add email credentials to gotosocial

hosts/hetzner-vm/containers/mail/mail.nix

@@ -29,6 +29,7 @@
     "private_mail_aliases"
     "chaos_mail_passwd"
     "system_mail_passwd"
+    "gotosocial_mail_passwd"
   ];
   shared_files = [
     "/var/lib/acme/mail.owo.monster/fullchain.pem"

hosts/hetzner-vm/containers/mail/profiles/mailserver.nix

@@ -46,6 +46,13 @@ in {
         aliases = [];
         sieveScript = null;
       };
+
+      "gotosocial@owo.monster" = {
+        name = "gotosocial@owo.monster";
+        passwordFile = "${secrets.gotosocial_mail_passwd.path}";
+        aliases = [];
+        sieveScript = null;
+      };
     };
   };
 

hosts/hetzner-vm/containers/social/profiles/gotosocial.nix

@@ -1,17 +1,21 @@
-{...}: let
+{host_secrets, ...}: let
   container-addresses = import ../../../data/container-addresses.nix {};
   hostIP = container-addresses.host;
   containerIP = container-addresses.containers.social;
+
+  secrets = host_secrets;
 in {
   services.gotosocial = {
     enable = true;
     setupPostgresqlDB = true;
+    environmentFile = host_secrets.social_env_secrets.path;
+
     settings = {
       application-name = "chaos-gts";
       host = "gts-01.owo.monster";
       bind-address = "0.0.0.0";
 
-      log-level = "verbose";
+      log-level = "info";
       log-client-ip = false;
 
       trusted-proxies = [
@@ -26,6 +30,12 @@ in {
 
       accounts-registration-open = false;
 
+      smtp-host = "mail.owo.monster";
+      smtp-port = 587;
+      smtp-username = "gotosocial@owo.monster";
+      smtp-password = ""; # set via env variables
+      smtp-from = "gotosocial@owo.monster";
+
       media-remote-cache-days = 2;
 
       media-image-max-size = 1000000 * 64; # MB

hosts/hetzner-vm/containers/social/social.nix

@@ -23,6 +23,9 @@ in {
       "${secrets.social_restic_env.path}" = {
         hostPath = "${secrets.social_restic_env.path}";
       };
+      "${secrets.social_env_secrets.path}" = {
+        hostPath = "${secrets.social_env_secrets.path}";
+      };
     };
 
     config = {

hosts/hetzner-vm/secrets.nix

@@ -97,6 +97,14 @@
           htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > $secretFile
         '';
       };
+      gotosocial_mail_passwd = {
+        user = "dovecot2";
+        group = "dovecot2";
+        fetchScript = ''
+          password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+          htpasswd -nbB "" "$password" 2>/dev/null | cut -d: -f2 > $secretFile
+        '';
+      };
 
       # Container: social
       social_restic_password = {
@@ -111,6 +119,14 @@
           echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > $secretFile
         '';
       };
+      social_env_secrets = {
+        user = "root";
+        group = "root";
+        fetchScript = ''
+          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+          echo "GTS_SMTP_PASSWORD=$smtp_password" > $secretFile
+        '';
+      };
 
       # Container: quassel
       quassel_restic_password = {

profiles/nginx.nix

@@ -30,10 +30,12 @@ in {
       recommendedOptimisation = true;
       recommendedProxySettings = true;
       recommendedTlsSettings = true;
-      commonHttpConfig = "";
       clientMaxBodySize = lib.mkDefault "512m";
       serverNamesHashBucketSize = 1024;
-      mapHashMaxSize = 512;
+      appendHttpConfig = ''
+        proxy_headers_hash_max_size 1024;
+        proxy_headers_hash_bucket_size 256;
+      '';
     };
 
     services.logrotate.settings.nginx = {