Merge branch 'feat/keycloak' of git.pub.solar:pub-solar/infra-new into feat/keycloak

hosts/nachtigall/apps/mastodon.nix

@@ -36,7 +36,6 @@
     enable = true;
     # Different from WEB_DOMAIN in our case
     localDomain = "pub.solar";
-    configureNginx = true;
     enableUnixSocket = true;
     # Processes used by the mastodon-streaming service. Defaults to the number
     # of CPU cores minus one

hosts/nachtigall/apps/nginx-mastodon-files.nix

@@ -26,7 +26,7 @@ in
             }
 
             resolver 8.8.8.8;
-            proxy_set_header Host $host;
+            proxy_set_header Host ${objStorHost};
             proxy_set_header Connection \'\';
             proxy_set_header Authorization \'\';
             proxy_hide_header Set-Cookie;
@@ -42,8 +42,10 @@ in
             proxy_ignore_headers Set-Cookie;
             proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
             proxy_intercept_errors off;
+            proxy_ssl_protocols TLSv1.2 TLSv1.3;
+            proxy_ssl_server_name on;
 
-            proxy_cache mastodon_files;
+            proxy_cache cache;
             proxy_cache_valid 200 48h;
             proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
             proxy_cache_lock on;

hosts/nachtigall/apps/nginx-mastodon.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.mastodon;
+in
+{
+  services.nginx.virtualHosts = {
+    "mastodon.pub.solar" = {
+      root = "${cfg.package}/public/";
+      # mastodon only supports https, but you can override this if you offload tls elsewhere.
+      forceSSL = lib.mkDefault true;
+      enableACME = lib.mkDefault true;
+
+      locations."/system/".alias = "/var/lib/mastodon/public-system/";
+
+      locations."/" = {
+        tryFiles = "$uri @proxy";
+      };
+
+      locations."/auth/sign_up".extraConfig = ''
+        return 302 /auth/sign_in;
+      '';
+
+      locations."/auth/confirmation/new".extraConfig = ''
+        return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+      '';
+
+      locations."/auth/password/new".extraConfig = ''
+        return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+      '';
+
+      locations."@proxy" = {
+        proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}");
+        proxyWebsockets = true;
+      };
+
+      locations."/api/v1/streaming/" = {
+        proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/");
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

hosts/nachtigall/apps/nginx.nix

@@ -12,7 +12,13 @@ in {
     enable = true;
     group = webserverGroup;
     enableReload = true;
+    proxyCachePath.cache = {
+      enable = true;
+    };
+    recommendedProxySettings = true;
   };
+  # Nginx user needs access to mastodon unix sockets
+  users.users.nginx.extraGroups = [ "mastodon" ];
   
   security.acme = {
     acceptTerms = true;

hosts/nachtigall/default.nix

@@ -10,6 +10,7 @@
       ./nix.nix
       ./apps/nginx.nix
 
+      ./apps/nginx-mastodon.nix
       ./apps/nginx-mastodon-files.nix
       ./apps/nginx-website.nix
       ./apps/mastodon.nix