From 1983edcc5b17efc325e6a2b5a116db1d5a4c4942 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 28 Oct 2023 18:56:22 +0200 Subject: [PATCH 1/7] fix: add nginx virtualHost for mastodon We use pub.solar as our LOCAL_DOMAIN and mastodon.pub.solar as our WEB_DOMAIN. The NixOS module does not support this special use case. See: https://github.com/NixOS/nixpkgs/issues/202399 --- hosts/nachtigall/apps/mastodon.nix | 1 - hosts/nachtigall/apps/nginx-mastodon.nix | 30 ++++++++++++++++++++++++ hosts/nachtigall/default.nix | 1 + 3 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 hosts/nachtigall/apps/nginx-mastodon.nix diff --git a/hosts/nachtigall/apps/mastodon.nix b/hosts/nachtigall/apps/mastodon.nix index a71a521..18299a1 100644 --- a/hosts/nachtigall/apps/mastodon.nix +++ b/hosts/nachtigall/apps/mastodon.nix @@ -36,7 +36,6 @@ enable = true; # Different from WEB_DOMAIN in our case localDomain = "pub.solar"; - configureNginx = true; enableUnixSocket = true; # Processes used by the mastodon-streaming service. Defaults to the number # of CPU cores minus one diff --git a/hosts/nachtigall/apps/nginx-mastodon.nix b/hosts/nachtigall/apps/nginx-mastodon.nix new file mode 100644 index 0000000..aa81ce2 --- /dev/null +++ b/hosts/nachtigall/apps/nginx-mastodon.nix 
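Review bot: Removing `configureNginx = true;` turns off more than the upstream-generated vhost, and the surviving comment "Different from WEB_DOMAIN in our case" does not say what this host now has to supply itself; a maintainer reading mastodon.nix alone will not know why nginx is wired by hand. I would extend the comment on the `localDomain` line to something like `# configureNginx is off on purpose: the module would create a vhost for localDomain (pub.solar), but the web UI lives on mastodon.pub.solar — see ./apps/nginx-mastodon.nix and nginx.nix for the pieces the module would otherwise add`. The `services.mastodon` attrset this hunk edits starts before the hunk.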
@@ -0,0 +1,30 @@ +{ config, lib, ... }: +let + cfg = config.services.mastodon; +in +{ + services.nginx.virtualHosts = { + "mastodon.pub.solar" = { + root = "${cfg.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; + + locations."/system/".alias = "/var/lib/mastodon/public-system/"; + + locations."/" = { + tryFiles = "$uri @proxy"; + }; + + locations."@proxy" = { + proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); + proxyWebsockets = true; + }; + + locations."/api/v1/streaming/" = { + proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/"); + proxyWebsockets = true; + }; + }; + }; +} diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix index f312e68..f25f489 100644 --- a/hosts/nachtigall/default.nix +++ b/hosts/nachtigall/default.nix @@ -10,6 +10,7 @@ ./nix.nix ./apps/nginx.nix + ./apps/nginx-mastodon.nix ./apps/nginx-mastodon-files.nix ./apps/nginx-website.nix ./apps/mastodon.nix -- 2.44.1 From 6f4741fae04860d56e88aabaac2733f7cb35690b Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 28 Oct 2023 21:12:33 +0200 Subject: [PATCH 2/7] fix: missing nginx proxy cache zone --- hosts/nachtigall/apps/nginx-mastodon-files.nix | 2 +- hosts/nachtigall/apps/nginx.nix | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/nachtigall/apps/nginx-mastodon-files.nix b/hosts/nachtigall/apps/nginx-mastodon-files.nix index 1f615d4..b52b4cd 100644 --- a/hosts/nachtigall/apps/nginx-mastodon-files.nix +++ b/hosts/nachtigall/apps/nginx-mastodon-files.nix 
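Review bot: The two branches of the `/api/v1/streaming/` proxyPass do not forward the same path: the TCP form ends in `/`, so nginx replaces the matched `/api/v1/streaming/` prefix before forwarding, while the unix-socket form — the one this host actually uses, given `enableUnixSocket = true` in mastodon.nix — has no URI part and passes the request path through unchanged. Only one of those can be what the streaming server expects, so either drop the trailing slash from the TCP form or write the socket form as `http://unix:/run/mastodon-streaming/streaming.socket:/` so both behave alike, and add a comment saying which path the streaming server wants. Separately, because this vhost only answers for mastodon.pub.solar while `LOCAL_DOMAIN` stays pub.solar, federation depends on `https://pub.solar/.well-known/webfinger` and `/.well-known/host-meta` redirecting to this host; I cannot see nginx-website.nix from here, so please confirm that redirect exists, otherwise remote instances cannot resolve `@user@pub.solar`.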
@@ -43,7 +43,7 @@ in proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download; proxy_intercept_errors off; - proxy_cache mastodon_files; + proxy_cache cache; proxy_cache_valid 200 48h; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix index 37943f0..fc95c22 100644 --- a/hosts/nachtigall/apps/nginx.nix +++ b/hosts/nachtigall/apps/nginx.nix @@ -12,6 +12,9 @@ in { enable = true; group = webserverGroup; enableReload = true; + proxyCachePath.cache = { + enable = true; + }; }; security.acme = { -- 2.44.1 From 8b09f19add67ac4496169a7d986df85603645497 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 28 Oct 2023 21:30:37 +0200 Subject: [PATCH 3/7] fix: nginx user needs access to mastodon's unix socket --- hosts/nachtigall/apps/nginx.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix index fc95c22..abc71a1 100644 --- a/hosts/nachtigall/apps/nginx.nix +++ b/hosts/nachtigall/apps/nginx.nix @@ -16,6 +16,8 @@ in { enable = true; }; }; + # Nginx user needs access to mastodon unix sockets + users.users.nginx.extraGroups = [ "mastodon" ]; security.acme = { acceptTerms = true; -- 2.44.1 From e9fc2dabbea4254d46782a9abf5a28bf9657f148 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 28 Oct 2023 21:42:01 +0200 Subject: [PATCH 4/7] fix: enable recommendedProxySettings for nginx https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=recommendedProxySettings --- hosts/nachtigall/apps/nginx.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix index abc71a1..2715583 100644 --- a/hosts/nachtigall/apps/nginx.nix +++ b/hosts/nachtigall/apps/nginx.nix 
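Review bot: `proxyCachePath.cache = { enable = true; }` takes every other zone parameter from the nixpkgs defaults, and as I recall those are `inactive = "10m"` and `maxSize = "1g"`, which makes the `proxy_cache_valid 200 48h` in nginx-mastodon-files.nix largely moot: an object that is not requested for ten minutes is evicted regardless of its validity, and the whole media cache is capped at a gigabyte. If the intent is to keep media for two days, set the parameters explicitly, e.g. `proxyCachePath.cache = { enable = true; inactive = "48h"; maxSize = "10g"; };` sized to the disk on this host. Please verify the defaults against the nixpkgs module for the channel in use before relying on them.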
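Review bot: Adding the nginx user to the `mastodon` group grants it group-level read access to everything mastodon owns with group permissions, not just the two sockets; the upstream module does the same, but it means any group-readable file under mastodon's state or secrets (an env/secrets file with mode 0640, for instance) is now readable by the web server process. Before merging, check that secret material for mastodon on this host is owner-only (0600), and prefer referencing the module's option instead of the literal so the two cannot drift: `users.users.nginx.extraGroups = [ config.services.mastodon.group ];` (assuming `config` is in scope in nginx.nix — its argument list is outside this hunk). The comment should also say what the access is for beyond "unix sockets", since that is the only thing that justifies the group membership.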
@@ -15,6 +15,7 @@ in { proxyCachePath.cache = { enable = true; }; + recommendedProxySettings = true; }; # Nginx user needs access to mastodon unix sockets users.users.nginx.extraGroups = [ "mastodon" ]; -- 2.44.1 From 401baf59007935ffb773af5eb05fb27fd325114a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 28 Oct 2023 22:15:40 +0200 Subject: [PATCH 5/7] fix: nginx files.pub.solar proxy_pass host header --- hosts/nachtigall/apps/nginx-mastodon-files.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nachtigall/apps/nginx-mastodon-files.nix b/hosts/nachtigall/apps/nginx-mastodon-files.nix index b52b4cd..9b43cf6 100644 --- a/hosts/nachtigall/apps/nginx-mastodon-files.nix +++ b/hosts/nachtigall/apps/nginx-mastodon-files.nix @@ -26,7 +26,7 @@ in } resolver 8.8.8.8; - proxy_set_header Host $host; + proxy_set_header Host ${objStorHost}; proxy_set_header Connection \'\'; proxy_set_header Authorization \'\'; proxy_hide_header Set-Cookie; -- 2.44.1 From 310723a18c194627864c323d1b712db09408d194 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 28 Oct 2023 22:52:57 +0200 Subject: [PATCH 6/7] fix: nginx tls connection to upstream --- hosts/nachtigall/apps/nginx-mastodon-files.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/nachtigall/apps/nginx-mastodon-files.nix b/hosts/nachtigall/apps/nginx-mastodon-files.nix index 9b43cf6..8ca4499 100644 --- a/hosts/nachtigall/apps/nginx-mastodon-files.nix +++ b/hosts/nachtigall/apps/nginx-mastodon-files.nix @@ -42,6 +42,8 @@ in proxy_ignore_headers Set-Cookie; proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download; proxy_intercept_errors off; + proxy_ssl_protocols TLSv1.2 TLSv1.3; + proxy_ssl_server_name on; proxy_cache cache; proxy_cache_valid 200 48h; -- 2.44.1 From 347d175a8a2b54b94cc31521fea01b7cf7e7819d Mon Sep 17 00:00:00 2001 
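Review bot: `proxy_ssl_protocols` and `proxy_ssl_server_name` make the upstream connection negotiate modern TLS with SNI, but nginx still does not verify the object-storage certificate — `proxy_ssl_verify` is off by default — so the `https://` in `proxy_pass https://${objStorHost}/...` authenticates nothing, and with name resolution going through the plain-text `resolver 8.8.8.8` visible in the previous hunk of this file, a spoofed DNS answer or an on-path attacker can serve arbitrary content under files.pub.solar and have it cached for 48h. Add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` and `proxy_ssl_name ${objStorHost};` next to the two new lines (that bundle path is the one NixOS ships; adjust if this host uses another). The `location` block these lines belong to starts before this hunk.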
From: teutat3s Date: Sat, 28 Oct 2023 23:00:07 +0200 Subject: [PATCH 7/7] feat: add mastodon redirects for OIDC using keycloak --- hosts/nachtigall/apps/nginx-mastodon.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hosts/nachtigall/apps/nginx-mastodon.nix b/hosts/nachtigall/apps/nginx-mastodon.nix index aa81ce2..4712a59 100644 --- a/hosts/nachtigall/apps/nginx-mastodon.nix +++ b/hosts/nachtigall/apps/nginx-mastodon.nix @@ -16,6 +16,18 @@ in tryFiles = "$uri @proxy"; }; + locations."/auth/sign_up".extraConfig = '' + return 302 /auth/sign_in; + ''; + + locations."/auth/confirmation/new".extraConfig = '' + return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + ''; + + locations."/auth/password/new".extraConfig = '' + return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + ''; + locations."@proxy" = { proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); proxyWebsockets = true; -- 2.44.1
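Review bot: These three redirects only hide Devise's HTML forms; they do not disable the endpoints behind them, so they must not be treated as access control. As far as I know Devise handles registration as `POST /auth`, a password-reset request as `POST /auth/password` and a confirmation resend as `POST /auth/confirmation`, none of which matches the new `/auth/sign_up`, `/auth/password/new` or `/auth/confirmation/new` prefix locations, so a client that skips the form can still submit those requests directly. If the goal is Keycloak-only accounts and credential resets, that has to be enforced in Mastodon itself (registrations closed in the admin settings and, if the running version supports it, `OMNIAUTH_ONLY=true` in the mastodon environment — I cannot see mastodon.nix from here to confirm), with these redirects kept as a UX nicety. A comment above the three locations should say exactly that, e.g. `# UX only: Keycloak handles sign-up and credential reset; enforcement is Mastodon's (registrations closed / OMNIAUTH_ONLY), these redirects do not block POSTs`; the vhost attrset this hunk edits starts before the hunk.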