diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index aea1c9228676..7fc710c6fcec 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -4,7 +4,8 @@ let
cfg = config.services.mastodon;
opt = options.services.mastodon;
- # We only want to create a database if we're actually going to connect to it.
+ # We only want to create a Redis and PostgreSQL databases if we're actually going to connect to it local.
+ redisActuallyCreateLocally = cfg.redis.createLocally && (cfg.redis.host == "127.0.0.1" || cfg.redis.enableUnixSocket);
databaseActuallyCreateLocally = cfg.database.createLocally && cfg.database.host == "/run/postgresql";
env = {
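Review bot: `redisActuallyCreateLocally` on line 10 silently turns `redis.createLocally = true` into a no-op whenever `redis.host` is not the literal string `"127.0.0.1"` (for example `"localhost"` or `"::1"`) and the Unix socket is off, so the user gets no local Redis and every service loses its `redis-mastodon.service` ordering without any diagnostic. The PostgreSQL binding on line 11 has the same shape, but a configuration whose intent is clearly "create it locally" and which then does not should at least be surfaced: an assertion with `assertion = cfg.redis.createLocally -> redisActuallyCreateLocally;` in this module's assertions list (a later hunk) would do. The comment on line 9 also reads awkwardly; suggest `# Only create the Redis and PostgreSQL instances if we are actually going to connect to them locally.`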
@@ -117,11 +118,11 @@ let
threads = toString (if processCfg.threads == null then cfg.sidekiqThreads else processCfg.threads);
in {
after = [ "network.target" "mastodon-init-dirs.service" ]
- ++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
+ ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
requires = [ "mastodon-init-dirs.service" ]
- ++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
+ ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
description = "Mastodon sidekiq${jobClassLabel}";
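Review bot: The same three-entry dependency tail is repeated verbatim in `after` and `requires` here and again in the hunks at lines 27 and 76, so this commit had to touch six copies of one line. Binding it once next to the definitions on lines 10–11, e.g. `serviceDeps = lib.optional redisActuallyCreateLocally "redis-mastodon.service" ++ lib.optional databaseActuallyCreateLocally "postgresql.service" ++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";`, and writing `after = [ "network.target" "mastodon-init-dirs.service" ] ++ serviceDeps;` would make the next such change a one-line edit. The sidekiq service definition this belongs to starts and ends outside the hunk.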
@@ -149,11 +150,11 @@ let
name = "mastodon-streaming-${toString i}";
value = {
after = [ "network.target" "mastodon-init-dirs.service" ]
- ++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
+ ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
requires = [ "mastodon-init-dirs.service" ]
- ++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
+ ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
wantedBy = [ "mastodon.target" "mastodon-streaming.target" ];
@@ -410,6 +411,13 @@ in {
default = 31637;
};
+ passwordFile = lib.mkOption {
+ description = lib.mdDoc "A file containing the password for Redis database.";
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ example = "/run/keys/mastodon-redis-password";
+ };
+
enableUnixSocket = lib.mkOption {
description = lib.mdDoc "Use Unix socket";
type = lib.types.bool;
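Review bot: The description on line 45 does not say how the file is consumed or what it must not be: a later hunk in this file reads it with `cat` at service start, so it must be readable by the user the service runs as, and because the option is typed `lib.types.path` a path literal such as `./redis-password` would be copied into the world-readable Nix store. Suggest `description = lib.mdDoc "A file containing the password for the Redis database. It is read at service start and must be readable by the Mastodon service user; do not use a path literal, as that would copy the secret into the Nix store.";`. The surrounding `redis` option set starts and ends outside the hunk.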
@@ -623,6 +631,13 @@ in {
config = lib.mkIf cfg.enable (lib.mkMerge [{
assertions = [
+ {
+ assertion = redisActuallyCreateLocally -> (!cfg.redis.enableUnixSocket || cfg.redis.passwordFile == null);
+ message = ''
+ needs to be disabled if
+ is used.
+ '';
+ }
{
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user && cfg.database.user == cfg.database.name);
message = ''
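Review bot: The assertion message on lines 60–61 as shown names neither option (`needs to be disabled if` / `is used.`), so a user hitting it sees a sentence with no subject; if the option names were in markup that this rendering stripped, ignore this, otherwise suggest `services.mastodon.redis.enableUnixSocket needs to be disabled if services.mastodon.redis.passwordFile is used.` on a single line. Note also that the condition only rejects the Unix-socket-plus-password combination; a locally created Redis over `127.0.0.1` together with `passwordFile` is still accepted, which is only correct if the server block later in this file actually enforces that password. The assertions list continues outside the hunk.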
@@ -700,6 +715,8 @@ in {
OTP_SECRET="$(cat ${cfg.otpSecretFile})"
VAPID_PRIVATE_KEY="$(cat ${cfg.vapidPrivateKeyFile})"
VAPID_PUBLIC_KEY="$(cat ${cfg.vapidPublicKeyFile})"
+ '' + lib.optionalString (cfg.redis.passwordFile != null)''
+ REDIS_PASSWORD="$(cat ${cfg.redis.passwordFile})"
'' + lib.optionalString (cfg.database.passwordFile != null) ''
DB_PASS="$(cat ${cfg.database.passwordFile})"
'' + lib.optionalString cfg.smtp.authenticate ''
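Review bot: Line 71 drops the space between the condition and the string literal (`(cfg.redis.passwordFile != null)''`) while the sibling on line 73 keeps it; suggest `'' + lib.optionalString (cfg.redis.passwordFile != null) ''` for consistency. Reading the secret with `$(cat ...)` at runtime, as `DB_PASS` already does, correctly keeps it out of the store. The shell snippet these lines belong to starts and ends outside the hunk.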
@@ -762,11 +779,11 @@ in {
systemd.services.mastodon-web = {
after = [ "network.target" "mastodon-init-dirs.service" ]
- ++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
+ ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
requires = [ "mastodon-init-dirs.service" ]
- ++ lib.optional cfg.redis.createLocally "redis-mastodon.service"
+ ++ lib.optional redisActuallyCreateLocally "redis-mastodon.service"
++ lib.optional databaseActuallyCreateLocally "postgresql.service"
++ lib.optional cfg.automaticMigrations "mastodon-init-db.service";
wantedBy = [ "mastodon.target" ];
@@ -847,7 +864,7 @@ in {
enable = true;
hostname = lib.mkDefault "${cfg.localDomain}";
};
- services.redis.servers.mastodon = lib.mkIf cfg.redis.createLocally (lib.mkMerge [
+ services.redis.servers.mastodon = lib.mkIf redisActuallyCreateLocally (lib.mkMerge [
{
enable = true;
}
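Review bot: The `mkMerge` body that configures the local Redis server continues past line 97, so I cannot see whether it forwards `cfg.redis.passwordFile` as `requirePassFile` when `redisActuallyCreateLocally` is true on the TCP path (`host = "127.0.0.1"`); the assertion added earlier in this file forbids the password only together with `enableUnixSocket`, so local-TCP-plus-password is permitted. If the rest of the block does not wire it, the client sends a password the server never enforces and the option is misleading for the local case. Either add `(lib.mkIf (cfg.redis.passwordFile != null) { requirePassFile = cfg.redis.passwordFile; })` to the merge list, or extend the assertion to reject `passwordFile` whenever the server is created locally.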
diff --git a/nixos/tests/web-apps/mastodon/default.nix b/nixos/tests/web-apps/mastodon/default.nix
index 411ebfcd731b..178590d13b63 100644
--- a/nixos/tests/web-apps/mastodon/default.nix
+++ b/nixos/tests/web-apps/mastodon/default.nix
@@ -5,5 +5,5 @@ let
in
{
standard = handleTestOn supportedSystems ./standard.nix { inherit system; };
- remote-postgresql = handleTestOn supportedSystems ./remote-postgresql.nix { inherit system; };
+ remote-databases = handleTestOn supportedSystems ./remote-databases.nix { inherit system; };
}
diff --git a/nixos/tests/web-apps/mastodon/remote-postgresql.nix b/nixos/tests/web-apps/mastodon/remote-databases.nix
similarity index 80%
rename from nixos/tests/web-apps/mastodon/remote-postgresql.nix
rename to nixos/tests/web-apps/mastodon/remote-databases.nix
index 6548883db452..fa6430a99353 100644
--- a/nixos/tests/web-apps/mastodon/remote-postgresql.nix
+++ b/nixos/tests/web-apps/mastodon/remote-databases.nix
@@ -16,7 +16,14 @@ in
meta.maintainers = with pkgs.lib.maintainers; [ erictapen izorkin ];
nodes = {
- database = { config, ... }: {
+ databases = { config, ... }: {
+ environment = {
+ etc = {
+ "redis/password-redis-db".text = ''
+ ogjhJL8ynrP7MazjYOF6
+ '';
+ };
+ };
networking = {
interfaces.eth1 = {
ipv4.addresses = [
@@ -24,7 +31,17 @@ in
];
};
extraHosts = hosts;
- firewall.allowedTCPPorts = [ config.services.postgresql.port ];
+ firewall.allowedTCPPorts = [
+ config.services.redis.servers.mastodon.port
+ config.services.postgresql.port
+ ];
+ };
+
+ services.redis.servers.mastodon = {
+ enable = true;
+ bind = "0.0.0.0";
+ port = 31637;
+ requirePassFile = "/etc/redis/password-redis-db";
};
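Review bot: The Redis password fixture `ogjhJL8ynrP7MazjYOF6` is written out twice, here on line 124 and again on the mastodon node on line 153, with nothing tying the copies together; the file already has a `let` block for shared values (`hosts` on line 134), so a single `redisPassword = "ogjhJL8ynrP7MazjYOF6";` binding used in both `environment.etc` entries would keep them from drifting. `environment.etc` files are world-readable by default, which is acceptable for a VM fixture, but it means the test never exercises the realistic deployment where the password file is readable only by the service user; giving the mastodon node's copy a restrictive `mode` and the service user as owner would cover that path — confirm from the module which user performs the `cat`. The `databases` node definition continues outside the hunk.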
services.postgresql = {
@@ -83,6 +100,9 @@ in
environment = {
etc = {
+ "mastodon/password-redis-db".text = ''
+ ogjhJL8ynrP7MazjYOF6
+ '';
"mastodon/password-posgressql-db".text = ''
SoDTZcISc3f1M1LJsRLT
'';
@@ -108,6 +128,12 @@ in
localDomain = "mastodon.local";
enableUnixSocket = false;
streamingProcesses = 2;
+ redis = {
+ createLocally = false;
+ host = "192.168.2.102";
+ port = 31637;
+ passwordFile = "/etc/mastodon/password-redis-db";
+ };
database = {
createLocally = false;
host = "192.168.2.102";
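Review bot: The new `redis` block on lines 162–167 sets `host` and `port` but not `redis.enableUnixSocket`; if that option defaults to true (its default is not visible here), the module may still hand Mastodon a socket path rather than `192.168.2.102:31637`, and the test would then pass or fail for a reason unrelated to remote Redis. If so, add `enableUnixSocket = false;` inside the `redis` block so the remote TCP-with-password path is what is actually exercised. The `database` block that follows continues outside the hunk.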
@@ -151,12 +177,14 @@ in
extraInit = ''
nginx.wait_for_unit("nginx.service")
nginx.wait_for_open_port(443)
- database.wait_for_unit("postgresql.service")
- database.wait_for_open_port(5432)
+ databases.wait_for_unit("redis-mastodon.service")
+ databases.wait_for_unit("postgresql.service")
+ databases.wait_for_open_port(31637)
+ databases.wait_for_open_port(5432)
'';
extraShutdown = ''
nginx.shutdown()
- database.shutdown()
+ databases.shutdown()
'';
};
})
diff --git a/nixos/tests/web-apps/mastodon/script.nix b/nixos/tests/web-apps/mastodon/script.nix
index afb7c0e0a0eb..9184c63c8941 100644
--- a/nixos/tests/web-apps/mastodon/script.nix
+++ b/nixos/tests/web-apps/mastodon/script.nix
@@ -8,7 +8,6 @@
${extraInit}
- server.wait_for_unit("redis-mastodon.service")
server.wait_for_unit("mastodon-sidekiq-all.service")
server.wait_for_unit("mastodon-streaming.target")
server.wait_for_unit("mastodon-web.service")
diff --git a/nixos/tests/web-apps/mastodon/standard.nix b/nixos/tests/web-apps/mastodon/standard.nix
index e14cf592332e..ddc764e2168c 100644
--- a/nixos/tests/web-apps/mastodon/standard.nix
+++ b/nixos/tests/web-apps/mastodon/standard.nix
@@ -83,6 +83,7 @@ in
extraInit = ''
server.wait_for_unit("nginx.service")
server.wait_for_open_port(443)
+ server.wait_for_unit("redis-mastodon.service")
server.wait_for_unit("postgresql.service")
server.wait_for_open_port(5432)
'';