This commit is contained in:
Robert Hensing 2024-05-28 16:08:57 +02:00
parent 2c7e3603b8
commit 3e329b4254
5 changed files with 31 additions and 4 deletions

View file

@ -2,7 +2,7 @@
This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity. This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.
Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small configuration to run in VMs. Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small set of configurations to run in VMs.
## Running the VMs ## Running the VMs
@ -76,6 +76,10 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
When mastodon is running in production mode, we have a few problems: When mastodon is running in production mode, we have a few problems:
- you have to click "accept the security risk" - you have to click "accept the security risk"
- it takes a while for the webpage to come online. Until then you see "502 Bad Gateway" - it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
- reverse proxy should produce a user friendly page regardless
- might be needed for upgrade downtime too?
- don't send users over until it's up
- email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working. - email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working.
- maybe the admin account should be managed entirely by fediversity anyway?

View file

@ -1,4 +1,6 @@
{ pkgs, ... }: { { pkgs, ... }: {
# Customize nixos-rebuild build-vm to be a bit more convenient
virtualisation.vmVariant = { virtualisation.vmVariant = {
# let us log in # let us log in
users.mutableUsers = false; users.mutableUsers = false;

View file

@ -55,6 +55,7 @@ in
type = types.str; type = types.str;
}; };
# TODO: assert at least one of these is true # TODO: assert at least one of these is true
# currently, needs to be done in the top level module
ensureAccess = mkOption { ensureAccess = mkOption {
type = types.attrsOf (types.submodule { type = types.attrsOf (types.submodule {
options = { options = {
@ -106,6 +107,8 @@ in
settings = { settings = {
replication_mode = "none"; replication_mode = "none";
# TODO: use a secret file # TODO: use a secret file
# I'd like to have a NixOS module that declares the need for a secret file
# that way, the need can be met by any secrets solution (agenix, sops-nix, colmena, a nixops4 module, ...)
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
# TODO: why does this have to be set? is there not a sensible default? # TODO: why does this have to be set? is there not a sensible default?
rpc_bind_addr = "[::]:3901"; rpc_bind_addr = "[::]:3901";
@ -133,6 +136,7 @@ in
# also, it's crazy that we have to parse command output like this # also, it's crazy that we have to parse command output like this
# TODO: talk to garage maintainer about making this nicer to work with in Nix # TODO: talk to garage maintainer about making this nicer to work with in Nix
# before I do that though, I should figure out how setting it up across multiple machines will work # before I do that though, I should figure out how setting it up across multiple machines will work
# You could ask for a change or `--json` flag anyway, and maybe tell them what you're working on.
GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1') GARAGE_ID=$(garage node id 2>/dev/null | perl -ne '/(.*)@.*/ && print $1')
garage layout assign -z g1 -c 1G $GARAGE_ID garage layout assign -z g1 -c 1G $GARAGE_ID
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1') LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
@ -151,7 +155,7 @@ in
# TODO: should this --deny the website if `website` is false? # TODO: should this --deny the website if `website` is false?
${lib.optionalString website '' ${lib.optionalString website ''
garage bucket website --allow ${bucket} garage bucket website --allow ${/* more robust: */ lib.strings.escapeShellArg bucket}
''} ''}
${lib.concatStringsSep "\n" (map (alias: '' ${lib.concatStringsSep "\n" (map (alias: ''
@ -160,6 +164,8 @@ in
${lib.optionalString corsRules.enable '' ${lib.optionalString corsRules.enable ''
# TODO: can i turn this whole thing into one builtins.toJSON? # TODO: can i turn this whole thing into one builtins.toJSON?
# why not :D
# we also have `lib.strings.escapeShellArg` for the quoting
export CORS=${lib.concatStrings [ export CORS=${lib.concatStrings [
"'" "'"
''{"CORSRules":[{'' ''{"CORSRules":[{''
@ -175,6 +181,7 @@ in
garage bucket deny --read --write --owner ${bucket} --key tmp garage bucket deny --read --write --owner ${bucket} --key tmp
''} ''}
'') config.services.garage.ensureBuckets) '') config.services.garage.ensureBuckets)
# probably nice to factor this out into a function
} }
${ ${
lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: '' lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''

View file

@ -101,9 +101,8 @@ in
# but it also must be a positive integer # but it also must be a positive integer
streamingProcesses = let streamingProcesses = let
ncores = config.virtualisation.cores; ncores = config.virtualisation.cores;
max = x: y: if x > y then x else y;
in in
max 1 (ncores - 1); lib.max 1 (ncores - 1);
}; };
security.acme = { security.acme = {
@ -160,7 +159,10 @@ in
}; };
# run rails db:seed so that mastodon sets up the databases for us # run rails db:seed so that mastodon sets up the databases for us
# iirc the postgresql module can also do this kind of thing
systemd.services.mastodon-init-db.script = lib.mkForce '' systemd.services.mastodon-init-db.script = lib.mkForce ''
# This conditional freaks me out
# Maybe configure psql to output in a more machine-readable format?
if [ `psql -c \ if [ `psql -c \
"select count(*) from pg_class c \ "select count(*) from pg_class c \
join pg_namespace s on s.oid = c.relnamespace \ join pg_namespace s on s.oid = c.relnamespace \

12
thoughts Normal file
View file

@ -0,0 +1,12 @@
# `ensureBuckets`
Should be replaced by a resource that creates the bucket, so that we can manage its whole lifecycle, including updates (authz?) and deletion; possibly a generic S3 bucket resource? - we'll see.
Fine solution for now.
Perhaps also useful in a NixOS module, but could also be tech debt if nobody uses it.
# More exploration
- Use NixOS test framework?
- Write test that upgrades garage