Migrate Mastodon to NixOS

config/hosts/mastodon/configuration.nix

@@ -0,0 +1,43 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "mastodon";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 8443 ];
+    };
+  };
+
+  fileSystems = {
+    "/mnt/data" = {
+      device = "/dev/disk/by-label/data";
+      fsType = "ext4";
+      autoResize = true;
+    };
+    "/var/lib/mastodon/public-system" = {
+      depends = [ "/mnt/data" ];
+      device = "/mnt/data/mastodon";
+      fsType = "none";
+      options = [ "bind" "X-mount.owner=mastodon" "X-mount.group=mastodon" ];
+    };
+    "/var/lib/postgresql" = {
+      depends = [ "/mnt/data" ];
+      device = "/mnt/data/postgresql";
+      fsType = "none";
+      options = [ "bind" "X-mount.owner=postgres" "X-mount.group=postgres" ];
+    };
+    "/var/lib/private/opensearch/data" = {
+      depends = [ "/mnt/data" ];
+      device = "/mnt/data/opensearch";
+      fsType = "none";
+      options = [ "bind" "X-mount.owner=opensearch" "X-mount.group=opensearch" ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}

config/hosts/mastodon/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./mastodon.nix
+    ./opensearch.nix
+    ./nginx.nix
+  ];
+}

config/hosts/mastodon/mastodon.nix

@@ -0,0 +1,51 @@
+{ pkgs, ... }:
+let
+  mastodonNekoversePatches = pkgs.fetchgit {
+    url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
+    hash = "sha256-+HoE3rXiJUpAUYiXj4BaOL68cCG1tN8p+TI7vRxrA1Y=";
+  };
+  mastodonNekoverseOverlay = final: prev: {
+    mastodon = (prev.mastodon.override rec {
+      version = "4.1.9";
+      srcOverride = final.applyPatches {
+        src = final.fetchgit {
+          url = "https://github.com/mastodon/mastodon.git";
+          rev = "v${version}";
+          sha256 = "sha256-xpE/mg2AeioW6NThUjLS+SBxGavG4w1xtp3BOMADfYo=";
+        };
+        patches = [
+          "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
+          "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
+          "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch"
+          "${mastodonNekoversePatches}/patches/005_improve_custom_emoji_support.patch"
+          "${mastodonNekoversePatches}/patches/006_increase_display_name_character_limit.patch"
+          "${mastodonNekoversePatches}/patches/007_increase_toot_character_limit.patch"
+        ];
+      };
+    });
+  };
+  pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
+in
+{
+  services.mastodon = {
+    enable = true;
+    package = pkgs-overlay.mastodon;
+    localDomain = "social.nekover.se";
+    secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
+    otpSecretFile = "/secrets/mastodon-otp-secret.secret";
+    vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
+    smtp = {
+      authenticate = true;
+      host = "mail-1.grzb.de";
+      port = 465;
+      user = "social@nekover.se";
+      passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
+      fromAddress = "Nekoverse <nyareply@nekover.se>";
+    };
+    extraConfig = {
+      SMTP_TLS = "true";
+      ES_PRESET = "single_node_cluster";
+    };
+    elasticsearch.host = "127.0.0.1";
+  };
+}

config/hosts/mastodon/nginx.nix

@@ -0,0 +1,48 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    group = "mastodon";
+    virtualHosts."social.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
+        }
+      ];
+
+      root = "${config.services.mastodon.package}/public/";
+
+      locations = {
+        "/" = {
+          tryFiles = "$uri @proxy";
+        };
+
+        "/system/".alias = "/var/lib/mastodon/public-system/";
+
+        "^~ /api/v1/streaming" = {
+          proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+          proxyWebsockets = true;
+        };
+
+        "@proxy" = {
+          proxyPass = "http://unix:/run/mastodon-web/web.socket";
+          proxyWebsockets = true;
+        };
+      };
+
+      extraConfig = ''
+        set_real_ip_from 10.202.41.100;
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}

config/hosts/mastodon/opensearch.nix

@@ -0,0 +1,5 @@
+{ ... }: {
+  services.opensearch = {
+    enable = true;
+  };
+}

config/hosts/mastodon/secrets.nix

@@ -0,0 +1,37 @@
+{ ... }:
+{
+  deployment.keys = {
+    "mastodon-secret-key-base.secret" = {
+      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+    "mastodon-otp-secret.secret" = {
+      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+    "mastodon-vapid-private-key.secret" = {
+      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+    "mastodon-email-smtp-pass.secret" = {
+      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}