fi/nix-infra
1
2
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Migrate mastodon to sops-nix

Browse source
This commit is contained in:
Fiona Grzebien 2026-05-17 18:46:41 +02:00
commit dc965c3329
Signed by: fi
SSH key fingerprint: SHA256:HQgl5VGC4+Yw3ds/0I/DqTge63SPBXvXwhNG/gRW26U
2 changed files with 51 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

58
config/hosts/mastodon/mastodon.nix
View file

@ -61,21 +61,21 @@ in
enable = true; enable = true;
package = pkgs-overlay.mastodon; package = pkgs-overlay.mastodon;
localDomain = "social.nekover.se"; localDomain = "social.nekover.se";
secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; secretKeyBaseFile = "/run/secrets/mastodon-secret-key-base";
vapidPublicKeyFile = "${vapidPublicKey}"; vapidPublicKeyFile = "${vapidPublicKey}";
vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; vapidPrivateKeyFile = "/run/secrets/mastodon-vapid-private-key";
smtp = { smtp = {
authenticate = true; authenticate = true;
host = "mail-1.grzb.de"; host = "mail-1.grzb.de";
port = 465; port = 465;
user = "social@nekover.se"; user = "social@nekover.se";
passwordFile = "/secrets/mastodon-email-smtp-pass.secret"; passwordFile = "/run/secrets/mastodon-email-smtp-pass";
fromAddress = "Nekoverse <nyareply@nekover.se>"; fromAddress = "Nekoverse <nyareply@nekover.se>";
}; };
streamingProcesses = 3; streamingProcesses = 3;
activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret"; activeRecordEncryptionPrimaryKeyFile = "/run/secrets/mastodon-active-record-encryption-primary-key";
activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret"; activeRecordEncryptionKeyDerivationSaltFile = "/run/secrets/mastodon-active-record-encryption-key-derivation-salt";
activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret"; activeRecordEncryptionDeterministicKeyFile = "/run/secrets/mastodon-active-record-encryption-deterministic-key";
extraConfig = { extraConfig = {
SMTP_TLS = "true"; SMTP_TLS = "true";
ES_PRESET = "single_node_cluster"; ES_PRESET = "single_node_cluster";
@ -94,8 +94,52 @@ in
AUTHORIZED_FETCH = "true"; AUTHORIZED_FETCH = "true";
}; };
extraEnvFiles = [ extraEnvFiles = [
"/secrets/mastodon-keycloak-client-secret.secret" "/run/secrets/mastodon-keycloak-client-secret"
]; ];
elasticsearch.host = "127.0.0.1"; elasticsearch.host = "127.0.0.1";
}; };
sops.secrets."mastodon-secret-key-base" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-vapid-private-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-email-smtp-pass" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-primary-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-active-record-encryption-deterministic-key" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
sops.secrets."mastodon-keycloak-client-secret" = {
mode = "0440";
owner = "mastodon";
group = "mastodon";
restartUnits = [ "mastodon-web.service" ];
};
} }

61
config/hosts/mastodon/secrets.nix
View file

@ -1,61 +0,0 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"mastodon-secret-key-base.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-vapid-private-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-email-smtp-pass.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-keycloak-client-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/keycloak-client-secret" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-primary-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-primary-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-key-derivation-salt.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-key-derivation-salt" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
"mastodon-active-record-encryption-deterministic-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "mastodon/active-record-encryption-deterministic-key" ];
destDir = "/secrets";
user = "mastodon";
group = "mastodon";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}