migrate gotosocial from aspartame to fructose. changes include: changing database address, adding record to Caddyfile and updating the firewall rules.

2024-12-21 19:03:19 +02:00 · 2024-12-21 19:03:19 +02:00 · ec6eba2a3c
commit ec6eba2a3c
parent a4169ccaa9
4 changed files with 24 additions and 21 deletions
--- a/networking/firewall.mod.nix
+++ b/networking/firewall.mod.nix
@ -8,10 +8,10 @@
      networking.firewall.interfaces.wg0 = {
        # TODO: set up prometheus authentication, perhaps with a certificate. not *that* urgent because it's only on the wireguard netwrok, maybe it's not even needed at all -e
        allowedTCPPorts = [
-          6703
+          6703 # prometheus node exporter
        ];
        allowedUDPPorts = [
-          6703
+          6703 # prometheus node exporter
        ];
      };
    }
@ -22,7 +22,8 @@
      networking.firewall = {
        allowedUDPPorts = [];
        allowedTCPPorts = [
-          3000 # forgejo http
+          3000 # forgejo web
+          8080 # gotosocial web
          222 # forgejo ssh
        ];
      };
@ -34,13 +35,13 @@
      networking.firewall = {
        allowedTCPPorts = [
          64738 # murmur tcp
-          6700 # grafana
+          6700 # grafana web
          6750 # prometheus
        ];
        allowedUDPPorts = [
          64738 # murmur udp
-          6700 # grafana
-          6750 # prometheus
+          6700 # grafana web
+          6750 # prometheus data ap
        ];
      };
    }
--- a/services/caddy/Caddyfile
+++ b/services/caddy/Caddyfile
@ -38,7 +38,7 @@ https://gts.collective-conciousness.monster {
    encode zstd gzip

    # The actual proxy configuration to port 8080 (unless you've chosen another port number)
-    reverse_proxy 127.0.0.1:8080 {
+    reverse_proxy 10.24.1.9:8080 {
        # Flush immediately, to prevent buffered response to the client
        flush_interval -1
    }
--- a/services/social/gts.mod.nix
+++ b/services/social/gts.mod.nix
@ -1,5 +1,5 @@
 {
-  aspartame.modules = [
+  fructose.modules = [
    (
      {
        pkgs,
@ -24,16 +24,17 @@
            host = "gts.collective-conciousness.monster";
            account-domain = "";
            protocol = "https";
-            bind-address = "127.0.0.1";
+            bind-address = "0.0.0.0";
            port = 8080;
            trusted-proxies = [
+              "10.24.1.16/32"
              "127.0.0.1/32"
              "::1"
            ];

            ### Database config - still have to set this up.
            db-type = "postgres";
-            db-address = "10.24.1.9";
+            db-address = "127.0.0.1";
            db-port = "5432";
            #            db-password = ""; # commented out because it is being passed through env files. # GTS_DB_PASSWORD
            db-database = "gtsdb";
@ -84,7 +85,7 @@

            ### Storage config
            storage-backend = "local";
-            storage-local-base-path = "/var/gts/storage";
+            storage-local-base-path = "/var/services/gts/storage";
            # ommited settings related to s3

            ### Statuses config
--- a/sops.mod.nix
+++ b/sops.mod.nix
@ -20,16 +20,8 @@
      sops.secrets.remote-build-ssh-privkey = {};
    }
  ];
-  aspartame.modules = [
-    (
-      {config, ...}: {
-        sops.secrets.gts_db_pass = {};
-        sops.templates."gts.env.secrets.yaml".content = ''
-          GTS_DB_PASSWORD=${config.sops.placeholder."gts_db_pass"}
-        '';
-      }
-    )
-  ];
+ /* aspartame.modules = [
+  ]; */
  sucrose.modules = [
    (
      {config, ...}: {
@ -93,6 +85,15 @@
        '';
      }
    )
+    (
+      {config, ...}: {
+        sops.secrets.gts_db_pass = {};
+        sops.secrets.gts_db_pass.owner = "gotosocial";
+        sops.templates."gts.env.secrets.yaml".content = ''
+          GTS_DB_PASSWORD=${config.sops.placeholder."gts_db_pass"}
+        '';
+      }
+    )
  ];
  personal.modules = [
    (