Merge branch 'feat/keycloak' of git.pub.solar:pub-solar/infra-new into feat/keycloak

This commit is contained in:
Benjamin Bädorf 2023-10-28 23:08:23 +02:00
commit 806e9dde34
No known key found for this signature in database
GPG key ID: 1B7BF5B77A521346
5 changed files with 53 additions and 3 deletions


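--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -36,7 +36,6 @@
 enable = true;
 # Different from WEB_DOMAIN in our case
 localDomain = "pub.solar";
-configureNginx = true;
 enableUnixSocket = true;
 # Processes used by the mastodon-streaming service. Defaults to the number
 # of CPU cores minus one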


@ -26,7 +26,7 @@ in
} }
resolver 8.8.8.8; resolver 8.8.8.8;
proxy_set_header Host $host; proxy_set_header Host ${objStorHost};
proxy_set_header Connection \'\'; proxy_set_header Connection \'\';
proxy_set_header Authorization \'\'; proxy_set_header Authorization \'\';
proxy_hide_header Set-Cookie; proxy_hide_header Set-Cookie;
@ -42,8 +42,10 @@ in
proxy_ignore_headers Set-Cookie; proxy_ignore_headers Set-Cookie;
proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download; proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
proxy_intercept_errors off; proxy_intercept_errors off;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_server_name on;
proxy_cache mastodon_files; proxy_cache cache;
proxy_cache_valid 200 48h; proxy_cache_valid 200 48h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_lock on; proxy_cache_lock on;
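Review bot: The upstream TLS enabled by the new `proxy_ssl_protocols` / `proxy_ssl_server_name` lines still leaves the object-storage certificate unverified, because nginx's `proxy_ssl_verify` defaults to off; combined with the plain-DNS `resolver 8.8.8.8`, an answer from the wrong endpoint would be accepted and then held in the cache for 48h. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` next to the new directives; `proxy_ssl_name` defaults to the host in `proxy_pass`, which is already `${objStorHost}`, so it needs no change. The `Host` change in the first hunk is consistent with that, since the upstream now sees its own name rather than the client-facing `$host`. Both hunks appear to sit inside a larger nginx config string whose start and end are outside this section.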


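--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+let
+cfg = config.services.mastodon;
+in
+{
+services.nginx.virtualHosts = {
+"mastodon.pub.solar" = {
+root = "${cfg.package}/public/";
+# mastodon only supports https, but you can override this if you offload tls elsewhere.
+forceSSL = lib.mkDefault true;
+enableACME = lib.mkDefault true;
+locations."/system/".alias = "/var/lib/mastodon/public-system/";
+locations."/" = {
+tryFiles = "$uri @proxy";
+};
+locations."/auth/sign_up".extraConfig = ''
+return 302 /auth/sign_in;
+'';
+locations."/auth/confirmation/new".extraConfig = ''
+return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+'';
+locations."/auth/password/new".extraConfig = ''
+return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+'';
+locations."@proxy" = {
+proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}");
+proxyWebsockets = true;
+};
+locations."/api/v1/streaming/" = {
+proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/");
+proxyWebsockets = true;
+};
+};
+};
+}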
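Review bot: The `return 302` on `/auth/sign_up` only redirects the GET form; if the intent is to disable local registration now that Keycloak owns accounts, the enforcing control is Mastodon's own registration mode in the admin settings, and this redirect should be treated as cosmetic. The same holds for `/auth/password/new` and `/auth/confirmation/new`, which send users to `auth.pub.solar` but do not disable the corresponding Mastodon endpoints, so the Keycloak-side flows must be the ones that are actually trusted. The new file also has no header explaining that it hand-rolls what `services.mastodon.configureNginx` used to generate (that option is dropped in the same commit); add `# Manual replacement for services.mastodon.configureNginx, which is disabled in the mastodon module config; keep the locations in sync with the upstream NixOS module.` above `services.nginx.virtualHosts`.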


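--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -12,7 +12,13 @@ in {
 enable = true;
 group = webserverGroup;
 enableReload = true;
+proxyCachePath.cache = {
+enable = true;
 };
+recommendedProxySettings = true;
+};
+# Nginx user needs access to mastodon unix sockets
+users.users.nginx.extraGroups = [ "mastodon" ];
 security.acme = {
 acceptTerms = true;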
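Review bot: `proxyCachePath.cache` is declared with only `enable = true`, so its size and eviction come from the NixOS module defaults, while the files proxy in this same commit keeps 200 responses for 48h (`proxy_cache_valid 200 48h`); set `maxSize` and `inactive` explicitly so the on-disk budget for cached media is a deliberate choice rather than whatever the default happens to be. The zone name `cache` is also generic where the previous zone was `mastodon_files`; a descriptive attribute name (or `keysZoneName`) makes the `proxy_cache` reference self-explanatory. `users.users.nginx.extraGroups = [ "mastodon" ]` is needed for the unix sockets, but note that it grants nginx group access to everything group-owned by `mastodon`, not only the sockets, so anything sensitive under that group should not be group-readable. The enclosing attribute set starts before the hunk.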


@ -10,6 +10,7 @@
./nix.nix ./nix.nix
./apps/nginx.nix ./apps/nginx.nix
./apps/nginx-mastodon.nix
./apps/nginx-mastodon-files.nix ./apps/nginx-mastodon-files.nix
./apps/nginx-website.nix ./apps/nginx-website.nix
./apps/mastodon.nix ./apps/mastodon.nix