Add certificate social.c3d2.de

2022-12-02 00:33:14 +01:00 · 2022-12-02 00:33:14 +01:00 · 759df9e927
parent 67a8de43f1
commit 759df9e927
1 changed files with 54 additions and 43 deletions
--- a/hosts/mastodon/default.nix
+++ b/hosts/mastodon/default.nix
@ -5,6 +5,7 @@
    vcpu = 16;
    needForSpeed = true;
  };
+
  networking = {
    hostName = "mastodon";
    hosts = with zentralwerk.lib.config.site.net.serv; {
@ -13,24 +14,18 @@
    };
    firewall.allowedTCPPorts = [ 80 443 ];
  };
+
  system.stateVersion = "22.11";
  nixpkgs.config.allowUnfreePredicate = pkg:
    lib.getName pkg == "elasticsearch";
  
-  services.postgresql = {
-    enable = true;
-    ensureUsers = [ {
-      name = "collectd";
-      ensurePermissions = {
-        "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES";
-      };
-    } ];
-  };
-  services.elasticsearch = {
+  services = {
+    elasticsearch = {
      enable = true;
      package = pkgs.elasticsearch7;
    };
-  services.mastodon = {
+
+    mastodon = {
      enable = true;
      localDomain = "c3d2.social";

@ -44,10 +39,7 @@
      elasticsearch.host = "127.0.0.1";

      extraConfig = {
-      ALTERNATE_DOMAINS = lib.concatStringsSep "," [
-        "${config.networking.hostName}.flpk.zentralwerk.org"
-        "social.c3d2.de"
-      ];
+        ALTERNATE_DOMAINS = lib.concatStringsSep "," config.security.acme.certs."c3d2.social".extraDomainNames;
        DEFAULT_LOCALE = "de";
        WEB_CONCURRENCY = toString config.deployment.vcpu;
        # MAX_THREADS = toString 5;
@ -64,15 +56,34 @@

      configureNginx = true;
    };
+
+    nginx.virtualHosts.${config.services.mastodon.localDomain}.serverAliases = [
+      "${config.networking.hostName}.flpk.zentralwerk.org"
+      "social.c3d2.de"
+    ];
+
+    postgresql = {
+      enable = true;
+      ensureUsers = [ {
+        name = "collectd";
+        ensurePermissions = {
+          "DATABASE \"${config.services.mastodon.database.name}\"" = "ALL PRIVILEGES";
+        };
+      } ];
+    };
+  };
+
  # Inject LDAP secrets
  systemd.services.mastodon-init-dirs.script = lib.mkAfter ''
    cat ${config.sops.secrets."mastodon/env".path} >> /var/lib/mastodon/.secrets_env
  '';

-  sops.defaultSopsFile = ./secrets.yaml;
-  sops.secrets."mastodon/env" = {
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets."mastodon/env" = {
      owner = "mastodon";
    };
+  };

  # Sidekiq monitoring
  c3d2.hq.statistics.enable = true;