authorEmile <git@emile.space>2024-07-17 18:38:55 +0200
committerEmile <git@emile.space>2024-07-17 18:38:55 +0200
commitb1140ee81828a97a3bdcb098ae88c5ad33c2e93e (patch)
treea4849e00a294e56ed3e7e2751c591bf635b7ff0f
parent56d78f4b66d76049901c553663e6c4eca25466bd (diff)
working gotosocial
-rw-r--r--nix/hosts/corrino/configuration.nix1
-rw-r--r--nix/hosts/corrino/secrets/gotosocial_environment_file.agebin0 -> 766 bytes
-rw-r--r--nix/hosts/corrino/secrets/gotosocial_oidc_secret.age7
-rw-r--r--nix/hosts/corrino/www/social.emile.space.nix96
4 files changed, 104 insertions, 0 deletions
diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix
index 2617272..9e0198f 100644
--- a/nix/hosts/corrino/configuration.nix
+++ b/nix/hosts/corrino/configuration.nix
@@ -28,6 +28,7 @@ in {
       ./www/pgweb.emile.space.nix
       ./www/ctf.emile.space.nix
       ./www/md.emile.space.nix
+      ./www/social.emile.space.nix
       # ./www/magic-hash.emile.space.nix
       # ./www/znc.emile.space.nix
 
diff --git a/nix/hosts/corrino/secrets/gotosocial_environment_file.age b/nix/hosts/corrino/secrets/gotosocial_environment_file.age
new file mode 100644
index 0000000..9a4cde7
--- /dev/null
+++ b/nix/hosts/corrino/secrets/gotosocial_environment_file.age
Binary files differ
diff --git a/nix/hosts/corrino/secrets/gotosocial_oidc_secret.age b/nix/hosts/corrino/secrets/gotosocial_oidc_secret.age
new file mode 100644
index 0000000..97c137d
--- /dev/null
+++ b/nix/hosts/corrino/secrets/gotosocial_oidc_secret.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 gvwQ2Q vEFIHqykCjD9ovHnoLclnIy5QMw9zUycM/slN51X418
+iVIkw3sjSett8bStg2xsoQfzV7JHnkwbIJXj7TZJQJY
+-> ssh-ed25519 m8VklA B3q5dWVEY6DXYJ6FnEoxw5Z8mxee38AdShGtjCcBAgM
+gFE0Azw1d0mRImAAJif/vfVwS5IKNEid4TlXz84w8i4
+--- 0CR4WyrtOz+WrfvIqENf+3Z3ym8Ajmld1CVtL/7xJXc
+2lCg3?3-o|hr#mMHBE賟̖Bz#W)۰cP.k.(9S9MS#]0WgS·	g\c9@f
\ No newline at end of file
diff --git a/nix/hosts/corrino/www/social.emile.space.nix b/nix/hosts/corrino/www/social.emile.space.nix
new file mode 100644
index 0000000..ddfa5ef
--- /dev/null
+++ b/nix/hosts/corrino/www/social.emile.space.nix
@@ -0,0 +1,96 @@
+{ config, pkgs, ... }:
+
+let
+	ports = import ../ports.nix;
+in {
+
+	# the reverse proxy to gotosocial
+  services.nginx.virtualHosts."social.emile.space" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString ports.gotosocial}";
+				proxyWebsockets = true;
+        extraConfig = ''
+          client_max_body_size 40M;
+        '';
+      };
+
+    };
+  };
+
+	# Redirects from emile.space to social.emile.space
+	# Without this, other instances have problems getting from the username
+	#   @hanemile@emile.space to the host social.emile.space
+	# https://docs.gotosocial.org/en/latest/advanced/host-account-domain/
+  services.nginx.virtualHosts."emile.space" = {
+    locations = {
+		  "/.well-known/webfinger".extraConfig = ''
+		    rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent;
+      '';
+
+		  "/.well-known/host-meta".extraConfig = ''
+	      rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent;
+			'';
+
+		  "/.well-known/nodeinfo".extraConfig = ''
+	      rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent;
+			'';
+		};
+	};
+
+
+	# auth via authelia
+	services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+		{
+			id = "gotosocial";
+
+			# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+			secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg"; 
+			public = false;
+			authorization_policy = "two_factor";
+			redirect_uris = [
+				"https://social.emile.space/auth/callback"
+			];
+			scopes = [
+				"openid"
+				"email"
+				"profile"
+				"groups"
+			];
+			grant_types = [
+				"refresh_token"
+				"authorization_code"
+			];
+			response_types = [
+				"code"
+			];
+			response_modes = [
+				"form_post"
+				"query"
+				"fragment"
+			];
+		}
+	];
+					
+	services.gotosocial = {
+		enable = true;
+		package = pkgs.gotosocial;
+		settings = {
+			host = "social.emile.space";
+			port = ports.gotosocial;
+			bind-address = "127.0.0.1";
+			account-domain = "emile.space";
+			db-type = "sqlite";
+			db-address = "/var/lib/gotosocial/database.sqlite";
+			protocol = "https";
+			storage-local-base-path = "/var/lib/gotosocial/storage";
+			oidc-idp-name = "authelia";
+			oidc-client-id = "gotosocial";
+			advanced-rate-limit-requests = 0;
+			accounts-allow-custom-css = true;
+		};
+		environmentFile = config.age.secrets.gotosocial_environment_file.path;
+	};
+}
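Review bot: `advanced-rate-limit-requests = 0;` in the `services.gotosocial.settings` block switches the instance's per-client rate limiter off entirely (per GoToSocial's configuration docs, 0 means disabled), so the OIDC callback, sign-in and client API endpoints behind this proxy receive no throttling at all. If this was set because every request appeared to originate from the proxy's 127.0.0.1, the safer fix is to keep the limiter and have nginx forward the real client address (e.g. `recommendedProxySettings = true;` on the `social.emile.space` virtual host, unless that is already set globally elsewhere in the host config), and in any case to record the reason next to the setting, e.g. `# rate limiting disabled: <why>`. `accounts-allow-custom-css = true` lets account holders inject arbitrary CSS into their public profile pages, which is tolerable on a single-person instance but deserves a comment so it is not carried over to an open-registration setup. Finally, nothing in this file references `gotosocial_oidc_secret.age`; only `gotosocial_environment_file` is wired in via `environmentFile`, so confirm the OIDC client secret actually reaches GoToSocial through that environment file (presumably as `GTS_OIDC_CLIENT_SECRET`) or drop the unused secret.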