diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
index f98ae16..c55239a 100644
--- a/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
+++ b/hosts/hetzner-arm/containers/postgresql/profiles/postgres.nix
@@ -13,7 +13,6 @@ in {
 enableTCPIP = true;
 ensureDatabases = [
 "gotosocial"
- "gotosocial_new"
 "quassel"
 ];
 ensureUsers = [
@@ -21,10 +20,6 @@ in {
 name = "gotosocial";
 ensureDBOwnership = true;
 }
- {
- name = "gotosocial_new";
- ensureDBOwnership = true;
- }
 {
 name = "quassel";
 ensureDBOwnership = true;
@@ -34,7 +29,6 @@ in {
 # otherwise use the host's IP
 authentication = ''
 host gotosocial gotosocial ${localContainersAddresses.containers."social"}/32 trust
- host gotosocial_new gotosocial_new ${localContainersAddresses.containers."social-02"}/32 trust
 host quassel quassel ${localContainersAddresses.containers."quassel"}/32 trust
 '';
 };
diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
index edcc8ad..ce6ce66 100644
--- a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix
@@ -8,7 +8,6 @@
 backupPrepareCommand = "${
 (pkgs.writeShellScriptBin "backupPrepareCommand" ''
 systemctl start remotePostgreSQLBackup-gotosocial --wait
- systemctl start remotePostgreSQLBackup-gotosocial_new --wait
 systemctl start remotePostgreSQLBackup-quassel --wait
 '')
 }/bin/backupPrepareCommand";
@@ -52,7 +51,6 @@ in {
 backupUser = "postgres";
 databases = [
 "gotosocial"
- "gotosocial_new"
 "quassel"
 ];
 };
diff --git a/hosts/hetzner-arm/containers/social-02/default.nix b/hosts/hetzner-arm/containers/social-02/default.nix
deleted file mode 100644
index 57c7a6e..0000000
--- a/hosts/hetzner-arm/containers/social-02/default.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{
- self,
- hostPath,
- tree,
- inputs,
- config,
- pkgs,
- ...
-}: let
- containerAddresses = import "${hostPath}/data/containerAddresses.nix";
- hostIP = containerAddresses.host;
- containerIP = containerAddresses.containers.social-02;
-in {
- containers.social-02 = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = hostIP;
- localAddress = containerIP;
-
- specialArgs = {
- inherit inputs;
- inherit tree;
- inherit self;
- inherit hostPath;
- };
-
- config = {...}: {
- nixpkgs.pkgs = pkgs;
-
- imports = with tree;
- [
- presets.nixos.containerBase
- ./secrets.nix
- ]
- ++ (with hosts.hetzner-arm.containers.social-02.profiles; [
- gotosocial
- #restic
- ]);
-
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [8080];
- };
-
- home-manager.users.root.home.stateVersion = "23.05";
- system.stateVersion = "23.05";
- };
- };
-
- services.nginx.virtualHosts."gts-02.owo.monster" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://${containerIP}:8080";
- proxyWebsockets = true;
- extraConfig = ''
- # uncomment if running nginx without recommendedProxySettings
- # proxy_set_header Host $host;
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # proxy_set_header X-Forwarded-Proto $scheme;
- '';
- };
- extraConfig = ''
- client_max_body_size 128M;
- '';
- };
-}
diff --git a/hosts/hetzner-arm/containers/social-02/profiles/gotosocial.nix b/hosts/hetzner-arm/containers/social-02/profiles/gotosocial.nix
deleted file mode 100644
index 0e95378..0000000
--- a/hosts/hetzner-arm/containers/social-02/profiles/gotosocial.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{
- hostPath,
- config,
- ...
-}: let
- containerAddresses = import "${hostPath}/data/containerAddresses.nix";
- hostIP = containerAddresses.host;
- containerIP = containerAddresses.containers.social-02;
-
- secrets = config.services.secrets.secrets;
-in {
- services.gotosocial = {
- enable = true;
- setupPostgresqlDB = false;
- environmentFile = secrets.env_secrets.path;
-
- settings = {
- application-name = "chaos-gts";
- host = "gts-02.owo.monster";
- bind-address = "0.0.0.0";
-
- log-level = "info";
- log-client-ip = true;
-
- db-type = "postgres";
- db-user = "gotosocial_new";
- db-database = "gotosocial_new";
- db-address = "${containerAddresses.containers.postgresql}";
-
- trusted-proxies = [
- "127.0.0.1/32"
- "::1"
- hostIP
- containerIP
- ];
-
- port = 8080;
- letsencrypt-enabled = false;
-
- accounts-registration-open = false;
-
- smtp-host = "mail.owo.monster";
- smtp-port = 587;
- smtp-from = "gotosocial@owo.monster";
- smtp-username = "gotosocial@owo.monster";
- smtp-password = ""; # set via env variables
-
- instance-languages = ["en" "de"];
-
- media-image-max-size = 1000000 * 64; # MB
- media-video-max-size = 1000000 * 1024; # MB
- media-description-max-chars = 4000;
- media-emoji-local-max-size = 102400;
- media-emoji-remote-max-size = 102400;
-
- media-remote-cache-days = 1;
- media-cleanup-every = "6h";
-
- statuses-cw-max-chars = 150;
- statuses-poll-max-options = 10;
- statuses-media-max-files = 8;
-
- advanced-rate-limit-requests = 0;
-
- # only enable when testing out mastodon-api applications
- # that use instance version for api compatibility checks
- # instance-inject-mastodon-version = true;
-
- cache = {
- memory-target = "512MiB";
- };
- };
- };
-}
diff --git a/hosts/hetzner-arm/containers/social-02/secrets.nix b/hosts/hetzner-arm/containers/social-02/secrets.nix
deleted file mode 100644
index a5e64e8..0000000
--- a/hosts/hetzner-arm/containers/social-02/secrets.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{...}: {
- services.secrets = {
- enable = true;
-
- vaultLogin = {
- enable = true;
- loginUsername = "hetzner-arm-container-social";
- };
-
- autoSecrets = {
- enable = true;
- };
-
- requiredVaultPaths = [
- "private-public-keys/data/restic/Social"
-
- "api-keys/data/storage/restic/Social"
-
- "api-keys/data/chaos_mail/gotosocial"
- ];
-
- secrets = {
- vault_password = {
- manual = true;
- };
-
- restic_password = {
- fetchScript = ''
- simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
- '';
- };
- restic_env = {
- fetchScript = ''
- RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .restic)
- echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile"
- '';
- };
- env_secrets = {
- fetchScript = ''
- smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
- echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
- '';
- };
- };
- };
-}
diff --git a/hosts/hetzner-arm/containers/social/default.nix b/hosts/hetzner-arm/containers/social/default.nix
index a6a10da..83c543a 100644
--- a/hosts/hetzner-arm/containers/social/default.nix
+++ b/hosts/hetzner-arm/containers/social/default.nix
@@ -34,6 +34,7 @@ in {
 ]
 ++ (with hosts.hetzner-arm.containers.social.profiles; [
 gotosocial
+ restic
 ]);
 
 networking.firewall = {
@@ -46,7 +47,7 @@ in {
 };
 };
 
- services.nginx.virtualHosts."gts-01.owo.monster" = {
+ services.nginx.virtualHosts."gts-02.owo.monster" = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
diff --git a/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
index 602934e..ac6dcc5 100644
--- a/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
+++ b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
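Review bot: Adding `restic` to the social container's profile imports pulls in the restic profile moved by this commit, whose backupPrepareCommand stops the gotosocial service for the duration of the export and media prune, so every backup run now takes the instance offline; in the deleted social-02 container the same entry was still disabled as `#restic`. If that downtime is intended it is worth stating at the call site, e.g. `restic # stops gotosocial while exporting, see profiles/restic.nix`. The `imports` list this hunk edits starts before the hunk.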
@@ -16,16 +16,16 @@ in {
 
 settings = {
 application-name = "chaos-gts";
- host = "gts-01.owo.monster";
+ host = "gts-02.owo.monster";
 bind-address = "0.0.0.0";
 
 log-level = "info";
 log-client-ip = true;
 
 db-type = "postgres";
- db-address = "${containerAddresses.containers.postgresql}";
- db-database = "gotosocial";
 db-user = "gotosocial";
+ db-database = "gotosocial";
+ db-address = "${containerAddresses.containers.postgresql}";
 
 trusted-proxies = [
 "127.0.0.1/32"
diff --git a/hosts/hetzner-arm/containers/social-02/profiles/restic.nix b/hosts/hetzner-arm/containers/social/profiles/restic.nix
similarity index 83%
rename from hosts/hetzner-arm/containers/social-02/profiles/restic.nix
rename to hosts/hetzner-arm/containers/social/profiles/restic.nix
index d5b3aa4..c327cbc 100644
--- a/hosts/hetzner-arm/containers/social-02/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/social/profiles/restic.nix
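Review bot: `host` changes from `gts-01.owo.monster` to `gts-02.owo.monster` while `db-database` stays `gotosocial`, and GoToSocial documents `host` as a value that must not change once an instance has run against a database, because account and status URIs embed it. If the `gotosocial` database still holds the gts-01 instance this will break federation; if its contents were replaced with the former `gotosocial_new` data before this switch, that step is not visible in the commit and deserves a comment next to the setting, e.g. `host = "gts-02.owo.monster"; # NOTE: changed after initial setup, the "gotosocial" db must hold the gts-02 instance data`. The reordering of the three `db-*` lines is cosmetic only. The `settings` attribute set continues outside the hunk.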
@@ -7,23 +7,23 @@ # Because gotosocial-admin isn't a seporate package we need to generate a seperate config # and duplicate the wrapper for use in a systemd unit - goToSocialConfigFile = (pkgs.formats.yaml {}).generate "config.yml" config.services.gotosocial.settings; - goToSocialAdmin = "${(pkgs.writeShellScriptBin "goToSocialAdmin" '' + gotoSocialConfigFile = (pkgs.formats.yaml {}).generate "config.yml" config.services.gotosocial.settings; + gotoSocialAdmin = "${(pkgs.writeShellScriptBin "gts-admin" '' exec systemd-run \ -u gotosocial-admin.service \ -p Group=gotosocial \ -p User=gotosocial \ -q -t -G --wait --service-type=exec \ - ${pkgs.gotosocial}/bin/gotosocial --config-path ${goToSocialConfigFile} admin "$@" - '')}/bin/goToSocialAdmin"; + ${pkgs.gotosocial}/bin/gotosocial --config-path ${gotoSocialConfigFile} admin "$@" + '')}/bin/gts-admin"; backupPrepareCommand = "${ (pkgs.writeShellScriptBin "backupPrepareCommand" '' systemctl stop gotosocial - ${goToSocialAdmin} export --path /var/lib/gotosocial/gts-export.json + ${gotoSocialAdmin} export --path /var/lib/gotosocial/gts-export.json - ${goToSocialAdmin} media prune all --dry-run=false + ${gotoSocialAdmin} media prune all --dry-run=false systemctl start gotosocial '')
diff --git a/hosts/hetzner-arm/containers/social/secrets.nix b/hosts/hetzner-arm/containers/social/secrets.nix
index 41160b6..a5e64e8 100644
--- a/hosts/hetzner-arm/containers/social/secrets.nix
+++ b/hosts/hetzner-arm/containers/social/secrets.nix
@@ -12,6 +12,10 @@ }; requiredVaultPaths = [ + "private-public-keys/data/restic/Social" + + "api-keys/data/storage/restic/Social" + + "api-keys/data/chaos_mail/gotosocial" ];
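Review bot: The backupPrepareCommand script on the new side has no error handling: `pkgs.writeShellScriptBin` does not enable `set -e`, so a failing `gts-admin export` or `media prune` still falls through to `systemctl start gotosocial` and the backup proceeds with a missing or stale `gts-export.json`, while a script killed midway leaves gotosocial stopped. Suggest opening the script with `set -eu` and restoring the service with `trap 'systemctl start gotosocial' EXIT` immediately after the stop line, so a failure is reported to restic and the instance comes back either way. `media prune all --dry-run=false` deletes locally cached remote media before every backup; a one-line comment saying this is intentional would help the next reader. The `let` block continues outside the hunk, and the typos in the context comment (`seporate`, `seperate`) could be fixed while here.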
@@ -20,6 +24,17 @@
 manual = true;
 };
 
+ restic_password = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
+ '';
+ };
+ restic_env = {
+ fetchScript = ''
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .restic)
+ echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile"
+ '';
+ };
 env_secrets = {
 fetchScript = ''
 smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix
index b33e732..62af287 100644
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@@ -10,6 +10,5 @@
 caldav = "10.0.1.8";
 owncast = "10.0.1.9";
 jellyfin = "10.0.1.10";
- social-02 = "10.0.1.11";
 };
}
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
index 3f353d0..2abfc8d 100644
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@@ -21,7 +21,6 @@ in {
 ]
 ++ (forEach [
 "social"
- "social-02"
 "storage"
 "music"
 "quassel"
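Review bot: In `restic_env` the shell variable named `RESTIC_PASSWORD` holds the REST server's HTTP credential, not the repository password that `restic_password` fetches, and `RESTIC_PASSWORD` is also the variable restic itself reads from the environment for the repository password; because the value is only interpolated into the URL and never exported it works, but the name invites confusion, so `REST_HTTP_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .restic)` with the matching change on the `echo` line would be clearer. The credential is spliced raw into the URL, so a value containing `@`, `/`, `:` or `%` would be misparsed; unless the stored value is known to be URL-safe it should be percent-encoded first. Whether `fetchScript` runs under `set -e` is not visible here; if it does not, a failed `simple_get` silently writes a `$secretFile` with an empty password instead of failing. The `secrets` attribute set starts before the hunk.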