blob: 62e1933d7a7961998fff9c163a80b7b7986e459f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
{ config, pkgs, ... }:
{
# the reverse proxy to gotosocial
services.nginx.virtualHosts."social.emile.space" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString config.emile.ports.gotosocial}";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 40M;
'';
};
};
};
# Redirects from emile.space to social.emile.space
# Without this, other instances have problems getting from the username
# @hanemile@emile.space to the host social.emile.space
# https://docs.gotosocial.org/en/latest/advanced/host-account-domain/
services.nginx.virtualHosts."emile.space" = {
locations = {
"/.well-known/webfinger".extraConfig = ''
rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent;
'';
"/.well-known/host-meta".extraConfig = ''
rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent;
'';
"/.well-known/nodeinfo".extraConfig = ''
rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent;
'';
};
};
# auth via authelia
services.authelia.instances.main.settings.identity_providers.oidc.clients = [
{
id = "gotosocial";
# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg";
public = false;
authorization_policy = "two_factor";
redirect_uris = [
"https://social.emile.space/auth/callback"
];
scopes = [
"openid"
"email"
"profile"
"groups"
];
grant_types = [
"refresh_token"
"authorization_code"
];
response_types = [
"code"
];
response_modes = [
"form_post"
"query"
"fragment"
];
}
];
services.gotosocial = {
enable = true;
package = pkgs.gotosocial;
settings = {
host = "social.emile.space";
port = config.emile.ports.gotosocial;
bind-address = "127.0.0.1";
account-domain = "emile.space";
db-type = "sqlite";
db-address = "/var/lib/gotosocial/database.sqlite";
protocol = "https";
storage-local-base-path = "/var/lib/gotosocial/storage";
oidc-idp-name = "authelia";
oidc-client-id = "gotosocial";
advanced-rate-limit-requests = 0;
accounts-allow-custom-css = true;
};
environmentFile = config.age.secrets.gotosocial_environment_file.path;
};
}
|
