diff --git a/fediversity/default.nix b/fediversity/default.nix
new file mode 100644
index 0000000..46ee05d
--- /dev/null
+++ b/fediversity/default.nix
@@ -0,0 +1,103 @@
+{ lib, config, ... }:
+
+let
+ inherit (builtins) toString;
+ inherit (lib) mkOption mkEnableOption;
+ inherit (lib.types) types;
+
+in {
+ imports = [
+ ./garage.nix
+ ./mastodon.nix
+ ./pixelfed.nix
+ ./peertube.nix
+ ];
+
+ options = {
+ fediversity = {
+ enable = mkEnableOption "the collection of services bundled under Fediversity";
+
+ domain = mkOption {
+ type = types.str;
+ description = ''
+ root domain for the Fediversity services
+
+ For instance, if this option is set to `foo.example.com`, then
+ Pixelfed might be under `pixelfed.foo.example.com`.
+ '';
+ };
+
+ mastodon.enable = mkEnableOption "default Fediversity Mastodon configuration";
+ pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
+ peertube.enable = mkEnableOption "default Fediversity PeerTube configuration";
+
+ internal = mkOption {
+ description = "options that are only meant to be used internally; change at your own risk";
+ default = {};
+ type = types.submodule {
+ options = {
+ garage = {
+ api = {
+ domain = mkOption {
+ type = types.str;
+ default = "s3.garage.${config.fediversity.domain}";
+ };
+ port = mkOption {
+ type = types.int;
+ default = 3900;
+ };
+ url = mkOption {
+ type = types.str;
+ default = "http://${config.fediversity.internal.garage.api.domain}:${toString config.fediversity.internal.garage.api.port}";
+ };
+ };
+
+ rpc = {
+ port = mkOption {
+ type = types.int;
+ default = 3901;
+ };
+ };
+
+ web = {
+ rootDomain = mkOption {
+ type = types.str;
+ default = "web.garage.${config.fediversity.domain}";
+ };
+ port = mkOption {
+ type = types.int;
+ default = 3902;
+ };
+ rootDomainAndPort = mkOption {
+ type = types.str;
+ default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
+ };
+ urlFor = mkOption {
+ type = types.functionTo types.str;
+ default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
+ };
+ };
+ };
+
+ ## REVIEW: Do we want to recreate options under
+ ## `fediversity.internal` or would we rather use the options from
+ ## the respective services? See Taeer's comment:
+ ## https://git.fediversity.eu/taeer/simple-nixos-fediverse/pulls/22#issuecomment-124
+ pixelfed.domain = mkOption {
+ type = types.str;
+ default = "pixelfed.${config.fediversity.domain}";
+ };
+ mastodon.domain = mkOption {
+ type = types.str;
+ default = "mastdodon.${config.fediversity.domain}";
+ };
+ peertube.domain = mkOption {
+ type = types.str;
+ default = "peertube.${config.fediversity.domain}";
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/garage.nix b/fediversity/garage.nix
similarity index 83%
rename from garage.nix
rename to fediversity/garage.nix
index b58738d..84af662 100644
--- a/garage.nix
+++ b/fediversity/garage.nix
@@ -6,9 +6,12 @@ let
 secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e";
 };
 in
+ # TODO: expand to a multi-machine setup
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
 let
+ inherit (builtins) toString;
 inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
 inherit (lib.strings) escapeShellArg;
 cfg = config.services.garage;
@@ -39,7 +42,7 @@ let
 ${optionalString corsRules.enable ''
 garage bucket allow --read --write --owner ${bucketArg} --key tmp
 # TODO: endpoin-url should not be hard-coded
- aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url http://s3.garage.localhost:3900 s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
+ aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
 garage bucket deny --read --write --owner ${bucketArg} --key tmp
 ''}
 '';
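Review bot: The default for `mastodon.domain` misspells the host: `default = "mastdodon.${config.fediversity.domain}";` should read `default = "mastodon.${config.fediversity.domain}";`. The typo propagates through `services.mastodon.localDomain`, the SMTP from-address and the VM's `LOCAL_DOMAIN` in later hunks, so every Mastodon URL built from this option points at the wrong name. Separately, `inherit (lib.types) types;` binds `types` to `lib.types.types`, which I don't believe exists; `garage.nix` in this same commit uses `inherit (lib) types …`, so `inherit (lib) types;` is presumably what was intended — worth confirming by evaluating the module. The `api.url` and `urlFor` defaults also bake in `http://`; fine for the localhost VMs, but once `fediversity.domain` is a real domain these are the S3 endpoints the services talk to in clear text, so a scheme option, or at least a comment stating the defaults are VM-oriented, would help.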
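Review bot: The context comment `# TODO: endpoin-url should not be hard-coded` above the rewritten `aws … --endpoint-url ${config.fediversity.internal.garage.api.url} …` now describes a problem this hunk fixes; drop it, or replace it with `# endpoint comes from fediversity.internal.garage.api.url` so the next reader doesn't hunt for a hard-coded URL. The URL is spliced into the shell snippet unquoted while the file imports `escapeShellArg` and applies it to the bucket argument; `--endpoint-url ${escapeShellArg config.fediversity.internal.garage.api.url}` would follow the file's own convention. The shell string and the function enclosing it start before the hunk.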
@@ -53,7 +56,9 @@ let ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} ''; ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys; -in { +in + +{ # add in options to ensure creation of buckets and keys options = { services.garage = { @@ -126,24 +131,27 @@ in { }; }; - config = { + config = lib.mkIf config.fediversity.enable { virtualisation.diskSize = 2048; virtualisation.forwardPorts = [ { from = "host"; - host.port = 3901; - guest.port = 3901; + host.port = config.fediversity.internal.garage.rpc.port; + guest.port = config.fediversity.internal.garage.rpc.port; } { from = "host"; - host.port = 3902; - guest.port = 3902; + host.port = config.fediversity.internal.garage.web.port; + guest.port = config.fediversity.internal.garage.web.port; } ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; - networking.firewall.allowedTCPPorts = [ 3901 3902 ]; + networking.firewall.allowedTCPPorts = [ + config.fediversity.internal.garage.rpc.port + config.fediversity.internal.garage.web.port + ]; services.garage = { enable = true; package = pkgs.garage_0_9; 
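Review bot: The rewritten `networking.firewall.allowedTCPPorts` opens the Garage RPC port (`rpc.port`, default 3901) alongside the web port, while the S3 API port (`api.port`) is neither opened nor forwarded; on a single node the RPC port is only spoken by cluster peers and is guarded solely by the `rpc_secret` this file embeds, so I'd expect `networking.firewall.allowedTCPPorts = [ config.fediversity.internal.garage.web.port ];` (plus `api.port` if the API must be reachable from outside) until the multi-machine setup the file's TODO mentions exists. `virtualisation.forwardPorts` and `virtualisation.diskSize` are QEMU-specific yet now sit under `mkIf config.fediversity.enable` in the shared module; moving them into `vm/*.nix` next to the other VM settings would keep the module usable on real hosts. The `config` attrset continues past the hunk.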
@@ -152,15 +160,15 @@ in { # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "[::1]:3901"; - s3_api.api_bind_addr = "[::]:3900"; - s3_web.bind_addr = "[::]:3902"; - s3_web.root_domain = ".web.garage.localhost"; + rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}"; + rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}"; + s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}"; + s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".s3.garage.localhost"; + s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}"; }; }; systemd.services.ensure-garage = { @@ -173,9 +181,9 @@ in { script = '' set -xeuo pipefail - # Give garage time to start up by waiting until somethings speaks HTTP - # behind localhost:3900. - until curl -sio /dev/null http://localhost:3900/; do sleep 1; done + # Give Garage time to start up by waiting until somethings speaks HTTP + # behind Garage's API URL. + until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/mastodon.nix b/fediversity/mastodon.nix similarity index 81% rename from mastodon.nix rename to fediversity/mastodon.nix index e0c2ea4..62599b5 100644 --- a/mastodon.nix +++ b/fediversity/mastodon.nix 
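Review bot: In the new `until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done` the URL is interpolated into the unit's shell script unquoted; the file already imports `escapeShellArg` for bucket names, so `${escapeShellArg config.fediversity.internal.garage.api.url}` keeps a `fediversity.domain` containing shell metacharacters from being interpreted. The readiness probe also changed from `localhost:3900` to `s3.garage.<domain>`, so the unit now depends on that name resolving on the host — the old `*.localhost` endpoints in mastodon.nix suggest that works in the VMs, but for a real domain it becomes an external DNS lookup in the startup path, which a one-line comment should spell out. The `script` string continues past the hunk.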
@@ -4,7 +4,10 @@ let secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; }; in -{ config, lib, pkgs, ... }: { + +{ config, lib, pkgs, ... }: + +lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { #### garage setup services.garage = { ensureBuckets = { @@ -35,7 +38,7 @@ in extraConfig = rec { S3_ENABLED = "true"; # TODO: this shouldn't be hard-coded, it should come from the garage configuration - S3_ENDPOINT = "http://s3.garage.localhost:3900"; + S3_ENDPOINT = config.fediversity.internal.garage.api.url; S3_REGION = "garage"; S3_BUCKET = "mastodon"; # use . @@ -43,7 +46,7 @@ in AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; - S3_HOSTNAME = "web.garage.localhost:3902"; + S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort; # by default it tries to use "/" S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ @@ -60,12 +63,14 @@ in services.mastodon = { enable = true; - # TODO: set up a domain name, and a DNS service so that this can run not in a vm - # localDomain = "domain.social"; + localDomain = config.fediversity.internal.mastodon.domain; configureNginx = true; # TODO: configure a mailserver so this works - # smtp.fromAddress = "mastodon@domain.social"; + smtp = { + fromAddress = "noreply@${config.fediversity.internal.mastodon.domain}"; + createLocally = false; + }; # TODO: this is hardware-dependent. let's figure it out when we have hardware # streamingProcesses = 1; @@ -78,4 +83,3 @@ in # defaults.email = "test@example.com"; }; } - diff --git a/peertube.nix b/fediversity/peertube.nix similarity index 72% rename from peertube.nix rename to fediversity/peertube.nix index e0d4926..88d26e1 100644 --- a/peertube.nix +++ b/fediversity/peertube.nix 
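Review bot: The context comment `# TODO: this shouldn't be hard-coded, it should come from the garage configuration` directly above the new `S3_ENDPOINT = config.fediversity.internal.garage.api.url;` is now outdated — the value does come from the shared option — so delete it or reword it to `# shared with garage.nix via fediversity.internal.garage.api.url`. Relatedly, `S3_PROTOCOL = "http";` in the next hunk must stay in step with the scheme baked into `api.url` and `urlFor`; a comment noting that coupling (or deriving the protocol from the URL) avoids a silent mismatch if TLS is added later. The `extraConfig = rec {` set opens before the hunk.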
@@ -4,7 +4,10 @@ let secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; }; in -{ config, lib, pkgs, ... }: { + +{ config, lib, pkgs, ... }: + +lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { networking.firewall.allowedTCPPorts = [ 80 9000 ]; services.garage = { @@ -50,30 +53,38 @@ in }; services.peertube = { + enable = true; + localDomain = config.fediversity.internal.peertube.domain; + + # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. + redis.createLocally = true; + database.createLocally = true; + configureNginx = true; + settings = { object_storage = { enabled = true; - endpoint = "http://s3.garage.localhost:3900"; + endpoint = config.fediversity.internal.garage.api.url; region = "garage"; # not supported by garage # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube proxy.proxyify_private_files = false; - web_videos = { + web_videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = "http://peertube-videos.web.garage.localhost:3902"; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; - videos = { + videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = "http://peertube-videos.web.garage.localhost:3902"; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; - streaming_playlists = { + streaming_playlists = rec { bucket_name = "peertube-playlists"; prefix = ""; - base_url = "http://peertube-playlists.web.garage.localhost:3902"; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; }; }; diff --git a/pixelfed-group-permissions.patch b/fediversity/pixelfed-group-permissions.patch similarity index 100% rename from pixelfed-group-permissions.patch rename to fediversity/pixelfed-group-permissions.patch 
diff --git a/pixelfed.nix b/fediversity/pixelfed.nix similarity index 81% rename from pixelfed.nix rename to fediversity/pixelfed.nix index 9d2281f..1edc914 100644 --- a/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -4,7 +4,10 @@ let secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; }; in -{ config, lib, pkgs, ... }: { + +{ config, lib, pkgs, ... }: + +lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.garage = { ensureBuckets = { pixelfed = { @@ -32,9 +35,11 @@ in }; }; - services.pixelfed.enable = true; + services.pixelfed = { + enable = true; + domain = config.fediversity.internal.pixelfed.domain; + }; - # TODO: factor these out so we're only defining e.g. s3.garage.localhost and port 3900 in one place services.pixelfed.settings = { # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3"; FILESYSTEM_CLOUD = "s3"; @@ -42,9 +47,9 @@ in AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; AWS_DEFAULT_REGION = "garage"; - AWS_URL = "http://pixelfed.web.garage.localhost:3902/"; + AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed"; AWS_BUCKET = "pixelfed"; - AWS_ENDPOINT = "http://s3.garage.localhost:3900"; + AWS_ENDPOINT = config.fediversity.internal.garage.api.url; AWS_USE_PATH_STYLE_ENDPOINT = false; }; diff --git a/flake.nix b/flake.nix index aeb7dba..737ad31 100644 --- a/flake.nix +++ b/flake.nix 
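Review bot: `AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed";` drops the trailing slash the old literal `http://pixelfed.web.garage.localhost:3902/` carried. Laravel's S3 driver usually joins `url` and the object path with its own separator, so this is probably harmless, but it is a behavioural change that the tests only check with a `startswith`; either keep the slash with `AWS_URL = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/";` or confirm against the object URLs Pixelfed actually emits. The `services.pixelfed.settings` set starts before the hunk.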
@@ -5,47 +5,47 @@ nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests"; }; - outputs = { self, nixpkgs }: + outputs = { self, nixpkgs }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; in { nixosModules = { - interactive-vm = import ./interactive-vm.nix; - mastodon = import ./mastodon.nix; - mastodon-vm = import ./mastodon-vm.nix; - peertube = import ./peertube.nix; - peertube-vm = import ./peertube-vm.nix; - pixelfed = import ./pixelfed.nix; - pixelfed-vm = import ./pixelfed-vm.nix; - garage = import ./garage.nix; + ## Fediversity modules + fediversity = import ./fediversity; + + ## VM-specific modules + interactive-vm = import ./vm/interactive-vm.nix; + mastodon-vm = import ./vm/mastodon-vm.nix; + peertube-vm = import ./vm/peertube-vm.nix; + pixelfed-vm = import ./vm/pixelfed-vm.nix; }; nixosConfigurations = { mastodon = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ interactive-vm mastodon mastodon-vm garage ]; + modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ]; }; peertube = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ interactive-vm peertube peertube-vm garage ]; + modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ]; }; pixelfed = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ interactive-vm pixelfed pixelfed-vm garage ]; + modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ]; }; all = nixpkgs.lib.nixosSystem { inherit system; modules = with self.nixosModules; [ + fediversity interactive-vm - peertube peertube-vm - pixelfed pixelfed-vm - mastodon mastodon-vm - garage + peertube-vm + pixelfed-vm + mastodon-vm ]; }; }; diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index d20c5ad..672b70f 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix 
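Review bot: Every `nixosConfigurations.*` module list now contains `fediversity` and also a `*-vm` module that itself imports `../fediversity` (see the vm/ hunks below); the flake-side entry is `import ./fediversity`, a function without a `key`, whereas the VM side imports by path, so the module system may treat them as two distinct modules and reject the duplicate `fediversity.*` option declarations. The tests in this commit import only `[ mastodon-vm ]` / `[ pixelfed-vm ]`, which suggests the path import alone is intended to suffice; I'd drop `fediversity` here, e.g. `modules = with self.nixosModules; [ interactive-vm mastodon-vm ];` and likewise for the other three, unless evaluation with both has been checked. The `outputs` attrset continues past the hunk.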
@@ -37,7 +37,7 @@ pkgs.nixosTest { nodes = { server = { config, ... }: { virtualisation.memorySize = lib.mkVMOverride 4096; - imports = with self.nixosModules; [ garage mastodon mastodon-vm ]; + imports = with self.nixosModules; [ mastodon-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 @@ -57,7 +57,7 @@ pkgs.nixosTest { }; }; - testScript = '' + testScript = { nodes, ... }: '' import re import time @@ -95,7 +95,7 @@ pkgs.nixosTest { server.succeed("toot post --media $POST_MEDIA") with subtest("access garage"): - server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") + server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/mastodon") with subtest("access image in garage"): @@ -121,6 +121,7 @@ pkgs.nixosTest { raise Exception("mastodon did not send a content security policy header") csp = csp_match.group(1) # the img-src content security policy should include the garage server + ## TODO: use `nodes.server.fediversity.internal.garage.api.url` same as above, but beware of escaping the regex. garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp) if garage_csp is None: raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.") diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index e084cb0..b25bc66 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix 
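Review bot: The new `## TODO` comment names `nodes.server.fediversity.internal.garage.api.url`, but the regex on the following line matches `web\.garage\.localhost:3902`, i.e. the web endpoint, so the option to substitute is `fediversity.internal.garage.web.rootDomainAndPort`; the escaping the TODO worries about is a one-liner with `re.escape`: `garage_csp = re.match(".*; img-src[^;]*" + re.escape("${nodes.server.fediversity.internal.garage.web.rootDomainAndPort}") + ".*", csp)`. That removes the last hard-coded `localhost:3902` in this test together with the TODO. The `testScript` string continues past the hunk.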
@@ -29,15 +29,16 @@ let print("Open login page...", file=sys.stderr) driver.get("http://pixelfed.localhost/login") print("Enter email...", file=sys.stderr) - driver.find_element(By.ID, "email").send_keys(${email}) + driver.find_element(By.ID, "email").send_keys("${email}") print("Enter password...", file=sys.stderr) - driver.find_element(By.ID, "password").send_keys(${password}) + driver.find_element(By.ID, "password").send_keys("${password}") # FIXME: This is disgusting. Find instead the input type submit in the form # with action ending in "/login". print("Click “Login” button...", file=sys.stderr) driver.find_element(By.XPATH, "//button[normalize-space()='Login']").click() ''; + ## NOTE: `path` must be a valid python string, either a variable or _quoted_. seleniumTakeScreenshot = path: '' print("Take screenshot...", file=sys.stderr) if not driver.save_screenshot(${path}): @@ -135,11 +136,7 @@ pkgs.nixosTest { memorySize = lib.mkVMOverride 8192; cores = 8; }; - imports = with self.nixosModules; [ - garage - pixelfed - pixelfed-vm - ]; + imports = with self.nixosModules; [ pixelfed-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 @@ -163,7 +160,7 @@ pkgs.nixosTest { }; }; - testScript = '' + testScript = { nodes, ... }: '' import re server.start() @@ -172,7 +169,7 @@ pkgs.nixosTest { server.wait_for_unit("phpfpm-pixelfed.service") with subtest("Account creation"): - server.succeed(f"pixelfed-manage user:create --name=test --username=test --email=${email} --password=${password} --confirm_email=1") + server.succeed("pixelfed-manage user:create --name=test --username=test --email=${email} --password=${password} --confirm_email=1") # NOTE: This could in theory give a false positive if pixelfed changes it's # colorscheme to include pure green. (see same problem in pixelfed-garage.nix). 
@@ -180,7 +177,7 @@ pkgs.nixosTest { # there, then post a green image and check that the green pixel IS there. with subtest("Image displays"): - server.succeed(f"su - selenium -c 'selenium-script-post-picture ${email} ${password}'") + server.succeed("su - selenium -c 'selenium-script-post-picture ${email} ${password}'") server.copy_from_vm("/home/selenium/screenshot.png", "") displayed_colors = server.succeed("magick /home/selenium/screenshot.png -define histogram:unique-colors=true -format %c histogram:info:") # check that the green image displayed somewhere @@ -189,14 +186,14 @@ pkgs.nixosTest { raise Exception("cannot detect the uploaded image on pixelfed page.") with subtest("access garage"): - server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") + server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/pixelfed") with subtest("access image in garage"): - image = server.succeed("mc find garage --regex '\.png' --ignore '*_thumb.png'") + image = server.succeed("mc find garage --regex '\\.png' --ignore '*_thumb.png'") image = image.rstrip() if image == "": - raise Exception("image posted to mastodon did not get stored in garage") + raise Exception("image posted to Pixelfed did not get stored in garage") server.succeed(f"mc cat {image} >/garage-image.png") garage_image_hash = server.succeed("identify -quiet -format '%#' /garage-image.png") image_hash = server.succeed("identify -quiet -format '%#' $POST_MEDIA") 
@@ -204,8 +201,8 @@ pkgs.nixosTest { raise Exception("image stored in garage did not match image uploaded") with subtest("Check that image comes from garage"): - src = server.succeed(f"su - selenium -c 'selenium-script-get-src ${email} ${password}'") - if not src.startswith("http://pixelfed.web.garage.localhost:3902/"): + src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") + if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"): raise Exception("image does not come from garage") ''; } diff --git a/interactive-vm.nix b/vm/interactive-vm.nix similarity index 100% rename from interactive-vm.nix rename to vm/interactive-vm.nix diff --git a/mastodon-vm.nix b/vm/mastodon-vm.nix similarity index 91% rename from mastodon-vm.nix rename to vm/mastodon-vm.nix index fcfe3e5..ea17f27 100644 --- a/mastodon-vm.nix +++ b/vm/mastodon-vm.nix @@ -1,18 +1,19 @@ { modulesPath, lib, config, ... }: { - imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; + imports = [ + ../fediversity + (modulesPath + "/virtualisation/qemu-vm.nix") + ]; config = lib.mkMerge [ { + fediversity = { + enable = true; + domain = "localhost"; + mastodon.enable = true; + }; + services.mastodon = { - # redirects to localhost, but allows it to have a proper domain name - localDomain = "mastodon.localhost"; - - smtp = { - fromAddress = "mastodon@mastodon.localhost"; - createLocally = false; - }; - extraConfig = { EMAIL_DOMAIN_ALLOWLIST = "example.com"; }; @@ -56,7 +57,7 @@ BIND = "0.0.0.0"; # for letter_opener (still doesn't work though) REMOTE_DEV = "true"; - LOCAL_DOMAIN = "mastodon.localhost:8443"; + LOCAL_DOMAIN = "${config.fediversity.internal.mastodon.domain}:8443"; }; }; diff --git a/peertube-vm.nix b/vm/peertube-vm.nix similarity index 53% rename from peertube-vm.nix rename to vm/peertube-vm.nix index d38a625..5f40f4f 100644 --- a/peertube-vm.nix +++ b/vm/peertube-vm.nix 
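Review bot: `src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}")` no longer includes the trailing `/` the old literal had, so the prefix check would also accept an origin whose host merely begins with `pixelfed.web.garage.localhost:3902`; appending it — `"${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}/"` — restores the exact-origin check. Only the test's strictness is affected. The `testScript` string starts before the hunk.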
@@ -1,9 +1,11 @@ { pkgs, modulesPath, ... }: { - imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; + + imports = [ + ../fediversity + (modulesPath + "/virtualisation/qemu-vm.nix") + ]; + services.peertube = { - enable = true; - # redirects to localhost, but allows it to have a proper domain name - localDomain = "peertube.localhost"; enableWebHttps = false; settings = { listen.hostname = "0.0.0.0"; @@ -13,11 +15,6 @@ secrets.secretsFile = pkgs.writeText "secret" '' 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 ''; - - # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. - redis.createLocally = true; - database.createLocally = true; - configureNginx = true; }; virtualisation.forwardPorts = [ diff --git a/pixelfed-vm.nix b/vm/pixelfed-vm.nix similarity index 70% rename from pixelfed-vm.nix rename to vm/pixelfed-vm.nix index 451aeda..8f97180 100644 --- a/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix @@ -1,8 +1,18 @@ { pkgs, modulesPath, ... }: { - imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; + + imports = [ + ../fediversity + (modulesPath + "/virtualisation/qemu-vm.nix") + ]; + + fediversity = { + enable = true; + domain = "localhost"; + pixelfed.enable = true; + }; + networking.firewall.allowedTCPPorts = [ 80 ]; services.pixelfed = { - domain = "pixelfed.localhost"; # TODO: secrets management! secretFile = pkgs.writeText "secrets.env" '' APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA @@ -14,7 +24,7 @@ # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx # TODO: If that indeed makes sense, upstream it. nginx = { - # locations."/public/".proxyPass = "http://pixelfed.web.garage.localhost:3902/public/"; + # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; }; }; virtualisation.memorySize = 2048;
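Review bot: `vm/peertube-vm.nix` now imports `../fediversity` but, unlike the rewritten `mastodon-vm.nix` and `pixelfed-vm.nix`, never sets `fediversity.enable`, `fediversity.domain` or `fediversity.peertube.enable`, while this hunk removes `services.peertube.enable = true` and `localDomain`; because `fediversity/peertube.nix` and `garage.nix` are now wrapped in `lib.mkIf (config.fediversity.enable && …)`, the peertube VM would evaluate with neither PeerTube nor Garage enabled. Add `fediversity = { enable = true; domain = "localhost"; peertube.enable = true; };` next to the imports, as the other two VM modules do. The module attrset continues past the hunk.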
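Review bot: The rewritten comment `# locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";` refers to `config`, but the module's argument set at the top of the file is `{ pkgs, modulesPath, ... }:`, so uncommenting it as-is fails on an undefined variable; either add `config` to the arguments now, `{ config, pkgs, modulesPath, ... }:`, or say in the comment that it must be added. The `services.pixelfed` set starts before the hunk.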