nix-infra/config/hosts/mastodon/mastodon.nix

{ pkgs, ... }:
let
  tangerineUI = pkgs.fetchgit {
    url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
    rev = "v2.4.4";
    hash = "sha256-58xiS2yzv4z24IULJQWpkqV1Op6e+U6SFd1XjpAB6Go=";
  };
  mastodonModern = pkgs.fetchgit {
    url = "https://git.gay/freeplay/Mastodon-Modern.git";
    rev = "9f8db85eda2a65aa020ab6b81d100a121d39d4c4";
    hash = "sha256-W6zwjAjBGARiRPM0hWCnq63nIT2Or0SOQq82bpNtqAk=";
  };
  mastodonNekoversePatches = pkgs.fetchgit {
    url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git";
    hash = "sha256-NtdJWMi8/siduX2iFD+GAsK9J+Y6T/tZ/fXqb/QH284=";
  };
  mastodonNekoverseOverlay = final: prev: {
    mastodon = (prev.mastodon.override rec {
      version = "4.4.8";
      srcOverride = final.applyPatches {
        src = pkgs.stdenv.mkDerivation {
          name = "mastodonWithThemes";
          src = pkgs.fetchgit {
            url = "https://github.com/mastodon/mastodon.git";
            rev = "v${version}";
            sha256 = "sha256-EE0A9EH+8ND9Whig2dhM27EONjJfdVtd9g+Mo0/2iHo=";
          };
          # mastodon ships with broken symlinks, disable the check for that for now
          dontCheckForBrokenSymlinks = true;
          installPhase = ''
            cp -r ./ $out/
            cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/
            echo "@import 'mastodon/variables';
            @import 'application';" >> $out/app/javascript/styles/modern-dark.scss
            cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss
            echo "tangerineui: styles/tangerineui.scss
            tangerineui-purple: styles/tangerineui-purple.scss
            tangerineui-cherry: styles/tangerineui-cherry.scss
            tangerineui-lagoon: styles/tangerineui-lagoon.scss
            modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml
          '';
        };
        patches = [
          "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch"
          "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch"
          "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch"
          "${mastodonNekoversePatches}/patches/004_improve_custom_emoji_support.patch"
          "${mastodonNekoversePatches}/patches/005_increase_profile_limits.patch"
          "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch"
        ];
      };
      yarnHash = prev.mastodon.src.yarnHash;
      yarnMissingHashes = prev.mastodon.src.yarnMissingHashes;
    });
  };
  pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
  vapidPublicKey = pkgs.writeText "vapid-public-key" "BDCbFEDCZ8eFuWr3uEq4Qc30UFZUQeNpF8OCw6OjPwAtaKS1yTM3Ue749Xjqy5WhBDjakzlixh4Gk7gluUhIdsU=";
in
{
  services.mastodon = {
    enable = true;
    package = pkgs-overlay.mastodon;
    localDomain = "social.nekover.se";
    secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
    vapidPublicKeyFile = "${vapidPublicKey}";
    vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
    smtp = {
      authenticate = true;
      host = "mail-1.grzb.de";
      port = 465;
      user = "social@nekover.se";
      passwordFile = "/secrets/mastodon-email-smtp-pass.secret";
      fromAddress = "Nekoverse <nyareply@nekover.se>";
    };
    streamingProcesses = 3;
    activeRecordEncryptionPrimaryKeyFile = "/secrets/mastodon-active-record-encryption-primary-key.secret";
    activeRecordEncryptionKeyDerivationSaltFile = "/secrets/mastodon-active-record-encryption-key-derivation-salt.secret";
    activeRecordEncryptionDeterministicKeyFile = "/secrets/mastodon-active-record-encryption-deterministic-key.secret";
    extraConfig = {
      SMTP_TLS = "true";
      ES_PRESET = "single_node_cluster";
      OIDC_CLIENT_ID = "mastodon";
      OIDC_ENABLED = "true";
      OMNIAUTH_ONLY = "false";
      OIDC_DISPLAY_NAME = "Login with Nekoverse ID";
      OIDC_ISSUER = "https://id.nekover.se/realms/nekoverse";
      OIDC_DISCOVERY = "true";
      OIDC_SCOPE = "openid,profile,email";
      OIDC_UID_FIELD = "preferred_username";
      OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout";
      FETCH_REPLIES_ENABLED = "true";
      AUTHORIZED_FETCH = "true";
    };
    extraEnvFiles = [
      "/secrets/mastodon-keycloak-client-secret.secret"
    ];
    elasticsearch.host = "127.0.0.1";
  };
}