add email credentials to gotosocial

2023-09-02 18:17:03 +01:00 · 2023-09-02 18:17:03 +01:00 · 83baffbb8b
parent 3c2b9ffbe0
commit 83baffbb8b
6 changed files with 43 additions and 4 deletions
--- a/hosts/hetzner-vm/containers/mail/mail.nix
+++ b/hosts/hetzner-vm/containers/mail/mail.nix
@ -29,6 +29,7 @@
    "private_mail_aliases"
    "chaos_mail_passwd"
    "system_mail_passwd"
+    "gotosocial_mail_passwd"
  ];
  shared_files = [
    "/var/lib/acme/mail.owo.monster/fullchain.pem"
--- a/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix
+++ b/hosts/hetzner-vm/containers/mail/profiles/mailserver.nix
@ -46,6 +46,13 @@ in {
        aliases = [];
        sieveScript = null;
      };
+
+      "gotosocial@owo.monster" = {
+        name = "gotosocial@owo.monster";
+        passwordFile = "${secrets.gotosocial_mail_passwd.path}";
+        aliases = [];
+        sieveScript = null;
+      };
    };
  };

--- a/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix
+++ b/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix
@ -1,17 +1,21 @@
-{...}: let
+{host_secrets, ...}: let
  container-addresses = import ../../../data/container-addresses.nix {};
  hostIP = container-addresses.host;
  containerIP = container-addresses.containers.social;
+
+  secrets = host_secrets;
 in {
  services.gotosocial = {
    enable = true;
    setupPostgresqlDB = true;
+    environmentFile = host_secrets.social_env_secrets.path;
+
    settings = {
      application-name = "chaos-gts";
      host = "gts-01.owo.monster";
      bind-address = "0.0.0.0";

-      log-level = "verbose";
+      log-level = "info";
      log-client-ip = false;

      trusted-proxies = [
@ -26,6 +30,12 @@ in {

      accounts-registration-open = false;

+      smtp-host = "mail.owo.monster";
+      smtp-port = 587;
+      smtp-username = "gotosocial@owo.monster";
+      smtp-password = ""; # set via env variables
+      smtp-from = "gotosocial@owo.monster";
+
      media-remote-cache-days = 2;

      media-image-max-size = 1000000 * 64; # MB
--- a/hosts/hetzner-vm/containers/social/social.nix
+++ b/hosts/hetzner-vm/containers/social/social.nix
@ -23,6 +23,9 @@ in {
      "${secrets.social_restic_env.path}" = {
        hostPath = "${secrets.social_restic_env.path}";
      };
+      "${secrets.social_env_secrets.path}" = {
+        hostPath = "${secrets.social_env_secrets.path}";
+      };
    };

    config = {
--- a/hosts/hetzner-vm/secrets.nix
+++ b/hosts/hetzner-vm/secrets.nix
@ -97,6 +97,14 @@
          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > $secretFile
        '';
      };
+      gotosocial_mail_passwd = {
+        user = "dovecot2";
+        group = "dovecot2";
+        fetchScript = ''
+          password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > $secretFile
+        '';
+      };

      # Container: social
      social_restic_password = {
@ -111,6 +119,14 @@
          echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > $secretFile
        '';
      };
+      social_env_secrets = {
+        user = "root";
+        group = "root";
+        fetchScript = ''
+          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+          echo "GTS_SMTP_PASSWORD=$smtp_password" > $secretFile
+        '';
+      };

      # Container: quassel
      quassel_restic_password = {
--- a/profiles/nginx.nix
+++ b/profiles/nginx.nix
@ -30,10 +30,12 @@ in {
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
-      commonHttpConfig = "";
      clientMaxBodySize = lib.mkDefault "512m";
      serverNamesHashBucketSize = 1024;
-      mapHashMaxSize = 512;
+      appendHttpConfig = ''
+        proxy_headers_hash_max_size 1024;
+        proxy_headers_hash_bucket_size 256;
+      '';
    };

    services.logrotate.settings.nginx = {