20
README.md
20
README.md
|
@ -46,26 +46,6 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
|
||||||
```bash
|
```bash
|
||||||
pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
|
pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
|
||||||
```
|
```
|
||||||
# Building an installer image
|
|
||||||
|
|
||||||
Build an installer image for the desired configuration, e.g. for `peertube`:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
nix build .#installers.peertube
|
|
||||||
```
|
|
||||||
|
|
||||||
Upload the image in `./result` to Proxmox when creating a VM.
|
|
||||||
Booting the image will format the disk and install NixOS with the desired configuration.
|
|
||||||
|
|
||||||
# Deploying an updated machine configuration
|
|
||||||
|
|
||||||
> TODO: There is currently no way to specify an actual target machine by name.
|
|
||||||
|
|
||||||
Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
nix run .#deploy.peertube
|
|
||||||
```
|
|
||||||
|
|
||||||
## debugging notes
|
## debugging notes
|
||||||
|
|
||||||
|
|
13
deploy.nix
13
deploy.nix
|
@ -1,13 +0,0 @@
|
||||||
{ writeShellApplication }:
|
|
||||||
name: config:
|
|
||||||
writeShellApplication {
|
|
||||||
name = "deploy";
|
|
||||||
text = ''
|
|
||||||
result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
|
|
||||||
# shellcheck disable=SC2087
|
|
||||||
ssh ${name} << EOF
|
|
||||||
nix-env -p /nix/var/nix/profiles/system --set "$result"
|
|
||||||
"$result"/bin/switch-to-configuration switch
|
|
||||||
EOF
|
|
||||||
'';
|
|
||||||
}
|
|
|
@ -1,36 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
disko.devices.disk.main = {
|
|
||||||
device = "/dev/sda";
|
|
||||||
type = "disk";
|
|
||||||
content = {
|
|
||||||
type = "gpt";
|
|
||||||
partitions = {
|
|
||||||
MBR = {
|
|
||||||
priority = 0;
|
|
||||||
size = "1M";
|
|
||||||
type = "EF02";
|
|
||||||
};
|
|
||||||
ESP = {
|
|
||||||
priority = 1;
|
|
||||||
size = "500M";
|
|
||||||
type = "EF00";
|
|
||||||
content = {
|
|
||||||
type = "filesystem";
|
|
||||||
format = "vfat";
|
|
||||||
mountpoint = "/boot";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
root = {
|
|
||||||
priority = 2;
|
|
||||||
size = "100%";
|
|
||||||
content = {
|
|
||||||
type = "filesystem";
|
|
||||||
format = "ext4";
|
|
||||||
mountpoint = "/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (builtins) toString;
|
inherit (builtins) toString;
|
||||||
inherit (lib) mkOption mkEnableOption mkForce;
|
inherit (lib) mkOption mkEnableOption;
|
||||||
inherit (lib.types) types;
|
inherit (lib.types) types;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
@ -64,17 +64,17 @@ in {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "web.garage.${config.fediversity.domain}";
|
default = "web.garage.${config.fediversity.domain}";
|
||||||
};
|
};
|
||||||
internalPort = mkOption {
|
port = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
default = 3902;
|
default = 3902;
|
||||||
};
|
};
|
||||||
domainForBucket = mkOption {
|
rootDomainAndPort = mkOption {
|
||||||
type = types.functionTo types.str;
|
type = types.str;
|
||||||
default = bucket: "${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
|
default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
|
||||||
};
|
};
|
||||||
urlForBucket = mkOption {
|
urlFor = mkOption {
|
||||||
type = types.functionTo types.str;
|
type = types.functionTo types.str;
|
||||||
default = bucket: "http://${config.fediversity.internal.garage.web.domainForBucket bucket}";
|
default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
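Review bot: The renamed `port`, `rootDomainAndPort` and `urlFor` options carry no `description`, and `urlFor` hard-codes the `http://` scheme, so every consumer visible on this page (Mastodon's `S3_HOSTNAME` with `S3_PROTOCOL = "http"`, PeerTube's `base_url`, Pixelfed's `AWS_URL`) hands browsers plain-HTTP bucket URLs on the raw Garage web port. A `description = "Port of Garage's S3 web endpoint; exposed directly, without TLS termination, so only suitable for local or VM use.";` on `port`, and a matching sentence on `urlFor` saying the scheme is fixed to HTTP, would make that trade-off visible to whoever wires this up on a real host. Whether the old `domainForBucket`/`urlForBucket` split is wanted back is a separate question; the rename itself is fine. The enclosing `options` attribute set starts and ends outside the hunk.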
|
@ -100,19 +100,4 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
|
||||||
## FIXME: This should clearly go somewhere else; and we should have a
|
|
||||||
## `staging` vs. `production` setting somewhere.
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com";
|
|
||||||
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
||||||
};
|
|
||||||
|
|
||||||
## NOTE: For a one-machine deployment, this removes the need to provide an
|
|
||||||
## `s3.garage.<domain>` domain. However, this will quickly stop working once
|
|
||||||
## we go to multi-machines deployment.
|
|
||||||
fediversity.internal.garage.api.domain = mkForce "s3.garage.localhost";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,7 +15,6 @@ let
|
||||||
inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
|
inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
|
||||||
inherit (lib.strings) escapeShellArg;
|
inherit (lib.strings) escapeShellArg;
|
||||||
cfg = config.services.garage;
|
cfg = config.services.garage;
|
||||||
fedicfg = config.fediversity.internal.garage;
|
|
||||||
concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
|
concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
|
||||||
ensureBucketScriptFn = bucket: { website, aliases, corsRules }:
|
ensureBucketScriptFn = bucket: { website, aliases, corsRules }:
|
||||||
let
|
let
|
||||||
|
@ -43,7 +42,7 @@ let
|
||||||
${optionalString corsRules.enable ''
|
${optionalString corsRules.enable ''
|
||||||
garage bucket allow --read --write --owner ${bucketArg} --key tmp
|
garage bucket allow --read --write --owner ${bucketArg} --key tmp
|
||||||
# TODO: endpoin-url should not be hard-coded
|
# TODO: endpoin-url should not be hard-coded
|
||||||
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
||||||
garage bucket deny --read --write --owner ${bucketArg} --key tmp
|
garage bucket deny --read --write --owner ${bucketArg} --key tmp
|
||||||
''}
|
''}
|
||||||
'';
|
'';
|
||||||
|
@ -53,8 +52,7 @@ let
|
||||||
${escapeShellArg bucket} --key ${escapeShellArg key}
|
${escapeShellArg bucket} --key ${escapeShellArg key}
|
||||||
'';
|
'';
|
||||||
ensureKeyScriptFn = key: {id, secret, ensureAccess}: ''
|
ensureKeyScriptFn = key: {id, secret, ensureAccess}: ''
|
||||||
## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
|
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret}
|
||||||
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || :
|
|
||||||
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
|
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
|
||||||
'';
|
'';
|
||||||
ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
|
ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
|
||||||
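Review bot: The new `garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret}` line in `ensureKeyScriptFn` has no guard for a key that already exists, so a second run of the script (presumably every time `ensure-garage` starts alongside `garage.service`) stops at the first pre-existing key, where the old side's `|| :` masked the error and its FIXME asked for an existence check instead. Guard the import rather than the failure, `garage key info ${escapeShellArg id} >/dev/null 2>&1 || garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret}` (assuming I have the Garage subcommand right), so genuine import errors still fail the unit. The `tmp` snakeoil key import in the hunk at `@ -197,8 +197,7` has the same problem. Separately, `secret` is interpolated into the command line, so it is visible in the process table while the command runs and, since this script is built as a Nix string, presumably ends up in the world-readable Nix store as well; that deserves a line next to the existing `# TODO: use a secret file`.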
|
@ -134,10 +132,25 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.fediversity.enable {
|
config = lib.mkIf config.fediversity.enable {
|
||||||
|
virtualisation.diskSize = 2048;
|
||||||
|
virtualisation.forwardPorts = [
|
||||||
|
{
|
||||||
|
from = "host";
|
||||||
|
host.port = config.fediversity.internal.garage.rpc.port;
|
||||||
|
guest.port = config.fediversity.internal.garage.rpc.port;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
from = "host";
|
||||||
|
host.port = config.fediversity.internal.garage.web.port;
|
||||||
|
guest.port = config.fediversity.internal.garage.web.port;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
|
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
fedicfg.rpc.port
|
config.fediversity.internal.garage.rpc.port
|
||||||
|
config.fediversity.internal.garage.web.port
|
||||||
];
|
];
|
||||||
services.garage = {
|
services.garage = {
|
||||||
enable = true;
|
enable = true;
|
||||||
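Review bot: `virtualisation.diskSize`, `virtualisation.forwardPorts` and the added `config.fediversity.internal.garage.web.port` entry in `networking.firewall.allowedTCPPorts` now live in the general Garage module, gated only by `config.fediversity.enable`, whereas the old side kept them in `vm/garage-vm.nix`. That opens the raw Garage web listener (`s3_web.bind_addr = "[::]:…web.port"` in the hunk at `@ -147,30 +160,17`) on every host that enables Fediversity, in the same change that drops the TLS-terminating `services.nginx.virtualHosts.${fedicfg.web.rootDomain}` block, and the `virtualisation.*` options presumably only exist when `qemu-vm.nix` is imported, so a non-VM evaluation may fail on them. Move the `virtualisation.*` settings back into a VM-only module and keep the web port out of `allowedTCPPorts` unless a reverse proxy terminates TLS in front of it, or at minimum mark it: `# NOTE: plain HTTP, no TLS; bucket contents are served directly on this port`. The `config = lib.mkIf …` block continues past the hunk.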
|
@ -147,30 +160,17 @@ in
|
||||||
# TODO: use a secret file
|
# TODO: use a secret file
|
||||||
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
||||||
# TODO: why does this have to be set? is there not a sensible default?
|
# TODO: why does this have to be set? is there not a sensible default?
|
||||||
rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}";
|
rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}";
|
||||||
rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}";
|
rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}";
|
||||||
s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}";
|
s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}";
|
||||||
s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}";
|
s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}";
|
||||||
s3_web.root_domain = ".${fedicfg.web.rootDomain}";
|
s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}";
|
||||||
index = "index.html";
|
index = "index.html";
|
||||||
|
|
||||||
s3_api.s3_region = "garage";
|
s3_api.s3_region = "garage";
|
||||||
s3_api.root_domain = ".${fedicfg.api.domain}";
|
s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${fedicfg.web.rootDomain} = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
serverAliases = lib.mapAttrsToList (bucket: _: fedicfg.web.domainForBucket bucket) cfg.ensureBuckets; ## TODO: use wildcard certificates?
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://localhost:3902";
|
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.ensure-garage = {
|
systemd.services.ensure-garage = {
|
||||||
after = [ "garage.service" ];
|
after = [ "garage.service" ];
|
||||||
wantedBy = [ "garage.service" ];
|
wantedBy = [ "garage.service" ];
|
||||||
|
@ -183,7 +183,7 @@ in
|
||||||
|
|
||||||
# Give Garage time to start up by waiting until somethings speaks HTTP
|
# Give Garage time to start up by waiting until somethings speaks HTTP
|
||||||
# behind Garage's API URL.
|
# behind Garage's API URL.
|
||||||
until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done
|
until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done
|
||||||
|
|
||||||
# XXX: this is very sensitive to being a single instance
|
# XXX: this is very sensitive to being a single instance
|
||||||
# (doing the bare minimum to get garage up and running)
|
# (doing the bare minimum to get garage up and running)
|
||||||
|
@ -197,8 +197,7 @@ in
|
||||||
|
|
||||||
# XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys
|
# XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys
|
||||||
# TODO: generate this key here rather than using a well-known key
|
# TODO: generate this key here rather than using a well-known key
|
||||||
# TODO: if the key already exists, we get an error; hacked with this `|| :` which needs to be removed
|
garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret}
|
||||||
garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} || :
|
|
||||||
export AWS_ACCESS_KEY_ID=${snakeoil_key.id};
|
export AWS_ACCESS_KEY_ID=${snakeoil_key.id};
|
||||||
export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret};
|
export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret};
|
||||||
|
|
||||||
|
|
|
@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
|
||||||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||||
S3_PROTOCOL = "http";
|
S3_PROTOCOL = "http";
|
||||||
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain;
|
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort;
|
||||||
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
||||||
S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
|
S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
|
||||||
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
||||||
|
|
|
@ -74,17 +74,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
|
||||||
web_videos = rec {
|
web_videos = rec {
|
||||||
bucket_name = "peertube-videos";
|
bucket_name = "peertube-videos";
|
||||||
prefix = "";
|
prefix = "";
|
||||||
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
|
base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
|
||||||
};
|
};
|
||||||
videos = rec {
|
videos = rec {
|
||||||
bucket_name = "peertube-videos";
|
bucket_name = "peertube-videos";
|
||||||
prefix = "";
|
prefix = "";
|
||||||
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
|
base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
|
||||||
};
|
};
|
||||||
streaming_playlists = rec {
|
streaming_playlists = rec {
|
||||||
bucket_name = "peertube-playlists";
|
bucket_name = "peertube-playlists";
|
||||||
prefix = "";
|
prefix = "";
|
||||||
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
|
base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -38,37 +38,16 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
|
||||||
services.pixelfed = {
|
services.pixelfed = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = config.fediversity.internal.pixelfed.domain;
|
domain = config.fediversity.internal.pixelfed.domain;
|
||||||
|
|
||||||
# TODO: secrets management!!!
|
|
||||||
secretFile = pkgs.writeText "secrets.env" ''
|
|
||||||
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
|
|
||||||
'';
|
|
||||||
|
|
||||||
## Taeer feels like this way of configuring Nginx is odd; there should
|
|
||||||
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
|
|
||||||
## configuration should be in `services.nginx`. See eg. `pretix`.
|
|
||||||
##
|
|
||||||
## TODO: If that indeed makes sense, upstream.
|
|
||||||
nginx = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
# locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.pixelfed.settings = {
|
services.pixelfed.settings = {
|
||||||
## NOTE: This depends on the targets, eg. universities might want control
|
|
||||||
## over who has an account. We probably want a universal
|
|
||||||
## `fediversity.openRegistration` option.
|
|
||||||
OPEN_REGISTRATION = true;
|
|
||||||
|
|
||||||
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
|
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
|
||||||
FILESYSTEM_CLOUD = "s3";
|
FILESYSTEM_CLOUD = "s3";
|
||||||
PF_ENABLE_CLOUD = true;
|
PF_ENABLE_CLOUD = true;
|
||||||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||||
AWS_DEFAULT_REGION = "garage";
|
AWS_DEFAULT_REGION = "garage";
|
||||||
AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed";
|
AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed";
|
||||||
AWS_BUCKET = "pixelfed";
|
AWS_BUCKET = "pixelfed";
|
||||||
AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
|
AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
|
||||||
AWS_USE_PATH_STYLE_ENDPOINT = false;
|
AWS_USE_PATH_STYLE_ENDPOINT = false;
|
||||||
|
@ -80,5 +59,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
|
||||||
after = [ "ensure-garage.service" ];
|
after = [ "ensure-garage.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
|
||||||
|
patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
|
||||||
|
});
|
||||||
}
|
}
|
||||||
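Review bot: `services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: { patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ]; })` patches whatever Pixelfed version the `nixpkgs` input resolves to, where the old side pinned `github:pixelfed/pixelfed?ref=v0.12.3`, so the patch may stop applying, or apply to different code, on the next bump of that input without anyone noticing. A comment recording what the patch changes and which version it was validated against, e.g. `# patch validated against pixelfed <VERSION>; re-check whenever the nixpkgs input moves`, would make that visible. Removing `networking.firewall.allowedTCPPorts = [ 80 443 ];` here while `vm/pixelfed-vm.nix` now opens only `[ 80 ]` also means a non-VM host using this module has no HTTP/HTTPS port open at all; if that is intended, say so in the module. The `lib.mkIf` block starts outside the hunk.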
|
|
71
flake.lock
71
flake.lock
|
@ -1,55 +1,6 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
"disko": {
|
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": "nixpkgs"
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1727347829,
|
|
||||||
"narHash": "sha256-y7cW6TjJKy+tu7efxeWI6lyg4VVx/9whx+OmrhmRShU=",
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "disko",
|
|
||||||
"rev": "1879e48907c14a70302ff5d0539c3b9b6f97feaa",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nix-community",
|
|
||||||
"repo": "disko",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
|
||||||
"lastModified": 1725194671,
|
|
||||||
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
|
|
||||||
"owner": "NixOS",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "NixOS",
|
|
||||||
"ref": "nixpkgs-unstable",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs-latest": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1727220152,
|
|
||||||
"narHash": "sha256-6ezRTVBZT25lQkvaPrfJSxYLwqcbNWm6feD/vG1FO0o=",
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "24959f933187217890b206788a85bfa73ba75949",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs_2": {
|
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723726852,
|
"lastModified": 1723726852,
|
||||||
"narHash": "sha256-lRzlx4fPRtzA+dgz9Rh4WK5yAW3TsAXx335DQqxY2XY=",
|
"narHash": "sha256-lRzlx4fPRtzA+dgz9Rh4WK5yAW3TsAXx335DQqxY2XY=",
|
||||||
|
@ -65,29 +16,9 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"pixelfed": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1719823820,
|
|
||||||
"narHash": "sha256-CKjqnxp7p2z/13zfp4HQ1OAmaoUtqBKS6HFm6TV8Jwg=",
|
|
||||||
"owner": "pixelfed",
|
|
||||||
"repo": "pixelfed",
|
|
||||||
"rev": "4c245cf429330d01fcb8ebeb9aa8c84a9574a645",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "pixelfed",
|
|
||||||
"ref": "v0.12.3",
|
|
||||||
"repo": "pixelfed",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"disko": "disko",
|
"nixpkgs": "nixpkgs"
|
||||||
"nixpkgs": "nixpkgs_2",
|
|
||||||
"nixpkgs-latest": "nixpkgs-latest",
|
|
||||||
"pixelfed": "pixelfed"
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
71
flake.nix
71
flake.nix
|
@ -1,95 +1,48 @@
|
||||||
{
|
{
|
||||||
|
description = "Testing mastodon configurations";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests";
|
nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests";
|
||||||
nixpkgs-latest.url = "github:nixos/nixpkgs";
|
|
||||||
pixelfed = {
|
|
||||||
url = "github:pixelfed/pixelfed?ref=v0.12.3";
|
|
||||||
flake = false;
|
|
||||||
};
|
|
||||||
disko.url = "github:nix-community/disko";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs, nixpkgs-latest, pixelfed, disko }:
|
outputs = { self, nixpkgs }:
|
||||||
let
|
let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
lib = nixpkgs.lib;
|
|
||||||
pkgs = nixpkgs.legacyPackages.${system};
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
pkgsLatest = nixpkgs-latest.legacyPackages.${system};
|
|
||||||
bleedingFediverseOverlay = (self: super: {
|
|
||||||
pixelfed = pkgsLatest.pixelfed.overrideAttrs (old: {
|
|
||||||
src = pixelfed;
|
|
||||||
patches = (old.patches or [ ]) ++ [ ./fediversity/pixelfed-group-permissions.patch ];
|
|
||||||
});
|
|
||||||
## TODO: give mastodon, peertube the same treatment
|
|
||||||
});
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
nixosModules = {
|
nixosModules = {
|
||||||
## Bleeding-edge fediverse packages
|
|
||||||
bleedingFediverse = {
|
|
||||||
nixpkgs.overlays = [ bleedingFediverseOverlay ];
|
|
||||||
};
|
|
||||||
## Fediversity modules
|
## Fediversity modules
|
||||||
fediversity = import ./fediversity;
|
fediversity = import ./fediversity;
|
||||||
|
|
||||||
## VM-specific modules
|
## VM-specific modules
|
||||||
interactive-vm = import ./vm/interactive-vm.nix;
|
interactive-vm = import ./vm/interactive-vm.nix;
|
||||||
garage-vm = import ./vm/garage-vm.nix;
|
|
||||||
mastodon-vm = import ./vm/mastodon-vm.nix;
|
mastodon-vm = import ./vm/mastodon-vm.nix;
|
||||||
peertube-vm = import ./vm/peertube-vm.nix;
|
peertube-vm = import ./vm/peertube-vm.nix;
|
||||||
pixelfed-vm = import ./vm/pixelfed-vm.nix;
|
pixelfed-vm = import ./vm/pixelfed-vm.nix;
|
||||||
|
|
||||||
disk-layout = import ./disk-layout.nix;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
mastodon = nixpkgs.lib.nixosSystem {
|
mastodon = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [
|
modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ];
|
||||||
disko.nixosModules.default
|
|
||||||
disk-layout
|
|
||||||
bleedingFediverse
|
|
||||||
fediversity
|
|
||||||
interactive-vm
|
|
||||||
garage-vm
|
|
||||||
mastodon-vm
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
peertube = nixpkgs.lib.nixosSystem {
|
peertube = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [
|
modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ];
|
||||||
disko.nixosModules.default
|
|
||||||
disk-layout
|
|
||||||
bleedingFediverse
|
|
||||||
fediversity
|
|
||||||
interactive-vm
|
|
||||||
garage-vm
|
|
||||||
peertube-vm
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
pixelfed = nixpkgs.lib.nixosSystem {
|
pixelfed = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [
|
modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ];
|
||||||
disko.nixosModules.default
|
|
||||||
disk-layout
|
|
||||||
bleedingFediverse
|
|
||||||
fediversity
|
|
||||||
interactive-vm
|
|
||||||
garage-vm
|
|
||||||
pixelfed-vm
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
all = nixpkgs.lib.nixosSystem {
|
all = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [
|
modules = with self.nixosModules; [
|
||||||
disko.nixosModules.default
|
|
||||||
disk-layout
|
|
||||||
bleedingFediverse
|
|
||||||
fediversity
|
fediversity
|
||||||
interactive-vm
|
interactive-vm
|
||||||
garage-vm
|
|
||||||
peertube-vm
|
peertube-vm
|
||||||
pixelfed-vm
|
pixelfed-vm
|
||||||
mastodon-vm
|
mastodon-vm
|
||||||
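Review bot: The added `description = "Testing mastodon configurations";` no longer describes the flake, which defines `mastodon`, `peertube`, `pixelfed` and `all` configurations further down the same hunk; `description = "Fediversity test VM configurations (Mastodon, PeerTube, Pixelfed)";` would be accurate. Both sides build everything from `github:radvendii/nixpkgs/nixos_rebuild_tests`, a personal fork branch with no revision pinned in `flake.nix` itself, so the supply chain rests entirely on `flake.lock` being committed and reviewed; a comment next to that input saying why the branch is needed and when it can return to upstream nixpkgs would help whoever audits the inputs later. The `nixosConfigurations.all` module list continues past the end of the hunk.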
|
@ -97,16 +50,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
## Fully-feature ISO installer
|
|
||||||
mkInstaller = import ./installer.nix;
|
|
||||||
installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations;
|
|
||||||
|
|
||||||
deploy =
|
|
||||||
let
|
|
||||||
deployCommand = (pkgs.callPackage ./deploy.nix { });
|
|
||||||
in
|
|
||||||
lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations;
|
|
||||||
|
|
||||||
checks.${system} = {
|
checks.${system} = {
|
||||||
mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
|
mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
|
||||||
pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };
|
pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };
|
||||||
|
|
|
@ -1,39 +0,0 @@
|
||||||
/**
|
|
||||||
Convert a NixOS configuration to one for a minimal installer ISO
|
|
||||||
|
|
||||||
WARNING: Running this installer will format the target disk!
|
|
||||||
*/
|
|
||||||
nixpkgs: machine:
|
|
||||||
let
|
|
||||||
installer = { config, pkgs, lib, ... }:
|
|
||||||
let
|
|
||||||
bootstrap = pkgs.writeShellApplication {
|
|
||||||
name = "bootstrap";
|
|
||||||
runtimeInputs = with pkgs; [ nixos-install-tools ];
|
|
||||||
text = ''
|
|
||||||
${machine.config.system.build.diskoScript}
|
|
||||||
nixos-install --no-root-password --no-channel-copy --system ${machine.config.system.build.toplevel}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
"${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
|
|
||||||
];
|
|
||||||
nixpkgs.hostPlatform = "x86_64-linux";
|
|
||||||
services.getty.autologinUser = lib.mkForce "root";
|
|
||||||
programs.bash.loginShellInit = ''
|
|
||||||
${nixpkgs.lib.getExe bootstrap}
|
|
||||||
'';
|
|
||||||
|
|
||||||
isoImage = {
|
|
||||||
compressImage = false;
|
|
||||||
squashfsCompression = "lz4";
|
|
||||||
isoName = lib.mkForce "installer.iso";
|
|
||||||
## ^^ FIXME: Use a more interesting name or keep the default name and
|
|
||||||
## use `isoImage.isoName` in the tests.
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
(nixpkgs.lib.nixosSystem { modules = [installer];}).config.system.build.isoImage
|
|
||||||
|
|
|
@ -37,12 +37,7 @@ pkgs.nixosTest {
|
||||||
nodes = {
|
nodes = {
|
||||||
server = { config, ... }: {
|
server = { config, ... }: {
|
||||||
virtualisation.memorySize = lib.mkVMOverride 4096;
|
virtualisation.memorySize = lib.mkVMOverride 4096;
|
||||||
imports = with self.nixosModules; [
|
imports = with self.nixosModules; [ mastodon-vm ];
|
||||||
bleedingFediverse
|
|
||||||
fediversity
|
|
||||||
garage-vm
|
|
||||||
mastodon-vm
|
|
||||||
];
|
|
||||||
# TODO: pair down
|
# TODO: pair down
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
python3
|
python3
|
||||||
|
|
|
@ -136,12 +136,7 @@ pkgs.nixosTest {
|
||||||
memorySize = lib.mkVMOverride 8192;
|
memorySize = lib.mkVMOverride 8192;
|
||||||
cores = 8;
|
cores = 8;
|
||||||
};
|
};
|
||||||
imports = with self.nixosModules; [
|
imports = with self.nixosModules; [ pixelfed-vm ];
|
||||||
bleedingFediverse
|
|
||||||
fediversity
|
|
||||||
garage-vm
|
|
||||||
pixelfed-vm
|
|
||||||
];
|
|
||||||
# TODO: pair down
|
# TODO: pair down
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
python3
|
python3
|
||||||
|
@ -157,8 +152,6 @@ pkgs.nixosTest {
|
||||||
POST_MEDIA = ./fediversity.png;
|
POST_MEDIA = ./fediversity.png;
|
||||||
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
|
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
|
||||||
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
|
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
|
||||||
## without this we get frivolous errors in the logs
|
|
||||||
MC_REGION = "garage";
|
|
||||||
};
|
};
|
||||||
# chrome does not like being run as root
|
# chrome does not like being run as root
|
||||||
users.users.selenium = {
|
users.users.selenium = {
|
||||||
|
@ -209,7 +202,7 @@ pkgs.nixosTest {
|
||||||
|
|
||||||
with subtest("Check that image comes from garage"):
|
with subtest("Check that image comes from garage"):
|
||||||
src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
|
src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
|
||||||
if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"):
|
if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"):
|
||||||
raise Exception("image does not come from garage")
|
raise Exception("image does not come from garage")
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,29 +0,0 @@
|
||||||
{ lib, config, modulesPath, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
inherit (lib) mkVMOverride;
|
|
||||||
|
|
||||||
fedicfg = config.fediversity.internal.garage;
|
|
||||||
|
|
||||||
in {
|
|
||||||
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
|
||||||
|
|
||||||
services.nginx.virtualHosts.${fedicfg.web.rootDomain} = {
|
|
||||||
forceSSL = mkVMOverride false;
|
|
||||||
enableACME = mkVMOverride false;
|
|
||||||
};
|
|
||||||
|
|
||||||
virtualisation.diskSize = 2048;
|
|
||||||
virtualisation.forwardPorts = [
|
|
||||||
{
|
|
||||||
from = "host";
|
|
||||||
host.port = fedicfg.rpc.port;
|
|
||||||
guest.port = fedicfg.rpc.port;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
from = "host";
|
|
||||||
host.port = fedicfg.web.internalPort;
|
|
||||||
guest.port = fedicfg.web.internalPort;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -1,6 +1,9 @@
|
||||||
{ modulesPath, lib, config, ... }: {
|
{ modulesPath, lib, config, ... }: {
|
||||||
|
|
||||||
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
imports = [
|
||||||
|
../fediversity
|
||||||
|
(modulesPath + "/virtualisation/qemu-vm.nix")
|
||||||
|
];
|
||||||
|
|
||||||
config = lib.mkMerge [
|
config = lib.mkMerge [
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,6 +1,9 @@
|
||||||
{ pkgs, modulesPath, ... }: {
|
{ pkgs, modulesPath, ... }: {
|
||||||
|
|
||||||
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
imports = [
|
||||||
|
../fediversity
|
||||||
|
(modulesPath + "/virtualisation/qemu-vm.nix")
|
||||||
|
];
|
||||||
|
|
||||||
services.peertube = {
|
services.peertube = {
|
||||||
enableWebHttps = false;
|
enableWebHttps = false;
|
||||||
|
|
|
@ -1,10 +1,9 @@
|
||||||
{ pkgs, lib, modulesPath, ... }:
|
{ pkgs, modulesPath, ... }: {
|
||||||
|
|
||||||
let
|
imports = [
|
||||||
inherit (lib) mkVMOverride;
|
../fediversity
|
||||||
|
(modulesPath + "/virtualisation/qemu-vm.nix")
|
||||||
in {
|
];
|
||||||
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
|
||||||
|
|
||||||
fediversity = {
|
fediversity = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -12,16 +11,22 @@ in {
|
||||||
pixelfed.enable = true;
|
pixelfed.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||||
services.pixelfed = {
|
services.pixelfed = {
|
||||||
|
# TODO: secrets management!
|
||||||
|
secretFile = pkgs.writeText "secrets.env" ''
|
||||||
|
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
|
||||||
|
'';
|
||||||
settings = {
|
settings = {
|
||||||
|
OPEN_REGISTRATION = true;
|
||||||
FORCE_HTTPS_URLS = false;
|
FORCE_HTTPS_URLS = false;
|
||||||
};
|
};
|
||||||
|
# I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx
|
||||||
|
# TODO: If that indeed makes sense, upstream it.
|
||||||
nginx = {
|
nginx = {
|
||||||
forceSSL = mkVMOverride false;
|
# locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
|
||||||
enableACME = mkVMOverride false;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualisation.memorySize = 2048;
|
virtualisation.memorySize = 2048;
|
||||||
virtualisation.forwardPorts = [
|
virtualisation.forwardPorts = [
|
||||||
{
|
{
|
||||||
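Review bot: `secretFile = pkgs.writeText "secrets.env" '' APP_KEY=… ''` moves a literal Laravel `APP_KEY` into this VM module; `pkgs.writeText` places the file in the world-readable Nix store and the value is committed to the repository, so it is not a secret in any deployment built from this tree. The existing `# TODO: secrets management!` marks it, but the comment should also state the scope, e.g. `# TEST-ONLY key: committed in git and world-readable in the Nix store; real hosts must provide secretFile from outside the store`. `OPEN_REGISTRATION = true;` is added here without the note the old side carried in the fediversity module (that it depends on the target and wants a `fediversity.openRegistration` option); carry that comment over. The `virtualisation.forwardPorts` list at the end of the hunk continues past it.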
|
|