Remove old cruff, server is 23.11 now

2023-12-01 23:19:34 +01:00 · 2023-12-01 23:19:34 +01:00 · 44305d6805
commit 44305d6805
parent 2d726f8c04
8 changed files with 40 additions and 904 deletions
--- a/modules/cloud/gotosocial/default.nix
+++ b/modules/cloud/gotosocial/default.nix
@ -4,38 +4,11 @@ let
  cfg = config.cloud.gotosocial;

  dbUser = "gotosocial";
-
-  configFile = pkgs.writeText "config.yml" (generators.toYAML { } {
-    # General
-    host = cfg.host;
-    account-domain = cfg.accountDomain;
-    bind-address = "localhost";
-    port = cfg.port;
-    # Database
-    db-port = 0; # Use socket
-    db-user = dbUser;
-    db-database = dbUser;
-    # Web
-    web-template-base-dir = "${cfg.package}/share/web/template";
-    web-asset-base-dir = "${cfg.package}/share/web/assets";
-    # Media
-    media-emoji-remote-max-size = 256 * 1024 /* bytes */;
-    media-emoji-local-max-size = 256 * 1024 /* bytes */;
-    # OIDC
-    oidc-enabled = true;
-    oidc-idp-name = "DTTH";
-    oidc-scopes = [ "openid" "email" "profile" ];
-    # HTTP Client
-    http-client.block-ips = [ "11.0.0.0/24" ];
-    # Advanced
-    advanced-rate-limit-requests = 0;
-    # instance-inject-mastodon-version = true;
-  });
 in
 {
  options.cloud.gotosocial = {
    enable = mkEnableOption "Enable our local GtS server";
-    package = mkPackageOption pkgs "gotosocial-bin" { };
+    package = mkPackageOption pkgs "gotosocial" { };
    host = mkOption {
      type = types.str;
      description = "The GtS host";
@ -75,49 +48,39 @@ in
        };
      } else { });
    # The service itself
-    systemd.services.gotosocial = {
-      after = [ "network.target" ];
-      serviceConfig = {
-        User = dbUser;
-        Group = dbUser;
-        ExecStart = "${cfg.package}/bin/gotosocial --config-path ${configFile} server start";
-        EnvironmentFile = cfg.envFile;
-        # Sandboxing options to harden security
-        # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-        NoNewPrivileges = "yes";
-        PrivateTmp = "yes";
-        PrivateDevices = "yes";
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-        RestrictNamespaces = "yes";
-        RestrictRealtime = "yes";
-        DevicePolicy = "closed";
-        ProtectSystem = "full";
-        ProtectControlGroups = "yes";
-        ProtectKernelModules = "yes";
-        ProtectKernelTunables = "yes";
-        LockPersonality = "yes";
-        SystemCallFilter = "~@clock @debug @module @mount @obsolete @reboot @setuid @swap";
-
-        # Denying access to capabilities that should not be relevant
-        # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
-        CapabilityBoundingSet = strings.concatStringsSep " " [
-          "CAP_RAWIO CAP_MKNOD"
-          "CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
-          "CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT"
-          "CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK"
-          "CAP_BLOCK_SUSPEND CAP_WAKE_ALARM"
-          "CAP_SYS_TTY_CONFIG"
-          "CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
-          "CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW"
-          "CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG "
-        ];
-        # You might need this if you are running as non-root on a privileged port (below 1024)
-        #AmbientCapabilities=CAP_NET_BIND_SERVICE
-        StateDirectory = "gotosocial";
-        WorkingDirectory = "/var/lib/gotosocial";
+    services.gotosocial = {
+      enable = true;
+      package = cfg.package;
+      environmentFile = cfg.envFile;
+      settings = {
+        # General
+        host = cfg.host;
+        account-domain = cfg.accountDomain;
+        bind-address = "localhost";
+        port = cfg.port;
+        # Database
+        db-type = "postgres";
+        db-address = "/run/postgresql"; # Use socket
+        db-user = dbUser;
+        db-database = dbUser;
+        # Web
+        web-template-base-dir = "${cfg.package}/share/gotosocial/web/template";
+        web-asset-base-dir = "${cfg.package}/share/gotosocial/web/assets";
+        # Media
+        media-emoji-remote-max-size = 256 * 1024 /* bytes */;
+        media-emoji-local-max-size = 256 * 1024 /* bytes */;
+        # OIDC
+        oidc-enabled = true;
+        oidc-idp-name = "DTTH";
+        oidc-scopes = [ "openid" "email" "profile" ];
+        # HTTP Client
+        http-client.block-ips = [ "11.0.0.0/24" ];
+        # Advanced
+        advanced-rate-limit-requests = 0;
+        # instance-inject-mastodon-version = true;
      };
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "minio.service" "postgresql.service" ];
    };
+    systemd.services.gotosocial.requires = mkAfter [ "minio.service" "postgresql.service" ];
+    systemd.services.gotosocial.after = mkAfter [ "minio.service" "postgresql.service" ];
  };
 }