From 96363ea2138ac53afb2052f6636903e60ec209e5 Mon Sep 17 00:00:00 2001 From: Clara Dautermann Date: Fri, 12 Sep 2025 14:24:10 +0200 Subject: [PATCH 1/4] setup mastodon --- .sops.yaml | 4 +++ configs/services/mastodon.nix | 68 ++++++++++++++++------------------- configs/services/misskey.nix | 44 +++++++++++++++++++++++ secrets/mastodon/secrets.yaml | 37 +++++++++++++++++++ 4 files changed, 115 insertions(+), 38 deletions(-) create mode 100644 configs/services/misskey.nix create mode 100644 secrets/mastodon/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index e1d781a..cb717ff 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -28,3 +28,7 @@ creation_rules: key_groups: - pgp: [*clara] age: [*vikunja] + - path_regex: secrets\/mastodon\/* + key_groups: + - pgp: [*clara] + age: [*mastodon] diff --git a/configs/services/mastodon.nix b/configs/services/mastodon.nix index b41e0e0..ce6fe9d 100644 --- a/configs/services/mastodon.nix +++ b/configs/services/mastodon.nix 
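Review bot: In the new creation rule, `path_regex: secrets\/mastodon\/*` matches less strictly than it looks: `\/*` means zero or more slashes and sops evaluates the regex unanchored, so any path that merely contains `secrets/mastodon` (including a sibling directory sharing that prefix) would be encrypted to the mastodon key group. `path_regex: ^secrets/mastodon/` restricts the rule to that directory; if the earlier rules (outside this hunk) use the same idiom they deserve the same tightening. The `*mastodon` alias must be defined in the keys section above the hunk, which is not visible here, and rule order matters because sops takes the first matching rule.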
@@ -1,44 +1,36 @@ { lib, pkgs, config, ... }: -let - http_port = 3000; - dbuname = "misskey"; - dbport = 5432; -in { - services = { - misskey = { - enable = true; - settings = { - url = "https://puppyplaypissparty.de"; - port = http_port; - }; - settings = { - db = { - user = dbuname; - port = dbport; - }; - setupPassword = "VMoV33ov$C6JxVVXHffuVxHaqf^Cbmr9V1GSNgkyF6pq939Wr@c1hgfN7iD9%$De"; - }; - }; + security.acme = { + acceptTerms = true; + defaults.email = "fedi@cdaut.de"; + }; - postgresql = { - enable = true; - ensureUsers = [ - { - name = dbuname; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ - dbuname - ]; - settings.port = dbport; - }; - redis = { - servers."" = { - enable = true; - }; + # set up smtp pass + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + secrets.smtp_pass = { + sopsFile = ../../secrets/mastodon/secrets.yaml; }; }; - networking.firewall.allowedTCPPorts = [ http_port ]; + + services.mastodon = { + enable = true; + streamingProcesses = 1; + localDomain = "puppyplaypissparty.de"; + configureNginx = true; + + smtp = { + fromAddress = "fedi@cdaut.de"; + host = "mail.cdaut.de"; + user = "fedi@cdaut.de"; + port = 587; + authenticate = true; + passwordFile = config.sops.secrets.smtp_pass.path; + }; + + database = { + createLocally = true; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/configs/services/misskey.nix b/configs/services/misskey.nix new file mode 100644 index 0000000..b41e0e0 --- /dev/null +++ b/configs/services/misskey.nix 
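Review bot: `sops.secrets.smtp_pass` in `configs/services/mastodon.nix` is declared without an `owner`, so sops-nix will materialise it as a root-only 0400 file; as far as I recall the NixOS mastodon module reads `smtp.passwordFile` in its init step as the mastodon user, in which case the read fails at startup, so `owner = config.services.mastodon.user;` on the secret is the usual fix — confirm against the module version in the pinned nixpkgs. `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` assumes that key exists where this module is evaluated; since `flake.nix` imports this via `mastodon_container.nix`, that would be the container's own host key, and it must be the one behind the `*mastodon` age recipient in `.sops.yaml` or decryption fails at activation. The inline `setupPassword` value removed here remains in git history; treat it as disclosed and rotate it.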
@@ -0,0 +1,44 @@ +{ lib, pkgs, config, ... }: +let + http_port = 3000; + dbuname = "misskey"; + dbport = 5432; +in +{ + services = { + misskey = { + enable = true; + settings = { + url = "https://puppyplaypissparty.de"; + port = http_port; + }; + settings = { + db = { + user = dbuname; + port = dbport; + }; + setupPassword = "VMoV33ov$C6JxVVXHffuVxHaqf^Cbmr9V1GSNgkyF6pq939Wr@c1hgfN7iD9%$De"; + }; + }; + + postgresql = { + enable = true; + ensureUsers = [ + { + name = dbuname; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ + dbuname + ]; + settings.port = dbport; + }; + redis = { + servers."" = { + enable = true; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ http_port ]; +} diff --git a/secrets/mastodon/secrets.yaml b/secrets/mastodon/secrets.yaml new file mode 100644 index 0000000..09c28b9 --- /dev/null +++ b/secrets/mastodon/secrets.yaml 
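Review bot: `setupPassword` on the new side of `configs/services/misskey.nix` is a plaintext credential committed to the repository, while the same commit already routes `smtp_pass` through sops for Mastodon; because the identical value was in `mastodon.nix` before this change it is in history regardless, so it should be rotated and the new value supplied through sops (a file-based option if the misskey module offers one, otherwise a sops template) rather than inline. Separately, the file defines `settings = { … }` twice inside `services.misskey`, which Nix rejects as a duplicate attribute; fold `url`/`port` and `db`/`setupPassword` into one `settings` block, or write them as `settings.url = …;`-style paths so they merge. `networking.firewall.allowedTCPPorts = [ http_port ]` opens port 3000 for plain HTTP although `url` advertises https; either front it with the nginx/ACME setup this commit adds for Mastodon or keep the port closed. As far as the visible `flake.nix` shows, nothing imports `misskey.nix`, so this may be a parked copy — worth confirming before it is wired in.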
@@ -0,0 +1,37 @@ +smtp_pass: ENC[AES256_GCM,data:S1vB0GIb9c0Yov/wkGiqpt6goN/XmIWPFx0TYMvqhJUXtGgjKNtkmijYBsT0,iv:xnKh4edcHRDjxHRo84KxQKx6OrZlErla3yvLIZyqeUo=,tag:ftVNoc0qnRru+Z8TF3E0wQ==,type:str] +sops: + age: + - recipient: age19efecaur72d92g452zpe4uxjtwev2ktjtaezascxg9l2p8544s8s05d93r + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2bkMvTUZKbkpCeFg2Z3I4 + L095TkFhVUNSWmNxWERicGdrZXF3dFFTcTFBCnhNTGxYSitrcGlYY2ZpTXNlQUhW + MmVocHFENmNGWXZ1QWxabG8xSTNWSmcKLS0tIFBkY1JXd3JuTVE4NEVFL2lLeUZT + YUdTMTk2V3QvN2NXWXlqbDh1SkNBZVUKI7aHgopbId8rjAKVXYstsXa36mLm1j4f + nknPOngq++hMoY/v3P2ipV+Ml0lgJt+Nk0BlA9RTBQ2FYg4cJhiOuA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-12T11:36:49Z" + mac: ENC[AES256_GCM,data:VWTDVy7Eoe71XNfKPcNUTZbfxH6BBkS+hHOCRImnZZnu8bEvdmrbvDFtKgvsmolijg870G4YVgdKiZc9REJAD2Egcq4rX6XXZi4F5AQISlU/vkQ5amUdvHAjbW9U+O67c1qxDsSOP489x3zDlR4LeoWALCXpnFNFCjBQwIIjKzM=,iv:uedmYsLS5TIMPprREzn5aRGXXJj8xKtr1mEocugiokA=,tag:jqXp8DCzqywu18gvfm5Qtw==,type:str] + pgp: + - created_at: "2025-09-12T10:53:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzwtBoBqH5ZOAQ//ePQhgxIhAoV0FXav0+Z8i9I+hri/OAvN0Isrjohss1uj + TRruFq0fxVQuvlbA1qXixPL/7bxE5dV2YGQbw+SmzD+joAo0VMvKzQzxd2cM4XUy + +S4T97lH8MlziGOTTi82Uw31PCvMy7HfgTS5ftIVPbsJ7VegDcs2OtWyqXDmNR/q + 96gSGGGb0sIirVrv1mtSlmd2vKqN7pO72DNUsnJ8wTQ3h4ntH4LB3i859q1mwLSz + OSc7BQYY2GmtdFfhHrLT0b8abF19lD/JZEGRLgfOngPlR3aDJgtoh06x3zBcQ0Hp + aqLWr1HttJNEAET80zO38cdHUPe11G+3Vw7+7EgbRjOMKKORVpby0GSjZLWJJI3M + fR3er4CgVXSeCKkNuIQx/prwEMm5iHouKMN0fruy5R4eg07mZhIuGg7RsZs1T4Sr + ekPXHtK6HCD2XmXHM2dteWbO+DMOMKsF/lihM/ct5KAGHd+cLyHk98n3extmworv + PVzOTLE5xzGmAK87OtGL7DOlpxOfhgHYf1x9idLJorJMbg5MyAK/b8fjYtibN+nJ + sSQruHhBoc0ekyeyqIWY5vgd+oRf5Rma3CcJSMTEk09SlVYSN9n7ys+lSaD4DL3z + rck2N2FG+/L5cv3FfON3yJ+c4NUydehUzihWVGTE5LLSrwCMi8Lhp87Kse3vFmTS + XAFkdKenVseFcCGk271PCSThphSKdZYGJIuoRuyrVSFbhL/L7dTAHXRu6VHuXBTP + TfeUEyRqY6zaCOAEbS4K5NhcGbhVdXATWOgTSdLYGYVXPCtTYKrwEQPtzxyN + =cTu+ + -----END 
PGP MESSAGE----- + fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 + unencrypted_suffix: _unencrypted + version: 3.10.2 From 9cf0afe3e4793d92bb9ddadb2c95217ddeb0940c Mon Sep 17 00:00:00 2001 From: Clara Dautermann Date: Fri, 12 Sep 2025 14:24:31 +0200 Subject: [PATCH 2/4] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d0fc30899600b9b3466ddb260fd83deb486c32f1?narHash=sha256-rw/PHa1cqiePdBxhF66V7R%2BWAP8WekQ0mCDG4CFqT8Y%3D' (2025-09-02) → 'github:NixOS/nixpkgs/ab0f3607a6c7486ea22229b92ed2d355f1482ee0?narHash=sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/%2BG0lKfv4kk/5Izdg%3D' (2025-09-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/3223c7a92724b5d804e9988c6b447a0d09017d48?narHash=sha256-t%2Bvoe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U%3D' (2025-08-12) → 'github:Mic92/sops-nix/0bf793823386187dff101ee2a9d4ed26de8bbf8c?narHash=sha256-S9F6bHUBh%2BCFEUalv/qxNImRapCxvSnOzWBUZgK1zDU%3D' (2025-09-10) • Updated input 'sops-nix/nixpkgs': 'github:NixOS/nixpkgs/ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c?narHash=sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs%3D' (2025-04-17) → 'github:NixOS/nixpkgs/ca77296380960cd497a765102eeb1356eb80fed0?narHash=sha256-PgLSZDBEWUHpfTRfFyklmiiLBE1i1aGCtz4eRA3POao%3D' (2025-09-05) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ba84dd6..b7c5cfe 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1756787288, - "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=", + "lastModified": 1757487488, + "narHash": "sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/+G0lKfv4kk/5Izdg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1", + "rev": "ab0f3607a6c7486ea22229b92ed2d355f1482ee0", "type": "github" }, "original": { 
@@ -18,11 +18,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1744868846, - "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "lastModified": 1757034884, + "narHash": "sha256-PgLSZDBEWUHpfTRfFyklmiiLBE1i1aGCtz4eRA3POao=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "rev": "ca77296380960cd497a765102eeb1356eb80fed0", "type": "github" }, "original": { @@ -43,11 +43,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1754988908, - "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", + "lastModified": 1757503115, + "narHash": "sha256-S9F6bHUBh+CFEUalv/qxNImRapCxvSnOzWBUZgK1zDU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", + "rev": "0bf793823386187dff101ee2a9d4ed26de8bbf8c", "type": "github" }, "original": { From 437e954072a2e2cf77c69c9bffd8fae952379e4b Mon Sep 17 00:00:00 2001 From: Clara Dautermann Date: Fri, 12 Sep 2025 14:35:31 +0200 Subject: [PATCH 3/4] disable old mc server and paperless --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 47d2054..d425d61 100644 --- a/flake.nix +++ b/flake.nix @@ -12,7 +12,7 @@ specialArgs = { inherit inputs; }; }; - mcserver = import ./configs/containers/mc_container.nix; + #mcserver = import ./configs/containers/mc_container.nix; wireguard = import ./configs/containers/wg_container.nix; @@ -22,7 +22,7 @@ mastodon = import ./configs/containers/mastodon_container.nix; - paperless = import ./configs/containers/paperless_container.nix; + #paperless = import ./configs/containers/paperless_container.nix; vikunja = import ./configs/containers/vikunja_container.nix; }; From 682aff159ff19823598100316c65f55b30ced8ea Mon Sep 17 00:00:00 2001 
From: Clara Dautermann Date: Mon, 22 Sep 2025 20:56:04 +0200 Subject: [PATCH 4/4] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/ab0f3607a6c7486ea22229b92ed2d355f1482ee0?narHash=sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/%2BG0lKfv4kk/5Izdg%3D' (2025-09-10) → 'github:NixOS/nixpkgs/8eaee110344796db060382e15d3af0a9fc396e0e?narHash=sha256-iCGWf/LTy%2BaY0zFu8q12lK8KuZp7yvdhStehhyX1v8w%3D' (2025-09-19) • Updated input 'sops-nix': 'github:Mic92/sops-nix/0bf793823386187dff101ee2a9d4ed26de8bbf8c?narHash=sha256-S9F6bHUBh%2BCFEUalv/qxNImRapCxvSnOzWBUZgK1zDU%3D' (2025-09-10) → 'github:Mic92/sops-nix/e0fdaea3c31646e252a60b42d0ed8eafdb289762?narHash=sha256-L3N8zV6wsViXiD8i3WFyrvjDdz76g3tXKEdZ4FkgQ%2BY%3D' (2025-09-21) • Updated input 'sops-nix/nixpkgs': 'github:NixOS/nixpkgs/ca77296380960cd497a765102eeb1356eb80fed0?narHash=sha256-PgLSZDBEWUHpfTRfFyklmiiLBE1i1aGCtz4eRA3POao%3D' (2025-09-05) → 'github:NixOS/nixpkgs/12bd230118a1901a4a5d393f9f56b6ad7e571d01?narHash=sha256-aBGl3XEOsjWw6W3AHiKibN7FeoG73dutQQEqnd/etR8%3D' (2025-09-19) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index b7c5cfe..8446fb7 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1757487488, - "narHash": "sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/+G0lKfv4kk/5Izdg=", + "lastModified": 1758277210, + "narHash": "sha256-iCGWf/LTy+aY0zFu8q12lK8KuZp7yvdhStehhyX1v8w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ab0f3607a6c7486ea22229b92ed2d355f1482ee0", + "rev": "8eaee110344796db060382e15d3af0a9fc396e0e", "type": "github" }, "original": { 
@@ -18,11 +18,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1757034884,
- "narHash": "sha256-PgLSZDBEWUHpfTRfFyklmiiLBE1i1aGCtz4eRA3POao=",
+ "lastModified": 1758262103,
+ "narHash": "sha256-aBGl3XEOsjWw6W3AHiKibN7FeoG73dutQQEqnd/etR8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ca77296380960cd497a765102eeb1356eb80fed0",
+ "rev": "12bd230118a1901a4a5d393f9f56b6ad7e571d01",
 "type": "github"
 },
 "original": {
@@ -43,11 +43,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1757503115,
- "narHash": "sha256-S9F6bHUBh+CFEUalv/qxNImRapCxvSnOzWBUZgK1zDU=",
+ "lastModified": 1758425756,
+ "narHash": "sha256-L3N8zV6wsViXiD8i3WFyrvjDdz76g3tXKEdZ4FkgQ+Y=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "0bf793823386187dff101ee2a9d4ed26de8bbf8c",
+ "rev": "e0fdaea3c31646e252a60b42d0ed8eafdb289762",
 "type": "github"
 },
 "original": {