
|
|
{ lib, pkgs, config, options, ... }:
|
2019-05-02 15:51:12 +01:00
|
|
|
|
|
|
|
|
let
|
|
|
|
|
cfg = config.services.mastodon;
|
2022-03-22 19:21:47 +00:00
|
|
|
opt = options.services.mastodon;
|
|
|
|
|
|
2024-02-16 18:29:30 +00:00
|
|
|
# We only want to create a Redis and PostgreSQL databases if we're actually going to connect to it local.
|
|
|
|
|
redisActuallyCreateLocally = cfg.redis.createLocally && (cfg.redis.host == "127.0.0.1" || cfg.redis.enableUnixSocket);
|
2019-05-02 15:51:12 +01:00
|
|
|
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "/run/postgresql";
|
|
|
|
|
|
|
|
|
|
env = {
|
|
|
|
|
RAILS_ENV = "production";
|
|
|
|
|
NODE_ENV = "production";
|
|
|
|
|
|
2022-03-26 16:35:32 +00:00
|
|
|
LD_PRELOAD = "${pkgs.jemalloc}/lib/libjemalloc.so";
|
|
|
|
|
|
2021-09-04 10:07:04 +01:00
|
|
|
# mastodon-web concurrency.
|
|
|
|
|
WEB_CONCURRENCY = toString cfg.webProcesses;
|
|
|
|
|
MAX_THREADS = toString cfg.webThreads;
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
DB_USER = cfg.database.user;
|
|
|
|
|
|
|
|
|
|
DB_HOST = cfg.database.host;
|
|
|
|
|
DB_NAME = cfg.database.name;
|
|
|
|
|
LOCAL_DOMAIN = cfg.localDomain;
|
|
|
|
|
SMTP_SERVER = cfg.smtp.host;
|
|
|
|
|
SMTP_PORT = toString(cfg.smtp.port);
|
|
|
|
|
SMTP_FROM_ADDRESS = cfg.smtp.fromAddress;
|
|
|
|
|
PAPERCLIP_ROOT_PATH = "/var/lib/mastodon/public-system";
|
|
|
|
|
PAPERCLIP_ROOT_URL = "/system";
|
|
|
|
|
ES_ENABLED = if (cfg.elasticsearch.host != null) then "true" else "false";
|
2021-02-13 15:37:26 +00:00
|
|
|
|
|
|
|
|
TRUSTED_PROXY_IP = cfg.trustedProxy;
|
2019-05-02 15:51:12 +01:00
|
|
|
}
|
2024-02-17 17:46:55 +00:00
|
|
|
// lib.optionalAttrs (cfg.redis.host != null) { REDIS_HOST = cfg.redis.host; }
|
|
|
|
|
// lib.optionalAttrs (cfg.redis.port != null) { REDIS_PORT = toString(cfg.redis.port); }
|
2023-11-29 07:20:16 +00:00
|
|
|
// lib.optionalAttrs (cfg.redis.createLocally && cfg.redis.enableUnixSocket) { REDIS_URL = "unix://${config.services.redis.servers.mastodon.unixSocket}"; }
|
2022-03-22 19:21:47 +00:00
|
|
|
// lib.optionalAttrs (cfg.database.host != "/run/postgresql" && cfg.database.port != null) { DB_PORT = toString cfg.database.port; }
|
|
|
|
|
// lib.optionalAttrs cfg.smtp.authenticate { SMTP_LOGIN = cfg.smtp.user; }
|
2023-10-21 20:42:47 +01:00
|
|
|
// lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_HOST = cfg.elasticsearch.host; }
|
|
|
|
|
// lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_PORT = toString(cfg.elasticsearch.port); }
|
|
|
|
|
// lib.optionalAttrs (cfg.elasticsearch.host != null) { ES_PRESET = cfg.elasticsearch.preset; }
|
|
|
|
|
// lib.optionalAttrs (cfg.elasticsearch.user != null) { ES_USER = cfg.elasticsearch.user; }
|
2019-05-02 15:51:12 +01:00
|
|
|
// cfg.extraConfig;
|
|
|
|
|
|
2021-05-12 09:34:26 +01:00
|
|
|
systemCallsList = [ "@cpu-emulation" "@debug" "@keyring" "@ipc" "@mount" "@obsolete" "@privileged" "@setuid" ];
|
2021-04-24 13:43:26 +01:00
|
|
|
|
2021-02-13 18:47:41 +00:00
|
|
|
cfgService = {
|
|
|
|
|
# User and group
|
|
|
|
|
User = cfg.user;
|
|
|
|
|
Group = cfg.group;
|
2022-11-19 21:55:13 +00:00
|
|
|
# Working directory
|
|
|
|
|
WorkingDirectory = cfg.package;
|
2021-02-13 18:47:41 +00:00
|
|
|
# State directory and mode
|
|
|
|
|
StateDirectory = "mastodon";
|
|
|
|
|
StateDirectoryMode = "0750";
|
|
|
|
|
# Logs directory and mode
|
|
|
|
|
LogsDirectory = "mastodon";
|
|
|
|
|
LogsDirectoryMode = "0750";
|
2021-05-12 09:22:44 +01:00
|
|
|
# Proc filesystem
|
|
|
|
|
ProcSubset = "pid";
|
|
|
|
|
ProtectProc = "invisible";
|
2021-02-13 18:47:41 +00:00
|
|
|
# Access write directories
|
|
|
|
|
UMask = "0027";
|
2021-02-14 19:07:40 +00:00
|
|
|
# Capabilities
|
|
|
|
|
CapabilityBoundingSet = "";
|
|
|
|
|
# Security
|
|
|
|
|
NoNewPrivileges = true;
|
2021-02-13 18:47:41 +00:00
|
|
|
# Sandboxing
|
2021-02-14 19:07:40 +00:00
|
|
|
ProtectSystem = "strict";
|
|
|
|
|
ProtectHome = true;
|
2021-02-13 18:47:41 +00:00
|
|
|
PrivateTmp = true;
|
2021-02-14 19:07:40 +00:00
|
|
|
PrivateDevices = true;
|
|
|
|
|
PrivateUsers = true;
|
|
|
|
|
ProtectClock = true;
|
|
|
|
|
ProtectHostname = true;
|
|
|
|
|
ProtectKernelLogs = true;
|
|
|
|
|
ProtectKernelModules = true;
|
|
|
|
|
ProtectKernelTunables = true;
|
|
|
|
|
ProtectControlGroups = true;
|
|
|
|
|
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
|
|
|
|
|
RestrictNamespaces = true;
|
|
|
|
|
LockPersonality = true;
|
|
|
|
|
MemoryDenyWriteExecute = false;
|
|
|
|
|
RestrictRealtime = true;
|
|
|
|
|
RestrictSUIDSGID = true;
|
2021-05-12 09:22:44 +01:00
|
|
|
RemoveIPC = true;
|
2021-02-14 19:07:40 +00:00
|
|
|
PrivateMounts = true;
|
|
|
|
|
# System Call Filtering
|
|
|
|
|
SystemCallArchitectures = "native";
|
2021-02-13 18:47:41 +00:00
|
|
|
};
|
|
|
|
|
|
2024-02-17 17:58:45 +00:00
|
|
|
# Services that all Mastodon units After= and Requires= on
|
|
|
|
|
commonServices = lib.optional redisActuallyCreateLocally "redis-mastodon.service"
|
|
|
|
|
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
|
|
|
|
|
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (
|
|
|
|
|
(lib.concatLists (lib.mapAttrsToList (name: value:
|
2023-06-25 10:47:43 +01:00
|
|
|
lib.optional (value != null) ''${name}="${toString value}"''
|
2019-05-02 15:51:12 +01:00
|
|
|
) env))));
|
|
|
|
|
|
2022-12-18 19:19:44 +00:00
|
|
|
mastodonTootctl = let
|
|
|
|
|
sourceExtraEnv = lib.concatMapStrings (p: "source ${p}\n") cfg.extraEnvFiles;
|
|
|
|
|
in pkgs.writeShellScriptBin "mastodon-tootctl" ''
|
2019-05-02 15:51:12 +01:00
|
|
|
set -a
|
2022-02-19 15:29:51 +00:00
|
|
|
export RAILS_ROOT="${cfg.package}"
|
2019-05-02 15:51:12 +01:00
|
|
|
source "${envFile}"
|
|
|
|
|
source /var/lib/mastodon/.secrets_env
|
2022-12-18 19:19:44 +00:00
|
|
|
${sourceExtraEnv}
|
2022-11-30 23:13:57 +00:00
|
|
|
|
|
|
|
|
sudo=exec
|
|
|
|
|
if [[ "$USER" != ${cfg.user} ]]; then
|
|
|
|
|
sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
|
|
|
|
|
fi
|
|
|
|
|
$sudo ${cfg.package}/bin/tootctl "$@"
|
2019-05-02 15:51:12 +01:00
|
|
|
'';
|
|
|
|
|
|
2022-11-19 21:55:13 +00:00
|
|
|
sidekiqUnits = lib.attrsets.mapAttrs' (name: processCfg:
|
|
|
|
|
lib.nameValuePair "mastodon-sidekiq-${name}" (let
|
|
|
|
|
jobClassArgs = toString (builtins.map (c: "-q ${c}") processCfg.jobClasses);
|
|
|
|
|
jobClassLabel = toString ([""] ++ processCfg.jobClasses);
|
|
|
|
|
threads = toString (if processCfg.threads == null then cfg.sidekiqThreads else processCfg.threads);
|
|
|
|
|
in {
|
2024-02-17 17:58:45 +00:00
|
|
|
after = [ "network.target" "mastodon-init-dirs.service" ] ++ commonServices;
|
|
|
|
|
requires = [ "mastodon-init-dirs.service" ] ++ commonServices;
|
2022-11-19 21:55:13 +00:00
|
|
|
description = "Mastodon sidekiq${jobClassLabel}";
|
|
|
|
|
wantedBy = [ "mastodon.target" ];
|
|
|
|
|
environment = env // {
|
|
|
|
|
PORT = toString(cfg.sidekiqPort);
|
|
|
|
|
DB_POOL = threads;
|
|
|
|
|
};
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
ExecStart = "${cfg.package}/bin/sidekiq ${jobClassArgs} -c ${threads} -r ${cfg.package}";
|
|
|
|
|
Restart = "always";
|
|
|
|
|
RestartSec = 20;
|
|
|
|
|
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
|
|
|
|
|
WorkingDirectory = cfg.package;
|
2024-01-26 11:30:57 +00:00
|
|
|
LimitNOFILE = "1024000";
|
2022-11-19 21:55:13 +00:00
|
|
|
# System Call Filtering
|
|
|
|
|
SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ];
|
|
|
|
|
} // cfgService;
|
2023-12-20 15:01:55 +00:00
|
|
|
path = with pkgs; [ ffmpeg-headless file imagemagick ];
|
2022-11-19 21:55:13 +00:00
|
|
|
})
|
|
|
|
|
) cfg.sidekiqProcesses;
|
|
|
|
|
|
2023-08-23 15:26:32 +01:00
|
|
|
streamingUnits = builtins.listToAttrs
|
|
|
|
|
(map (i: {
|
|
|
|
|
name = "mastodon-streaming-${toString i}";
|
|
|
|
|
value = {
|
2024-02-17 17:58:45 +00:00
|
|
|
after = [ "network.target" "mastodon-init-dirs.service" ] ++ commonServices;
|
|
|
|
|
requires = [ "mastodon-init-dirs.service" ] ++ commonServices;
|
2023-08-23 15:26:32 +01:00
|
|
|
wantedBy = [ "mastodon.target" "mastodon-streaming.target" ];
|
|
|
|
|
description = "Mastodon streaming ${toString i}";
|
|
|
|
|
environment = env // { SOCKET = "/run/mastodon-streaming/streaming-${toString i}.socket"; };
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
ExecStart = "${cfg.package}/run-streaming.sh";
|
|
|
|
|
Restart = "always";
|
|
|
|
|
RestartSec = 20;
|
|
|
|
|
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
|
|
|
|
|
WorkingDirectory = cfg.package;
|
|
|
|
|
# Runtime directory and mode
|
|
|
|
|
RuntimeDirectory = "mastodon-streaming";
|
|
|
|
|
RuntimeDirectoryMode = "0750";
|
|
|
|
|
# System Call Filtering
|
|
|
|
|
SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@memlock" "@resources" ])) "pipe" "pipe2" ];
|
|
|
|
|
} // cfgService;
|
|
|
|
|
};
|
|
|
|
|
})
|
|
|
|
|
(lib.range 1 cfg.streamingProcesses));
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
in {
|
|
|
|
|
|
2023-08-23 15:26:32 +01:00
|
|
|
imports = [
|
|
|
|
|
(lib.mkRemovedOptionModule
|
|
|
|
|
[ "services" "mastodon" "streamingPort" ]
|
|
|
|
|
"Mastodon currently doesn't support streaming via TCP ports. Please open a PR if you need this."
|
|
|
|
|
)
|
|
|
|
|
];
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
options = {
|
|
|
|
|
services.mastodon = {
|
|
|
|
|
enable = lib.mkEnableOption "Mastodon, a federated social network server";
|
|
|
|
|
|
|
|
|
|
configureNginx = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Configure nginx as a reverse proxy for mastodon.
|
|
|
|
|
Note that this makes some assumptions on your setup, and sets settings that will
|
|
|
|
|
affect other virtualHosts running on your nginx instance, if any.
|
|
|
|
|
Alternatively you can configure a reverse-proxy of your choice to serve these paths:
|
|
|
|
|
|
|
|
|
|
`/ -> $(nix-instantiate --eval '<nixpkgs>' -A mastodon.outPath)/public`
|
|
|
|
|
|
|
|
|
|
`/ -> 127.0.0.1:{{ webPort }} `(If there was no file in the directory above.)
|
|
|
|
|
|
|
|
|
|
`/system/ -> /var/lib/mastodon/public-system/`
|
|
|
|
|
|
|
|
|
|
`/api/v1/streaming/ -> 127.0.0.1:{{ streamingPort }}`
|
|
|
|
|
|
|
|
|
|
Make sure that websockets are forwarded properly. You might want to set up caching
|
|
|
|
|
of some requests. Take a look at mastodon's provided nginx configuration at
|
2022-03-30 15:13:03 +01:00
|
|
|
`https://github.com/mastodon/mastodon/blob/master/dist/nginx.conf`.
|
2019-05-02 15:51:12 +01:00
|
|
|
'';
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
user = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
User under which mastodon runs. If it is set to "mastodon",
|
|
|
|
|
that user will be created, otherwise it should be set to the
|
2022-11-30 23:13:57 +00:00
|
|
|
name of a user created elsewhere.
|
|
|
|
|
In both cases, the `mastodon` package will be added to the user's package set
|
|
|
|
|
and a tootctl wrapper to system packages that switches to the configured account
|
|
|
|
|
and load the right environment.
|
2019-05-02 15:51:12 +01:00
|
|
|
'';
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "mastodon";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
group = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Group under which mastodon runs.
|
|
|
|
|
'';
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "mastodon";
|
|
|
|
|
};
|
|
|
|
|
|
2021-09-04 10:07:04 +01:00
|
|
|
streamingProcesses = lib.mkOption {
|
|
|
|
|
description = ''
|
2023-08-23 15:26:32 +01:00
|
|
|
Number of processes used by the mastodon-streaming service.
|
2023-11-27 23:49:16 +00:00
|
|
|
Please define this explicitly, recommended is the amount of your CPU cores minus one.
|
2021-09-04 10:07:04 +01:00
|
|
|
'';
|
2023-08-23 15:26:32 +01:00
|
|
|
type = lib.types.ints.positive;
|
|
|
|
|
example = 3;
|
2021-09-04 10:07:04 +01:00
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
|
|
|
|
|
webPort = lib.mkOption {
|
|
|
|
|
description = "TCP port used by the mastodon-web service.";
|
|
|
|
|
type = lib.types.port;
|
|
|
|
|
default = 55001;
|
|
|
|
|
};
|
2021-09-04 10:07:04 +01:00
|
|
|
webProcesses = lib.mkOption {
|
|
|
|
|
description = "Processes used by the mastodon-web service.";
|
|
|
|
|
type = lib.types.int;
|
|
|
|
|
default = 2;
|
|
|
|
|
};
|
|
|
|
|
webThreads = lib.mkOption {
|
|
|
|
|
description = "Threads per process used by the mastodon-web service.";
|
|
|
|
|
type = lib.types.int;
|
|
|
|
|
default = 5;
|
|
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
|
|
|
|
|
sidekiqPort = lib.mkOption {
|
2021-09-04 09:53:09 +01:00
|
|
|
description = "TCP port used by the mastodon-sidekiq service.";
|
2019-05-02 15:51:12 +01:00
|
|
|
type = lib.types.port;
|
|
|
|
|
default = 55002;
|
|
|
|
|
};
|
2022-11-19 21:55:13 +00:00
|
|
|
|
2021-09-04 09:53:09 +01:00
|
|
|
sidekiqThreads = lib.mkOption {
|
2022-11-19 21:55:13 +00:00
|
|
|
description = "Worker threads used by the mastodon-sidekiq-all service. If `sidekiqProcesses` is configured and any processes specify null `threads`, this value is used.";
|
2021-09-04 09:53:09 +01:00
|
|
|
type = lib.types.int;
|
|
|
|
|
default = 25;
|
|
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
|
2022-11-19 21:55:13 +00:00
|
|
|
sidekiqProcesses = lib.mkOption {
|
|
|
|
|
description = "How many Sidekiq processes should be used to handle background jobs, and which job classes they handle. *Read the [upstream documentation](https://docs.joinmastodon.org/admin/scaling/#sidekiq) before configuring this!*";
|
|
|
|
|
type = with lib.types; attrsOf (submodule {
|
|
|
|
|
options = {
|
|
|
|
|
jobClasses = lib.mkOption {
|
|
|
|
|
type = listOf (enum [ "default" "push" "pull" "mailers" "scheduler" "ingress" ]);
|
|
|
|
|
description = "If not empty, which job classes should be executed by this process. *Only one process should handle the 'scheduler' class. If left empty, this process will handle the 'scheduler' class.*";
|
|
|
|
|
};
|
|
|
|
|
threads = lib.mkOption {
|
|
|
|
|
type = nullOr int;
|
|
|
|
|
description = "Number of threads this process should use for executing jobs. If null, the configured `sidekiqThreads` are used.";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
default = {
|
|
|
|
|
all = {
|
|
|
|
|
jobClasses = [ ];
|
|
|
|
|
threads = null;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
example = {
|
|
|
|
|
all = {
|
|
|
|
|
jobClasses = [ ];
|
|
|
|
|
threads = null;
|
|
|
|
|
};
|
|
|
|
|
ingress = {
|
|
|
|
|
jobClasses = [ "ingress" ];
|
|
|
|
|
threads = 5;
|
|
|
|
|
};
|
|
|
|
|
default = {
|
|
|
|
|
jobClasses = [ "default" ];
|
|
|
|
|
threads = 10;
|
|
|
|
|
};
|
|
|
|
|
push-pull = {
|
|
|
|
|
jobClasses = [ "push" "pull" ];
|
|
|
|
|
threads = 5;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
vapidPublicKeyFile = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Path to file containing the public key used for Web Push
|
|
|
|
|
Voluntary Application Server Identification. A new keypair can
|
|
|
|
|
be generated by running:
|
|
|
|
|
|
|
|
|
|
`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys`
|
|
|
|
|
|
|
|
|
|
If {option}`mastodon.vapidPrivateKeyFile`does not
|
|
|
|
|
exist, it and this file will be created with a new keypair.
|
|
|
|
|
'';
|
|
|
|
|
default = "/var/lib/mastodon/secrets/vapid-public-key";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
localDomain = lib.mkOption {
|
|
|
|
|
description = "The domain serving your Mastodon instance.";
|
|
|
|
|
example = "social.example.org";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
secretKeyBaseFile = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Path to file containing the secret key base.
|
|
|
|
|
A new secret key base can be generated by running:
|
|
|
|
|
|
|
|
|
|
`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
|
|
|
|
|
|
|
|
|
|
If this file does not exist, it will be created with a new secret key base.
|
|
|
|
|
'';
|
|
|
|
|
default = "/var/lib/mastodon/secrets/secret-key-base";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
otpSecretFile = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Path to file containing the OTP secret.
|
|
|
|
|
A new OTP secret can be generated by running:
|
|
|
|
|
|
|
|
|
|
`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake secret`
|
|
|
|
|
|
|
|
|
|
If this file does not exist, it will be created with a new OTP secret.
|
|
|
|
|
'';
|
|
|
|
|
default = "/var/lib/mastodon/secrets/otp-secret";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
vapidPrivateKeyFile = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Path to file containing the private key used for Web Push
|
|
|
|
|
Voluntary Application Server Identification. A new keypair can
|
|
|
|
|
be generated by running:
|
|
|
|
|
|
|
|
|
|
`nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys`
|
|
|
|
|
|
|
|
|
|
If this file does not exist, it will be created with a new
|
|
|
|
|
private key.
|
|
|
|
|
'';
|
|
|
|
|
default = "/var/lib/mastodon/secrets/vapid-private-key";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
};
|
|
|
|
|
|
2021-02-13 15:37:26 +00:00
|
|
|
trustedProxy = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
You need to set it to the IP from which your reverse proxy sends requests to Mastodon's web process,
|
|
|
|
|
otherwise Mastodon will record the reverse proxy's own IP as the IP of all requests, which would be
|
|
|
|
|
bad because IP addresses are used for important rate limits and security functions.
|
|
|
|
|
'';
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "127.0.0.1";
|
|
|
|
|
};
|
|
|
|
|
|
2021-02-13 17:47:14 +00:00
|
|
|
enableUnixSocket = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Instead of binding to an IP address like 127.0.0.1, you may bind to a Unix socket. This variable
|
|
|
|
|
is process-specific, e.g. you need different values for every process, and it works for both web (Puma)
|
|
|
|
|
processes and streaming API (Node.js) processes.
|
|
|
|
|
'';
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
};
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
redis = {
|
|
|
|
|
createLocally = lib.mkOption {
|
|
|
|
|
description = "Configure local Redis server for Mastodon.";
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
host = lib.mkOption {
|
|
|
|
|
description = "Redis host.";
|
2024-02-17 17:46:55 +00:00
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
|
default = if cfg.redis.createLocally && !cfg.redis.enableUnixSocket then "127.0.0.1" else null;
|
|
|
|
|
defaultText = lib.literalExpression ''
|
|
|
|
|
if config.${opt.redis.createLocally} && !config.${opt.redis.enableUnixSocket} then "127.0.0.1" else null
|
|
|
|
|
'';
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
port = lib.mkOption {
|
|
|
|
|
description = "Redis port.";
|
2024-02-17 17:46:55 +00:00
|
|
|
type = lib.types.nullOr lib.types.port;
|
|
|
|
|
default = if cfg.redis.createLocally && !cfg.redis.enableUnixSocket then 31637 else null;
|
|
|
|
|
defaultText = lib.literalExpression ''
|
|
|
|
|
if config.${opt.redis.createLocally} && !config.${opt.redis.enableUnixSocket} then 31637 else null
|
|
|
|
|
'';
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
2023-11-29 07:20:16 +00:00
|
|
|
|
2024-02-16 18:29:30 +00:00
|
|
|
passwordFile = lib.mkOption {
|
|
|
|
|
description = "A file containing the password for Redis database.";
|
|
|
|
|
type = lib.types.nullOr lib.types.path;
|
|
|
|
|
default = null;
|
|
|
|
|
example = "/run/keys/mastodon-redis-password";
|
|
|
|
|
};
|
|
|
|
|
|
2023-11-29 07:20:16 +00:00
|
|
|
enableUnixSocket = lib.mkOption {
|
|
|
|
|
description = "Use Unix socket";
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
database = {
|
|
|
|
|
createLocally = lib.mkOption {
|
|
|
|
|
description = "Configure local PostgreSQL database server for Mastodon.";
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
host = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "/run/postgresql";
|
|
|
|
|
example = "192.168.23.42";
|
|
|
|
|
description = "Database host address or unix socket.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
port = lib.mkOption {
|
2022-03-22 19:21:47 +00:00
|
|
|
type = lib.types.nullOr lib.types.port;
|
|
|
|
|
default = if cfg.database.createLocally then null else 5432;
|
|
|
|
|
defaultText = lib.literalExpression ''
|
|
|
|
|
if config.${opt.database.createLocally}
|
|
|
|
|
then null
|
|
|
|
|
else 5432
|
|
|
|
|
'';
|
2019-05-02 15:51:12 +01:00
|
|
|
description = "Database host port.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
name = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "mastodon";
|
|
|
|
|
description = "Database name.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
user = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "mastodon";
|
|
|
|
|
description = "Database user.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
passwordFile = lib.mkOption {
|
|
|
|
|
type = lib.types.nullOr lib.types.path;
|
2022-03-22 19:21:47 +00:00
|
|
|
default = null;
|
|
|
|
|
example = "/var/lib/mastodon/secrets/db-password";
|
2019-05-02 15:51:12 +01:00
|
|
|
description = ''
|
|
|
|
|
A file containing the password corresponding to
|
|
|
|
|
{option}`database.user`.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
smtp = {
|
|
|
|
|
createLocally = lib.mkOption {
|
|
|
|
|
description = "Configure local Postfix SMTP server for Mastodon.";
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
authenticate = lib.mkOption {
|
|
|
|
|
description = "Authenticate with the SMTP server using username and password.";
|
|
|
|
|
type = lib.types.bool;
|
2021-02-13 14:49:13 +00:00
|
|
|
default = false;
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
host = lib.mkOption {
|
|
|
|
|
description = "SMTP host used when sending emails to users.";
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "127.0.0.1";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
port = lib.mkOption {
|
|
|
|
|
description = "SMTP port used when sending emails to users.";
|
|
|
|
|
type = lib.types.port;
|
|
|
|
|
default = 25;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
fromAddress = lib.mkOption {
|
|
|
|
|
description = ''"From" address used when sending Emails to users.'';
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
user = lib.mkOption {
|
2022-05-14 16:12:55 +01:00
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
|
default = null;
|
|
|
|
|
example = "mastodon@example.com";
|
2019-05-02 15:51:12 +01:00
|
|
|
description = "SMTP login name.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
passwordFile = lib.mkOption {
|
2022-05-14 16:12:55 +01:00
|
|
|
type = lib.types.nullOr lib.types.path;
|
|
|
|
|
default = null;
|
|
|
|
|
example = "/var/lib/mastodon/secrets/smtp-password";
|
2019-05-02 15:51:12 +01:00
|
|
|
description = ''
|
|
|
|
|
Path to file containing the SMTP password.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
elasticsearch = {
|
|
|
|
|
host = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Elasticsearch host.
|
|
|
|
|
If it is not null, Elasticsearch full text search will be enabled.
|
|
|
|
|
'';
|
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
|
default = null;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
port = lib.mkOption {
|
|
|
|
|
description = "Elasticsearch port.";
|
|
|
|
|
type = lib.types.port;
|
|
|
|
|
default = 9200;
|
|
|
|
|
};
|
2023-10-21 20:42:47 +01:00
|
|
|
|
|
|
|
|
preset = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
It controls the ElasticSearch indices configuration (number of shards and replica).
|
|
|
|
|
'';
|
|
|
|
|
type = lib.types.enum [ "single_node_cluster" "small_cluster" "large_cluster" ];
|
|
|
|
|
default = "single_node_cluster";
|
|
|
|
|
example = "large_cluster";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
user = lib.mkOption {
|
|
|
|
|
description = "Used for optionally authenticating with Elasticsearch.";
|
|
|
|
|
type = lib.types.nullOr lib.types.str;
|
|
|
|
|
default = null;
|
|
|
|
|
example = "elasticsearch-mastodon";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
passwordFile = lib.mkOption {
|
|
|
|
|
description = ''
|
|
|
|
|
Path to file containing password for optionally authenticating with Elasticsearch.
|
|
|
|
|
'';
|
|
|
|
|
type = lib.types.nullOr lib.types.path;
|
|
|
|
|
default = null;
|
|
|
|
|
example = "/var/lib/mastodon/secrets/elasticsearch-password";
|
|
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
package = lib.mkOption {
|
|
|
|
|
type = lib.types.package;
|
|
|
|
|
default = pkgs.mastodon;
|
2021-10-03 17:06:03 +01:00
|
|
|
defaultText = lib.literalExpression "pkgs.mastodon";
|
2019-05-02 15:51:12 +01:00
|
|
|
description = "Mastodon package to use.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
extraConfig = lib.mkOption {
|
|
|
|
|
type = lib.types.attrs;
|
|
|
|
|
default = {};
|
|
|
|
|
description = ''
|
|
|
|
|
Extra environment variables to pass to all mastodon services.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2022-12-18 19:19:44 +00:00
|
|
|
extraEnvFiles = lib.mkOption {
|
|
|
|
|
type = with lib.types; listOf path;
|
|
|
|
|
default = [];
|
|
|
|
|
description = ''
|
2023-05-20 03:11:38 +01:00
|
|
|
Extra environment files to pass to all mastodon services. Useful for passing down environmental secrets.
|
2022-12-18 19:19:44 +00:00
|
|
|
'';
|
|
|
|
|
example = [ "/etc/mastodon/s3config.env" ];
|
|
|
|
|
};
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
automaticMigrations = lib.mkOption {
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = ''
|
|
|
|
|
Do automatic database migrations.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2022-11-01 20:30:20 +00:00
|
|
|
|
|
|
|
|
mediaAutoRemove = {
|
|
|
|
|
enable = lib.mkOption {
|
|
|
|
|
type = lib.types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
example = false;
|
|
|
|
|
description = ''
|
|
|
|
|
Automatically remove remote media attachments and preview cards older than the configured amount of days.
|
|
|
|
|
|
|
|
|
|
Recommended in https://docs.joinmastodon.org/admin/setup/.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
startAt = lib.mkOption {
|
|
|
|
|
type = lib.types.str;
|
|
|
|
|
default = "daily";
|
|
|
|
|
example = "hourly";
|
|
|
|
|
description = ''
|
|
|
|
|
How often to remove remote media.
|
|
|
|
|
|
|
|
|
|
The format is described in {manpage}`systemd.time(7)`.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
olderThanDays = lib.mkOption {
|
|
|
|
|
type = lib.types.int;
|
|
|
|
|
default = 30;
|
|
|
|
|
example = 14;
|
|
|
|
|
description = ''
|
|
|
|
|
How old remote media needs to be in order to be removed.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2022-11-19 21:55:13 +00:00
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [{
|
2019-05-02 15:51:12 +01:00
|
|
|
assertions = [
|
2024-02-17 17:46:55 +00:00
|
|
|
{
|
|
|
|
|
assertion = !redisActuallyCreateLocally -> (cfg.redis.host != "127.0.0.1" && cfg.redis.port != null);
|
|
|
|
|
message = ''
|
|
|
|
|
`services.mastodon.redis.host` and `services.mastodon.redis.port` need to be set if
|
|
|
|
|
`services.mastodon.redis.createLocally` is not enabled.
|
|
|
|
|
'';
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = redisActuallyCreateLocally -> (!cfg.redis.enableUnixSocket || (cfg.redis.host == null && cfg.redis.port == null));
|
|
|
|
|
message = ''
|
|
|
|
|
`services.mastodon.redis.enableUnixSocket` needs to be disabled if
|
|
|
|
|
`services.mastodon.redis.host` and `services.mastodon.redis.port` is used.
|
|
|
|
|
'';
|
|
|
|
|
}
|
2024-02-16 18:29:30 +00:00
|
|
|
{
|
|
|
|
|
assertion = redisActuallyCreateLocally -> (!cfg.redis.enableUnixSocket || cfg.redis.passwordFile == null);
|
|
|
|
|
message = ''
|
|
|
|
|
<option>services.mastodon.redis.enableUnixSocket</option> needs to be disabled if
|
|
|
|
|
<option>services.mastodon.redis.passwordFile</option> is used.
|
|
|
|
|
'';
|
|
|
|
|
}
|
2019-05-02 15:51:12 +01:00
|
|
|
{
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 11:50:09 +00:00
|
|
|
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user && cfg.database.user == cfg.database.name);
|
2022-03-22 19:21:47 +00:00
|
|
|
message = ''
|
|
|
|
|
For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer
|
|
|
|
|
authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user
|
|
|
|
|
and services.mastodon.database.user must be identical.
|
|
|
|
|
'';
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = !databaseActuallyCreateLocally -> (cfg.database.host != "/run/postgresql");
|
|
|
|
|
message = ''
|
|
|
|
|
<option>services.mastodon.database.host</option> needs to be set if
|
|
|
|
|
<option>services.mastodon.database.createLocally</option> is not enabled.
|
|
|
|
|
'';
|
2019-05-02 15:51:12 +01:00
|
|
|
}
|
2022-05-14 16:12:55 +01:00
|
|
|
{
|
|
|
|
|
assertion = cfg.smtp.authenticate -> (cfg.smtp.user != null);
|
|
|
|
|
message = ''
|
|
|
|
|
<option>services.mastodon.smtp.user</option> needs to be set if
|
|
|
|
|
<option>services.mastodon.smtp.authenticate</option> is enabled.
|
|
|
|
|
'';
|
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
assertion = cfg.smtp.authenticate -> (cfg.smtp.passwordFile != null);
|
|
|
|
|
message = ''
|
|
|
|
|
<option>services.mastodon.smtp.passwordFile</option> needs to be set if
|
|
|
|
|
<option>services.mastodon.smtp.authenticate</option> is enabled.
|
|
|
|
|
'';
|
|
|
|
|
}
|
2023-04-06 15:12:51 +01:00
|
|
|
{
|
2023-04-20 21:57:03 +01:00
|
|
|
assertion = 1 ==
|
|
|
|
|
(lib.count (x: x)
|
|
|
|
|
(lib.mapAttrsToList
|
|
|
|
|
(_: v: builtins.elem "scheduler" v.jobClasses || v.jobClasses == [ ])
|
|
|
|
|
cfg.sidekiqProcesses));
|
|
|
|
|
message = "There must be exactly one Sidekiq queue in services.mastodon.sidekiqProcesses with jobClass \"scheduler\".";
|
2023-04-06 15:12:51 +01:00
|
|
|
}
|
2019-05-02 15:51:12 +01:00
|
|
|
];
|
|
|
|
|
|
2022-11-30 23:13:57 +00:00
|
|
|
environment.systemPackages = [ mastodonTootctl ];
|
|
|
|
|
|
2022-11-19 21:55:13 +00:00
|
|
|
systemd.targets.mastodon = {
|
|
|
|
|
description = "Target for all Mastodon services";
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
after = [ "network.target" ];
|
|
|
|
|
};
|
|
|
|
|
|
2023-08-23 15:26:32 +01:00
|
|
|
systemd.targets.mastodon-streaming = {
|
|
|
|
|
description = "Target for all Mastodon streaming services";
|
|
|
|
|
wantedBy = [ "multi-user.target" "mastodon.target" ];
|
|
|
|
|
after = [ "network.target" ];
|
|
|
|
|
};
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
systemd.services.mastodon-init-dirs = {
|
|
|
|
|
script = ''
|
|
|
|
|
umask 077
|
|
|
|
|
|
|
|
|
|
if ! test -f ${cfg.secretKeyBaseFile}; then
|
|
|
|
|
mkdir -p $(dirname ${cfg.secretKeyBaseFile})
|
|
|
|
|
bin/rake secret > ${cfg.secretKeyBaseFile}
|
|
|
|
|
fi
|
|
|
|
|
if ! test -f ${cfg.otpSecretFile}; then
|
|
|
|
|
mkdir -p $(dirname ${cfg.otpSecretFile})
|
|
|
|
|
bin/rake secret > ${cfg.otpSecretFile}
|
|
|
|
|
fi
|
|
|
|
|
if ! test -f ${cfg.vapidPrivateKeyFile}; then
|
|
|
|
|
mkdir -p $(dirname ${cfg.vapidPrivateKeyFile}) $(dirname ${cfg.vapidPublicKeyFile})
|
|
|
|
|
keypair=$(bin/rake webpush:generate_keys)
|
|
|
|
|
echo $keypair | grep --only-matching "Private -> [^ ]\+" | sed 's/^Private -> //' > ${cfg.vapidPrivateKeyFile}
|
|
|
|
|
echo $keypair | grep --only-matching "Public -> [^ ]\+" | sed 's/^Public -> //' > ${cfg.vapidPublicKeyFile}
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
cat > /var/lib/mastodon/.secrets_env <<EOF
|
|
|
|
|
SECRET_KEY_BASE="$(cat ${cfg.secretKeyBaseFile})"
|
|
|
|
|
OTP_SECRET="$(cat ${cfg.otpSecretFile})"
|
|
|
|
|
VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})"
|
|
|
|
|
VAPID_PUBLIC_KEY="$(cat ${cfg.vapidPublicKeyFile})"
|
2024-02-16 18:29:30 +00:00
|
|
|
'' + lib.optionalString (cfg.redis.passwordFile != null)''
|
|
|
|
|
REDIS_PASSWORD="$(cat ${cfg.redis.passwordFile})"
|
2022-03-22 19:21:47 +00:00
|
|
|
'' + lib.optionalString (cfg.database.passwordFile != null) ''
|
2019-05-02 15:51:12 +01:00
|
|
|
DB_PASS="$(cat ${cfg.database.passwordFile})"
|
2022-03-22 19:21:47 +00:00
|
|
|
'' + lib.optionalString cfg.smtp.authenticate ''
|
2019-05-02 15:51:12 +01:00
|
|
|
SMTP_PASSWORD="$(cat ${cfg.smtp.passwordFile})"
|
2023-10-21 20:42:47 +01:00
|
|
|
'' + lib.optionalString (cfg.elasticsearch.passwordFile != null) ''
|
|
|
|
|
ES_PASS="$(cat ${cfg.elasticsearch.passwordFile})"
|
2022-03-22 19:21:47 +00:00
|
|
|
'' + ''
|
2019-05-02 15:51:12 +01:00
|
|
|
EOF
|
|
|
|
|
'';
|
2021-02-12 19:31:44 +00:00
|
|
|
environment = env;
|
2019-05-02 15:51:12 +01:00
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
2022-11-19 21:55:13 +00:00
|
|
|
SyslogIdentifier = "mastodon-init-dirs";
|
2021-04-24 13:43:26 +01:00
|
|
|
# System Call Filtering
|
2021-05-12 09:34:26 +01:00
|
|
|
SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ];
|
2021-02-13 18:47:41 +00:00
|
|
|
} // cfgService;
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
after = [ "network.target" ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services.mastodon-init-db = lib.mkIf cfg.automaticMigrations {
|
2021-02-15 15:44:38 +00:00
|
|
|
script = lib.optionalString (!databaseActuallyCreateLocally) ''
|
|
|
|
|
umask 077
|
2023-12-15 22:13:37 +00:00
|
|
|
export PGPASSWORD="$(cat '${cfg.database.passwordFile}')"
|
2021-02-15 15:44:38 +00:00
|
|
|
'' + ''
|
2024-03-22 15:53:27 +00:00
|
|
|
result="$(psql -t --csv -c \
|
|
|
|
|
"select count(*) from pg_class c \
|
|
|
|
|
join pg_namespace s on s.oid = c.relnamespace \
|
|
|
|
|
where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
|
|
|
|
|
and s.nspname not like 'pg_temp%';")" || error_code=$?
|
|
|
|
|
if [ "''${error_code:-0}" -ne 0 ]; then
|
|
|
|
|
echo "Failure checking if database is seeded. psql gave exit code $error_code"
|
|
|
|
|
exit "$error_code"
|
|
|
|
|
fi
|
|
|
|
|
if [ "$result" -eq 0 ]; then
|
2023-12-15 22:13:37 +00:00
|
|
|
echo "Seeding database"
|
2021-05-17 20:03:40 +01:00
|
|
|
SAFETY_ASSURED=1 rails db:schema:load
|
|
|
|
|
rails db:seed
|
2019-05-02 15:51:12 +01:00
|
|
|
else
|
2023-12-15 22:13:37 +00:00
|
|
|
echo "Migrating database (this might be a noop)"
|
2021-05-17 20:03:40 +01:00
|
|
|
rails db:migrate
|
2019-05-02 15:51:12 +01:00
|
|
|
fi
|
2021-02-15 15:44:38 +00:00
|
|
|
'' + lib.optionalString (!databaseActuallyCreateLocally) ''
|
2023-12-15 22:13:37 +00:00
|
|
|
unset PGPASSWORD
|
2019-05-02 15:51:12 +01:00
|
|
|
'';
|
2024-08-17 12:41:24 +01:00
|
|
|
path = [ cfg.package config.services.postgresql.package ];
|
2022-03-22 19:21:47 +00:00
|
|
|
environment = env // lib.optionalAttrs (!databaseActuallyCreateLocally) {
|
|
|
|
|
PGHOST = cfg.database.host;
|
2023-12-15 22:13:37 +00:00
|
|
|
PGPORT = toString cfg.database.port;
|
|
|
|
|
PGDATABASE = cfg.database.name;
|
2022-03-22 19:21:47 +00:00
|
|
|
PGUSER = cfg.database.user;
|
|
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
2022-12-18 19:19:44 +00:00
|
|
|
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
|
2019-05-02 15:51:12 +01:00
|
|
|
WorkingDirectory = cfg.package;
|
2021-04-24 13:43:26 +01:00
|
|
|
# System Call Filtering
|
2021-05-12 09:34:26 +01:00
|
|
|
SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ];
|
2021-02-13 18:47:41 +00:00
|
|
|
} // cfgService;
|
2022-10-26 12:30:18 +01:00
|
|
|
after = [ "network.target" "mastodon-init-dirs.service" ]
|
|
|
|
|
++ lib.optional databaseActuallyCreateLocally "postgresql.service";
|
|
|
|
|
requires = [ "mastodon-init-dirs.service" ]
|
|
|
|
|
++ lib.optional databaseActuallyCreateLocally "postgresql.service";
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services.mastodon-web = {
|
2024-02-17 17:58:45 +00:00
|
|
|
after = [ "network.target" "mastodon-init-dirs.service" ] ++ commonServices;
|
|
|
|
|
requires = [ "mastodon-init-dirs.service" ] ++ commonServices;
|
2022-11-19 21:55:13 +00:00
|
|
|
wantedBy = [ "mastodon.target" ];
|
2022-10-26 12:30:18 +01:00
|
|
|
description = "Mastodon web";
|
2021-02-13 17:47:14 +00:00
|
|
|
environment = env // (if cfg.enableUnixSocket
|
|
|
|
|
then { SOCKET = "/run/mastodon-web/web.socket"; }
|
|
|
|
|
else { PORT = toString(cfg.webPort); }
|
|
|
|
|
);
|
2019-05-02 15:51:12 +01:00
|
|
|
serviceConfig = {
|
|
|
|
|
ExecStart = "${cfg.package}/bin/puma -C config/puma.rb";
|
|
|
|
|
Restart = "always";
|
|
|
|
|
RestartSec = 20;
|
2022-12-18 19:19:44 +00:00
|
|
|
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
|
2021-02-13 18:47:41 +00:00
|
|
|
WorkingDirectory = cfg.package;
|
2021-02-13 17:47:14 +00:00
|
|
|
# Runtime directory and mode
|
|
|
|
|
RuntimeDirectory = "mastodon-web";
|
|
|
|
|
RuntimeDirectoryMode = "0750";
|
2021-04-24 13:43:26 +01:00
|
|
|
# System Call Filtering
|
2021-11-06 18:39:27 +00:00
|
|
|
SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ];
|
2021-02-13 18:47:41 +00:00
|
|
|
} // cfgService;
|
2023-12-20 15:01:55 +00:00
|
|
|
path = with pkgs; [ ffmpeg-headless file imagemagick ];
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
|
2022-11-01 20:30:20 +00:00
|
|
|
systemd.services.mastodon-media-auto-remove = lib.mkIf cfg.mediaAutoRemove.enable {
|
|
|
|
|
description = "Mastodon media auto remove";
|
|
|
|
|
environment = env;
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
2022-12-18 19:19:44 +00:00
|
|
|
EnvironmentFile = [ "/var/lib/mastodon/.secrets_env" ] ++ cfg.extraEnvFiles;
|
2022-11-01 20:30:20 +00:00
|
|
|
} // cfgService;
|
2022-11-11 22:05:10 +00:00
|
|
|
script = let
|
|
|
|
|
olderThanDays = toString cfg.mediaAutoRemove.olderThanDays;
|
|
|
|
|
in ''
|
|
|
|
|
${cfg.package}/bin/tootctl media remove --days=${olderThanDays}
|
|
|
|
|
${cfg.package}/bin/tootctl preview_cards remove --days=${olderThanDays}
|
|
|
|
|
'';
|
|
|
|
|
startAt = cfg.mediaAutoRemove.startAt;
|
2022-11-01 20:30:20 +00:00
|
|
|
};
|
|
|
|
|
|
2019-05-02 15:51:12 +01:00
|
|
|
services.nginx = lib.mkIf cfg.configureNginx {
|
|
|
|
|
enable = true;
|
|
|
|
|
recommendedProxySettings = true; # required for redirections to work
|
|
|
|
|
virtualHosts."${cfg.localDomain}" = {
|
|
|
|
|
root = "${cfg.package}/public/";
|
2022-12-09 19:23:50 +00:00
|
|
|
# mastodon only supports https, but you can override this if you offload tls elsewhere.
|
|
|
|
|
forceSSL = lib.mkDefault true;
|
|
|
|
|
enableACME = lib.mkDefault true;
|
2019-05-02 15:51:12 +01:00
|
|
|
|
|
|
|
|
locations."/system/".alias = "/var/lib/mastodon/public-system/";
|
|
|
|
|
|
|
|
|
|
locations."/" = {
|
|
|
|
|
tryFiles = "$uri @proxy";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
locations."@proxy" = {
|
2021-02-13 17:47:14 +00:00
|
|
|
proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}");
|
2019-05-02 15:51:12 +01:00
|
|
|
proxyWebsockets = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
locations."/api/v1/streaming/" = {
|
2023-08-23 15:26:32 +01:00
|
|
|
proxyPass = "http://mastodon-streaming";
|
2019-05-02 15:51:12 +01:00
|
|
|
proxyWebsockets = true;
|
|
|
|
|
};
|
|
|
|
|
};
|
2023-08-23 15:26:32 +01:00
|
|
|
upstreams.mastodon-streaming = {
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
least_conn;
|
|
|
|
|
'';
|
|
|
|
|
servers = builtins.listToAttrs
|
|
|
|
|
(map (i: {
|
|
|
|
|
name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
|
|
|
|
|
value = { };
|
|
|
|
|
}) (lib.range 1 cfg.streamingProcesses));
|
|
|
|
|
};
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
services.postfix = lib.mkIf (cfg.smtp.createLocally && cfg.smtp.host == "127.0.0.1") {
|
|
|
|
|
enable = true;
|
2021-02-13 14:49:13 +00:00
|
|
|
hostname = lib.mkDefault "${cfg.localDomain}";
|
2019-05-02 15:51:12 +01:00
|
|
|
};
|
2024-02-16 18:29:30 +00:00
|
|
|
services.redis.servers.mastodon = lib.mkIf redisActuallyCreateLocally (lib.mkMerge [
|
2023-11-29 07:20:16 +00:00
|
|
|
{
|
|
|
|
|
enable = true;
|
|
|
|
|
}
|
|
|
|
|
(lib.mkIf (!cfg.redis.enableUnixSocket) {
|
|
|
|
|
port = cfg.redis.port;
|
|
|
|
|
})
|
|
|
|
|
]);
|
2019-05-02 15:51:12 +01:00
|
|
|
services.postgresql = lib.mkIf databaseActuallyCreateLocally {
|
|
|
|
|
enable = true;
|
|
|
|
|
ensureUsers = [
|
|
|
|
|
{
|
nixos/postgresql: drop ensurePermissions, fix ensureUsers for postgresql15
Closes #216989
First of all, a bit of context: in PostgreSQL, newly created users don't
have the CREATE privilege on the public schema of a database even with
`ALL PRIVILEGES` granted via `ensurePermissions` which is how most of
the DB users are currently set up "declaratively"[1]. This means e.g. a
freshly deployed Nextcloud service will break early because Nextcloud
itself cannot CREATE any tables in the public schema anymore.
The other issue here is that `ensurePermissions` is a mere hack. It's
effectively a mixture of SQL code (e.g. `DATABASE foo` is relying on how
a value is substituted in a query. You'd have to parse a subset of SQL
to actually know which object are permissions granted to for a user).
After analyzing the existing modules I realized that in every case with
a single exception[2] the UNIX system user is equal to the db user is
equal to the db name and I don't see a compelling reason why people
would change that in 99% of the cases. In fact, some modules would even
break if you'd change that because the declarations of the system user &
the db user are mixed up[3].
So I decided to go with something new which restricts the ways to use
`ensure*` options rather than expanding those[4]. Effectively this means
that
* The DB user _must_ be equal to the DB name.
* Permissions are granted via `ensureDBOwnerhip` for an attribute-set in
`ensureUsers`. That way, the user is actually the owner and can
perform `CREATE`.
* For such a postgres user, a database must be declared in
`ensureDatabases`.
For anything else, a custom state management should be implemented. This
can either be `initialScript`, doing it manual, outside of the module or
by implementing proper state management for postgresql[5], but the
current state of `ensure*` isn't even declarative, but a convergent tool
which is what Nix actually claims to _not_ do.
Regarding existing setups: there are effectively two options:
* Leave everything as-is (assuming that system user == db user == db
name): then the DB user will automatically become the DB owner and
everything else stays the same.
* Drop the `createDatabase = true;` declarations: nothing will change
because a removal of `ensure*` statements is ignored, so it doesn't
matter at all whether this option is kept after the first deploy (and
later on you'd usually restore from backups anyways).
The DB user isn't the owner of the DB then, but for an existing setup
this is irrelevant because CREATE on the public schema isn't revoked
from existing users (only not granted for new users).
[1] not really declarative though because removals of these statements
are simply ignored for instance: https://github.com/NixOS/nixpkgs/issues/206467
[2] `services.invidious`: I removed the `ensure*` part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
https://github.com/NixOS/nixpkgs/pull/265857
[3] e.g. roundcube had `"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";`
[4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
_never_ touched again when changing those.
[5] As suggested in e.g. https://github.com/NixOS/nixpkgs/issues/206467
2023-11-08 11:50:09 +00:00
|
|
|
name = cfg.database.name;
|
|
|
|
|
ensureDBOwnership = true;
|
2019-05-02 15:51:12 +01:00
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
ensureDatabases = [ cfg.database.name ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
users.users = lib.mkMerge [
|
|
|
|
|
(lib.mkIf (cfg.user == "mastodon") {
|
|
|
|
|
mastodon = {
|
|
|
|
|
isSystemUser = true;
|
|
|
|
|
home = cfg.package;
|
|
|
|
|
inherit (cfg) group;
|
|
|
|
|
};
|
|
|
|
|
})
|
2022-11-30 23:13:57 +00:00
|
|
|
(lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package pkgs.imagemagick ])
|
2023-11-29 07:20:16 +00:00
|
|
|
(lib.mkIf (cfg.redis.createLocally && cfg.redis.enableUnixSocket) {${config.services.mastodon.user}.extraGroups = [ "redis-mastodon" ];})
|
2019-05-02 15:51:12 +01:00
|
|
|
];
|
|
|
|
|
|
2021-02-17 01:07:01 +00:00
|
|
|
users.groups.${cfg.group}.members = lib.optional cfg.configureNginx config.services.nginx.user;
|
2022-11-19 21:55:13 +00:00
|
|
|
}
|
2023-08-23 15:26:32 +01:00
|
|
|
{ systemd.services = lib.mkMerge [ sidekiqUnits streamingUnits ]; }
|
2022-11-19 21:55:13 +00:00
|
|
|
]);
|
2019-05-02 15:51:12 +01:00
|
|
|
|
|
|
|
|
meta.maintainers = with lib.maintainers; [ happy-river erictapen ];
|
|
|
|
|
|
|
|
|
|
}
|
