Add packages.${system}.pixelfed

pixelfed: Use package from lock
nixosModules: move pixelfed package definition into flake lexical scope
2024-09-25 13:29:39 +02:00 · 2024-09-25 09:42:08 +02:00 · 2024-09-25 09:23:50 +02:00 · 2024-09-23 11:48:17 +02:00
20 changed files with 537 additions and 1136 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,4 +6,3 @@ result*
 output
 todo

-/.pre-commit-config.yaml
--- a/README.md
+++ b/README.md
@ -46,26 +46,6 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
    ```bash
    pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
    ```
-# Building an installer image
-
-Build an installer image for the desired configuration, e.g. for `peertube`:
-
-```bash
-nix build .#installers.peertube
-```
-
-Upload the image in `./result` to Proxmox when creating a VM.
-Booting the image will format the disk and install NixOS with the desired configuration.
-
-# Deploying an updated machine configuration
-
-> TODO: There is currently no way to specify an actual target machine by name.
-
-Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name:
-
-```bash
-nix run .#deploy.peertube
-```

 ## debugging notes

--- a/deploy.nix
+++ b/deploy.nix
@ -1,13 +0,0 @@
-{ writeShellApplication }:
-name: _config:
-writeShellApplication {
-  name = "deploy";
-  text = ''
-    result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
-    # shellcheck disable=SC2087
-    ssh ${name} << EOF
-    nix-env -p /nix/var/nix/profiles/system --set "$result"
-    "$result"/bin/switch-to-configuration switch
-    EOF
-  '';
-}
--- a/disk-layout.nix
+++ b/disk-layout.nix
@ -1,36 +0,0 @@
-{ ... }:
-{
-  disko.devices.disk.main = {
-    device = "/dev/sda";
-    type = "disk";
-    content = {
-      type = "gpt";
-      partitions = {
-        MBR = {
-          priority = 0;
-          size = "1M";
-          type = "EF02";
-        };
-        ESP = {
-          priority = 1;
-          size = "500M";
-          type = "EF00";
-          content = {
-            type = "filesystem";
-            format = "vfat";
-            mountpoint = "/boot";
-          };
-        };
-        root = {
-          priority = 2;
-          size = "100%";
-          content = {
-            type = "filesystem";
-            format = "ext4";
-            mountpoint = "/";
-          };
-        };
-      };
-    };
-  };
-}
--- a/fediversity/default.nix
+++ b/fediversity/default.nix
@ -2,11 +2,10 @@

 let
  inherit (builtins) toString;
-  inherit (lib) mkOption mkEnableOption mkForce;
+  inherit (lib) mkOption mkEnableOption;
  inherit (lib.types) types;

-in
-{
+in {
  imports = [
    ./garage.nix
    ./mastodon.nix
@ -32,24 +31,6 @@ in
      pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
      peertube.enable = mkEnableOption "default Fediversity PeerTube configuration";

-      temp = mkOption {
-        description = "options that are only used while developing; should be removed eventually";
-        default = { };
-        type = types.submodule {
-          options = {
-            cores = mkOption {
-              description = "number of cores; should be obtained from NixOps4";
-              type = types.int;
-            };
-
-            peertubeSecretsFile = mkOption {
-              description = "should it be provided by NixOps4? or maybe we should just ask for a main secret from which to derive all the others?";
-              type = types.path;
-            };
-          };
-        };
-      };
-
      internal = mkOption {
        description = "options that are only meant to be used internally; change at your own risk";
        default = {};
@ -83,17 +64,17 @@ in
                  type = types.str;
                  default = "web.garage.${config.fediversity.domain}";
                };
-                internalPort = mkOption {
+                port = mkOption {
                  type = types.int;
                  default = 3902;
                };
-                domainForBucket = mkOption {
-                  type = types.functionTo types.str;
-                  default = bucket: "${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
+                rootDomainAndPort = mkOption {
+                  type = types.str;
+                  default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
                };
-                urlForBucket = mkOption {
+                urlFor = mkOption {
                  type = types.functionTo types.str;
-                  default = bucket: "http://${config.fediversity.internal.garage.web.domainForBucket bucket}";
+                  default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
                };
              };
            };
@ -108,7 +89,7 @@ in
            };
            mastodon.domain = mkOption {
              type = types.str;
-              default = "mastodon.${config.fediversity.domain}";
+              default = "mastdodon.${config.fediversity.domain}";
            };
            peertube.domain = mkOption {
              type = types.str;
@ -119,19 +100,4 @@ in
      };
    };
  };
-
-  config = {
-    ## FIXME: This should clearly go somewhere else; and we should have a
-    ## `staging` vs. `production` setting somewhere.
-    security.acme = {
-      acceptTerms = true;
-      defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com";
-      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
-    };
-
-    ## NOTE: For a one-machine deployment, this removes the need to provide an
-    ## `s3.garage.<domain>` domain. However, this will quickly stop working once
-    ## we go to multi-machines deployment.
-    fediversity.internal.garage.api.domain = mkForce "s3.garage.localhost";
-  };
 }
--- a/fediversity/garage.nix
+++ b/fediversity/garage.nix
@ -8,49 +8,25 @@ let
 in

 # TODO: expand to a multi-machine setup
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, lib, pkgs, ... }:

 let
  inherit (builtins) toString;
-  inherit (lib)
-    types
-    mkOption
-    mkEnableOption
-    optionalString
-    concatStringsSep
-    ;
+  inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
  inherit (lib.strings) escapeShellArg;
-  inherit (lib.attrsets) filterAttrs mapAttrs';
  cfg = config.services.garage;
-  fedicfg = config.fediversity.internal.garage;
  concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
-  ensureBucketScriptFn =
-    bucket:
-    {
-      website,
-      aliases,
-      corsRules,
-    }:
+  ensureBucketScriptFn = bucket: { website, aliases, corsRules }:
    let
      bucketArg = escapeShellArg bucket;
-      corsRulesJSON = escapeShellArg (
-        builtins.toJSON {
-          CORSRules = [
-            {
+      corsRulesJSON = escapeShellArg (builtins.toJSON {
+        CORSRules = [{
          AllowedHeaders = corsRules.allowedHeaders;
          AllowedMethods = corsRules.allowedMethods;
          AllowedOrigins = corsRules.allowedOrigins;
-            }
-          ];
-        }
-      );
-    in
-    ''
+        }];
+      });
+    in ''
      # garage bucket info tells us if the bucket already exists
      garage bucket info ${bucketArg} || garage bucket create ${bucketArg}

@ -59,41 +35,24 @@ let
        garage bucket website --allow ${bucketArg}
      ''}

-      ${concatStringsSep "\n" (
-        map (alias: ''
+      ${concatStringsSep "\n" (map (alias: ''
        garage bucket alias ${bucketArg} ${escapeShellArg alias}
-        '') aliases
-      )}
+      '') aliases)}

      ${optionalString corsRules.enable ''
        garage bucket allow --read --write --owner ${bucketArg} --key tmp
        # TODO: endpoin-url should not be hard-coded
-        aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
+        aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
        garage bucket deny --read --write --owner ${bucketArg} --key tmp
      ''}
    '';
  ensureBucketsScript = concatMapAttrs ensureBucketScriptFn cfg.ensureBuckets;
-  ensureAccessScriptFn =
-    key: bucket:
-    {
-      read,
-      write,
-      owner,
-    }:
-    ''
+  ensureAccessScriptFn = key: bucket: { read, write, owner }: ''
    garage bucket allow ${optionalString read "--read"} ${optionalString write "--write"} ${optionalString owner "--owner"} \
      ${escapeShellArg bucket} --key ${escapeShellArg key}
  '';
-  ensureKeyScriptFn =
-    key:
-    {
-      id,
-      secret,
-      ensureAccess,
-    }:
-    ''
-      ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
-      garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || :
+  ensureKeyScriptFn = key: {id, secret, ensureAccess}: ''
+    garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret}
    ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
  '';
  ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
@ -104,8 +63,7 @@ in
  options = {
    services.garage = {
      ensureBuckets = mkOption {
-        type = types.attrsOf (
-          types.submodule {
+        type = types.attrsOf (types.submodule {
          options = {
            website = mkOption {
              type = types.bool;
@ -132,13 +90,11 @@ in
              default = [];
            };
          };
-          }
-        );
+        });
        default = {};
      };
      ensureKeys = mkOption {
-        type = types.attrsOf (
-          types.submodule {
+        type = types.attrsOf (types.submodule {
          # TODO: these should be managed as secrets, not in the nix store
          options = {
            id = mkOption {
@ -150,8 +106,7 @@ in
            # TODO: assert at least one of these is true
            # NOTE: this currently needs to be done at the top level module
            ensureAccess = mkOption {
-                type = types.attrsOf (
-                  types.submodule {
+              type = types.attrsOf (types.submodule {
                options = {
                  read = mkOption {
                    type = types.bool;
@ -166,26 +121,36 @@ in
                    default = false;
                  };
                };
-                  }
-                );
+              });
              default = [];
            };
          };
-          }
-        );
+        });
        default = {};
      };
    };
  };

  config = lib.mkIf config.fediversity.enable {
-    environment.systemPackages = [
-      pkgs.minio-client
-      pkgs.awscli
+    virtualisation.diskSize = 2048;
+    virtualisation.forwardPorts = [
+      {
+        from = "host";
+        host.port = config.fediversity.internal.garage.rpc.port;
+        guest.port = config.fediversity.internal.garage.rpc.port;
+      }
+      {
+        from = "host";
+        host.port = config.fediversity.internal.garage.web.port;
+        guest.port = config.fediversity.internal.garage.web.port;
+      }
    ];

+    environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
+
    networking.firewall.allowedTCPPorts = [
-      fedicfg.rpc.port
+      config.fediversity.internal.garage.rpc.port
+      config.fediversity.internal.garage.web.port
    ];
    services.garage = {
      enable = true;
@ -195,59 +160,30 @@ in
        # TODO: use a secret file
        rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
        # TODO: why does this have to be set? is there not a sensible default?
-        rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}";
-        rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}";
-        s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}";
-        s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}";
-        s3_web.root_domain = ".${fedicfg.web.rootDomain}";
+        rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}";
+        rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}";
+        s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}";
+        s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}";
+        s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}";
        index = "index.html";

        s3_api.s3_region = "garage";
-        s3_api.root_domain = ".${fedicfg.api.domain}";
+        s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}";
      };
    };
-
-    ## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for
-    ## each bucket that has `website = true`.
-    services.nginx.virtualHosts =
-      let
-        value = {
-          forceSSL = true;
-          enableACME = true;
-          locations."/" = {
-            proxyPass = "http://localhost:3902";
-            extraConfig = ''
-              ## copied from https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/
-              proxy_set_header Host $host;
-              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-              # Disable buffering to a temporary file.
-              proxy_max_temp_file_size 0;
-            '';
-          };
-        };
-      in
-      mapAttrs' (bucket: _: {
-        name = fedicfg.web.domainForBucket bucket;
-        inherit value;
-      }) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets);
-
    systemd.services.ensure-garage = {
      after = [ "garage.service" ];
      wantedBy = [ "garage.service" ];
      serviceConfig = {
        Type = "oneshot";
      };
-      path = [
-        cfg.package
-        pkgs.perl
-        pkgs.awscli
-      ];
+      path = [ cfg.package pkgs.perl pkgs.awscli ];
      script = ''
        set -xeuo pipefail

        # Give Garage time to start up by waiting until somethings speaks HTTP
        # behind Garage's API URL.
-        until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done
+        until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done

        # XXX: this is very sensitive to being a single instance
        # (doing the bare minimum to get garage up and running)
@ -261,8 +197,7 @@ in

        # XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys
        # TODO: generate this key here rather than using a well-known key
-        # TODO: if the key already exists, we get an error; hacked with this `|| :` which needs to be removed
-        garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} || :
+        garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret}
        export AWS_ACCESS_KEY_ID=${snakeoil_key.id};
        export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret};

--- a/fediversity/mastodon.nix
+++ b/fediversity/mastodon.nix
@ -5,11 +5,7 @@ let
  };
 in

-{
-  config,
-  lib,
-  ...
-}:
+{ config, lib, pkgs, ... }:

 lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
 #### garage setup
@ -50,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
      AWS_ACCESS_KEY_ID = snakeoil_key.id;
      AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
      S3_PROTOCOL = "http";
-      S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain;
+      S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort;
      # by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
      S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
      # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
@ -61,11 +57,8 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {

  #### mastodon setup

-  # open up access to the mastodon web interface. 80 is necessary if only for ACME
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
+  # open up access to the mastodon web interface
+  networking.firewall.allowedTCPPorts = [ 443 ];

  services.mastodon = {
    enable = true;
@ -73,10 +66,6 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
    localDomain = config.fediversity.internal.mastodon.domain;
    configureNginx = true;

-    # from the documentation: recommended is the amount of your CPU cores minus
-    # one. but it also must be a positive integer
-    streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1);
-
    # TODO: configure a mailserver so this works
    smtp = {
      fromAddress = "noreply@${config.fediversity.internal.mastodon.domain}";
--- a/fediversity/peertube.nix
+++ b/fediversity/peertube.nix
@ -5,17 +5,10 @@ let
  };
 in

-{
-  config,
-  lib,
-  ...
-}:
+{ config, lib, pkgs, ... }:

 lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
+  networking.firewall.allowedTCPPorts = [ 80 9000 ];

  services.garage = {
    ensureBuckets = {
@ -66,8 +59,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
    # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
    redis.createLocally = true;
    database.createLocally = true;
-
-    secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile;
+    configureNginx = true;

    settings = {
      object_storage = {
@ -82,17 +74,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
        web_videos = rec {
          bucket_name = "peertube-videos";
          prefix = "";
-          base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
+          base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
        };
        videos = rec {
          bucket_name = "peertube-videos";
          prefix = "";
-          base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
+          base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
        };
        streaming_playlists = rec {
          bucket_name = "peertube-playlists";
          prefix = "";
-          base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
+          base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
        };
      };
    };
@ -102,12 +94,4 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
    AWS_ACCESS_KEY_ID=${snakeoil_key.id}
    AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
  '';
-
-  ## Proxying through Nginx
-
-  services.peertube.configureNginx = true;
-  services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
-    forceSSL = true;
-    enableACME = true;
-  };
 }
--- a/fediversity/pixelfed.nix
+++ b/fediversity/pixelfed.nix
@ -5,12 +5,7 @@ let
  };
 in

-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, lib, pkgs, ... }:

 lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
  services.garage = {
@ -43,37 +38,16 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
  services.pixelfed = {
    enable = true;
    domain = config.fediversity.internal.pixelfed.domain;
-
-    # TODO: secrets management!!!
-    secretFile = pkgs.writeText "secrets.env" ''
-      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
-    '';
-
-    ## Taeer feels like this way of configuring Nginx is odd; there should
-    ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
-    ## configuration should be in `services.nginx`. See eg. `pretix`.
-    ##
-    ## TODO: If that indeed makes sense, upstream.
-    nginx = {
-      forceSSL = true;
-      enableACME = true;
-      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/";
-    };
  };

  services.pixelfed.settings = {
-    ## NOTE: This depends on the targets, eg. universities might want control
-    ## over who has an account. We probably want a universal
-    ## `fediversity.openRegistration` option.
-    OPEN_REGISTRATION = true;
-
    # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
    FILESYSTEM_CLOUD = "s3";
    PF_ENABLE_CLOUD = true;
    AWS_ACCESS_KEY_ID = snakeoil_key.id;
    AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
    AWS_DEFAULT_REGION = "garage";
-    AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed";
+    AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed";
    AWS_BUCKET = "pixelfed";
    AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
    AWS_USE_PATH_STYLE_ENDPOINT = false;
@ -85,8 +59,4 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
    after = [ "ensure-garage.service" ];
  };

-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-  ];
 }
--- a/flake.lock
+++ b/flake.lock
@ -1,151 +1,12 @@
 {
  "nodes": {
-    "disko": {
-      "inputs": {
-        "nixpkgs": "nixpkgs"
-      },
-      "locked": {
-        "lastModified": 1727347829,
-        "narHash": "sha256-y7cW6TjJKy+tu7efxeWI6lyg4VVx/9whx+OmrhmRShU=",
-        "owner": "nix-community",
-        "repo": "disko",
-        "rev": "1879e48907c14a70302ff5d0539c3b9b6f97feaa",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "disko",
-        "type": "github"
-      }
-    },
-    "flake-compat": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "git-hooks": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": "nixpkgs_2",
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1730814269,
-        "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "d70155fdc00df4628446352fc58adc640cd705c2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1725194671,
-        "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-latest": {
-      "locked": {
-        "lastModified": 1727220152,
-        "narHash": "sha256-6ezRTVBZT25lQkvaPrfJSxYLwqcbNWm6feD/vG1FO0o=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "24959f933187217890b206788a85bfa73ba75949",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1730741070,
-        "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1730768919,
-        "narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixpkgs-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1730137230,
-        "narHash": "sha256-0kW6v0alzWIc/Dc/DoVZ7A9qNScv77bj/zYTKI67HZM=",
+        "lastModified": 1723726852,
+        "narHash": "sha256-lRzlx4fPRtzA+dgz9Rh4WK5yAW3TsAXx335DQqxY2XY=",
        "owner": "radvendii",
        "repo": "nixpkgs",
-        "rev": "df815998652a1d00ce7c059a1e5ef7d7c0548c90",
+        "rev": "9286249a1673cf5b14a4793e22dd44b70cb69a0d",
        "type": "github"
      },
      "original": {
@ -155,30 +16,9 @@
        "type": "github"
      }
    },
-    "pixelfed": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1719823820,
-        "narHash": "sha256-CKjqnxp7p2z/13zfp4HQ1OAmaoUtqBKS6HFm6TV8Jwg=",
-        "owner": "pixelfed",
-        "repo": "pixelfed",
-        "rev": "4c245cf429330d01fcb8ebeb9aa8c84a9574a645",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pixelfed",
-        "ref": "v0.12.3",
-        "repo": "pixelfed",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
-        "disko": "disko",
-        "git-hooks": "git-hooks",
-        "nixpkgs": "nixpkgs_3",
-        "nixpkgs-latest": "nixpkgs-latest",
-        "pixelfed": "pixelfed"
+        "nixpkgs": "nixpkgs"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -1,108 +1,77 @@
 {
+  description = "Testing mastodon configurations";
+
  inputs = {
    nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests";
-    nixpkgs-latest.url = "github:nixos/nixpkgs";
-    git-hooks.url = "github:cachix/git-hooks.nix";
-
-    pixelfed = {
-      url = "github:pixelfed/pixelfed?ref=v0.12.3";
-      flake = false;
-    };
-    disko.url = "github:nix-community/disko";
  };

-  outputs =
-    {
-      self,
-      nixpkgs,
-      nixpkgs-latest,
-      git-hooks,
-      pixelfed,
-      disko,
-    }:
+  outputs = inputs@{ self, nixpkgs }:
  let
    system = "x86_64-linux";
-      lib = nixpkgs.lib;
    pkgs = nixpkgs.legacyPackages.${system};
-      pkgsLatest = nixpkgs-latest.legacyPackages.${system};
-      bleedingFediverseOverlay = (
-        _: _: {
-          pixelfed = pkgsLatest.pixelfed.overrideAttrs (old: {
-            src = pixelfed;
+  in {
+
+    packages.${system} = {
+      pixelfed = pkgs.pixelfed.overrideAttrs (old: {
          patches = (old.patches or [ ]) ++ [ ./fediversity/pixelfed-group-permissions.patch ];
      });
-          ## TODO: give mastodon, peertube the same treatment
-        }
-      );
-    in
-    {
-      nixosModules = {
-        ## Bleeding-edge fediverse packages
-        bleedingFediverse = {
-          nixpkgs.overlays = [ bleedingFediverseOverlay ];
    };
+
+    nixosModules = {
      ## Fediversity modules
-        fediversity = import ./fediversity;
+      fediversity = { pkgs, ... }: {
+        imports = [ ./fediversity ];
+        services.pixelfed.package = self.packages.${pkgs.stdenv.hostPlatform.system}.pixelfed;
+      };

      ## VM-specific modules
-        interactive-vm = import ./vm/interactive-vm.nix;
-        garage-vm = import ./vm/garage-vm.nix;
-        mastodon-vm = import ./vm/mastodon-vm.nix;
-        peertube-vm = import ./vm/peertube-vm.nix;
-        pixelfed-vm = import ./vm/pixelfed-vm.nix;
-
-        disk-layout = import ./disk-layout.nix;
+      interactive-vm = {
+        imports = [
+          ./vm/interactive-vm.nix
+          self.nixosModules.fediversity
+        ];
+      };
+      mastodon-vm = {
+        imports = [
+          ./vm/mastodon-vm.nix
+          self.nixosModules.fediversity
+        ];
+      };
+      peertube-vm = {
+        imports = [
+          ./vm/peertube-vm.nix
+          self.nixosModules.fediversity
+        ];
+      };
+      pixelfed-vm = {
+        imports = [
+          ./vm/pixelfed-vm.nix
+          self.nixosModules.fediversity
+        ];
+      };
    };

    nixosConfigurations = {
      mastodon = nixpkgs.lib.nixosSystem {
        inherit system;
-          modules = with self.nixosModules; [
-            disko.nixosModules.default
-            disk-layout
-            bleedingFediverse
-            fediversity
-            interactive-vm
-            garage-vm
-            mastodon-vm
-          ];
+        modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ];
      };

      peertube = nixpkgs.lib.nixosSystem {
        inherit system;
-          modules = with self.nixosModules; [
-            disko.nixosModules.default
-            disk-layout
-            bleedingFediverse
-            fediversity
-            interactive-vm
-            garage-vm
-            peertube-vm
-          ];
+        modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ];
      };

      pixelfed = nixpkgs.lib.nixosSystem {
        inherit system;
-          modules = with self.nixosModules; [
-            disko.nixosModules.default
-            disk-layout
-            bleedingFediverse
-            fediversity
-            interactive-vm
-            garage-vm
-            pixelfed-vm
-          ];
+        modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ];
      };

      all = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = with self.nixosModules; [
-            disko.nixosModules.default
-            disk-layout
-            bleedingFediverse
          fediversity
          interactive-vm
-            garage-vm
          peertube-vm
          pixelfed-vm
          mastodon-vm
@ -110,34 +79,15 @@
      };
    };

-      ## Fully-feature ISO installer
-      mkInstaller = import ./installer.nix;
-      installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations;
-
-      deploy =
-        let
-          deployCommand = (pkgs.callPackage ./deploy.nix { });
-        in
-        lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations;
-
    checks.${system} = {
      mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
      pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };
-
-        pre-commit = git-hooks.lib.${system}.run {
-          src = ./.;
-          hooks = {
-            nixfmt-rfc-style.enable = true;
-            deadnix.enable = true;
-          };
-        };
    };

    devShells.${system}.default = pkgs.mkShell {
      inputs = with pkgs; [
        nil
      ];
-        shellHook = self.checks.${system}.pre-commit.shellHook;
    };
  };
 }
--- a/installer.nix
+++ b/installer.nix
@ -1,61 +0,0 @@
-/**
-  Convert a NixOS configuration to one for a minimal installer ISO
-
-  WARNING: Running this installer will format the target disk!
-*/
-
-{
-  nixpkgs,
-  hostKeys ? { },
-}:
-machine:
-
-let
-  inherit (builtins) concatStringsSep attrValues mapAttrs;
-
-  installer =
-    {
-      config,
-      pkgs,
-      lib,
-      ...
-    }:
-    let
-      bootstrap = pkgs.writeShellApplication {
-        name = "bootstrap";
-        runtimeInputs = with pkgs; [ nixos-install-tools ];
-        text = ''
-          ${machine.config.system.build.diskoScript}
-          nixos-install --no-root-password --no-channel-copy --system ${machine.config.system.build.toplevel}
-          ${concatStringsSep "\n" (
-            attrValues (
-              mapAttrs (kind: keys: ''
-                cp ${keys.private} /mnt/etc/ssh/ssh_host_${kind}_key
-                chmod 600 /mnt/etc/ssh/ssh_host_${kind}_key
-                cp ${keys.public} /mnt/etc/ssh/ssh_host_${kind}_key.pub
-                chmod 644 /mnt/etc/ssh/ssh_host_${kind}_key.pub
-              '') hostKeys
-            )
-          )}
-          poweroff
-        '';
-      };
-    in
-    {
-      imports = [
-        "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
-      ];
-      nixpkgs.hostPlatform = "x86_64-linux";
-      services.getty.autologinUser = lib.mkForce "root";
-      programs.bash.loginShellInit = nixpkgs.lib.getExe bootstrap;
-
-      isoImage = {
-        compressImage = false;
-        squashfsCompression = "lz4";
-        isoName = lib.mkForce "installer.iso";
-        ## ^^ FIXME: Use a more interesting name or keep the default name and
-        ## use `isoImage.isoName` in the tests.
-      };
-    };
-in
-(nixpkgs.lib.nixosSystem { modules = [ installer ]; }).config.system.build.isoImage
--- a/tests/mastodon-garage.nix
+++ b/tests/mastodon-garage.nix
@ -1,16 +1,11 @@
 { pkgs, self }:
 let
  lib = pkgs.lib;
-
-  ## FIXME: this binding was not used, but maybe we want a side-effect or something?
-  # rebuildableTest = import ./rebuildableTest.nix pkgs;
-
-  seleniumScript =
-    pkgs.writers.writePython3Bin "selenium-script"
+  rebuildableTest = import ./rebuildableTest.nix pkgs;
+  seleniumScript = pkgs.writers.writePython3Bin "selenium-script"
    {
      libraries = with pkgs.python3Packages; [ selenium ];
-      }
-      ''
+    } ''
    from selenium import webdriver
    from selenium.webdriver.common.by import By
    from selenium.webdriver.firefox.options import Options
@ -40,16 +35,9 @@ pkgs.nixosTest {
  name = "test-mastodon-garage";

  nodes = {
-    server =
-      { config, ... }:
-      {
+    server = { config, ... }: {
      virtualisation.memorySize = lib.mkVMOverride 4096;
-        imports = with self.nixosModules; [
-          bleedingFediverse
-          fediversity
-          garage-vm
-          mastodon-vm
-        ];
+      imports = with self.nixosModules; [ mastodon-vm ];
      # TODO: pair down
      environment.systemPackages = with pkgs; [
        python3
@ -69,9 +57,7 @@ pkgs.nixosTest {
    };
  };

-  testScript =
-    { nodes, ... }:
-    ''
+  testScript = { nodes, ... }: ''
    import re
    import time

@ -135,8 +121,8 @@ pkgs.nixosTest {
        raise Exception("mastodon did not send a content security policy header")
      csp = csp_match.group(1)
      # the img-src content security policy should include the garage server
-        ## TODO: use `nodes.server.fediversity.internal.garage.api.url` same as above, but beware of escaping the regex. Be careful with port 80 though.
-        garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost.*", csp)
+      ## TODO: use `nodes.server.fediversity.internal.garage.api.url` same as above, but beware of escaping the regex.
+      garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp)
      if garage_csp is None:
        raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.")

--- a/tests/pixelfed-garage.nix
+++ b/tests/pixelfed-garage.nix
@ -1,9 +1,7 @@
 { pkgs, self }:
 let
  lib = pkgs.lib;
-
-  ## FIXME: this binding was not used but maybe we want a side effect or something?
-  # rebuildableTest = import ./rebuildableTest.nix pkgs;
+  rebuildableTest = import ./rebuildableTest.nix pkgs;

  email = "test@test.com";
  password = "testtest";
@ -52,12 +50,10 @@ let
    driver.quit()
  '';

-  seleniumScriptPostPicture =
-    pkgs.writers.writePython3Bin "selenium-script-post-picture"
+  seleniumScriptPostPicture = pkgs.writers.writePython3Bin "selenium-script-post-picture"
    {
      libraries = with pkgs.python3Packages; [ selenium ];
-      }
-      ''
+    } ''
    import os
    import time
    ${seleniumImports}
@ -97,12 +93,10 @@ let
    ${seleniumTakeScreenshot "\"/home/selenium/screenshot.png\""}
    ${seleniumQuit}'';

-  seleniumScriptGetSrc =
-    pkgs.writers.writePython3Bin "selenium-script-get-src"
+  seleniumScriptGetSrc = pkgs.writers.writePython3Bin "selenium-script-get-src"
    {
      libraries = with pkgs.python3Packages; [ selenium ];
-      }
-      ''
+    } ''
    ${seleniumImports}
    ${seleniumSetup}
    ${seleniumPixelfedLogin}
@ -121,9 +115,7 @@ pkgs.nixosTest {
  name = "test-pixelfed-garage";

  nodes = {
-    server =
-      { config, ... }:
-      {
+    server = { config, ... }: {

      services = {
        xserver = {
@ -137,21 +129,14 @@ pkgs.nixosTest {
          user = "selenium";
        };
      };
-        virtualisation.resolution = {
-          x = 1680;
-          y = 1050;
-        };
+      virtualisation.resolution = { x = 1680; y = 1050; };
+

      virtualisation = {
        memorySize = lib.mkVMOverride 8192;
        cores = 8;
      };
-        imports = with self.nixosModules; [
-          bleedingFediverse
-          fediversity
-          garage-vm
-          pixelfed-vm
-        ];
+      imports = with self.nixosModules; [ pixelfed-vm ];
      # TODO: pair down
      environment.systemPackages = with pkgs; [
        python3
@ -167,8 +152,6 @@ pkgs.nixosTest {
        POST_MEDIA = ./fediversity.png;
        AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
        AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
-          ## without this we get frivolous errors in the logs
-          MC_REGION = "garage";
      };
      # chrome does not like being run as root
      users.users.selenium = {
@ -177,9 +160,7 @@ pkgs.nixosTest {
    };
  };

-  testScript =
-    { nodes, ... }:
-    ''
+  testScript = { nodes, ... }: ''
    import re

    server.start()
@ -221,7 +202,7 @@ pkgs.nixosTest {

    with subtest("Check that image comes from garage"):
      src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
-        if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"):
+      if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"):
        raise Exception("image does not come from garage")
  '';
 }
--- a/tests/rebuildableTest.nix
+++ b/tests/rebuildableTest.nix
@ -1,16 +1,9 @@
 pkgs: test:
 let
-  inherit (pkgs.lib)
-    mapAttrsToList
-    concatStringsSep
-    genAttrs
-    mkIf
-    ;
+  inherit (pkgs.lib) mapAttrsToList concatStringsSep genAttrs mkIf;
  inherit (builtins) attrNames;

-  interactiveConfig = (
-    { config, ... }:
-    {
+  interactiveConfig = ({ config, ... }: {
    # so we can run `nix shell nixpkgs#foo` on the machines
    nix.extraOptions = ''
      extra-experimental-features = nix-command flakes
@ -27,16 +20,13 @@ let
    };

    virtualisation = mkIf (config.networking.hostName == "jumphost") {
-        forwardPorts = [
-          {
+      forwardPorts = [{
        from = "host";
        host.port = 2222;
        guest.port = 22;
-          }
-        ];
+      }];
    };
-    }
-  );
+  });

  sshConfig = pkgs.writeText "ssh-config" ''
    Host *
@ -60,11 +50,10 @@ let
    # create an association array from machine names to the path to their
    # configuration in the nix store
    declare -A configPaths=(${
-      concatStringsSep " " (
-        mapAttrsToList (
-          n: v: ''["${n}"]="${v.system.build.toplevel}"''
-        ) rebuildableTest.driverInteractive.nodes
-      )
+      concatStringsSep " "
+        (mapAttrsToList
+          (n: v: ''["${n}"]="${v.system.build.toplevel}"'')
+          rebuildableTest.driverInteractive.nodes)
    })

    rebuild_one() {
@ -124,14 +113,16 @@ let
  # we're at it)
  rebuildableTest =
    let
-      preOverride = pkgs.nixosTest (
-        test
-        // {
+      preOverride = pkgs.nixosTest (test // {
        interactive = (test.interactive or { }) // {
          # no need to // with test.interactive.nodes here, since we are iterating
          # over all of them, and adding back in the config via `imports`
-            nodes =
-              genAttrs (attrNames test.nodes or { } ++ attrNames test.interactive.nodes or { } ++ [ "jumphost" ])
+          nodes = genAttrs
+            (
+              attrNames test.nodes or { } ++
+                attrNames test.interactive.nodes or { } ++
+                [ "jumphost" ]
+            )
            (n: {
              imports = [
                (test.interactive.${n} or { })
@ -140,20 +131,14 @@ let
            });
        };
        # override with test.passthru in case someone wants to overwrite us.
-          passthru = {
-            inherit rebuildScript sshConfig;
-          } // (test.passthru or { });
-        }
-      );
+        passthru = { inherit rebuildScript sshConfig; } // (test.passthru or { });
+      });
    in
-    preOverride
-    // {
+    preOverride // {
      driverInteractive = preOverride.driverInteractive.overrideAttrs (old: {
        # this comes from runCommand, not mkDerivation, so this is the only
        # hook we have to override
-        buildCommand =
-          old.buildCommand
-          + ''
+        buildCommand = old.buildCommand + ''
          ln -s ${sshConfig} $out/ssh-config
          ln -s ${rebuildScript}/bin/rebuild $out/bin/rebuild
        '';
@ -161,3 +146,4 @@ let
    };
 in
 rebuildableTest
+
--- a/vm/garage-vm.nix
+++ b/vm/garage-vm.nix
@ -1,44 +0,0 @@
-{
-  lib,
-  config,
-  modulesPath,
-  ...
-}:
-
-let
-  inherit (lib) mkVMOverride mapAttrs' filterAttrs;
-
-  cfg = config.services.garage;
-
-  fedicfg = config.fediversity.internal.garage;
-
-in
-{
-  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
-
-  services.nginx.virtualHosts =
-    let
-      value = {
-        forceSSL = mkVMOverride false;
-        enableACME = mkVMOverride false;
-      };
-    in
-    mapAttrs' (bucket: _: {
-      name = fedicfg.web.domainForBucket bucket;
-      inherit value;
-    }) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets);
-
-  virtualisation.diskSize = 2048;
-  virtualisation.forwardPorts = [
-    {
-      from = "host";
-      host.port = fedicfg.rpc.port;
-      guest.port = fedicfg.rpc.port;
-    }
-    {
-      from = "host";
-      host.port = fedicfg.web.internalPort;
-      guest.port = fedicfg.web.internalPort;
-    }
-  ];
-}
--- a/vm/interactive-vm.nix
+++ b/vm/interactive-vm.nix
@ -1,6 +1,5 @@
 # customize nixos-rebuild build-vm to be a bit more convenient
-{ pkgs, ... }:
-{
+{ pkgs, ... }: {
  # let us log in
  users.mutableUsers = false;
  users.users.root.hashedPassword = "";
@ -35,10 +34,7 @@
  # no graphics. see nixos-shell
  virtualisation = {
    graphics = false;
-    qemu.consoles = [
-      "tty0"
-      "hvc0"
-    ];
+    qemu.consoles = [ "tty0" "hvc0" ];
    qemu.options = [
      "-serial null"
      "-device virtio-serial"
@ -48,19 +44,12 @@
    ];
  };

+
  # we can't forward port 80 or 443, so let's run nginx on a different port
-  networking.firewall.allowedTCPPorts = [
-    8443
-    8080
-  ];
+  networking.firewall.allowedTCPPorts = [ 8443 8080 ];
  services.nginx.defaultSSLListenPort = 8443;
  services.nginx.defaultHTTPListenPort = 8080;
  virtualisation.forwardPorts = [
-    {
-      from = "host";
-      host.port = 22222;
-      guest.port = 22;
-    }
    {
      from = "host";
      host.port = 8080;
--- a/vm/mastodon-vm.nix
+++ b/vm/mastodon-vm.nix
@ -1,12 +1,8 @@
-{
-  modulesPath,
-  lib,
-  config,
-  ...
-}:
-{
+{ modulesPath, lib, config, ... }: {

-  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
+  imports = [
+    (modulesPath + "/virtualisation/qemu-vm.nix")
+  ];

  config = lib.mkMerge [
    {
@ -14,17 +10,19 @@
        enable = true;
        domain = "localhost";
        mastodon.enable = true;
-
-        temp.cores = config.virtualisation.cores;
      };

      services.mastodon = {
        extraConfig = {
          EMAIL_DOMAIN_ALLOWLIST = "example.com";
        };
+
+        # from the documentation: recommended is the amount of your CPU cores
+        # minus one. but it also must be a positive integer
+        streamingProcesses = lib.max 1 (config.virtualisation.cores - 1);
      };

-      security.acme = lib.mkVMOverride {
+      security.acme = {
        defaults = {
          # invalid server; the systemd service will fail, and we won't get
          # properly signed certificates. but let's not spam the letsencrypt
--- a/vm/peertube-vm.nix
+++ b/vm/peertube-vm.nix
@ -1,8 +1,8 @@
-{ modulesPath, ... }:
+{ pkgs, modulesPath, ... }: {

-{
-
-  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
+  imports = [
+    (modulesPath + "/virtualisation/qemu-vm.nix")
+  ];

  services.peertube = {
    enableWebHttps = false;
@ -10,6 +10,10 @@
      listen.hostname = "0.0.0.0";
      instance.name = "PeerTube Test VM";
    };
+    # TODO: use agenix
+    secrets.secretsFile = pkgs.writeText "secret" ''
+      574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
+    '';
  };

  virtualisation.forwardPorts = [
--- a/vm/pixelfed-vm.nix
+++ b/vm/pixelfed-vm.nix
@ -1,16 +1,8 @@
-{
-  lib,
-  modulesPath,
-  ...
-}:
+{ pkgs, modulesPath, ... }: {

-let
-  inherit (lib) mkVMOverride;
-
-in
-
-{
-  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
+  imports = [
+    (modulesPath + "/virtualisation/qemu-vm.nix")
+  ];

  fediversity = {
    enable = true;
@ -18,16 +10,22 @@ in
    pixelfed.enable = true;
  };

+  networking.firewall.allowedTCPPorts = [ 80 ];
  services.pixelfed = {
+    # TODO: secrets management!
+    secretFile = pkgs.writeText "secrets.env" ''
+      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+    '';
    settings = {
+      OPEN_REGISTRATION = true;
      FORCE_HTTPS_URLS = false;
    };
+    # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx
+    # TODO: If that indeed makes sense, upstream it.
    nginx = {
-      forceSSL = mkVMOverride false;
-      enableACME = mkVMOverride false;
+      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
    };
  };
-
  virtualisation.memorySize = 2048;
  virtualisation.forwardPorts = [
    {
Author	SHA1	Message	Date
Robert Hensing	114b1d596f	Add packages.${system}.pixelfed	2024-09-25 13:29:39 +02:00
Robert Hensing	1fc83f6980	pixelfed: Use package from lock	2024-09-25 09:42:08 +02:00
Robert Hensing	c9bd295faa	nixosModules: move pixelfed package definition into flake lexical scope	2024-09-25 09:23:50 +02:00
Robert Hensing	a4fedcbc44	nixosModules: Preserve file name import drops it	2024-09-23 11:48:17 +02:00