From 0bc6dc0ce8f24469bb81b772720fbbee8ca5c203 Mon Sep 17 00:00:00 2001
From: Julien Malka <julien@malka.sh>
Date: Fri, 10 Jan 2025 02:33:09 +0100
Subject: [PATCH] feat(gustave): init mastodon

---
 machines/biblios/garage.nix   |  25 +++++++++++++++++++++
 machines/gustave/default.nix  |   1 +
 machines/gustave/mastodon.nix |  41 ++++++++++++++++++++++++++++++++++
 secrets/mastodon-env.age      | Bin 0 -> 685 bytes
 secrets/secrets.nix           |   6 +++++
 5 files changed, 73 insertions(+)
 create mode 100644 machines/gustave/mastodon.nix
 create mode 100644 secrets/mastodon-env.age

diff --git a/machines/biblios/garage.nix b/machines/biblios/garage.nix
index 20b3822..b7109c1 100644
--- a/machines/biblios/garage.nix
+++ b/machines/biblios/garage.nix
@@ -21,6 +21,12 @@ in
         api_bind_addr = "[::]:3900";
         root_domain = ".${api_domain}";
       };
+      s3_web = {
+        bind_addr = "127.0.0.1:3902";
+        root_domain = ".cdn.luj.fr";
+        index = "index.html";
+      };
+
       rpc_bind_addr = "[::]:3901";
       rpc_public_addr = "127.0.0.1:3901";
 
@@ -43,4 +49,23 @@ in
       '';
     };
   };
+
+  services.nginx.virtualHosts."cdn.luj.fr" = {
+    enableACME = true;
+    forceSSL = true;
+    serverAliases = [ "cdn.social.luj.fr" ];
+    locations."/".extraConfig = ''
+      proxy_pass http://127.0.0.1:3902;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Host $host;
+    '';
+  };
+
+  machine.meta.zones."luj.fr".subdomains."social".subdomains."cdn".A = [
+    config.machine.meta.ips.public.ipv4
+  ];
+  machine.meta.zones."luj.fr".subdomains."social".subdomains."cdn".AAAA = [
+    config.machine.meta.ips.public.ipv6
+  ];
+
 }
diff --git a/machines/gustave/default.nix b/machines/gustave/default.nix
index 418cffd..370a90c 100644
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@@ -15,6 +15,7 @@
     ./readeck.nix
     ./plausible.nix
     ./nextcloud.nix
+    ./mastodon.nix
   ];
 
   machine.meta = {
diff --git a/machines/gustave/mastodon.nix b/machines/gustave/mastodon.nix
new file mode 100644
index 0000000..f5a6c08
--- /dev/null
+++ b/machines/gustave/mastodon.nix
@@ -0,0 +1,41 @@
+{ config, ... }:
+
+{
+
+  age.secrets."mastodon-env".file = ../../secrets/mastodon-env.age;
+
+  services.mastodon = {
+    enable = true;
+    localDomain = "social.luj.fr";
+    configureNginx = true;
+    extraConfig.SINGLE_USER_MODE = "true";
+    streamingProcesses = 10;
+    extraConfig = {
+      OIDC_ENABLED = "true";
+      OIDC_DISPLAY_NAME = "Luj - SSO";
+      OIDC_DISCOVERY = "true";
+      OIDC_ISSUER = "https://auth.luj.fr/oauth2/openid/mastodon";
+      OIDC_SCOPE = "openid,profile,email";
+      OIDC_UID_FIELD = "email";
+      OIDC_CLIENT_ID = "mastodon";
+      OIDC_REDIRECT_URI = "https://social.luj.fr/auth/auth/openid_connect/callback";
+      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+      ONE_CLICK_SSO_LOGIN = "true";
+
+      # S3
+      S3_ENABLED = "true";
+      S3_BUCKET = "mastodon";
+      S3_REGION = "paris";
+      S3_ENDPOINT = "https://s3.luj.fr";
+      S3_HOSTNAME = "s3.luj.fr";
+      S3_ALIAS_HOST = "cdn.social.luj.fr";
+      SMTP_SERVER = "mail.luj.fr";
+      SMTP_PORT = "587";
+      SMTP_FROM_ADDRESS = "infra@luj.fr";
+      SMTP_LOGIN = "luj";
+    };
+    extraEnvFiles = [ config.age.secrets."mastodon-env".path ];
+
+  };
+
+}
diff --git a/secrets/mastodon-env.age b/secrets/mastodon-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..d5a0eb3bff1f522208e133f40ccb1450abf618ba
GIT binary patch
literal 685
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4EQ~NJNmmGRPs;YF
z3{5LB&31CL2rP4T2{bS;DG3ZSjnWU%cQi9{52-Ns3oa}5FyS(DEr~47Hucapw8#h!
z2{ug0@u?_INpTEyDK3b}FfOxjtuS;B4e{1@^hCF<)VMMtDp0|x%C{)Y#HY|PDAdWo
z!p+}5z{}I1+@dNuC@(j!!qKp}$Sc!HKh@3CFqA9YGu<-HG}R}qu&~nIFD;|UHP<An
zC@dn&IbS=!JW|`c!XQ7*+|fI<$`Rc*&ma%SY)1tr6W^r3G?OeJ$I`M~BO`+_7pJP^
zC^KWTw2IvHfb0@W=bWI3NGD^9z-+Ecx3a8U*QAuxvO?{|io{6$0LwDZV&^EoZ2i>y
zluEzk)Y9bC;PfhYA73tAU0ns2>~QU<!m4slFUQJ4qZHpF-$-r8kN~5qe1o8%@|=P~
zZO3H4Y@^7c#B{D*?6Yoq&)6G~Dsl47?VR_UJ{^`ZlV$qnoNadht8}dVzi+Odc4sHe
z%#eOj7<caSf7a=&Q>K<anK5&wy`o9i0i{JxGQu7yHavIg|F^k>;X>t6$xjcu7YIKw
zu6l5T+mdg^OxatXRzD2nTy<;beUI>LSGnIk726dGPeeBee`q(okSc#D%tg=USDKW6
z62sZhLls+VU%d^qvy3{cP-yRzF2y~8G0`T*ba{%^oOr`I9Jg5F-qc=_nfHAyUrp$n
z-Sx|3%tOMh&vG1@ry6vLbwa+x3m<3Z^^FS{&&UKTZa!npyM4yKpD)A9e}*WgE2>NW
z&Ab~aeTr4P@Ze9Q?N=WqZdL7n<#bqFbH|?<6?4re^t}5o6~h?geYtk7@vOYS@Jp5e
D9uo;S

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 85b401b..d94c717 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -168,4 +168,10 @@ in
     gustave
   ];
 
+  "mastodon-env.age".publicKeys = [
+    tower
+    gallifrey
+    gustave
+  ];
+
 }