From 83d8474f17788ccedff876bcdbf47665f37918bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 17 Sep 2024 12:00:29 +0200 Subject: [PATCH 01/11] Some fixes to the Pixelfed/Garage test --- garage.nix | 2 +- tests/pixelfed-garage.nix | 13 +++++++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/garage.nix b/garage.nix index b58738d..478443d 100644 --- a/garage.nix +++ b/garage.nix @@ -175,7 +175,7 @@ in { # Give garage time to start up by waiting until somethings speaks HTTP # behind localhost:3900. - until curl -sio /dev/null http://localhost:3900/; do sleep 1; done + until ${pkgs.curl}/bin/curl -sio /dev/null http://localhost:3900/; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index e084cb0..a08a312 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -29,15 +29,16 @@ let print("Open login page...", file=sys.stderr) driver.get("http://pixelfed.localhost/login") print("Enter email...", file=sys.stderr) - driver.find_element(By.ID, "email").send_keys(${email}) + driver.find_element(By.ID, "email").send_keys("${email}") print("Enter password...", file=sys.stderr) - driver.find_element(By.ID, "password").send_keys(${password}) + driver.find_element(By.ID, "password").send_keys("${password}") # FIXME: This is disgusting. Find instead the input type submit in the form # with action ending in "/login". print("Click “Login” button...", file=sys.stderr) driver.find_element(By.XPATH, "//button[normalize-space()='Login']").click() ''; + ## NOTE: `path` must be a valid python string, either a variable or _quoted_. seleniumTakeScreenshot = path: '' print("Take screenshot...", file=sys.stderr) if not driver.save_screenshot(${path}): 
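Review bot: The new `send_keys("${email}")` and `send_keys("${password}")` lines splice the Nix values into a Python string literal with nothing more than surrounding quotes, so a credential containing `"`, `\` or a newline still produces a broken or differently-behaving script, and the added NOTE on `seleniumTakeScreenshot` pushes the same quoting burden onto every caller of `path`. Letting Nix emit the literal is safer and shorter: `send_keys(${builtins.toJSON email})` yields a correctly escaped, double-quoted Python string for any value, and the same `builtins.toJSON` could replace the "either a variable or _quoted_" convention the NOTE describes. The body of `seleniumTakeScreenshot` continues past the end of the hunk.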
@@ -172,7 +173,7 @@ pkgs.nixosTest { server.wait_for_unit("phpfpm-pixelfed.service") with subtest("Account creation"): - server.succeed(f"pixelfed-manage user:create --name=test --username=test --email=${email} --password=${password} --confirm_email=1") + server.succeed("pixelfed-manage user:create --name=test --username=test --email=${email} --password=${password} --confirm_email=1") # NOTE: This could in theory give a false positive if pixelfed changes it's # colorscheme to include pure green. (see same problem in pixelfed-garage.nix). @@ -180,7 +181,7 @@ pkgs.nixosTest { # there, then post a green image and check that the green pixel IS there. with subtest("Image displays"): - server.succeed(f"su - selenium -c 'selenium-script-post-picture ${email} ${password}'") + server.succeed("su - selenium -c 'selenium-script-post-picture ${email} ${password}'") server.copy_from_vm("/home/selenium/screenshot.png", "") displayed_colors = server.succeed("magick /home/selenium/screenshot.png -define histogram:unique-colors=true -format %c histogram:info:") # check that the green image displayed somewhere @@ -193,7 +194,7 @@ pkgs.nixosTest { server.succeed("mc ls garage/pixelfed") with subtest("access image in garage"): - image = server.succeed("mc find garage --regex '\.png' --ignore '*_thumb.png'") + image = server.succeed("mc find garage --regex '\\.png' --ignore '*_thumb.png'") image = image.rstrip() if image == "": raise Exception("image posted to mastodon did not get stored in garage") @@ -204,7 +205,7 @@ pkgs.nixosTest { raise Exception("image stored in garage did not match image uploaded") with subtest("Check that image comes from garage"): - src = server.succeed(f"su - selenium -c 'selenium-script-get-src ${email} ${password}'") + src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") if not src.startswith("http://pixelfed.web.garage.localhost:3902/"): raise Exception("image does not come from garage") ''; -- 2.47.0 
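Review bot: The rewritten `server.succeed("pixelfed-manage user:create … --email=${email} --password=${password} …")` line and the two `su - selenium -c '… ${email} ${password}'` lines interpolate the credentials into a shell command with no quoting, so a password containing a space, `$` or `'` changes the command rather than the argument, and the nested single quotes of the `su -c` form mean even a quoted value needs a second level of escaping. `fediversity/garage.nix` in this tree already inherits `lib.strings.escapeShellArg`; the same helper works here: `--password=${escapeShellArg password}` for the direct call and `su - selenium -c ${escapeShellArg "selenium-script-post-picture ${escapeShellArg email} ${escapeShellArg password}"}` for the nested one. Passing the password in argv also exposes it in `/proc` for the duration of the script; acceptable for a throwaway test VM, but worth a one-line comment. In the same hunk, the context line `raise Exception("image posted to mastodon did not get stored in garage")` sits in the Pixelfed test and looks copy-pasted.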
From c455ec1667fe7263fefc3bf740c3be139321a8e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 17 Sep 2024 14:24:23 +0200 Subject: [PATCH 02/11] Move VM-specific stuff in a subdirectory --- flake.nix | 17 ++++++++++------- interactive-vm.nix => vm/interactive-vm.nix | 0 mastodon-vm.nix => vm/mastodon-vm.nix | 0 peertube-vm.nix => vm/peertube-vm.nix | 0 pixelfed-vm.nix => vm/pixelfed-vm.nix | 0 5 files changed, 10 insertions(+), 7 deletions(-) rename interactive-vm.nix => vm/interactive-vm.nix (100%) rename mastodon-vm.nix => vm/mastodon-vm.nix (100%) rename peertube-vm.nix => vm/peertube-vm.nix (100%) rename pixelfed-vm.nix => vm/pixelfed-vm.nix (100%) diff --git a/flake.nix b/flake.nix index aeb7dba..913ea74 100644 --- a/flake.nix +++ b/flake.nix @@ -12,14 +12,17 @@ in { nixosModules = { - interactive-vm = import ./interactive-vm.nix; - mastodon = import ./mastodon.nix; - mastodon-vm = import ./mastodon-vm.nix; - peertube = import ./peertube.nix; - peertube-vm = import ./peertube-vm.nix; - pixelfed = import ./pixelfed.nix; - pixelfed-vm = import ./pixelfed-vm.nix; + ## Fediversity modules garage = import ./garage.nix; + mastodon = import ./mastodon.nix; + peertube = import ./peertube.nix; + pixelfed = import ./pixelfed.nix; + + ## VM-specific modules + interactive-vm = import ./vm/interactive-vm.nix; + mastodon-vm = import ./vm/mastodon-vm.nix; + peertube-vm = import ./vm/peertube-vm.nix; + pixelfed-vm = import ./vm/pixelfed-vm.nix; }; nixosConfigurations = { diff --git a/interactive-vm.nix b/vm/interactive-vm.nix similarity index 100% rename from interactive-vm.nix rename to vm/interactive-vm.nix diff --git a/mastodon-vm.nix b/vm/mastodon-vm.nix similarity index 100% rename from mastodon-vm.nix rename to vm/mastodon-vm.nix diff --git a/peertube-vm.nix b/vm/peertube-vm.nix similarity index 100% rename from peertube-vm.nix rename to vm/peertube-vm.nix 
diff --git a/pixelfed-vm.nix b/vm/pixelfed-vm.nix similarity index 100% rename from pixelfed-vm.nix rename to vm/pixelfed-vm.nix -- 2.47.0 From cc148ce57f678b3d29ce41ca8543cb19b0dcbf7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 17 Sep 2024 14:27:24 +0200 Subject: [PATCH 03/11] Move Fediversity modules into own subdirectory --- garage.nix => fediversity/garage.nix | 0 mastodon.nix => fediversity/mastodon.nix | 0 peertube.nix => fediversity/peertube.nix | 0 .../pixelfed-group-permissions.patch | 0 pixelfed.nix => fediversity/pixelfed.nix | 0 flake.nix | 8 ++++---- 6 files changed, 4 insertions(+), 4 deletions(-) rename garage.nix => fediversity/garage.nix (100%) rename mastodon.nix => fediversity/mastodon.nix (100%) rename peertube.nix => fediversity/peertube.nix (100%) rename pixelfed-group-permissions.patch => fediversity/pixelfed-group-permissions.patch (100%) rename pixelfed.nix => fediversity/pixelfed.nix (100%) diff --git a/garage.nix b/fediversity/garage.nix similarity index 100% rename from garage.nix rename to fediversity/garage.nix diff --git a/mastodon.nix b/fediversity/mastodon.nix similarity index 100% rename from mastodon.nix rename to fediversity/mastodon.nix diff --git a/peertube.nix b/fediversity/peertube.nix similarity index 100% rename from peertube.nix rename to fediversity/peertube.nix diff --git a/pixelfed-group-permissions.patch b/fediversity/pixelfed-group-permissions.patch similarity index 100% rename from pixelfed-group-permissions.patch rename to fediversity/pixelfed-group-permissions.patch diff --git a/pixelfed.nix b/fediversity/pixelfed.nix similarity index 100% rename from pixelfed.nix rename to fediversity/pixelfed.nix diff --git a/flake.nix b/flake.nix index 913ea74..49d00cb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,10 +13,10 @@ nixosModules = { ## Fediversity modules - garage = import ./garage.nix; - mastodon = import ./mastodon.nix; - peertube = import ./peertube.nix; - pixelfed = import ./pixelfed.nix; + garage = import ./fediversity/garage.nix; + mastodon = import ./fediversity/mastodon.nix; + peertube = import ./fediversity/peertube.nix; + pixelfed = import ./fediversity/pixelfed.nix; ## VM-specific modules interactive-vm = import ./vm/interactive-vm.nix; -- 2.47.0 From 7f99fc48dded24fe439637f2c52ce902f99dd219 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 17 Sep 2024 14:30:59 +0200 Subject: [PATCH 04/11] Move Fediversity modules under top-level module --- fediversity/default.nix | 27 +++++++++++++++++++++++++++ fediversity/garage.nix | 10 +++++++--- fediversity/mastodon.nix | 5 ++++- fediversity/peertube.nix | 5 ++++- fediversity/pixelfed.nix | 5 ++++- flake.nix | 21 +++++++++------------ tests/mastodon-garage.nix | 2 +- tests/pixelfed-garage.nix | 6 +----- vm/mastodon-vm.nix | 10 +++++++++- vm/pixelfed-vm.nix | 12 +++++++++++- 10 files changed, 77 insertions(+), 26 deletions(-) create mode 100644 fediversity/default.nix diff --git a/fediversity/default.nix b/fediversity/default.nix new file mode 100644 index 0000000..6e38fbd --- /dev/null +++ b/fediversity/default.nix @@ -0,0 +1,27 @@ +{ lib, ... }: + +let + inherit (lib) mkOption; + inherit (lib.types) types; + +in { + imports = [ + ./garage.nix + ./mastodon.nix + ./pixelfed.nix + ./peertube.nix + ]; + + options = { + fediversity = { + enable = mkOption { + type = types.bool; + default = false; + }; + + mastodon.enable = mkOption { type = types.bool; default = false; }; + pixelfed.enable = mkOption { type = types.bool; default = false; }; + peertube.enable = mkOption { type = types.bool; default = false; }; + }; + }; +} diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 478443d..aad2925 100644 --- a/fediversity/garage.nix 
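Review bot: `inherit (lib.types) types;` in the new `fediversity/default.nix` is an unusual spelling that, as far as I can tell, only works because `lib.types` re-exports itself under `lib.types.types`; the conventional form is `inherit (lib) types;` and reads the same to anyone familiar with nixpkgs modules. The header also lacks a one-line purpose comment for a file that now becomes the single entry point for all Fediversity modules; something like `## Top-level Fediversity module: imports every service module and declares the shared enable switches.` above `imports` would help. The four `enable` options have no `description`, which the module documentation tooling will flag, though a later patch in this series switches them to `mkEnableOption`.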
+++ b/fediversity/garage.nix @@ -6,8 +6,10 @@ let secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e"; }; in + # TODO: expand to a multi-machine setup -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: + let inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep; inherit (lib.strings) escapeShellArg; @@ -53,7 +55,9 @@ let ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} ''; ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys; -in { +in + +{ # add in options to ensure creation of buckets and keys options = { services.garage = { @@ -126,7 +130,7 @@ in { }; }; - config = { + config = lib.mkIf config.fediversity.enable { virtualisation.diskSize = 2048; virtualisation.forwardPorts = [ { diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index e0c2ea4..5a349f6 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix @@ -4,7 +4,10 @@ let secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34"; }; in -{ config, lib, pkgs, ... }: { + +{ config, lib, pkgs, ... }: + +lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { #### garage setup services.garage = { ensureBuckets = { diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix index e0d4926..95e1c32 100644 --- a/fediversity/peertube.nix +++ b/fediversity/peertube.nix @@ -4,7 +4,10 @@ let secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395"; }; in -{ config, lib, pkgs, ... }: { + +{ config, lib, pkgs, ... }: + +lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { networking.firewall.allowedTCPPorts = [ 80 9000 ]; services.garage = { diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 9d2281f..1d04f60 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix 
@@ -4,7 +4,10 @@ let secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987"; }; in -{ config, lib, pkgs, ... }: { + +{ config, lib, pkgs, ... }: + +lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.garage = { ensureBuckets = { pixelfed = { diff --git a/flake.nix b/flake.nix index 49d00cb..737ad31 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests"; }; - outputs = { self, nixpkgs }: + outputs = { self, nixpkgs }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -13,10 +13,7 @@ nixosModules = { ## Fediversity modules - garage = import ./fediversity/garage.nix; - mastodon = import ./fediversity/mastodon.nix; - peertube = import ./fediversity/peertube.nix; - pixelfed = import ./fediversity/pixelfed.nix; + fediversity = import ./fediversity; ## VM-specific modules interactive-vm = import ./vm/interactive-vm.nix; @@ -28,27 +25,27 @@ nixosConfigurations = { mastodon = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ interactive-vm mastodon mastodon-vm garage ]; + modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ]; }; peertube = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ interactive-vm peertube peertube-vm garage ]; + modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ]; }; pixelfed = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ interactive-vm pixelfed pixelfed-vm garage ]; + modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ]; }; all = nixpkgs.lib.nixosSystem { inherit system; modules = with self.nixosModules; [ + fediversity interactive-vm - peertube peertube-vm - pixelfed pixelfed-vm - mastodon mastodon-vm - garage + peertube-vm + pixelfed-vm + mastodon-vm ]; }; }; 
diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index d20c5ad..f98440d 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -37,7 +37,7 @@ pkgs.nixosTest { nodes = { server = { config, ... }: { virtualisation.memorySize = lib.mkVMOverride 4096; - imports = with self.nixosModules; [ garage mastodon mastodon-vm ]; + imports = with self.nixosModules; [ mastodon-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index a08a312..79e1edc 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -136,11 +136,7 @@ pkgs.nixosTest { memorySize = lib.mkVMOverride 8192; cores = 8; }; - imports = with self.nixosModules; [ - garage - pixelfed - pixelfed-vm - ]; + imports = with self.nixosModules; [ pixelfed-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 diff --git a/vm/mastodon-vm.nix b/vm/mastodon-vm.nix index fcfe3e5..0d13b89 100644 --- a/vm/mastodon-vm.nix +++ b/vm/mastodon-vm.nix @@ -1,9 +1,17 @@ { modulesPath, lib, config, ... }: { - imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; + imports = [ + ../fediversity + (modulesPath + "/virtualisation/qemu-vm.nix") + ]; config = lib.mkMerge [ { + fediversity = { + enable = true; + mastodon.enable = true; + }; + services.mastodon = { # redirects to localhost, but allows it to have a proper domain name localDomain = "mastodon.localhost"; diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index 451aeda..be238f1 100644 --- a/vm/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix @@ -1,5 +1,15 @@ { pkgs, modulesPath, ... }: { - imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; + + imports = [ + ../fediversity + (modulesPath + "/virtualisation/qemu-vm.nix") + ]; + + fediversity = { + enable = true; + pixelfed.enable = true; + }; + networking.firewall.allowedTCPPorts = [ 80 ]; services.pixelfed = { domain = "pixelfed.localhost"; -- 2.47.0 
From 9d1f20fc1c09477179768533ec409daee7ea4ba4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 17 Sep 2024 17:31:58 +0200 Subject: [PATCH 05/11] Factorise Garage URIs --- fediversity/default.nix | 32 +++++++++++++++++++++++++++++++- fediversity/garage.nix | 34 +++++++++++++++++++--------------- fediversity/mastodon.nix | 4 ++-- fediversity/peertube.nix | 14 +++++++------- fediversity/pixelfed.nix | 5 ++--- tests/mastodon-garage.nix | 2 ++ tests/pixelfed-garage.nix | 2 ++ vm/mastodon-vm.nix | 1 + vm/pixelfed-vm.nix | 3 ++- 9 files changed, 68 insertions(+), 29 deletions(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index 6e38fbd..dfdffc8 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -1,6 +1,7 @@ -{ lib, ... }: +{ lib, config, ... }: let + inherit (builtins) toString; inherit (lib) mkOption; inherit (lib.types) types; @@ -19,9 +20,38 @@ in { default = false; }; + garage = mkOption { + type = types.anything; + }; + + domain = mkOption { + type = types.string; + }; + mastodon.enable = mkOption { type = types.bool; default = false; }; pixelfed.enable = mkOption { type = types.bool; default = false; }; peertube.enable = mkOption { type = types.bool; default = false; }; }; }; + + config.fediversity = { + garage = { + api = rec { + domain = "s3.garage.${config.fediversity.domain}"; + port = 3900; + url = "http://${domain}:${toString port}"; + }; + + rpc = rec { + port = 3901; + }; + + web = rec { + rootDomain = "web.garage.${config.fediversity.domain}"; + port = 3902; + rootDomainAndPort = "${rootDomain}:${toString port}"; + urlFor = bucket: "http://${bucket}.${rootDomainAndPort}"; + }; + }; + }; } diff --git a/fediversity/garage.nix b/fediversity/garage.nix index aad2925..92cbd88 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix 
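Review bot: `api.url = "http://${domain}:${toString port}"` and `urlFor = bucket: "http://${bucket}.${rootDomainAndPort}"` hard-code the `http://` scheme, while `fediversity.domain` is introduced in the same hunk as a free-form option meant to hold a real domain; every deployment other than the `localhost` VMs would therefore send S3 credentials and signed requests in cleartext and hand browsers plain-HTTP media URLs. A `scheme` option next to `port` (defaulting to `"http"` only in the VM configurations) keeps the factoring while making the transport explicit, e.g. `url = "${scheme}://${domain}:${toString port}"`. Separately, `rpc = rec { port = 3901; }` needs no `rec`, and `garage = mkOption { type = types.anything; }` gives these values no documentation or type checking, which the later "Rework definition of constants" patch appears to revisit.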
@@ -11,6 +11,7 @@ in { config, lib, pkgs, ... }: let + inherit (builtins) toString; inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep; inherit (lib.strings) escapeShellArg; cfg = config.services.garage; @@ -41,7 +42,7 @@ let ${optionalString corsRules.enable '' garage bucket allow --read --write --owner ${bucketArg} --key tmp # TODO: endpoin-url should not be hard-coded - aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url http://s3.garage.localhost:3900 s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} + aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} garage bucket deny --read --write --owner ${bucketArg} --key tmp ''} ''; @@ -135,19 +136,22 @@ in virtualisation.forwardPorts = [ { from = "host"; - host.port = 3901; - guest.port = 3901; + host.port = config.fediversity.garage.rpc.port; + guest.port = config.fediversity.garage.rpc.port; } { from = "host"; - host.port = 3902; - guest.port = 3902; + host.port = config.fediversity.garage.web.port; + guest.port = config.fediversity.garage.web.port; } ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; - networking.firewall.allowedTCPPorts = [ 3901 3902 ]; + networking.firewall.allowedTCPPorts = [ + config.fediversity.garage.rpc.port + config.fediversity.garage.web.port + ]; services.garage = { enable = true; package = pkgs.garage_0_9; 
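Review bot: `networking.firewall.allowedTCPPorts` and `virtualisation.forwardPorts` now open `config.fediversity.garage.rpc.port` alongside the web port, yet `rpc_public_addr` in this same file is `[::1]:…` and the `XXX: this is very sensitive to being a single instance` comment describes a single-node setup, so nothing legitimate reaches the RPC port from outside while the cluster's `rpc_secret` is a literal in this module. Anyone who can reach the port and has that string can join and administer the cluster; drop `rpc.port` from both lists until the multi-machine TODO is tackled, or bind RPC to loopback (`rpc_bind_addr = "[::1]:${toString config.fediversity.garage.rpc.port}"`) for now. The `config = lib.mkIf …` attribute set this hunk belongs to starts and ends outside the hunk.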
@@ -156,15 +160,15 @@ in # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "[::1]:3901"; - s3_api.api_bind_addr = "[::]:3900"; - s3_web.bind_addr = "[::]:3902"; - s3_web.root_domain = ".web.garage.localhost"; + rpc_bind_addr = "[::]:${toString config.fediversity.garage.rpc.port}"; + rpc_public_addr = "[::1]:${toString config.fediversity.garage.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString config.fediversity.garage.api.port}"; + s3_web.bind_addr = "[::]:${toString config.fediversity.garage.web.port}"; + s3_web.root_domain = ".${config.fediversity.garage.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".s3.garage.localhost"; + s3_api.root_domain = ".${config.fediversity.garage.api.domain}"; }; }; systemd.services.ensure-garage = { @@ -177,9 +181,9 @@ in script = '' set -xeuo pipefail - # Give garage time to start up by waiting until somethings speaks HTTP - # behind localhost:3900. - until ${pkgs.curl}/bin/curl -sio /dev/null http://localhost:3900/; do sleep 1; done + # Give Garage time to start up by waiting until somethings speaks HTTP + # behind Garage's API URL. + until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.garage.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index 5a349f6..e866b84 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix 
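Review bot: The readiness probe now targets `${config.fediversity.garage.api.url}`, i.e. `http://s3.garage.<domain>:3900`, so `ensure-garage` depends on that name resolving on the machine itself; with `domain = "localhost"` that works through the usual `*.localhost` handling, but for a real domain it adds a DNS (and possibly reverse-proxy) dependency to a check that only needs the local listener configured by `s3_api.api_bind_addr = "[::]:…"`. Probing loopback keeps the factored port while staying local: `until ${pkgs.curl}/bin/curl -sio /dev/null http://localhost:${toString config.fediversity.garage.api.port}/; do sleep 1; done`. The loop is also unbounded, so a Garage that never comes up hangs the unit instead of failing it; a retry counter with a final `exit 1` would surface the problem. The `script` this belongs to continues outside the hunk.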
@@ -38,7 +38,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { extraConfig = rec { S3_ENABLED = "true"; # TODO: this shouldn't be hard-coded, it should come from the garage configuration - S3_ENDPOINT = "http://s3.garage.localhost:3900"; + S3_ENDPOINT = config.fediversity.garage.api.url; S3_REGION = "garage"; S3_BUCKET = "mastodon"; # use . @@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; - S3_HOSTNAME = "web.garage.localhost:3902"; + S3_HOSTNAME = config.fediversity.garage.web.rootDomainAndPort; # by default it tries to use "/" S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix index 95e1c32..021e52f 100644 --- a/fediversity/peertube.nix +++ b/fediversity/peertube.nix 
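Review bot: `S3_ENDPOINT` and `S3_HOSTNAME` now come from `config.fediversity.garage`, but `S3_PROTOCOL = "http"` a few lines below stays a separate literal (as does `S3_REGION = "garage"` versus `s3_api.s3_region` in garage.nix), so the scheme is now defined in two places that can drift the moment the factored URL changes. If a scheme option is added to the garage settings, derive this value from it; otherwise a comment such as `# must match the scheme used in config.fediversity.garage.api.url` would at least tie them together. The `extraConfig = rec { … }` set continues outside the hunk.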
@@ -56,27 +56,27 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { settings = { object_storage = { enabled = true; - endpoint = "http://s3.garage.localhost:3900"; + endpoint = config.fediversity.garage.api.url; region = "garage"; # not supported by garage # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube proxy.proxyify_private_files = false; - web_videos = { + web_videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = "http://peertube-videos.web.garage.localhost:3902"; + base_url = config.fediversity.garage.web.urlFor bucket_name; }; - videos = { + videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = "http://peertube-videos.web.garage.localhost:3902"; + base_url = config.fediversity.garage.web.urlFor bucket_name; }; - streaming_playlists = { + streaming_playlists = rec { bucket_name = "peertube-playlists"; prefix = ""; - base_url = "http://peertube-playlists.web.garage.localhost:3902"; + base_url = config.fediversity.garage.web.urlFor bucket_name; }; }; }; diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 1d04f60..38153f5 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -37,7 +37,6 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.pixelfed.enable = true; - # TODO: factor these out so we're only defining e.g. s3.garage.localhost and port 3900 in one place services.pixelfed.settings = { # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3"; FILESYSTEM_CLOUD = "s3"; 
@@ -45,9 +44,9 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; AWS_DEFAULT_REGION = "garage"; - AWS_URL = "http://pixelfed.web.garage.localhost:3902/"; + AWS_URL = config.fediversity.garage.web.urlFor "pixelfed"; AWS_BUCKET = "pixelfed"; - AWS_ENDPOINT = "http://s3.garage.localhost:3900"; + AWS_ENDPOINT = config.fediversity.garage.api.url; AWS_USE_PATH_STYLE_ENDPOINT = false; }; diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index f98440d..c35e799 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -95,6 +95,7 @@ pkgs.nixosTest { server.succeed("toot post --media $POST_MEDIA") with subtest("access garage"): + ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/mastodon") @@ -121,6 +122,7 @@ pkgs.nixosTest { raise Exception("mastodon did not send a content security policy header") csp = csp_match.group(1) # the img-src content security policy should include the garage server + ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp) if garage_csp is None: raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.") diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index 79e1edc..a474b1c 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix 
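Review bot: The two added `## REVIEW` comments ask how to reach `config.fediversity.garage.api.url` from the test script; `testScript` in `pkgs.nixosTest` can be a function of the nodes, `testScript = { nodes, ... }: ''…''`, after which `nodes.server.config.fediversity.garage.api.url` serves the `mc alias set` line and `nodes.server.config.fediversity.garage.web.rootDomainAndPort` the CSP check. If the CSP pattern is built that way it must go through `re.escape`, since the dots are currently escaped by hand (`web\.garage\.localhost:3902`), and `\.` inside a non-raw Python string appears to be an invalid escape that newer Python versions warn about. Until then the hard-coded `http://s3.garage.localhost:3900` silently diverges from the factored URI as soon as `fediversity.domain` changes.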
@@ -186,6 +186,7 @@ pkgs.nixosTest { raise Exception("cannot detect the uploaded image on pixelfed page.") with subtest("access garage"): + ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/pixelfed") @@ -202,6 +203,7 @@ pkgs.nixosTest { with subtest("Check that image comes from garage"): src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") + ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? if not src.startswith("http://pixelfed.web.garage.localhost:3902/"): raise Exception("image does not come from garage") ''; diff --git a/vm/mastodon-vm.nix b/vm/mastodon-vm.nix index 0d13b89..0bc12aa 100644 --- a/vm/mastodon-vm.nix +++ b/vm/mastodon-vm.nix @@ -9,6 +9,7 @@ { fediversity = { enable = true; + domain = "localhost"; mastodon.enable = true; }; diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index be238f1..be04bfc 100644 --- a/vm/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix @@ -7,6 +7,7 @@ fediversity = { enable = true; + domain = "localhost"; pixelfed.enable = true; }; @@ -24,7 +25,7 @@ # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx # TODO: If that indeed makes sense, upstream it. nginx = { - # locations."/public/".proxyPass = "http://pixelfed.web.garage.localhost:3902/public/"; + # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlFor "pixelfed"}/public/"; }; }; virtualisation.memorySize = 2048; -- 2.47.0 From fb02afc6c9c21e9fb4957c54e7bde48bcddfc082 Mon Sep 17 00:00:00 2001 
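Review bot: The rewritten commented-out line `# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlFor "pixelfed"}/public/";` in `vm/pixelfed-vm.nix` references `config`, but this module's argument pattern is `{ pkgs, modulesPath, ... }:` (visible in the earlier patch of this series), so uncommenting it as written fails with an undefined variable. Either add `config` to the arguments now or extend the comment, e.g. `# (requires \`config\` in the module arguments)`. Note also that `urlFor` returns no trailing slash whereas the old literal `http://pixelfed.web.garage.localhost:3902/` did; here the `/public/` suffix covers it, but `AWS_URL` in `fediversity/pixelfed.nix` lost its trailing slash in the same commit, which is worth confirming against how Pixelfed joins object paths.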
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 17 Sep 2024 17:58:09 +0200 Subject: [PATCH 06/11] Factorise services URIs --- fediversity/default.nix | 4 ++++ fediversity/mastodon.nix | 9 +++++---- fediversity/peertube.nix | 8 ++++++++ fediversity/pixelfed.nix | 5 ++++- vm/mastodon-vm.nix | 10 +--------- vm/peertube-vm.nix | 15 ++++++--------- vm/pixelfed-vm.nix | 1 - 7 files changed, 28 insertions(+), 24 deletions(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index dfdffc8..d31df29 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -53,5 +53,9 @@ in { urlFor = bucket: "http://${bucket}.${rootDomainAndPort}"; }; }; + + pixelfed.domain = "pixelfed.${config.fediversity.domain}"; + mastodon.domain = "mastdodon.${config.fediversity.domain}"; + peertube.domain = "peertube.${config.fediversity.domain}"; }; } diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index e866b84..8740c8c 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix @@ -63,12 +63,14 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { services.mastodon = { enable = true; - # TODO: set up a domain name, and a DNS service so that this can run not in a vm - # localDomain = "domain.social"; + localDomain = config.fediversity.mastodon.domain; configureNginx = true; # TODO: configure a mailserver so this works - # smtp.fromAddress = "mastodon@domain.social"; + smtp = { + fromAddress = "noreply@${config.fediversity.mastodon.domain}"; + createLocally = false; + }; # TODO: this is hardware-dependent. let's figure it out when we have hardware # streamingProcesses = 1; @@ -81,4 +83,3 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { # defaults.email = "test@example.com"; }; } - diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix index 021e52f..41c6cd1 100644 --- a/fediversity/peertube.nix +++ b/fediversity/peertube.nix 
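Review bot: `mastodon.domain = "mastdodon.${config.fediversity.domain}";` has a typo in the host label, so Mastodon's `localDomain`, its SMTP `fromAddress` and the VM's `LOCAL_DOMAIN` will all be derived from `mastdodon.<domain>`; it should read `mastodon.domain = "mastodon.${config.fediversity.domain}";`. The VM module previously set `localDomain = "mastodon.localhost"` explicitly, so any test or browser still addressing `mastodon.localhost` will now disagree with the server's own domain. These three `*.domain` values are also plain assignments under `config.fediversity` rather than declared options, so a user cannot override them; the later "Rework definition of constants" patch may address that.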
@@ -53,6 +53,14 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { }; services.peertube = { + enable = true; + localDomain = config.fediversity.peertube.domain; + + # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. + redis.createLocally = true; + database.createLocally = true; + configureNginx = true; + settings = { object_storage = { enabled = true; diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 38153f5..95703ba 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -35,7 +35,10 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { }; }; - services.pixelfed.enable = true; + services.pixelfed = { + enable = true; + domain = config.fediversity.pixelfed.domain; + }; services.pixelfed.settings = { # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3"; diff --git a/vm/mastodon-vm.nix b/vm/mastodon-vm.nix index 0bc12aa..caf1ca6 100644 --- a/vm/mastodon-vm.nix +++ b/vm/mastodon-vm.nix @@ -14,14 +14,6 @@ }; services.mastodon = { - # redirects to localhost, but allows it to have a proper domain name - localDomain = "mastodon.localhost"; - - smtp = { - fromAddress = "mastodon@mastodon.localhost"; - createLocally = false; - }; - extraConfig = { EMAIL_DOMAIN_ALLOWLIST = "example.com"; }; @@ -65,7 +57,7 @@ BIND = "0.0.0.0"; # for letter_opener (still doesn't work though) REMOTE_DEV = "true"; - LOCAL_DOMAIN = "mastodon.localhost:8443"; + LOCAL_DOMAIN = "${config.fediversity.mastodon.domain}:8443"; }; }; diff --git a/vm/peertube-vm.nix b/vm/peertube-vm.nix index d38a625..5f40f4f 100644 --- a/vm/peertube-vm.nix +++ b/vm/peertube-vm.nix 
@@ -1,9 +1,11 @@ { pkgs, modulesPath, ... }: { - imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ]; + + imports = [ + ../fediversity + (modulesPath + "/virtualisation/qemu-vm.nix") + ]; + services.peertube = { - enable = true; - # redirects to localhost, but allows it to have a proper domain name - localDomain = "peertube.localhost"; enableWebHttps = false; settings = { listen.hostname = "0.0.0.0"; @@ -13,11 +15,6 @@ secrets.secretsFile = pkgs.writeText "secret" '' 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 ''; - - # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. - redis.createLocally = true; - database.createLocally = true; - configureNginx = true; }; virtualisation.forwardPorts = [ diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index be04bfc..f12b9c5 100644 --- a/vm/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix @@ -13,7 +13,6 @@ networking.firewall.allowedTCPPorts = [ 80 ]; services.pixelfed = { - domain = "pixelfed.localhost"; # TODO: secrets management! secretFile = pkgs.writeText "secrets.env" '' APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA -- 2.47.0 From 2ff8975b6b2f19d5ffbd7574bd76494bf532d048 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 16:34:08 +0200 Subject: [PATCH 07/11] s/mkOption/mkEnableOption --- fediversity/default.nix | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index d31df29..3f39485 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -2,7 +2,7 @@ let inherit (builtins) toString; - inherit (lib) mkOption; + inherit (lib) mkOption mkEnableOption; inherit (lib.types) types; in { 
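Review bot: `vm/peertube-vm.nix` now imports `../fediversity` and drops `services.peertube.enable = true` and `localDomain`, but unlike `mastodon-vm.nix` and `pixelfed-vm.nix` it never sets `fediversity.enable`, `fediversity.domain` or `fediversity.peertube.enable`, so the `lib.mkIf` guard in `fediversity/peertube.nix` stays false and the PeerTube VM ends up with no PeerTube service at all. Add `fediversity = { enable = true; domain = "localhost"; peertube.enable = true; };` next to `imports`, mirroring the other two VM modules — unless one of the later patches in this series supplies it. The `secrets.secretsFile = pkgs.writeText "secret" …` context line also places the PeerTube secret in the world-readable Nix store; fine for a VM, but it deserves the same `# TODO: secrets management!` marker the Pixelfed VM carries.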
@@ -15,10 +15,7 @@ in { options = { fediversity = { - enable = mkOption { - type = types.bool; - default = false; - }; + enable = mkEnableOption "the collection of services bundled under Fediversity"; garage = mkOption { type = types.anything; @@ -28,9 +25,9 @@ in { type = types.string; }; - mastodon.enable = mkOption { type = types.bool; default = false; }; - pixelfed.enable = mkOption { type = types.bool; default = false; }; - peertube.enable = mkOption { type = types.bool; default = false; }; + mastodon.enable = mkEnableOption "default Fediversity Mastodon configuration"; + pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration"; + peertube.enable = mkEnableOption "default Fediversity PeerTube configuration"; }; }; -- 2.47.0 From d97772ccc4008417aec2117d62031e9123d8deba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 16:35:21 +0200 Subject: [PATCH 08/11] s/types.string/types.str/ `types.string` was being used for too many thing so it got deprecated and now there are several different string types. `types.str` is the one where you don't want to merge definitions if it's defined in more than one place Co-authored-by: Taeer Bar-Yam --- fediversity/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index 3f39485..9c60d61 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -22,7 +22,7 @@ in { }; domain = mkOption { - type = types.string; + type = types.str; }; mastodon.enable = mkEnableOption "default Fediversity Mastodon configuration"; -- 2.47.0 From 73939b9d8752ed4193ebae1b865c306d8eae4971 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 17:13:35 +0200 Subject: [PATCH 09/11] =?UTF-8?q?Rework=20definition=20of=20=E2=80=9Cconst?= =?UTF-8?q?ants=E2=80=9D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - make things such as `fediversity.garage.api.port` into actual options with the right default value - move them under `fediversity.internal` Co-authored-by: Taeer Bar-Yam --- fediversity/default.nix | 91 ++++++++++++++++++++++++++++----------- fediversity/garage.nix | 28 ++++++------ fediversity/mastodon.nix | 8 ++-- fediversity/peertube.nix | 10 ++--- fediversity/pixelfed.nix | 6 +-- tests/mastodon-garage.nix | 4 +- tests/pixelfed-garage.nix | 4 +- vm/mastodon-vm.nix | 2 +- vm/pixelfed-vm.nix | 2 +- 9 files changed, 98 insertions(+), 57 deletions(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index 9c60d61..a6e0682 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix 
@@ -17,42 +17,83 @@ in { fediversity = { enable = mkEnableOption "the collection of services bundled under Fediversity"; - garage = mkOption { - type = types.anything; - }; - domain = mkOption { type = types.str; + description = '' + root domain for the Fediversity services + + For instance, if this option is set to `foo.example.com`, then + Pixelfed might be under `pixelfed.foo.example.com`. + ''; }; mastodon.enable = mkEnableOption "default Fediversity Mastodon configuration"; pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration"; peertube.enable = mkEnableOption "default Fediversity PeerTube configuration"; - }; - }; - config.fediversity = { - garage = { - api = rec { - domain = "s3.garage.${config.fediversity.domain}"; - port = 3900; - url = "http://${domain}:${toString port}"; - }; + internal = mkOption { + description = "options that are only meant to be used internally; change at your own risk"; + default = {}; + type = types.submodule { + options = { + garage = { + api = { + domain = mkOption { + type = types.str; + default = "s3.garage.${config.fediversity.domain}"; + }; + port = mkOption { + type = types.int; + default = 3900; + }; + url = mkOption { + type = types.str; + default = "http://${config.fediversity.internal.garage.api.domain}:${toString config.fediversity.internal.garage.api.port}"; + }; + }; - rpc = rec { - port = 3901; - }; + rpc = { + port = mkOption { + type = types.int; + default = 3901; + }; + }; - web = rec { - rootDomain = "web.garage.${config.fediversity.domain}"; - port = 3902; - rootDomainAndPort = "${rootDomain}:${toString port}"; - urlFor = bucket: "http://${bucket}.${rootDomainAndPort}"; + web = { + rootDomain = mkOption { + type = types.str; + default = "web.garage.${config.fediversity.domain}"; + }; + port = mkOption { + type = types.int; + default = 3902; + }; + rootDomainAndPort = mkOption { + type = types.str; + default = "${config.fediversity.internal.garage.web.rootDomain}:${toString 
config.fediversity.internal.garage.web.port}"; + }; + urlFor = mkOption { + type = types.functionTo types.str; + default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}"; + }; + }; + }; + + pixelfed.domain = mkOption { + type = types.str; + default = "pixelfed.${config.fediversity.domain}"; + }; + mastodon.domain = mkOption { + type = types.str; + default = "mastdodon.${config.fediversity.domain}"; + }; + peertube.domain = mkOption { + type = types.str; + default = "peertube.${config.fediversity.domain}"; + }; + }; + }; }; }; - - pixelfed.domain = "pixelfed.${config.fediversity.domain}"; - mastodon.domain = "mastdodon.${config.fediversity.domain}"; - peertube.domain = "peertube.${config.fediversity.domain}"; }; } diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 92cbd88..84af662 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -42,7 +42,7 @@ let ${optionalString corsRules.enable '' garage bucket allow --read --write --owner ${bucketArg} --key tmp # TODO: endpoin-url should not be hard-coded - aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} + aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} garage bucket deny --read --write --owner ${bucketArg} --key tmp ''} ''; 
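Review bot: The default for `mastodon.domain` in fediversity/default.nix reads `"mastdodon.${config.fediversity.domain}"`, which looks like a typo carried over from the removed `config.fediversity.mastodon.domain` line; everything that consumes `fediversity.internal.mastodon.domain` (the `localDomain`, `fromAddress` and `LOCAL_DOMAIN` renames later in this patch) would be configured for the misspelled host. It should read `default = "mastodon.${config.fediversity.domain}";`. The three `port` options are typed `types.int`; `types.port` would additionally reject out-of-range values. The options inside the `internal` submodule carry no `description`, unlike `domain` above them, so a one-line description per option would keep generated option docs usable.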
@@ -136,21 +136,21 @@ in virtualisation.forwardPorts = [ { from = "host"; - host.port = config.fediversity.garage.rpc.port; - guest.port = config.fediversity.garage.rpc.port; + host.port = config.fediversity.internal.garage.rpc.port; + guest.port = config.fediversity.internal.garage.rpc.port; } { from = "host"; - host.port = config.fediversity.garage.web.port; - guest.port = config.fediversity.garage.web.port; + host.port = config.fediversity.internal.garage.web.port; + guest.port = config.fediversity.internal.garage.web.port; } ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; networking.firewall.allowedTCPPorts = [ - config.fediversity.garage.rpc.port - config.fediversity.garage.web.port + config.fediversity.internal.garage.rpc.port + config.fediversity.internal.garage.web.port ]; services.garage = { enable = true; 
@@ -160,15 +160,15 @@ in # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:${toString config.fediversity.garage.rpc.port}"; - rpc_public_addr = "[::1]:${toString config.fediversity.garage.rpc.port}"; - s3_api.api_bind_addr = "[::]:${toString config.fediversity.garage.api.port}"; - s3_web.bind_addr = "[::]:${toString config.fediversity.garage.web.port}"; - s3_web.root_domain = ".${config.fediversity.garage.web.rootDomain}"; + rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}"; + rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}"; + s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}"; + s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".${config.fediversity.garage.api.domain}"; + s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}"; }; }; systemd.services.ensure-garage = { @@ -183,7 +183,7 @@ in # Give Garage time to start up by waiting until somethings speaks HTTP # behind Garage's API URL. - until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.garage.api.url}; do sleep 1; done + until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index 8740c8c..62599b5 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix 
@@ -38,7 +38,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { extraConfig = rec { S3_ENABLED = "true"; # TODO: this shouldn't be hard-coded, it should come from the garage configuration - S3_ENDPOINT = config.fediversity.garage.api.url; + S3_ENDPOINT = config.fediversity.internal.garage.api.url; S3_REGION = "garage"; S3_BUCKET = "mastodon"; # use . @@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; - S3_HOSTNAME = config.fediversity.garage.web.rootDomainAndPort; + S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort; # by default it tries to use "/" S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ @@ -63,12 +63,12 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { services.mastodon = { enable = true; - localDomain = config.fediversity.mastodon.domain; + localDomain = config.fediversity.internal.mastodon.domain; configureNginx = true; # TODO: configure a mailserver so this works smtp = { - fromAddress = "noreply@${config.fediversity.mastodon.domain}"; + fromAddress = "noreply@${config.fediversity.internal.mastodon.domain}"; createLocally = false; }; diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix index 41c6cd1..88d26e1 100644 --- a/fediversity/peertube.nix +++ b/fediversity/peertube.nix @@ -54,7 +54,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { services.peertube = { enable = true; - localDomain = config.fediversity.peertube.domain; + localDomain = config.fediversity.internal.peertube.domain; # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. redis.createLocally = true; 
@@ -64,7 +64,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { settings = { object_storage = { enabled = true; - endpoint = config.fediversity.garage.api.url; + endpoint = config.fediversity.internal.garage.api.url; region = "garage"; # not supported by garage @@ -74,17 +74,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { web_videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = config.fediversity.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = config.fediversity.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; streaming_playlists = rec { bucket_name = "peertube-playlists"; prefix = ""; - base_url = config.fediversity.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; }; }; diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 95703ba..1edc914 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -37,7 +37,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.pixelfed = { enable = true; - domain = config.fediversity.pixelfed.domain; + domain = config.fediversity.internal.pixelfed.domain; }; services.pixelfed.settings = { @@ -47,9 +47,9 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; AWS_DEFAULT_REGION = "garage"; - AWS_URL = config.fediversity.garage.web.urlFor "pixelfed"; + AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed"; AWS_BUCKET = "pixelfed"; - AWS_ENDPOINT = config.fediversity.garage.api.url; + AWS_ENDPOINT = config.fediversity.internal.garage.api.url; AWS_USE_PATH_STYLE_ENDPOINT = false; }; 
diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index c35e799..c109ea1 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -95,7 +95,7 @@ pkgs.nixosTest { server.succeed("toot post --media $POST_MEDIA") with subtest("access garage"): - ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/mastodon") @@ -122,7 +122,7 @@ pkgs.nixosTest { raise Exception("mastodon did not send a content security policy header") csp = csp_match.group(1) # the img-src content security policy should include the garage server - ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.web.url` here in some way? garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp) if garage_csp is None: raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.") diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index a474b1c..9bf2944 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -186,7 +186,7 @@ pkgs.nixosTest { raise Exception("cannot detect the uploaded image on pixelfed page.") with subtest("access garage"): - ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/pixelfed") 
@@ -203,7 +203,7 @@ pkgs.nixosTest { with subtest("Check that image comes from garage"): src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") - ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.web.url` here in some way? if not src.startswith("http://pixelfed.web.garage.localhost:3902/"): raise Exception("image does not come from garage") ''; diff --git a/vm/mastodon-vm.nix b/vm/mastodon-vm.nix index caf1ca6..ea17f27 100644 --- a/vm/mastodon-vm.nix +++ b/vm/mastodon-vm.nix @@ -57,7 +57,7 @@ BIND = "0.0.0.0"; # for letter_opener (still doesn't work though) REMOTE_DEV = "true"; - LOCAL_DOMAIN = "${config.fediversity.mastodon.domain}:8443"; + LOCAL_DOMAIN = "${config.fediversity.internal.mastodon.domain}:8443"; }; }; diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index f12b9c5..8f97180 100644 --- a/vm/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix @@ -24,7 +24,7 @@ # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx # TODO: If that indeed makes sense, upstream it. nginx = { - # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlFor "pixelfed"}/public/"; + # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; }; }; virtualisation.memorySize = 2048; -- 2.47.0 From 43826e686b9bec0b3f9b44da5459a518840f1a70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 17:20:31 +0200 Subject: [PATCH 10/11] Note on style choice for eg. `fediversity.internal.pixelfed.domain` --- fediversity/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fediversity/default.nix b/fediversity/default.nix index a6e0682..46ee05d 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix 
@@ -79,6 +79,10 @@ in { }; }; + ## REVIEW: Do we want to recreate options under + ## `fediversity.internal` or would we rather use the options from + ## the respective services? See Taeer's comment: + ## https://git.fediversity.eu/taeer/simple-nixos-fediverse/pulls/22#issuecomment-124 pixelfed.domain = mkOption { type = types.str; default = "pixelfed.${config.fediversity.domain}"; -- 2.47.0 From fa0a01f8682cbf4228425b881333f03cd6ce23d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 15:45:53 +0000 Subject: [PATCH 11/11] Use common options also in tests --- tests/mastodon-garage.nix | 7 +++---- tests/pixelfed-garage.nix | 10 ++++------ 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index c109ea1..672b70f 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -57,7 +57,7 @@ pkgs.nixosTest { }; }; - testScript = '' + testScript = { nodes, ... }: '' import re import time @@ -95,8 +95,7 @@ pkgs.nixosTest { server.succeed("toot post --media $POST_MEDIA") with subtest("access garage"): - ## REVIEW: could we grab `config.fediversity.internal.garage.api.url` here in some way? - server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") + server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/mastodon") with subtest("access image in garage"): 
@@ -122,7 +121,7 @@ pkgs.nixosTest { raise Exception("mastodon did not send a content security policy header") csp = csp_match.group(1) # the img-src content security policy should include the garage server - ## REVIEW: could we grab `config.fediversity.internal.garage.web.url` here in some way? + ## TODO: use `nodes.server.fediversity.internal.garage.api.url` same as above, but beware of escaping the regex. garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp) if garage_csp is None: raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.") diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index 9bf2944..b25bc66 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -160,7 +160,7 @@ pkgs.nixosTest { }; }; - testScript = '' + testScript = { nodes, ... }: '' import re server.start() 
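Review bot: The new `## TODO` in tests/mastodon-garage.nix points at `nodes.server.fediversity.internal.garage.api.url`, but the regex on the next line checks the web endpoint (`web\.garage\.localhost:3902`), which corresponds to `fediversity.internal.garage.web.rootDomainAndPort` as defined in fediversity/default.nix, not to the S3 API URL. Following the comment as written would make the CSP assertion look for the wrong host. Suggested wording: `## TODO: build this pattern from nodes.server.fediversity.internal.garage.web.rootDomainAndPort (via re.escape) instead of hard-coding it.`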
@@ -186,15 +186,14 @@ pkgs.nixosTest { raise Exception("cannot detect the uploaded image on pixelfed page.") with subtest("access garage"): - ## REVIEW: could we grab `config.fediversity.internal.garage.api.url` here in some way? - server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") + server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/pixelfed") with subtest("access image in garage"): image = server.succeed("mc find garage --regex '\\.png' --ignore '*_thumb.png'") image = image.rstrip() if image == "": - raise Exception("image posted to mastodon did not get stored in garage") + raise Exception("image posted to Pixelfed did not get stored in garage") server.succeed(f"mc cat {image} >/garage-image.png") garage_image_hash = server.succeed("identify -quiet -format '%#' /garage-image.png") image_hash = server.succeed("identify -quiet -format '%#' $POST_MEDIA") @@ -203,8 +202,7 @@ pkgs.nixosTest { with subtest("Check that image comes from garage"): src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") - ## REVIEW: could we grab `config.fediversity.internal.garage.web.url` here in some way? - if not src.startswith("http://pixelfed.web.garage.localhost:3902/"): + if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"): raise Exception("image does not come from garage") ''; } -- 2.47.0
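Review bot: The rewritten `startswith` check in tests/pixelfed-garage.nix drops the trailing `/` that the removed literal `http://pixelfed.web.garage.localhost:3902/` had; `urlFor` as defined in fediversity/default.nix produces `http://<bucket>.<rootDomainAndPort>` with no trailing slash, so the prefix check no longer pins the end of the authority component and any `src` whose host merely begins with that string would pass. Re-adding the slash keeps the assertion as strict as before: `if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}/"):`. The same substitution in the `mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} ...` line earlier in this hunk is fine as is, since `mc` takes the bare endpoint URL.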