From c9665b927f2af99201ad0e4a3a5fdbc6e3bac165 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Fri, 20 Sep 2024 17:56:40 +0200
Subject: [PATCH] Move stuff from pixelfed-vm to pixelfed

---
 fediversity/pixelfed.nix | 21 +++++++++++++++++++++
 vm/pixelfed-vm.nix | 12 +-----------
 2 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix
index 1edc914..a44b8f1 100644
--- a/fediversity/pixelfed.nix
+++ b/fediversity/pixelfed.nix
@@ -38,9 +38,28 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
 services.pixelfed = {
 enable = true;
 domain = config.fediversity.internal.pixelfed.domain;
+
+ # TODO: secrets management!!!
+ secretFile = pkgs.writeText "secrets.env" ''
+ APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+ '';
+
+ ## Taeer feels like this way of configuring Nginx is odd; there should
+ ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
+ ## configuration should be in `services.nginx`. See eg. `pretix`.
+ ##
+ ## TODO: If that indeed makes sense, upstream.
+ nginx = {
+ # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
+ };
 };

 services.pixelfed.settings = {
+ ## NOTE: This depends on the targets, eg. universities might want control
+ ## over who has an account. We probably want a universal
+ ## `fediversity.openRegistration` option.
+ OPEN_REGISTRATION = true;
+
 # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
 FILESYSTEM_CLOUD = "s3";
 PF_ENABLE_CLOUD = true;
@@ -62,4 +81,6 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
 services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
 patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
 });
+
+ networking.firewall.allowedTCPPorts = [ 80 ];
 }
diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix
index 8f97180..3320ddc 100644
--- a/vm/pixelfed-vm.nix
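Review bot: The hard-coded `APP_KEY` in `services.pixelfed.secretFile` now lives in the shared module, so every host that enables `fediversity.pixelfed` gets the same key; it is committed to the repository and, being built with `pkgs.writeText`, also ends up world-readable in the Nix store. While it sat in `vm/pixelfed-vm.nix` this only affected the test VM; the `TODO: secrets management!!!` acknowledges the problem, but the move widens its reach. Until secrets management exists I would keep the `secretFile = pkgs.writeText "secrets.env" ''…'';` lines in the VM file and let the module expect a path supplied by the deployment at runtime. In the same hunk, `OPEN_REGISTRATION = true;` would be safer as `OPEN_REGISTRATION = lib.mkDefault true;`, so a deployment that wants closed registration can override it without `mkForce`. The enclosing `lib.mkIf … { … }` block starts and ends outside the hunk.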
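Review bot: Only port 80 is opened by `networking.firewall.allowedTCPPorts = [ 80 ];`, and because the line moved from the VM file into the shared module, every host enabling the module now accepts Pixelfed traffic over plain HTTP. Nothing visible in this hunk configures TLS, and `FORCE_HTTPS_URLS = false` stays VM-only in `vm/pixelfed-vm.nix`, so real deployments presumably rely on something outside this patch for HTTPS. If TLS is meant to terminate in this host's nginx, 443 needs opening too (`allowedTCPPorts = [ 80 443 ];`); if a front proxy handles it, a comment such as `# plain HTTP only; TLS is terminated upstream` would make that assumption explicit. The enclosing `lib.mkIf … { … }` block starts outside the hunk.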
+++ b/vm/pixelfed-vm.nix @@ -11,22 +11,12 @@ pixelfed.enable = true; }; - networking.firewall.allowedTCPPorts = [ 80 ]; services.pixelfed = { - # TODO: secrets management! - secretFile = pkgs.writeText "secrets.env" '' - APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA - ''; settings = { - OPEN_REGISTRATION = true; FORCE_HTTPS_URLS = false; }; - # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx - # TODO: If that indeed makes sense, upstream it. - nginx = { - # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; - }; }; + virtualisation.memorySize = 2048; virtualisation.forwardPorts = [ {