diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index b43af0758e5e..0fd0382998c2 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -119,6 +119,15 @@
services.opensnitch.rules
+
+
+ services.mastodon gained a tootctl wrapped
+ named mastodon-tootctl similar to
+ nextcloud-occ which can be executed from
+ any user and switches to the configured mastodon user with
+ sudo and sources the environment variables.
+
+
A new virtualisation.rosetta module was
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index fd58623a68ef..39550d44733a 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -41,6 +41,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- The module for the application firewall `opensnitch` got the ability to configure rules. Available as [services.opensnitch.rules](#opt-services.opensnitch.rules)
+- `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.
+
- A new `virtualisation.rosetta` module was added to allow running `x86_64` binaries through [Rosetta](https://developer.apple.com/documentation/apple-silicon/about-the-rosetta-translation-environment) inside virtualised NixOS guests on Apple silicon. This feature works by default with the [UTM](https://docs.getutm.app/) virtualisation [package](https://search.nixos.org/packages?channel=unstable&show=utm&from=0&size=1&sort=relevance&type=packages&query=utm).
- Resilio sync secret keys can now be provided using a secrets file at runtime, preventing these secrets from ending up in the Nix store.
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index a221186adf64..8122c2449491 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -92,12 +92,18 @@ let
] else []
) env))));
- mastodonEnv = pkgs.writeShellScriptBin "mastodon-env" ''
+ mastodonTootctl = pkgs.writeShellScriptBin "mastodon-tootctl" ''
+ #! ${pkgs.runtimeShell}
set -a
export RAILS_ROOT="${cfg.package}"
source "${envFile}"
source /var/lib/mastodon/.secrets_env
- eval -- "\$@"
+
+ sudo=exec
+ if [[ "$USER" != ${cfg.user} ]]; then
+ sudo='exec /run/wrappers/bin/sudo -u ${cfg.user} --preserve-env'
+ fi
+ $sudo ${cfg.package}/bin/tootctl "$@"
'';
in {
@@ -133,15 +139,10 @@ in {
description = lib.mdDoc ''
User under which mastodon runs. If it is set to "mastodon",
that user will be created, otherwise it should be set to the
- name of a user created elsewhere. In both cases,
- `mastodon` and a package containing only
- the shell script `mastodon-env` will be added to
- the user's package set. To run a command from
- `mastodon` such as `tootctl`
- with the environment configured by this module use
- `mastodon-env`, as in:
-
- `mastodon-env tootctl accounts create newuser --email newuser@example.com`
+ name of a user created elsewhere.
+ In both cases, the `mastodon` package will be added to the user's package set
+ and a tootctl wrapper to system packages that switches to the configured account
+ and load the right environment.
'';
type = lib.types.str;
default = "mastodon";
@@ -485,6 +486,8 @@ in {
}
];
+ environment.systemPackages = [ mastodonTootctl ];
+
systemd.services.mastodon-init-dirs = {
script = ''
umask 077
@@ -704,7 +707,7 @@ in {
inherit (cfg) group;
};
})
- (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package mastodonEnv pkgs.imagemagick ])
+ (lib.attrsets.setAttrByPath [ cfg.user "packages" ] [ cfg.package pkgs.imagemagick ])
];
users.groups.${cfg.group}.members = lib.optional cfg.configureNginx config.services.nginx.user;
diff --git a/nixos/tests/web-apps/mastodon.nix b/nixos/tests/web-apps/mastodon.nix
index d3d53dc31946..f10cb8cdc677 100644
--- a/nixos/tests/web-apps/mastodon.nix
+++ b/nixos/tests/web-apps/mastodon.nix
@@ -104,24 +104,24 @@ in
# Simple check tootctl commands
# Check Mastodon version
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl version' | grep '${pkgs.mastodon.version}'")
+ server.succeed("mastodon-tootctl version | grep '${pkgs.mastodon.version}'")
# Manage accounts
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks add example.com'")
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks list' | grep 'example.com'")
- server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks list' | grep 'mastodon.local'")
- server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts create alice --email=alice@example.com'")
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl email_domain_blocks remove example.com'")
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts create bob --email=bob@example.com'")
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts approve bob'")
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl accounts delete bob'")
+ server.succeed("mastodon-tootctl email_domain_blocks add example.com")
+ server.succeed("mastodon-tootctl email_domain_blocks list | grep example.com")
+ server.fail("mastodon-tootctl email_domain_blocks list | grep mastodon.local")
+ server.fail("mastodon-tootctl accounts create alice --email=alice@example.com")
+ server.succeed("mastodon-tootctl email_domain_blocks remove example.com")
+ server.succeed("mastodon-tootctl accounts create bob --email=bob@example.com")
+ server.succeed("mastodon-tootctl accounts approve bob")
+ server.succeed("mastodon-tootctl accounts delete bob")
# Manage IP access
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks add 192.168.0.0/16 --severity=no_access'")
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks export' | grep '192.168.0.0/16'")
- server.fail("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks export' | grep '172.16.0.0/16'")
+ server.succeed("mastodon-tootctl ip_blocks add 192.168.0.0/16 --severity=no_access")
+ server.succeed("mastodon-tootctl ip_blocks export | grep 192.168.0.0/16")
+ server.fail("mastodon-tootctl ip_blocks export | grep 172.16.0.0/16")
client.fail("curl --fail https://mastodon.local/about")
- server.succeed("su - mastodon -s /bin/sh -c 'mastodon-env tootctl ip_blocks remove 192.168.0.0/16'")
+ server.succeed("mastodon-tootctl ip_blocks remove 192.168.0.0/16")
client.succeed("curl --fail https://mastodon.local/about")
server.shutdown()