Compare commits
8 Commits
e556dae87d
...
yshtola-bu
| Author | SHA1 | Date | |
|---|---|---|---|
| af0357aa1e | |||
| 4e0a2fc86f | |||
| 8b7c4fd871 | |||
| 1d04c5b5cd | |||
| 754635dafc | |||
| edada4c1c9 | |||
| a2899cf823 | |||
| 807d099a70 |
@@ -1,4 +1,5 @@
|
||||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
userName,
|
||||
@@ -17,8 +18,10 @@
|
||||
# After deploying Mastodon, register an OAuth application at
|
||||
# https://social.wyattjmiller.com/settings/applications and write the
|
||||
# client ID / secret to these paths (chmod 400, owned by the tuwunel user):
|
||||
mastodonOauthClientIdFile = "/var/lib/tuwunel/mastodon-oauth-client-id";
|
||||
mastodonOauthClientSecretFile = "/var/lib/tuwunel/mastodon-oauth-client-secret";
|
||||
mastodonOauthClientIdFile = "/var/lib/private/tuwunel/matrix-oauth-client-id";
|
||||
mastodonOauthClientSecretFile = "/var/lib/private/tuwunel/matrix-oauth-client-secret";
|
||||
mastodonOauthClientId = builtins.readFile mastodonOauthClientIdFile;
|
||||
mastodonOauthClientSecret = builtins.readFile mastodonOauthClientSecretFile;
|
||||
in {
|
||||
imports = [
|
||||
../../pwrMgmt
|
||||
@@ -129,11 +132,14 @@ in {
|
||||
services.mastodon = {
|
||||
enable = true;
|
||||
localDomain = mastodonFqdn;
|
||||
webPort = 3000;
|
||||
enableUnixSocket = false;
|
||||
configureNginx = false;
|
||||
secretKeyBaseFile = "${mastodonSecretsDir}/secret_key_base";
|
||||
otpSecretFile = "${mastodonSecretsDir}/otp_secret";
|
||||
# otpSecretFile = "${mastodonSecretsDir}/otp_secret";
|
||||
vapidPrivateKeyFile = "${mastodonSecretsDir}/vapid_private_key";
|
||||
vapidPublicKeyFile = "${mastodonSecretsDir}/vapid_public_key";
|
||||
streamingProcesses = 3;
|
||||
# Configure SMTP after initial deploy via mastodonSecretsDir or a separate
|
||||
# NixOS secrets manager (sops-nix / agenix).
|
||||
smtp = {
|
||||
@@ -189,18 +195,21 @@ in {
|
||||
# 1. Visit https://social.wyattjmiller.com/settings/applications
|
||||
# 2. Create a new application with the redirect URI:
|
||||
# https://chat.wyattjmiller.com/_matrix/client/v3/login/sso/redirect/oidc-mastodon
|
||||
# and scopes: read:accounts
|
||||
# 3. Write the Application ID → /var/lib/tuwunel/mastodon-oauth-client-id (chmod 400, owned by tuwunel)
|
||||
# Write the Client Secret → /var/lib/tuwunel/mastodon-oauth-client-secret
|
||||
# and scopes: profile
|
||||
# 3. Write the Client Key → /var/lib/private/tuwunel/matrix-oauth-client-id (chmod 400, owned by tuwunel)
|
||||
# Write the Client Secret → /var/lib/private/tuwunel/matrix-oauth-client-secret
|
||||
# 4. nixos-rebuild switch (or restart tuwunel.service)
|
||||
identity_provider= [
|
||||
identity_provider = [
|
||||
{
|
||||
brand = "Mastodon";
|
||||
issuer_url = "https://${mastodonFqdn}";
|
||||
id = "oidc-mastodon";
|
||||
client_id = mastodonOauthClientIdFile;
|
||||
client_secret = mastodonOauthClientSecretFile;
|
||||
scope = ["openid" "read:accounts"];
|
||||
# id = mastodonOauthClientId;
|
||||
callback_url = "https://${matrixFqdn}/_matrix/client/unstable/login/sso/callback/${lib.removeSuffix "\n" (mastodonOauthClientId)}";
|
||||
discovery_url = "https://${mastodonFqdn}/.well-known/oauth-authorization-server";
|
||||
client_id = lib.removeSuffix "\n" (mastodonOauthClientId);
|
||||
client_secret = lib.removeSuffix "\n" (mastodonOauthClientSecret);
|
||||
scope = ["profile"];
|
||||
userid_claims = ["preferred_username"];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user