Init, with Mastodon and Akkoma support.

.gitignore

@@ -0,0 +1,2 @@
+data
+cert

flake.lock

@@ -0,0 +1,25 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1688221086,
+        "narHash": "sha256-cdW6qUL71cNWhHCpMPOJjlw0wzSRP0pVlRn2vqX/VVg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cd99c2b3c9f160cd004318e0697f90bbd5960825",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,80 @@
+{
+  outputs = { self, nixpkgs }: {
+    # nixosModules.base = {pkgs, ...}: {
+    #   system.stateVersion = "22.05";
+
+    #   # Configure networking
+    #   networking.useDHCP = false;
+    #   networking.interfaces.eth0.useDHCP = true;
+
+    #   # Create user "test"
+    #   services.getty.autologinUser = "test";
+    #   users.users.test.isNormalUser = true;
+
+    #   # Enable passwordless ‘sudo’ for the "test" user
+    #   users.users.test.extraGroups = ["wheel"];
+    #   security.sudo.wheelNeedsPassword = false;
+    # };
+    # nixosModules.vm = {...}: {
+    #   # Make VM output to the terminal instead of a separate window
+    #   virtualisation.vmVariant.virtualisation.graphics = false;
+    # };
+    # nixosConfigurations.darwinVM = nixpkgs.lib.nixosSystem {
+    #   system = "x86_64-linux";
+    #   modules = [
+    #     (builtins.trace (builtins.attrNames self) self.nixosModules.base)
+    #     self.nixosModules.vm
+    #     {
+    #       virtualisation.vmVariant.virtualisation.host.pkgs = nixpkgs.legacyPackages.x86_64-darwin;
+    #     }
+    #   ];
+    # };
+    # packages.x86_64-darwin.darwinVM = self.nixosConfigurations.darwinVM.config.system.build.vm;
+    apps.x86_64-darwin.default = let
+      pkgs = nixpkgs.legacyPackages.x86_64-darwin;
+      s6 = (import ./nix/s6.nix {
+        inherit pkgs;
+        services = pkgs.lib.attrsets.mapAttrs (_: v: v.service)
+          (import ./nix/services.nix { inherit pkgs; });
+        path = "service";
+      });
+    in {
+      type = "app";
+      program = let
+        script = pkgs.writeShellScript "minifedi" ''
+          export PATH=${pkgs.gnugrep}/bin:${pkgs.gnused}/bin:${pkgs.coreutils}/bin
+
+          if ! [[ -e .is-minifedi ]]; then
+            echo "please run this from the minifedi directory"
+            exit 1
+          fi
+          mkdir -p data
+          mkdir -p cert
+          rm -rf data/run
+          mkdir data/run
+          export MINIFEDI_CERT=$(pwd)/cert
+          export MINIFEDI_DATA=$(pwd)/data
+          export MINIFEDI_RUN=$(pwd)/data/run
+          exec ${s6.start}
+        '';
+      in "${script}";
+    };
+    apps.x86_64-darwin.install-cert =
+      let pkgs = nixpkgs.legacyPackages.x86_64-darwin;
+      in {
+        type = "app";
+        program = let
+          script = pkgs.writeShellScript "minifedi-install-cert" ''
+            if ! [[ -e .is-minifedi ]]; then
+              echo "please run this from the minifedi directory"
+              exit 1
+            fi
+
+            mkdir -p cert
+
+            CAROOT=$MINIFEDI_CERT ${pkgs.mkcert}/bin/mkcert -install
+          '';
+        in "${script}";
+      };
+  };
+}

nix/fedi/akkoma/default.nix

@@ -0,0 +1,214 @@
+{ pkgs, name, }:
+let
+  env = {
+    MIX_ENV = "prod";
+    ERL_EPMD_ADDRESS = "127.0.0.1";
+  };
+
+  static = pkgs.linkFarm "static" {
+    frontends = pkgs.linkFarm "frontends" {
+      akkoma =
+        pkgs.linkFarm "pleroma" { stable = pkgs.akkoma-frontends.akkoma-fe; };
+      # admin =
+      #   pkgs.linkFarm "admin" { stable = pkgs.akkoma-frontends.admin-fe; };
+    };
+  };
+
+  config = pkgs.writeText "config.exs" ''
+    import Config
+
+    config :pleroma, Pleroma.Web.Endpoint,
+      url: [host: "${name}.lvh.me", scheme: "https", port: 443],
+      http: [ip: {:local, "$MINIFEDI_RUN/${name}/akkoma.sock"}, port: 0],
+      secret_key_base: "$SECRET_KEY_BASE",
+      live_view: [signing_salt: "$LIVE_VIEW_SIGNING_SALT"],
+      signing_salt: "$SIGNING_SALT"
+
+    config :pleroma, :instance,
+      name: "${name}",
+      email: "a@${name}.example",
+      notify_email: "noreply@${name}.example",
+      limit: 5000,
+      registrations_open: true
+
+    config :pleroma, :media_proxy,
+      enabled: false,
+      redirect_on_failure: true
+      #base_url: "https://cache.pleroma.social"
+
+    config :pleroma, Pleroma.Repo,
+      adapter: Ecto.Adapters.Postgres,
+      username: "${name}",
+      password: "",
+      database: "${name}",
+      socket_dir: "$MINIFEDI_RUN/postgres/"
+
+    # Configure web push notifications
+    config :web_push_encryption, :vapid_details,
+      subject: "mailto:a@${name}.example",
+      public_key: "$WEB_PUSH_PUBLIC_KEY",
+      private_key: "$WEB_PUSH_PRIVATE_KEY"
+
+    config :pleroma, :database, rum_enabled: false
+    config :pleroma, :instance, static_dir: "${static}"
+    config :pleroma, Pleroma.Uploaders.Local, uploads: "$MINIFEDI_DATA/${name}/uploads"
+
+    config :joken, default_signer: "$JWT_SECRET"
+
+    config :pleroma, configurable_from_database: false
+
+    config :tzdata, :data_dir, "$MINIFEDI_DATA/${name}/tzdata"
+
+    config :pleroma, :frontends,
+      primary: %{
+        "name" => "akkoma",
+        "ref" => "stable"
+      }
+
+    config :pleroma, :http, adapter: [pools: %{default: [conn_opts: [transport_opts: [cacertfile: "$MINIFEDI_CERT/rootCA.pem"]]]}]
+  '';
+  # admin: %{
+  #   "name" => "admin",
+  #   "ref" => "stable"
+  # }
+
+  path = pkgs.lib.strings.concatStrings (builtins.map (x: "${x}/bin:") [
+    pkgs.akkoma
+    pkgs.elixir
+    pkgs.s6
+    pkgs.postgresql
+    # used by pleroma shell script for rpc
+    pkgs.gawk
+    # envsubst
+    pkgs.gettext
+    # used to generate keys
+    pkgs.openssl
+  ]);
+in {
+  service = pkgs.linkFarm name [{
+    name = "run";
+    path = pkgs.writeShellScript "run-${name}" ''
+      set -e
+
+      export PATH=${path}$PATH
+
+      cd ${pkgs.akkoma}
+
+      data=$MINIFEDI_DATA/${name}
+      run=$MINIFEDI_RUN/${name}
+      postgres=$MINIFEDI_RUN/postgres
+
+      mkdir -p $data
+      mkdir -p $data/uploads
+      mkdir -p $data/tzdata
+      mkdir -p $run
+
+      s6-svwait -U $MINIFEDI_RUN/service/postgres
+
+      ${pkgs.lib.strings.concatStrings (pkgs.lib.attrsets.mapAttrsToList
+        (k: v: ''
+          export ${k}=${v}
+        '') env)}
+
+      if ! [ -e $data/setup-done ]; then
+        openssl rand -base64 64 | head -c 64 > $data/secret_key_base
+        openssl rand -base64 64 | head -c 64 > $data/jwt_secret
+        openssl rand -base64 8 | head -c 8 > $data/signing_salt
+        openssl rand -base64 8 | head -c 8 > $data/live_view_signing_salt
+        openssl ecparam -genkey -name prime256v1 | openssl ec -out $data/web_push_keypair.pem
+        openssl ec -in $data/web_push_keypair.pem -pubout -out $data/web_push_public_key
+        openssl ec -in $data/web_push_keypair.pem -out $data/web_push_private_key
+      fi
+
+      export SECRET_KEY_BASE=$(cat $data/secret_key_base)
+      export JWT_SECRET=$(cat $data/jwt_secret)
+      export SIGNING_SALT=$(cat $data/jwt_secret)
+      export LIVE_VIEW_SIGNING_SALT=$(cat $data/live_view_signing_salt)
+      export WEB_PUSH_PRIVATE_KEY=$(cat $data/web_push_private_key)
+      export WEB_PUSH_PUBLIC_KEY=$(cat $data/web_push_public_key)
+
+      export RELEASE_COOKIE=$(openssl rand -base64 64)
+
+      cat ${config} | envsubst > $data/config.exs
+      export AKKOMA_CONFIG_PATH=$data/config.exs
+
+      if ! [ -e $data/setup-done ]; then
+        createuser -h$postgres ${name}
+        createdb -h$postgres ${name} -O${name}
+
+        psql -h$postgres -d${name} -c 'CREATE EXTENSION IF NOT EXISTS citext;'
+        psql -h$postgres -d${name} -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;'
+        psql -h$postgres -d${name} -c 'CREATE EXTENSION IF NOT EXISTS "uuid-ossp";'
+
+        pleroma_ctl migrate
+
+        export PLEROMA_CTL_RPC_DISABLED=true
+        pleroma_ctl user new a a@${name}.example --assume-yes --password Aa12345! --admin
+        pleroma_ctl user new b b@${name}.example --assume-yes --password Bb12345!
+        pleroma_ctl user new c c@${name}.example --assume-yes --password Cc12345!
+        pleroma_ctl user new d d@${name}.example --assume-yes --password Dd12345!
+        pleroma_ctl user new e e@${name}.example --assume-yes --password Ee12345!
+        
+        touch $data/setup-done
+      fi
+
+      # elixir takes 2 sigints to exit if it has something on stdin
+      exec </dev/null
+      exec pleroma start
+    '';
+  }];
+  nginxConfig = ''
+    upstream ${name}_phoenix {
+      server unix:$MINIFEDI_RUN/${name}/akkoma.sock max_fails=5 fail_timeout=60s;
+    }
+
+    # Enable SSL session caching for improved performance
+    ssl_session_cache shared:ssl_session_cache:10m;
+
+    server {
+      server_name ${name}.lvh.me;
+
+      listen 443 ssl http2;
+      listen [::]:443 ssl http2;
+      ssl_session_timeout 1d;
+      ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+      ssl_session_tickets off;
+
+      ssl_certificate           $MINIFEDI_DATA/nginx/fullchain.pem;
+      ssl_certificate_key       $MINIFEDI_DATA/nginx/key.pem;
+
+      ssl_protocols TLSv1.2 TLSv1.3;
+      ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+      ssl_prefer_server_ciphers off;
+      ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+
+      gzip_vary on;
+      gzip_proxied any;
+      gzip_comp_level 6;
+      gzip_buffers 16 8k;
+      gzip_http_version 1.1;
+      gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+
+      # the nginx default is 1m, not enough for large media uploads
+      client_max_body_size 16m;
+      ignore_invalid_headers off;
+
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      location / {
+        proxy_pass http://${name}_phoenix;
+      }
+
+      location ~ ^/(media|proxy) {
+        proxy_ignore_client_abort on;
+        proxy_buffering    on;
+        chunked_transfer_encoding on;
+        proxy_pass         http://${name}_phoenix;
+      }
+    }
+  '';
+}

nix/fedi/mastodon/build.nix

@@ -0,0 +1,168 @@
+{ lib, stdenv, nodejs-slim, mkYarnPackage, fetchFromGitHub, bundlerEnv
+, nixosTests, yarn, callPackage, imagemagick, ffmpeg, file, ruby_3_0
+, writeShellScript, fetchYarnDeps, fixup_yarn_lock, brotli
+
+# Allow building a fork or custom version of Mastodon:
+, pname ? "mastodon", version ? import ./version.nix, srcOverride ? null
+, dependenciesDir ? ./. # Should contain gemset.nix, yarn.nix and package.json.
+}:
+
+stdenv.mkDerivation rec {
+  inherit pname version;
+
+  # Using overrideAttrs on src does not build the gems and modules with the overridden src.
+  # Putting the callPackage up in the arguments list also does not work.
+  src =
+    if srcOverride != null then srcOverride else callPackage ./source.nix { };
+
+  mastodonGems = bundlerEnv {
+    name = "${pname}-gems-${version}";
+    inherit version;
+    ruby = ruby_3_0;
+    gemdir = src;
+    gemset = dependenciesDir + "/gemset.nix";
+    # This fix (copied from https://github.com/NixOS/nixpkgs/pull/76765) replaces the gem
+    # symlinks with directories, resolving this error when running rake:
+    #   /nix/store/451rhxkggw53h7253izpbq55nrhs7iv0-mastodon-gems-3.0.1/lib/ruby/gems/2.6.0/gems/bundler-1.17.3/lib/bundler/settings.rb:6:in `<module:Bundler>': uninitialized constant Bundler::Settings (NameError)
+    postBuild = ''
+      for gem in "$out"/lib/ruby/gems/*/gems/*; do
+        cp -a "$gem/" "$gem.new"
+        rm "$gem"
+        # needed on macOS, otherwise the mv yields permission denied
+        chmod +w "$gem.new"
+        mv "$gem.new" "$gem"
+      done
+    '';
+  };
+
+  mastodonModules = stdenv.mkDerivation {
+    pname = "${pname}-modules";
+    inherit src version;
+
+    yarnOfflineCache = fetchYarnDeps {
+      yarnLock = "${src}/yarn.lock";
+      sha256 = "sha256-e3rl/WuKXaUdeDEYvo1sSubuIwtBjkbguCYdAijwXOA=";
+    };
+
+    nativeBuildInputs = [
+      fixup_yarn_lock
+      nodejs-slim
+      yarn
+      mastodonGems
+      mastodonGems.wrappedRuby
+      brotli
+    ];
+
+    RAILS_ENV = "production";
+    NODE_ENV = "production";
+
+    buildPhase = ''
+      runHook preBuild
+
+      export HOME=$PWD
+      # This option is needed for openssl-3 compatibility
+      # Otherwise we encounter this upstream issue: https://github.com/mastodon/mastodon/issues/17924
+      export NODE_OPTIONS=--openssl-legacy-provider
+      fixup_yarn_lock ~/yarn.lock
+      yarn config --offline set yarn-offline-mirror $yarnOfflineCache
+      yarn install --offline --frozen-lockfile --ignore-engines --ignore-scripts --no-progress
+
+      patchShebangs ~/bin
+      patchShebangs ~/node_modules
+
+      # skip running yarn install
+      rm -rf ~/bin/yarn
+
+      OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder \
+        rails assets:precompile
+      yarn cache clean --offline
+      rm -rf ~/node_modules/.cache
+
+      # Create missing static gzip and brotli files
+      gzip --best --keep ~/public/assets/500.html
+      gzip --best --keep ~/public/packs/report.html
+      find ~/public/assets -maxdepth 1 -type f -name '.*.json' \
+        -exec gzip --best --keep --force {} ';'
+      brotli --best --keep ~/public/packs/report.html
+      find ~/public/assets -type f -regextype posix-extended -iregex '.*\.(css|js|json|html)' \
+        -exec brotli --best --keep {} ';'
+
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+
+      mkdir -p $out/public
+      cp -r node_modules $out/node_modules
+      cp -r public/assets $out/public
+      cp -r public/packs $out/public
+
+      runHook postInstall
+    '';
+  };
+
+  propagatedBuildInputs = [ imagemagick ffmpeg file mastodonGems.wrappedRuby ];
+  buildInputs = [ mastodonGems nodejs-slim ];
+
+  buildPhase = ''
+    runHook preBuild
+
+    ln -s $mastodonModules/node_modules node_modules
+    ln -s $mastodonModules/public/assets public/assets
+    ln -s $mastodonModules/public/packs public/packs
+
+    patchShebangs bin/
+    for b in $(ls $mastodonGems/bin/)
+    do
+      if [ ! -f bin/$b ]; then
+        ln -s $mastodonGems/bin/$b bin/$b
+      fi
+    done
+
+    # Remove execute permissions
+    chmod 0444 public/emoji/*.svg
+
+    # Create missing static gzip and brotli files
+    find public -maxdepth 1 -type f -regextype posix-extended -iregex '.*\.(css|js|svg|txt|xml)' \
+      -exec gzip --best --keep --force {} ';' \
+      -exec brotli --best --keep {} ';'
+    find public/emoji -type f -name '.*.svg' \
+      -exec gzip --best --keep --force {} ';' \
+      -exec brotli --best --keep {} ';'
+    ln -s assets/500.html.gz public/500.html.gz
+    ln -s assets/500.html.br public/500.html.br
+    ln -s packs/sw.js.gz public/sw.js.gz
+    ln -s packs/sw.js.br public/sw.js.br
+    ln -s packs/sw.js.map.gz public/sw.js.map.gz
+    ln -s packs/sw.js.map.br public/sw.js.map.br
+
+    rm -rf log
+    ln -s /var/log/mastodon log
+    ln -s /tmp tmp
+
+    runHook postBuild
+  '';
+
+  installPhase = let
+    run-streaming = writeShellScript "run-streaming.sh" ''
+      # NixOS helper script to consistently use the same NodeJS version the package was built with.
+      ${nodejs-slim}/bin/node ./streaming
+    '';
+  in ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp -r * $out/
+    ln -s ${run-streaming} $out/run-streaming.sh
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description =
+      "Self-hosted, globally interconnected microblogging software based on ActivityPub";
+    homepage = "https://joinmastodon.org";
+    license = licenses.agpl3Plus;
+  };
+}

nix/fedi/mastodon/default.nix

@@ -0,0 +1,277 @@
+{ pkgs, name }:
+let
+  mastodon = pkgs.callPackage ./build.nix { };
+  env = {
+    LOCAL_DOMAIN = "${name}.lvh.me";
+    WEB_DOMAIN = "${name}.lvh.me";
+    ALLOWED_PRIVATE_ADDRESSES = "127.0.0.1";
+    RAILS_ENV = "production";
+    NODE_ENV = "production";
+    DB_USER = name;
+    DB_NAME = name;
+    REDIS_NAMESPACE = "${name}_";
+    EMAIL_DOMAIN_ALLOWLIST = "${name}.example";
+    SMTP_DELIVERY_METHOD = "file";
+  };
+  s6 = import ../../s6.nix {
+    inherit pkgs;
+    services = {
+      web = pkgs.linkFarm "web" {
+        run = pkgs.writeShellScript "run-web" ''
+          cd ${mastodon}
+
+          export SOCKET=$MINIFEDI_RUN/${name}/web.sock
+
+          puma -C config/puma.rb
+        '';
+      };
+      sidekiq = pkgs.linkFarm "sidekiq" {
+        run = pkgs.writeShellScript "run-sidekiq" ''
+          cd ${mastodon}
+          sidekiq
+        '';
+      };
+      streaming = pkgs.linkFarm "sidekiq" {
+        run = pkgs.writeShellScript "run-sidekiq" ''
+          cd ${mastodon}
+
+          export SOCKET=$MINIFEDI_RUN/${name}/streaming.sock
+
+          ${mastodon}/run-streaming.sh
+        '';
+      };
+    };
+    path = "${name}/service";
+  };
+  path = pkgs.lib.strings.concatStrings (builtins.map (x: "${x}/bin:") [
+    mastodon
+    pkgs.postgresql
+    pkgs.s6
+    # used by mastodon file upload:
+    pkgs.file
+    pkgs.imagemagick
+    # used by sidekiq:
+    pkgs.ps
+  ]);
+in {
+  service = pkgs.linkFarm name [{
+    name = "run";
+    path = pkgs.writeShellScript "run-${name}" ''
+      set -e
+
+      export PATH=${path}$PATH
+
+      data=$MINIFEDI_DATA/${name}
+      run=$MINIFEDI_RUN/${name}
+      postgres=$MINIFEDI_RUN/postgres
+
+      mkdir -p $data
+      mkdir -p $data/files
+      mkdir -p $run
+
+      cd ${mastodon}
+
+      ${pkgs.lib.strings.concatStrings (pkgs.lib.attrsets.mapAttrsToList
+        (k: v: ''
+          export ${k}=${v}
+        '') env)}
+
+      if ! [ -e $data/setup-done ]; then
+        rake secret > $data/secret_key_base
+        rake secret > $data/otp_secret
+        # from nixos
+        keypair=$(rake webpush:generate_keys)
+        echo $keypair | grep --only-matching "Private -> [^ ]\+" | sed 's/^Private -> //' > $data/vapid_private_key
+        echo $keypair | grep --only-matching "Public -> [^ ]\+" | sed 's/^Public -> //' > $data/vapid_public_key
+      fi
+
+      export SECRET_KEY_BASE=$(cat $data/secret_key_base)
+      export OTP_SECRET=$(cat $data/otp_secret)
+      export VAPID_PRIVATE_KEY=$(cat $data/vapid_private_key)
+      export VAPID_PUBLIC_KEY=$(cat $data/vapid_public_key)
+
+      export DB_HOST=$postgres
+      export REDIS_URL=unix://$MINIFEDI_RUN/redis/redis.sock
+      export NIX_SSL_CERT_FILE=$MINIFEDI_CERT/rootCA.pem
+      export PAPERCLIP_ROOT_PATH=$data/files
+
+      s6-svwait -U $MINIFEDI_RUN/service/postgres
+
+      if ! [ -e $data/setup-done ]; then
+        createdb -h$postgres ${name}
+        createuser -h$postgres ${name}
+
+        rails db:schema:load
+        rails db:seed
+
+        touch $data/setup-done
+
+        tootctl accounts create a --email=a@${name}.example --confirmed --role Owner
+        rails runner "Account.find_local('a').user.update!(password: 'Aa12345!')"
+        tootctl accounts create b --email=b@${name}.example --confirmed
+        rails runner "Account.find_local('b').user.update!(password: 'Bb12345!')"
+        tootctl accounts create c --email=c@${name}.example --confirmed
+        rails runner "Account.find_local('c').user.update!(password: 'Cc12345!')"
+        tootctl accounts create d --email=d@${name}.example --confirmed
+        rails runner "Account.find_local('d').user.update!(password: 'Dd12345!')"
+        tootctl accounts create e --email=e@${name}.example --confirmed
+        rails runner "Account.find_local('e').user.update!(password: 'Ee12345!')"
+      fi
+
+      exec ${s6.start}
+    '';
+  }];
+  nginxConfig = ''
+    map $http_upgrade ${"$"}${name}_connection_upgrade {
+      default upgrade;
+      ${"''"} close;
+    }
+
+    upstream ${name}_backend {
+      server unix:$MINIFEDI_RUN/${name}/web.sock fail_timeout=0;
+    }
+
+    upstream ${name}_streaming {
+      server unix:$MINIFEDI_RUN/${name}/streaming.sock fail_timeout=0;
+    }
+
+    server {
+      listen 443 ssl http2;
+      listen [::]:443 ssl http2;
+      server_name ${name}.lvh.me;
+
+      ssl_protocols TLSv1.2 TLSv1.3;
+      ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+      ssl_prefer_server_ciphers on;
+      ssl_session_cache shared:SSL:10m;
+      ssl_session_tickets off;
+
+      # Uncomment these lines once you acquire a certificate:
+      ssl_certificate     $MINIFEDI_DATA/nginx/fullchain.pem;
+      ssl_certificate_key $MINIFEDI_DATA/nginx/key.pem;
+
+      keepalive_timeout    70;
+      sendfile             on;
+      client_max_body_size 99m;
+
+      root ${mastodon}/public;
+
+      gzip on;
+      gzip_disable "msie6";
+      gzip_vary on;
+      gzip_proxied any;
+      gzip_comp_level 6;
+      gzip_buffers 16 8k;
+      gzip_http_version 1.1;
+      gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
+
+      location / {
+        try_files $uri @proxy;
+      }
+
+      # If Docker is used for deployment and Rails serves static files,
+      # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
+      location = /sw.js {
+        add_header Cache-Control "public, max-age=604800, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location ~ ^/assets/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location ~ ^/avatars/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location ~ ^/emoji/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location ~ ^/headers/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location ~ ^/packs/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location ~ ^/shortcuts/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location ~ ^/sounds/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+        try_files $uri =404;
+      }
+
+      location /system/ {
+        add_header Cache-Control "public, max-age=2419200, immutable";
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+        alias $MINIFEDI_DATA/${name}/files/;
+
+        try_files $uri =404;
+      }
+
+      location ^~ /api/v1/streaming {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Proxy "";
+
+        proxy_pass http://${name}_streaming;
+        proxy_buffering off;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection ${"$"}${name}_connection_upgrade;
+
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+        tcp_nodelay on;
+      }
+
+      location @proxy {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Proxy "";
+        proxy_pass_header Server;
+
+        proxy_pass http://${name}_backend;
+        proxy_buffering on;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection ${"$"}${name}_connection_upgrade;
+
+        # proxy_cache CACHE;
+        # proxy_cache_valid 200 7d;
+        # proxy_cache_valid 410 24h;
+        # proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        add_header X-Cached $upstream_cache_status;
+
+        tcp_nodelay on;
+      }
+
+      error_page 404 500 501 502 503 504 /500.html;
+    }
+  '';
+}

nix/fedi/mastodon/source.nix

@@ -0,0 +1,11 @@
+# This file was generated by pkgs.mastodon.updateScript.
+{ fetchgit, applyPatches }: let
+  src = fetchgit {
+    url = "https://github.com/mastodon/mastodon.git";
+    rev = "v4.1.2";
+    sha256 = "18yzpc2rz9sa04y2sdxzsfkndbqqsfqvji47imwc3yj40l8hciws";
+  };
+in applyPatches {
+  inherit src;
+  patches = [];
+}

nix/fedi/mastodon/version.nix

@@ -0,0 +1 @@
+"4.1.2"

nix/s6.nix

@@ -0,0 +1,10 @@
+{ pkgs, services, path }:
+
+let scandir = pkgs.linkFarm "service" services;
+in {
+  start = pkgs.writeShellScript "s6-start" ''
+    cp -RL ${scandir} $MINIFEDI_RUN/${path}
+    chmod -R +w $MINIFEDI_RUN/${path}
+    exec ${pkgs.s6}/bin/s6-svscan $MINIFEDI_RUN/${path}
+  '';
+}

nix/services.nix

@@ -0,0 +1,20 @@
+{ pkgs }:
+let
+  instances = {
+    mastodon = import ./fedi/mastodon {
+      inherit pkgs;
+      name = "mastodon";
+    };
+    akkoma = import ./fedi/akkoma {
+      inherit pkgs;
+      name = "akkoma";
+    };
+  };
+in instances // {
+  postgres = import ./support-services/postgres { inherit pkgs; };
+  redis = import ./support-services/redis { inherit pkgs; };
+  nginx = import ./support-services/nginx {
+    inherit pkgs;
+    inherit instances;
+  };
+}

nix/support-services/nginx/default.nix

@@ -0,0 +1,49 @@
+{ pkgs, instances }:
+let
+  config = pkgs.writeText "nginx.conf" ''
+    events {}
+
+    pid $MINIFEDI_RUN/nginx/nginx.pid;
+
+    daemon off;
+
+    error_log stderr info;
+
+    http {
+      include ${pkgs.nginx}/conf/mime.types;
+
+      access_log $MINIFEDI_DATA/nginx/access.log;
+
+      server {
+        listen 80;
+        listen [::]:80;
+        location / { return 301 https://$host$request_uri; }
+      }
+
+      ${
+        pkgs.lib.concatStrings (builtins.map (x: x.nginxConfig)
+          (pkgs.lib.attrsets.attrValues instances))
+      }
+    }
+  '';
+in {
+  service = pkgs.linkFarm "nginx" {
+    run = pkgs.writeShellScript "run-nginx" ''
+      set -e
+
+      PATH=${pkgs.gettext}/bin:$PATH
+
+      mkdir -p $MINIFEDI_DATA/nginx
+      mkdir -p $MINIFEDI_RUN/nginx
+
+      if ! [[ -e $MINIFEDI_DATA/nginx/fullchain.pem ]]; then
+        CAROOT=$MINIFEDI_CERT ${pkgs.mkcert}/bin/mkcert -cert-file $MINIFEDI_DATA/nginx/cert.pem -key-file $MINIFEDI_DATA/nginx/key.pem *.lvh.me
+        cat $MINIFEDI_DATA/nginx/cert.pem $MINIFEDI_CERT/rootCA.pem > $MINIFEDI_DATA/nginx/fullchain.pem
+      fi
+
+      cd $MINIFEDI_DATA
+      cat ${config} | envsubst '$MINIFEDI_DATA $MINIFEDI_RUN' > $MINIFEDI_DATA/nginx/nginx.conf
+      ${pkgs.nginx}/bin/nginx -c $MINIFEDI_DATA/nginx/nginx.conf -e $MINIFEDI_DATA/nginx/error.log
+    '';
+  };
+}

nix/support-services/postgres/default.nix

@@ -0,0 +1,29 @@
+{ pkgs }:
+
+{
+  service = pkgs.linkFarm "postgres" {
+    run = pkgs.writeShellScript "run-postgres-outer" ''
+      exec ${pkgs.s6}/bin/s6-notifyoncheck ${
+        pkgs.writeShellScript "run-postgres-inner" ''
+          export PATH=${pkgs.gettext}/bin:$PATH
+
+          mkdir -p $MINIFEDI_DATA/postgres
+          mkdir -p $MINIFEDI_RUN/postgres
+          cd $MINIFEDI_DATA/postgres
+          export PGDATA=$(pwd)/data
+          [[ -e $PGDATA ]] || ${pkgs.postgresql}/bin/initdb
+          cat ${./postgresql.conf} | envsubst > $PGDATA/postgresql.conf
+          exec ${pkgs.postgresql}/bin/postgres
+        ''
+      }
+    '';
+
+    data = pkgs.linkFarm "data" {
+      check = pkgs.writeShellScript "check-postgres" ''
+        ${pkgs.postgresql}/bin/pg_isready -h $MINIFEDI_RUN/postgres
+      '';
+    };
+
+    notification-fd = pkgs.writeText "notification-fd" "3";
+  };
+}

nix/support-services/postgres/postgresql.conf

@@ -0,0 +1,2 @@
+listen_addresses = ''
+unix_socket_directories = '$MINIFEDI_RUN/postgres/'

nix/support-services/redis/default.nix

@@ -0,0 +1,19 @@
+{ pkgs }:
+let
+  config = pkgs.writeText "redis.conf" ''
+    port 0
+    protected-mode yes
+  '';
+in {
+  service = pkgs.linkFarm "nginx" {
+    run = pkgs.writeShellScript "run-nginx" ''
+      set -e
+
+      mkdir -p $MINIFEDI_DATA/redis
+      mkdir -p $MINIFEDI_RUN/redis
+
+      cd $MINIFEDI_RUN/redis
+      ${pkgs.redis}/bin/redis-server ${config} --unixsocket $MINIFEDI_RUN/redis/redis.sock
+    '';
+  };
+}