Commit d3a6ace

HPCesia <me@hpcesia.com>
2025-10-03 16:26:21
refactor: migrate gotosocial
1 parent 860a8fb
hosts/chaser-pardofelis/caddy.nix
@@ -23,7 +23,6 @@ in {
         forgejo = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
         goatcounter = "http://localhost:${builtins.toString config.services.goatcounter.port}";
         gokapi = "http://localhost:${builtins.toString config.services.gokapi.environment.GOKAPI_PORT}";
-        gotosocial = "http://localhost:${builtins.toString config.services.gotosocial.settings.port}";
         grafana = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
         homepage = "http://localhost:${builtins.toString config.services.homepage-dashboard.listenPort}";
         prometheus = "http://${config.services.victoriametrics.listenAddress}";
@@ -92,10 +91,6 @@ in {
         encode zstd gzip
         reverse_proxy ${localAddress.gokapi}
       '';
-      "trin.one".extraConfig = ''
-        encode zstd gzip
-        reverse_proxy ${localAddress.gotosocial}
-      '';
     };
   };
 }
hosts/chaser-pardofelis/gotosocial.nix
@@ -1,58 +0,0 @@
-{config, ...}: {
-  services.gotosocial = {
-    enable = true;
-    settings = {
-      # Basic
-      host = "trin.one";
-      bind-address = "localhost";
-      port = 9291;
-      protocol = "https"; # Final used protocol, should be `https` even when utilizing a reverse proxy.
-      # Storage
-      db-type = "sqlite";
-      db-address = "/var/lib/gotosocial/sqlite.db";
-      storage-backend = "s3";
-      storage-s3-bucket = "trin-one";
-      storage-s3-redirect-url = "https://asset.trin.one";
-      # Instance
-      landing-page-user = "hpcesia";
-      instance-languages = ["zh-Hans" "en"];
-      instance-expose-public-timeline = true;
-      instance-inject-mastodon-version = true;
-      # SMTP
-      smtp-host = "glacier.mxrouting.net";
-      smtp-port = 587;
-      smtp-username = "no-reply@trin.one";
-      smtp-from = "no-reply@trin.one";
-      # OIDC
-      oidc-enabled = true;
-      oidc-idp-name = "Authelia";
-      oidc-issuer = "https://auth.trin.one";
-      oidc-client-id = "gts-trinnon";
-      oidc-scopes = ["openid" "email" "profile" "groups"];
-      oidc-allowed-groups = [];
-      oidc-admin-groups = ["admin"];
-      # Log
-      log-level = "info";
-      log-timestamp-format = "2006-01-02T15:04:05.000Z07:00";
-      # Metric
-      metrics-enabled = true;
-      metrics-auth-enabled = true;
-      metrics-auth-username = "trinnon-metrics";
-    };
-    environmentFile = config.sops.templates.gotosocial-env.path;
-  };
-
-  sops.templates.gotosocial-env = {
-    content = ''
-      GTS_STORAGE_S3_ENDPOINT=${config.sops.placeholder.gotosocial-s3-endpoint}
-      GTS_STORAGE_S3_ACCESS_KEY=${config.sops.placeholder.gotosocial-s3-access-key}
-      GTS_STORAGE_S3_SECRET_KEY=${config.sops.placeholder.gotosocial-s3-secret-key}
-      GTS_OIDC_CLIENT_SECRET=${config.sops.placeholder.gotosocial-oidc-secret}
-      GTS_SMTP_PASSWORD=${config.sops.placeholder.gotosocial-smtp-password}
-      GTS_METRICS_AUTH_PASSWORD=${config.sops.placeholder.gotosocial-metrics-password}
-    '';
-    owner = "root";
-    group = "gotosocial";
-    mode = "0440";
-  };
-}
modules/hosts/chaser-pardofelis/default.nix
@@ -14,6 +14,7 @@
         (n: config.flake.modules.nixos."${config.flake.meta.service.prefix}${n}")
         [
           "caddy"
+          "gotosocial"
           "podman"
         ]
       );
modules/services/gotosocial/default.nix
@@ -0,0 +1,78 @@
+{lib, ...}: {
+  flake.modules.nixos."services/gotosocial" = {config, ...}: {
+    services.gotosocial = {
+      enable = true;
+      settings = {
+        # Basic
+        host = "trin.one";
+        bind-address = "localhost";
+        port = 9291;
+        protocol = "https"; # Final used protocol, should be `https` even when utilizing a reverse proxy.
+        # Storage
+        db-type = "sqlite";
+        db-address = "/var/lib/gotosocial/sqlite.db";
+        storage-backend = "s3";
+        storage-s3-bucket = "trin-one";
+        storage-s3-redirect-url = "https://asset.trin.one";
+        # Instance
+        landing-page-user = "hpcesia";
+        instance-languages = ["zh-Hans" "en"];
+        instance-expose-public-timeline = true;
+        instance-inject-mastodon-version = true;
+        # SMTP
+        smtp-host = "glacier.mxrouting.net";
+        smtp-port = 587;
+        smtp-username = "no-reply@trin.one";
+        smtp-from = "no-reply@trin.one";
+        # OIDC
+        oidc-enabled = true;
+        oidc-idp-name = "Authelia";
+        oidc-issuer = "https://auth.trin.one";
+        oidc-client-id = "gts-trinnon";
+        oidc-scopes = ["openid" "email" "profile" "groups"];
+        oidc-allowed-groups = [];
+        oidc-admin-groups = ["admin"];
+        # Log
+        log-level = "info";
+        log-timestamp-format = "2006-01-02T15:04:05.000Z07:00";
+        # Metric
+        metrics-enabled = true;
+        metrics-auth-enabled = true;
+        metrics-auth-username = "trinnon-metrics";
+      };
+      environmentFile = config.vaultix.templates.gotosocial-env.path;
+    };
+
+    services.caddy.virtualHosts."trin.one".extraConfig =
+      lib.mkIf config.services.caddy.enable
+      (let
+        localAddress = "http://localhost:${builtins.toString config.services.gotosocial.settings.port}";
+      in ''
+        encode zstd gzip
+        reverse_proxy ${localAddress}
+      '');
+
+    vaultix.secrets.gotosocial-s3-endpoint.file = ./s3-endpoint.age;
+    vaultix.secrets.gotosocial-s3-access-key.file = ./s3-access-key.age;
+    vaultix.secrets.gotosocial-s3-secret-key.file = ./s3-secret-key.age;
+    vaultix.secrets.gotosocial-oidc-secret.file = ./oidc-secret.age;
+    vaultix.secrets.gotosocial-smtp-password.file = ./smtp-password.age;
+    vaultix.secrets.gotosocial-metrics-password.file = ./metrics-password.age;
+
+    vaultix.templates.gotosocial-env = {
+      content = let
+        cfg = config.vaultix;
+      in ''
+        GTS_STORAGE_S3_ENDPOINT=${cfg.placeholder.gotosocial-s3-endpoint}
+        GTS_STORAGE_S3_ACCESS_KEY=${cfg.placeholder.gotosocial-s3-access-key}
+        GTS_STORAGE_S3_SECRET_KEY=${cfg.placeholder.gotosocial-s3-secret-key}
+        GTS_OIDC_CLIENT_SECRET=${cfg.placeholder.gotosocial-oidc-secret}
+        GTS_SMTP_PASSWORD=${cfg.placeholder.gotosocial-smtp-password}
+        GTS_METRICS_AUTH_PASSWORD=${cfg.placeholder.gotosocial-metrics-password}
+      '';
+      owner = "root";
+      group = "gotosocial";
+      mode = "0440";
+    };
+  };
+}
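Review bot: The instance host is spelled out twice in the new module — `host = "trin.one";` inside `settings` and again as the Caddy vhost key `services.caddy.virtualHosts."trin.one"` — so a later change to one silently desyncs the other; deriving the vhost from the option, `services.caddy.virtualHosts.${config.services.gotosocial.settings.host}.extraConfig =`, keeps the reverse proxy tied to whatever host the service actually serves, the same way `localAddress` already derives the port. Separately, the carried-over `oidc-allowed-groups = [];` presumably means any account Authelia will authenticate can log in to the instance while only members of `admin` get admin rights; a one-line comment stating that this is intended, e.g. `# empty = every Authelia account may sign in; restrict if this IdP also serves other apps`, would save the next reader from guessing. The module also relies implicitly on gotosocial's default trusted-proxy handling: `bind-address = "localhost"` with Caddy proxying from the same host is fine as long as the proxy stays local, and a short comment next to `bind-address` recording that assumption would make the dependency visible.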
modules/services/gotosocial/metrics-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 n5g4JOgtY9TIzQMFjo7yGgKJplyFc9j1r+UvKmCXPnw
++Ysve21Lqfs0ujHSr5IqQtTBrszkybrf4hhhcs6SQok
+-> VX36-grease
+ENdS/xn/WLeSS7k+fYsWiNFiTve9+e9UTnro+pMW3V1H0iaFHeZWhaY
+--- Xu8s6dcKH6iJApGAc6shaY+L73QF53fJEqC9H+meJZU
+2��ѻҽp�I�C�a��W%�>t
&�@�����a��Q��F5Q���R��/���L�μt�=o�eU
\ No newline at end of file
modules/services/gotosocial/oidc-secret.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 2q+pi6GJSux+fYKEt63qxxVeZLJPpnyIW+JOCBTaChc
+W5LKe6eaM38Nwu2h1wzSbUxPUEwCOQW6v9DlDDuoO3w
+-> /-grease tqH:W!zn t0n|u n_A3 1K)
+9gu0GPRqwE+QOtKPjZw1XhhfYNhiMBYPcBic7hQCx3dbgKiQVBDsnQFbGWIQqFJy
+vOeFYbhKzkflKJeaK5i7pzWDrxE2TCkdHFjTPPW5JbQKfyBzPWeljQeMehI
+--- 6roCY+cCQJ7WTCh2S3TdXBSbwj3DiGoTLBab2yCBIlI
+�}��B���D��� ̡���~�!��@��	�L��S.���6B�Gw{���0���Ww&��V�V�]N�_��	9�Ca�������™#�<E����~����\��(�
\ No newline at end of file
modules/services/gotosocial/s3-access-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 LqUNP1BluYoTLe4uZeAEFEPjIIa3e9KookQT1n+t7Uc
+XxjcBzqoRjMXzHg32Glmd2Uu+pGwRbJSI5p/GLxiL84
+-> !9nPI-grease ZYM;i
+ilW4jLNPaxrn
+--- M+dKKtpC+TcQfKmWL3eSeMiiXP24QcPYGGpjDbFxIes
+�,�.� |������8q����L���Çص�a���YmLPuK|S���y )V[���DkoɋT�
\ No newline at end of file
modules/services/gotosocial/s3-endpoint.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 +Akxa82G8ODtjGTnSBG6bYXEvOXt4p5AFInfyQMMolk
+4SVwcy+9+XNn5b6pNZkykWrnSuXC4WJGHMg9VyKypwM
+-> .xk9O-grease
+j64daUiW1kVPMtdbT16ANXmBg+sj5yVWeMqhyorR3Pc6CjL8XmsUi9sPwDDGyHbr
+ru40XmocyXzIaZ01Cy6BIIaprnsY8X70le9qIbM+VUg3oM4JL3l5gVN4TeblhJw+
+JA
+--- FmAwrR46SnudnnMUkniQ0pnKH/oEFhNWp+LIutOB02M
+��_?���qT1�^>1���t��ua�c��n'4�Q<��ҫ&�/��h��%��an�Ƽny�W._G����:��&�V��9ݥ��pMw���
\ No newline at end of file
modules/services/gotosocial/s3-secret-key.age
Binary file
modules/services/gotosocial/smtp-password.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 2Y87GYnYPedumThjTyIufDSQnHBRf0VqBX66wsZdul8
+SlxUQqV6fi+9L5wl01tTGhDG6UOTPBef7Bzvp+Pcqlc
+-> "hy[5-grease A2s$S% B0QLZ6
+KY9UOHPMqbGCYIcCoWvyUixdLhL0Eqe89luhYpzmVe+BL4pbEf3T3vvrPusLzjjk
+4DyTZtm7fNWJjqxJw2PpHJbs3xsEvDCzfXdz6mKy
+--- 3TJXLTeoJ0mXyBhjk9/naefaQB6I1aY/d08Br7skE7Q
+���A�|��c	r�J�7]^Տ���Nz��n~+y�:�y˓]��n����o26�cǔ����q�My
\ No newline at end of file
secrets/cache/pardofelis/230a203373e5c5cc96ad697aabdfa6989b3fa1317cef0ec2f28beeb2d8df66ac
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw IGbwVHedKZBjpYEgz/mN66ftBrvop/uhaqlCWJergCM
+p81+s/MMLAEkCJd2ZlX0su8aaas0lnMAMlsc6PV5PEo
+-> Yo4?-grease p]y 1%GZ-Fw y
+IqXX4qakEzbUZ90dg3VTPCtRshFa9/CNCiC9LOFLY1q531va2hhcpfF34vgHdkbk
+tf7uuWUFwzUlvwgmJE7LxcCDOkJBS57f/djVVSko
+--- hs0CMblJdKrRD9Vg7bGQ8c2Yik4dAGdx0jd69yoK5S0
+�
�3A����ϨI�/�B��	`�R�)��ʎ����?��K6�ڦ�мTa;��*�^I��J���
\ No newline at end of file
secrets/cache/pardofelis/30f3f4528694d691ceb0b46b01c6ae46b080ae9d79b134c975a9936ebbb91bdc
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw WboGPFv3R4Q7+aWVbCYIseqzq3VIG1Ij7pDaB/WboEk
+D8pPQLIZzCW/E5QB+ZLKmfE/u0T1bpeoAEVVqf47odU
+-> L{V5-grease -Aw p~n<K_j/
+iHdsTDjmF4KKNueS5GOSdrmCyaPZ1Hwh4NrirM0bN7aQqqLCohEnteNezmnxi8sn
+S4sn1zJVGaaNBC+fFwdNAeHBq10K0MEerDAsDitcA9zsjppJhHqmyC1pxG8
+--- VfwUzJdDrvkWwnQRMtJ/Z20RVAnPRj4y+VvvJpsA5ZY
+7�D�2��v���vFɩ-h3֬�����\�CG6���G�4md����<�����&���KD;-Y
\ No newline at end of file
secrets/cache/pardofelis/80234b2d4a4c4388c595b25a51c71812ba432cc7ef45296a39719b2a55b8fc00
Binary file
secrets/cache/pardofelis/9515ebe3e9b5b2457e1b39373ab2c116b102feb4de3af7b0099c9dfb3802da13
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw yOGeN/Z9WNRjM/PNPUvSjy3c+WJ5+8gj3F3nk4aoGCA
+hQdRZmw2AuCz5g9SqlNNl0DupYwCJbPnpVka3gbkor0
+-> %^Lz;iz-grease ^ xf&]*FY c4PZ R8Vhom
+
+--- XZUtIEP4H52iMbXQHRl9afhg4e9mRg10WzIciT+uyNk
+�*ѽUG'gmo��Ds�$��ȓ�9��1���
��ϳhbG=*.�����j���/M���:����]�lZ�S���<=nfg���⽎h�L܈��$dЃ�
\ No newline at end of file
secrets/cache/pardofelis/decb891a1893ed5c39491041f83d3ba9c0f327c84ae913c9d748bf89bdf09101
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw sBtrNsckFScBBbijWRbMTuOHYxmXIPeEiGvwGD67Nmw
+VnQNNIAGU74Mp0wfjOVVlgDhAQmeE9ZKJZxNYwfJYjE
+-> as-grease yg gd
+np61YvX0FrQ+03lVvy1SC1ZyLA
+--- fU3ABKD/kWGcjbhvuLnPKBmTVX2xTWtZGGkARVkor60
+�ǻ}�G��*�W��k��_�wɇ=�
+0ij�`A�#ڇ�;���|��^�͢�����=���o���
\ No newline at end of file
secrets/cache/pardofelis/e6c762ccaab147dd5893e1302a90183db7ba0950813ebe70f8511e87cd660d3a
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw 39WZBdcSpFXDZa/KSzJ74JMrYzi2qa72QUyx0/bKqRc
+zykv3yAXZbLC2uCBeFe2qVV5+vebNxbq0YM/DAi5udc
+-> buE`#js-grease xQAfv]j 'f7
+mA6SdJyLwSPP3/fKWw1y/xqHMIk8/ElkhuqI5D3hjlj5lK4zOgc8F8X6Kg7EZTQg
+PmfesEo
+--- 97U4prtjWq5E1S1IAI3RQS8ORhoCKRJtqwalQI/Q3uM
+C>��H��B�+�q6%J)���p�WE@��x�]���N���*��$ <�EN�����P���V�{�DdOo�*����<=W�T��*�W�
+�m�
\ No newline at end of file