From 759df9e9277bf039976828deeb2513f08a3135d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Fri, 2 Dec 2022 00:33:14 +0100
Subject: [PATCH] Add certificate social.c3d2.de
---
 hosts/mastodon/default.nix | 97 +++++++++++++++++++++-----------------
 1 file changed, 54 insertions(+), 43 deletions(-)
diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix
index 9d78768d..9557b126 100644
--- a/hosts/mastodon/default.nix
+++ b/hosts/mastodon/default.nix
@@ -5,6 +5,7 @@
 vcpu = 16;
 needForSpeed = true;
 };
+
 networking = {
 hostName = "mastodon";
 hosts = with zentralwerk.lib.config.site.net.serv; {
@@ -13,65 +14,75 @@
 };
 firewall.allowedTCPPorts = [ 80 443 ];
 };
+ system.stateVersion = "22.11";
 nixpkgs.config.allowUnfreePredicate = pkg: lib.getName pkg == "elasticsearch";
- services.postgresql = {
- enable = true;
- ensureUsers = [ {
- name = "collectd";
- ensurePermissions = {
- "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES";
+ services = {
+ elasticsearch = {
+ enable = true;
+ package = pkgs.elasticsearch7;
+ };
+
+ mastodon = {
+ enable = true;
+ localDomain = "c3d2.social";
+
+ smtp = {
+ host = "mail.c3d2.de";
+ port = 587;
+ fromAddress = "mail@c3d2.social";
+ authenticate = false;
 };
- } ];
- };
- services.elasticsearch = {
- enable = true;
- package = pkgs.elasticsearch7;
- };
- services.mastodon = {
- enable = true;
- localDomain = "c3d2.social";
- smtp = {
- host = "mail.c3d2.de";
- port = 587;
- fromAddress = "mail@c3d2.social";
- authenticate = false;
+ elasticsearch.host = "127.0.0.1";
+
+ extraConfig = {
+ ALTERNATE_DOMAINS = lib.concatStringsSep "," config.security.acme.certs."c3d2.social".extraDomainNames;
+ DEFAULT_LOCALE = "de";
+ WEB_CONCURRENCY = toString config.deployment.vcpu;
+ # MAX_THREADS = toString 5;
+
+ LDAP_ENABLED = "true";
+ LDAP_METHOD = "simple_tls";
+ LDAP_HOST = "auth.c3d2.de";
+ LDAP_PORT = "636";
+ LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de";
+ LDAP_BASE = "ou=users,dc=c3d2,dc=de";
+ LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))";
+ LDAP_UID = "uid";
+ };
+
+ configureNginx = true;
 };
- elasticsearch.host = "127.0.0.1";
+ nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases = [
+ "${config.networking.hostName}.flpk.zentralwerk.org"
+ "social.c3d2.de"
+ ];
- extraConfig = {
- ALTERNATE_DOMAINS = lib.concatStringsSep "," [
- "${config.networking.hostName}.flpk.zentralwerk.org"
- "social.c3d2.de"
- ];
- DEFAULT_LOCALE = "de";
- WEB_CONCURRENCY = toString config.deployment.vcpu;
- # MAX_THREADS = toString 5;
-
- LDAP_ENABLED =
"true"; - LDAP_METHOD = "simple_tls"; - LDAP_HOST = "auth.c3d2.de"; - LDAP_PORT = "636"; - LDAP_BIND_DN = "uid=search,ou=users,dc=c3d2,dc=de"; - LDAP_BASE = "ou=users,dc=c3d2,dc=de"; - LDAP_SEARCH_FILTER = "(&(objectclass=person)(|(%{uid}=%{email})(%{mail}=%{email})))"; - LDAP_UID = "uid"; + postgresql = { + enable = true; + ensureUsers = [ { + name = "collectd"; + ensurePermissions = { + "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES"; + }; + } ]; }; - - configureNginx = true; }; + # Inject LDAP secrets systemd.services.mastodon-init-dirs.script = lib.mkAfter '' cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env ''; - sops.defaultSopsFile = ./secrets.yaml; - sops.secrets."mastodon/env" = { - owner = "mastodon"; + sops = { + defaultSopsFile = ./secrets.yaml; + secrets."mastodon/env" = { + owner = "mastodon"; + }; }; # Sidekiq monitoring