forked from pub-solar/infra
Merge branch 'feat/keycloak' of git.pub.solar:pub-solar/infra-new into feat/keycloak
This commit is contained in:
commit
806e9dde34
|
@ -36,7 +36,6 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
# Different from WEB_DOMAIN in our case
|
# Different from WEB_DOMAIN in our case
|
||||||
localDomain = "pub.solar";
|
localDomain = "pub.solar";
|
||||||
configureNginx = true;
|
|
||||||
enableUnixSocket = true;
|
enableUnixSocket = true;
|
||||||
# Processes used by the mastodon-streaming service. Defaults to the number
|
# Processes used by the mastodon-streaming service. Defaults to the number
|
||||||
# of CPU cores minus one
|
# of CPU cores minus one
|
||||||
|
|
|
@ -26,7 +26,7 @@ in
|
||||||
}
|
}
|
||||||
|
|
||||||
resolver 8.8.8.8;
|
resolver 8.8.8.8;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host ${objStorHost};
|
||||||
proxy_set_header Connection \'\';
|
proxy_set_header Connection \'\';
|
||||||
proxy_set_header Authorization \'\';
|
proxy_set_header Authorization \'\';
|
||||||
proxy_hide_header Set-Cookie;
|
proxy_hide_header Set-Cookie;
|
||||||
|
@ -42,8 +42,10 @@ in
|
||||||
proxy_ignore_headers Set-Cookie;
|
proxy_ignore_headers Set-Cookie;
|
||||||
proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
|
proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
|
||||||
proxy_intercept_errors off;
|
proxy_intercept_errors off;
|
||||||
|
proxy_ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
proxy_ssl_server_name on;
|
||||||
|
|
||||||
proxy_cache mastodon_files;
|
proxy_cache cache;
|
||||||
proxy_cache_valid 200 48h;
|
proxy_cache_valid 200 48h;
|
||||||
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
|
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
|
||||||
proxy_cache_lock on;
|
proxy_cache_lock on;
|
||||||
|
|
42
hosts/nachtigall/apps/nginx-mastodon.nix
Normal file
42
hosts/nachtigall/apps/nginx-mastodon.nix
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.services.mastodon;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
"mastodon.pub.solar" = {
|
||||||
|
root = "${cfg.package}/public/";
|
||||||
|
# mastodon only supports https, but you can override this if you offload tls elsewhere.
|
||||||
|
forceSSL = lib.mkDefault true;
|
||||||
|
enableACME = lib.mkDefault true;
|
||||||
|
|
||||||
|
locations."/system/".alias = "/var/lib/mastodon/public-system/";
|
||||||
|
|
||||||
|
locations."/" = {
|
||||||
|
tryFiles = "$uri @proxy";
|
||||||
|
};
|
||||||
|
|
||||||
|
locations."/auth/sign_up".extraConfig = ''
|
||||||
|
return 302 /auth/sign_in;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations."/auth/confirmation/new".extraConfig = ''
|
||||||
|
return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations."/auth/password/new".extraConfig = ''
|
||||||
|
return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations."@proxy" = {
|
||||||
|
proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}");
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
locations."/api/v1/streaming/" = {
|
||||||
|
proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/");
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -12,7 +12,13 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
group = webserverGroup;
|
group = webserverGroup;
|
||||||
enableReload = true;
|
enableReload = true;
|
||||||
|
proxyCachePath.cache = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
recommendedProxySettings = true;
|
||||||
};
|
};
|
||||||
|
# Nginx user needs access to mastodon unix sockets
|
||||||
|
users.users.nginx.extraGroups = [ "mastodon" ];
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
|
|
|
@ -10,6 +10,7 @@
|
||||||
./nix.nix
|
./nix.nix
|
||||||
./apps/nginx.nix
|
./apps/nginx.nix
|
||||||
|
|
||||||
|
./apps/nginx-mastodon.nix
|
||||||
./apps/nginx-mastodon-files.nix
|
./apps/nginx-mastodon-files.nix
|
||||||
./apps/nginx-website.nix
|
./apps/nginx-website.nix
|
||||||
./apps/mastodon.nix
|
./apps/mastodon.nix
|
||||||
|
|
Loading…
Reference in a new issue