Add certificate social.c3d2.de

2022-12-02 00:33:14 +01:00 · 2022-12-02 00:33:14 +01:00 · 759df9e927
parent 67a8de43f1
commit 759df9e927
1 changed files with 54 additions and 43 deletions
--- a/hosts/mastodon/default.nix
+++ b/hosts/mastodon/default.nix
@ -5,6 +5,7 @@
    vcpu = 16;
    needForSpeed = true;
  };
+
  networking = {
    hostName = "mastodon";
    hosts = with zentralwerk.lib.config.site.net.serv; {
@ -13,65 +14,75 @@
    };
    firewall.allowedTCPPorts = [ 80 443 ];
  };
+
  system.stateVersion = "22.11";
  nixpkgs.config.allowUnfreePredicate = pkg:
    lib.getName pkg == "elasticsearch";
  
-  services.postgresql = {
-    enable = true;
-    ensureUsers = [ {
-      name = "collectd";
-      ensurePermissions = {
-        "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES";
+  services = {
+    elasticsearch = {
+      enable = true;
+      package = pkgs.elasticsearch7;
+    };
+
+    mastodon = {
+      enable = true;
+      localDomain = "c3d2.social";
+
+      smtp = {
+        host = "mail.c3d2.de";
+        port = 587;
+        fromAddress = "mail@c3d2.social";
+        authenticate = false;
      };
-    } ];
-  };
-  services.elasticsearch = {
-    enable = true;
-    package = pkgs.elasticsearch7;
-  };
-  services.mastodon = {
-    enable = true;
-    localDomain = "c3d2.social";

-    smtp = {
-      host = "mail.c3d2.de";
-      port = 587;
-      fromAddress = "mail@c3d2.social";
-      authenticate = false;
+      elasticsearch.host = "127.0.0.1";
+
+      extraConfig = {
+        ALTERNATE_DOMAINS = lib.concatStringsSep "," config.security.acme.certs."c3d2.social".extraDomainNames;
+        DEFAULT_LOCALE = "de";
+        WEB_CONCURRENCY = toString config.deployment.vcpu;
+        # MAX_THREADS = toString 5;
+
+        LDAP_ENABLED = "true";
+        LDAP_METHOD = "simple_tls";
+        LDAP_HOST = "auth.c3d2.de";
+        LDAP_PORT = "636";
+        LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de";
+        LDAP_BASE = "ou=users,dc=c3d2,dc=de";
+        LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))";
+        LDAP_UID = "uid";
+      };
+
+      configureNginx = true;
    };

-    elasticsearch.host = "127.0.0.1";
+    nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases = [
+      "${config.networking.hostName}.flpk.zentralwerk.org"
+      "social.c3d2.de"
+    ];

-    extraConfig = {
-      ALTERNATE_DOMAINS = lib.concatStringsSep "," [
-        "${config.networking.hostName}.flpk.zentralwerk.org"
-        "social.c3d2.de"
-      ];
-      DEFAULT_LOCALE = "de";
-      WEB_CONCURRENCY = toString config.deployment.vcpu;
-      # MAX_THREADS = toString 5;
-
-      LDAP_ENABLED = "true";
-      LDAP_METHOD = "simple_tls";
-      LDAP_HOST = "auth.c3d2.de";
-      LDAP_PORT = "636";
-      LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de";
-      LDAP_BASE = "ou=users,dc=c3d2,dc=de";
-      LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))";
-      LDAP_UID = "uid";
+    postgresql = {
+      enable = true;
+      ensureUsers = [ {
+        name = "collectd";
+        ensurePermissions = {
+          "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES";
+        };
+      } ];
    };
-
-    configureNginx = true;
  };
+
  # Inject LDAP secrets
  systemd.services.mastodon-init-dirs.script = lib.mkAfter ''
    cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env
  '';

-  sops.defaultSopsFile = ./secrets.yaml;
-  sops.secrets."mastodon/env" = {
-    owner = "mastodon";
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets."mastodon/env" = {
+      owner = "mastodon";
+    };
  };

  # Sidekiq monitoring