From c9665b927f2af99201ad0e4a3a5fdbc6e3bac165 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 17:56:40 +0200 Subject: [PATCH 01/26] Move stuff from pixelfed-vm to pixelfed --- fediversity/pixelfed.nix | 21 +++++++++++++++++++++ vm/pixelfed-vm.nix | 12 +----------- 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 1edc914..a44b8f1 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -38,9 +38,28 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.pixelfed = { enable = true; domain = config.fediversity.internal.pixelfed.domain; + + # TODO: secrets management!!! + secretFile = pkgs.writeText "secrets.env" '' + APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA + ''; + + ## Taeer feels like this way of configuring Nginx is odd; there should + ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx + ## configuration should be in `services.nginx`. See eg. `pretix`. + ## + ## TODO: If that indeed makes sense, upstream. + nginx = { + # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; + }; }; services.pixelfed.settings = { + ## NOTE: This depends on the targets, eg. universities might want control + ## over who has an account. We probably want a universal + ## `fediversity.openRegistration` option. + OPEN_REGISTRATION = true; + # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3"; FILESYSTEM_CLOUD = "s3"; PF_ENABLE_CLOUD = true; @@ -62,4 +81,6 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: { patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ]; }); + + networking.firewall.allowedTCPPorts = [ 80 ]; } diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index 8f97180..3320ddc 100644 --- a/vm/pixelfed-vm.nix 
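Review bot: The `secretFile = pkgs.writeText "secrets.env" ''…''` added to `services.pixelfed` writes the `APP_KEY` into the world-readable Nix store (and it is already committed to git), and because the commit moves it from `vm/pixelfed-vm.nix` into the shared `fediversity/pixelfed.nix`, it now applies to every deployment built from this module, not only the throwaway VM. The `# TODO: secrets management!!!` covers the eventual fix, but until then the value should stay in the VM module, or `secretFile` should point at a path provisioned outside the store at deploy time (e.g. `secretFile = "/run/secrets/pixelfed.env";`, constructed path), with the committed key treated as compromised and regenerated. The same widening applies to `OPEN_REGISTRATION = true;`, which was VM-only and now defaults every instance to open sign-up; `OPEN_REGISTRATION = lib.mkDefault true;` (or leaving it in the VM module) keeps it overridable until the `fediversity.openRegistration` option mentioned in the NOTE exists. The enclosing `lib.mkIf` attrset begins above the hunk.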
+++ b/vm/pixelfed-vm.nix @@ -11,22 +11,12 @@ pixelfed.enable = true; }; - networking.firewall.allowedTCPPorts = [ 80 ]; services.pixelfed = { - # TODO: secrets management! - secretFile = pkgs.writeText "secrets.env" '' - APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA - ''; settings = { - OPEN_REGISTRATION = true; FORCE_HTTPS_URLS = false; }; - # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx - # TODO: If that indeed makes sense, upstream it. - nginx = { - # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; - }; }; + virtualisation.memorySize = 2048; virtualisation.forwardPorts = [ { -- 2.47.0 From 9be823208309145f137f1052ae2582c570f1647c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 18:25:21 +0200 Subject: [PATCH 02/26] [HACK] comment out virtualisation --- fediversity/garage.nix | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 84af662..2c3e006 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix 
@@ -132,19 +132,19 @@ in }; config = lib.mkIf config.fediversity.enable { - virtualisation.diskSize = 2048; - virtualisation.forwardPorts = [ - { - from = "host"; - host.port = config.fediversity.internal.garage.rpc.port; - guest.port = config.fediversity.internal.garage.rpc.port; - } - { - from = "host"; - host.port = config.fediversity.internal.garage.web.port; - guest.port = config.fediversity.internal.garage.web.port; - } - ]; + # virtualisation.diskSize = 2048; + # virtualisation.forwardPorts = [ + # { + # from = "host"; + # host.port = config.fediversity.internal.garage.rpc.port; + # guest.port = config.fediversity.internal.garage.rpc.port; + # } + # { + # from = "host"; + # host.port = config.fediversity.internal.garage.web.port; + # guest.port = config.fediversity.internal.garage.web.port; + # } + # ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; -- 2.47.0 From 55a6377b129391e0dbd3ef5a2ca93b6db84cd59d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 18:35:22 +0200 Subject: [PATCH 03/26] Ignore errors of `garage key import` --- fediversity/garage.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 2c3e006..9822da7 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -52,7 +52,8 @@ let ${escapeShellArg bucket} --key ${escapeShellArg key} ''; ensureKeyScriptFn = key: {id, secret, ensureAccess}: '' - garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} + ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :` + garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || : ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess} ''; ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys; 
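Review bot: The `|| :` appended to `garage key import --yes -n ${escapeShellArg key} …` swallows every failure of the import, not only the "key already exists" case the FIXME describes, so a malformed or rejected key lets `ensureAccessScriptFn` go on to `garage bucket allow … --key` for a key that was never created while the unit still reports success. The same `|| :` is added to the `tmp` snakeoil import in the `ensure-garage` script in the next hunk (`@@ -197,7`), where the following `aws` calls would then run with credentials Garage does not know. A narrower guard keeps the idempotence without hiding other errors, e.g. `garage key list | grep -q ${escapeShellArg id} || garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret}` — the exact `garage key list` output format should be confirmed against the Garage version in use. `ensureKeyScriptFn` is fully visible here; the `ensure-garage` script body extends beyond its hunk.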
@@ -197,7 +198,8 @@ in # XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys # TODO: generate this key here rather than using a well-known key - garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} + # TODO: if the key already exists, we get an error; hacked with this `|| :` which needs to be removed + garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} || : export AWS_ACCESS_KEY_ID=${snakeoil_key.id}; export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}; -- 2.47.0 From 6323e0adc81863252557c4932eafb9a31871d40e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 18:44:47 +0200 Subject: [PATCH 04/26] Also open HTTPS port --- fediversity/pixelfed.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index a44b8f1..da77fea 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -82,5 +82,5 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ]; }); - networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } -- 2.47.0 From 3bb9569eb4b1854b6f7da2e7ed1f7d2302b6d900 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 18:51:21 +0200 Subject: [PATCH 05/26] ACME --- fediversity/default.nix | 10 ++++++++++ fediversity/pixelfed.nix | 2 ++ 2 files changed, 12 insertions(+) diff --git a/fediversity/default.nix b/fediversity/default.nix index 46ee05d..0fed04f 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix 
@@ -100,4 +100,14 @@ in { }; }; }; + + config = { + ## FIXME: This should clearly go somewhere else; and we should have a + ## `staging` vs. `production` setting somewhere. + security.acme = { + acceptTerms = true; + defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com"; + defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + }; } diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index da77fea..c9b48a0 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -50,6 +50,8 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { ## ## TODO: If that indeed makes sense, upstream. nginx = { + forceSSL = true; + enableACME = true; # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; }; }; -- 2.47.0 From 011f166fd3e6fdb0af0354bdde6dda1db89b8878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Fri, 20 Sep 2024 18:55:00 +0200 Subject: [PATCH 06/26] Exceptionally use non-staging LetsEncrypt servers --- fediversity/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index 0fed04f..c8bc0f1 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -107,7 +107,7 @@ in { security.acme = { acceptTerms = true; defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com"; - defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; }; } -- 2.47.0 From 2501c480fb27ca82cd62787595dcaeaede80c213 Mon Sep 17 00:00:00 2001 
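Review bot: `defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com";` hard-codes one person's address as the ACME account contact for every deployment that imports `fediversity/default.nix`, so certificate expiry and policy notices for other operators' domains would go to that mailbox and the account cannot be changed without editing the module. The `## FIXME` already flags the placement; the email (and the staging/production choice) would be better surfaced as module options declared next to `fediversity.domain`, e.g. `defaults.email = config.fediversity.acme.email;` (constructed option name). `acceptTerms = true;` is likewise a decision each operator should make explicitly rather than inherit silently from a shared module. The enclosing `in {` attrset begins above the hunk.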
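Review bot: Commenting out `defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";` switches every build of this shared module, including test VMs, to Let's Encrypt's production endpoint, which enforces per-domain issuance rate limits that repeated test deployments can exhaust. Since the commit message calls this exceptional, a toggle rather than a comment keeps the exception visible and reversible, e.g. `defaults.server = lib.mkIf (!config.fediversity.acme.production) "https://acme-staging-v02.api.letsencrypt.org/directory";` with `fediversity.acme.production` as a constructed option name to be declared alongside the others. A `mkVMOverride` in the VM modules would then be the natural place to force staging for VM builds regardless of the shared default.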
From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 11:55:54 -0400 Subject: [PATCH 07/26] proxy garage web to port 80 --- fediversity/default.nix | 8 ++------ fediversity/garage.nix | 37 +++++++++++++++++++++++-------------- fediversity/mastodon.nix | 2 +- 3 files changed, 26 insertions(+), 21 deletions(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index c8bc0f1..768fb37 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -64,17 +64,13 @@ in { type = types.str; default = "web.garage.${config.fediversity.domain}"; }; - port = mkOption { + internalPort = mkOption { type = types.int; default = 3902; }; - rootDomainAndPort = mkOption { - type = types.str; - default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}"; - }; urlFor = mkOption { type = types.functionTo types.str; - default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}"; + default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomain}"; }; }; }; diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 9822da7..811bf9a 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -5,6 +5,7 @@ let id = "GK22a15201acacbd51cd43e327"; secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e"; }; + cfg = config.fediversity.internal.garage; in # TODO: expand to a multi-machine setup 
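Review bot: The new `cfg = config.fediversity.internal.garage;` in the outer `let` collides with the name the file already uses for `config.services.garage` — the `aws` line in hunk `@@ -42,7` reads `cfg.settings.s3_api.s3_region` and `cfg.api.url` from the same identifier, and `services.garage` has no `api` attribute, so whichever binding is in scope there (the inner one appears to be declared in a `let` below this hunk) one of the two lookups fails at evaluation. Naming this binding differently, e.g. `fedicfg = config.fediversity.internal.garage;`, and using it in the `@@ -42,7`, `@@ -137,21`, `@@ -161,15` and `@@ -193,7` hunks removes the ambiguity. The `let` that binds the other `cfg` lies outside this hunk.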
@@ -42,7 +43,7 @@ let ${optionalString corsRules.enable '' garage bucket allow --read --write --owner ${bucketArg} --key tmp # TODO: endpoin-url should not be hard-coded - aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} + aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${cfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} garage bucket deny --read --write --owner ${bucketArg} --key tmp ''} ''; @@ -137,21 +138,20 @@ in # virtualisation.forwardPorts = [ # { # from = "host"; - # host.port = config.fediversity.internal.garage.rpc.port; - # guest.port = config.fediversity.internal.garage.rpc.port; + # host.port = cfg.rpc.port; + # guest.port = cfg.rpc.port; # } # { # from = "host"; - # host.port = config.fediversity.internal.garage.web.port; - # guest.port = config.fediversity.internal.garage.web.port; + # host.port = cfg.web.port; + # guest.port = cfg.web.port; # } # ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; networking.firewall.allowedTCPPorts = [ - config.fediversity.internal.garage.rpc.port - config.fediversity.internal.garage.web.port + cfg.rpc.port ]; services.garage = { enable = true; 
@@ -161,15 +161,24 @@ in # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}"; - rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}"; - s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}"; - s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}"; - s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}"; + rpc_bind_addr = "[::]:${toString cfg.rpc.port}"; + rpc_public_addr = "[::1]:${toString cfg.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString cfg.api.port}"; + s3_web.bind_addr = "[::]:${toString cfg.web.port}"; + s3_web.root_domain = ".${cfg.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}"; + s3_api.root_domain = ".${cfg.api.domain}"; + }; + }; + services.nginx.virtualHosts."garagePortProxy" = { + serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com + locations."/" = { + proxyPass = "localhost:3902" + extraConfig = '' + proxy_set_header Host $host; + ''; }; }; systemd.services.ensure-garage = { @@ -184,7 +193,7 @@ in # Give Garage time to start up by waiting until somethings speaks HTTP # behind Garage's API URL. - until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done + until ${pkgs.curl}/bin/curl -sio /dev/null ${cfg.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index 62599b5..d19edca 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix 
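Review bot: `proxyPass = "localhost:3902"` in the new `services.nginx.virtualHosts."garagePortProxy"` hard-codes the port that this same commit makes configurable as `web.internalPort` (default 3902) in `fediversity/default.nix`, so changing the option moves Garage's `s3_web.bind_addr` listener but leaves the proxy pointing at the old port; the line also lacks the trailing semicolon and the `http://` scheme nginx requires. `proxyPass = "http://localhost:${toString cfg.web.internalPort}";` keeps the two in step. Likewise `serverName = "${cfg.web.urlFor "*"}"` expands to a string beginning with `http://`, which is not a valid nginx server name; the intent reads as `serverName = "*.${cfg.web.rootDomain}";`. The surrounding `config = lib.mkIf …` attrset continues outside the hunk.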
@@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; - S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort; + S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain; # by default it tries to use "/" S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ -- 2.47.0 From e0936322220d9dd5c16aca24855fb8de8a1faa29 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 11:58:49 -0400 Subject: [PATCH 08/26] ; --- fediversity/garage.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 811bf9a..6a1e2d5 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -175,7 +175,7 @@ in services.nginx.virtualHosts."garagePortProxy" = { serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com locations."/" = { - proxyPass = "localhost:3902" + proxyPass = "localhost:3902"; extraConfig = '' proxy_set_header Host $host; ''; -- 2.47.0 From ca8310dce39840dc22be95b52cbc7b8b99674ea5 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 12:09:16 -0400 Subject: [PATCH 09/26] had two 'cfg's. changed one to 'fedicfg' --- fediversity/garage.nix | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 6a1e2d5..bf5d827 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -5,7 +5,6 @@ let id = "GK22a15201acacbd51cd43e327"; secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e"; }; - cfg = config.fediversity.internal.garage; in # TODO: expand to a multi-machine setup 
@@ -16,6 +15,7 @@ let inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep; inherit (lib.strings) escapeShellArg; cfg = config.services.garage; + fedicfg = config.fediversity.internal.garage; concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset); ensureBucketScriptFn = bucket: { website, aliases, corsRules }: let @@ -43,7 +43,7 @@ let ${optionalString corsRules.enable '' garage bucket allow --read --write --owner ${bucketArg} --key tmp # TODO: endpoin-url should not be hard-coded - aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${cfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} + aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} garage bucket deny --read --write --owner ${bucketArg} --key tmp ''} ''; @@ -138,20 +138,20 @@ in # virtualisation.forwardPorts = [ # { # from = "host"; - # host.port = cfg.rpc.port; - # guest.port = cfg.rpc.port; + # host.port = fedicfg.rpc.port; + # guest.port = fedicfg.rpc.port; # } # { # from = "host"; - # host.port = cfg.web.port; - # guest.port = cfg.web.port; + # host.port = fedicfg.web.port; + # guest.port = fedicfg.web.port; # } # ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; networking.firewall.allowedTCPPorts = [ - cfg.rpc.port + fedicfg.rpc.port ]; services.garage = { enable = true; 
@@ -161,19 +161,19 @@ in # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:${toString cfg.rpc.port}"; - rpc_public_addr = "[::1]:${toString cfg.rpc.port}"; - s3_api.api_bind_addr = "[::]:${toString cfg.api.port}"; - s3_web.bind_addr = "[::]:${toString cfg.web.port}"; - s3_web.root_domain = ".${cfg.web.rootDomain}"; + rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}"; + rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}"; + s3_web.bind_addr = "[::]:${toString fedicfg.web.port}"; + s3_web.root_domain = ".${fedicfg.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".${cfg.api.domain}"; + s3_api.root_domain = ".${fedicfg.api.domain}"; }; }; services.nginx.virtualHosts."garagePortProxy" = { - serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com + serverName = "${fedicfg.web.urlFor "*"}"; # wildcard bucket *.foo.com locations."/" = { proxyPass = "localhost:3902"; extraConfig = '' @@ -193,7 +193,7 @@ in # Give Garage time to start up by waiting until somethings speaks HTTP # behind Garage's API URL. - until ${pkgs.curl}/bin/curl -sio /dev/null ${cfg.api.url}; do sleep 1; done + until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) -- 2.47.0 From 2657e2130fa12bda9d81d3595daf26b038717775 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 12:11:04 -0400 Subject: [PATCH 10/26] mv {,internal}port --- fediversity/garage.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index bf5d827..be29e21 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix 
@@ -164,7 +164,7 @@ in rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}"; rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}"; s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}"; - s3_web.bind_addr = "[::]:${toString fedicfg.web.port}"; + s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}"; s3_web.root_domain = ".${fedicfg.web.rootDomain}"; index = "index.html"; -- 2.47.0 From ffb941687a282e909e811fd6f6bd79f1712328f4 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 12:14:40 -0400 Subject: [PATCH 11/26] remove http:// from nginx server name --- fediversity/garage.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index be29e21..b3d33a9 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -173,7 +173,7 @@ in }; }; services.nginx.virtualHosts."garagePortProxy" = { - serverName = "${fedicfg.web.urlFor "*"}"; # wildcard bucket *.foo.com + serverName = "*.${fedicfg.web.rootDomain}"; locations."/" = { proxyPass = "localhost:3902"; extraConfig = '' -- 2.47.0 From db39623eebef91443c4a459640903bde9fcd5b05 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 12:18:22 -0400 Subject: [PATCH 12/26] ADD http:// to proxypass --- fediversity/garage.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index b3d33a9..46fa6dc 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -175,7 +175,7 @@ in services.nginx.virtualHosts."garagePortProxy" = { serverName = "*.${fedicfg.web.rootDomain}"; locations."/" = { - proxyPass = "localhost:3902"; + proxyPass = "http://localhost:3902"; extraConfig = '' proxy_set_header Host $host; ''; -- 2.47.0 From 3e4b486921cb8cfd58eb0faa64d8b6689ba6bf04 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 12:22:40 -0400 Subject: [PATCH 13/26] httpS --- fediversity/garage.nix | 2 ++ 1 file changed, 2 insertions(+) 
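Review bot: `s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}"` keeps Garage's plaintext web listener on every interface even though, since the nginx virtual host was added, its only intended client is `proxyPass = "http://localhost:3902"` on the same host. The firewall no longer lists this port, but binding to loopback, `s3_web.bind_addr = "[::1]:${toString fedicfg.web.internalPort}";`, stops relying on the firewall rule for what the rename to `internalPort` says is an internal port. If a QEMU port-forward to this port is reintroduced in a VM module, it presumably needs a non-loopback bind, so that override belongs in the VM module rather than here. `services.garage.settings` continues outside the hunk.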
diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 46fa6dc..ea400df 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -173,6 +173,8 @@ in }; }; services.nginx.virtualHosts."garagePortProxy" = { + forceSSL = true; + enableACME = true; serverName = "*.${fedicfg.web.rootDomain}"; locations."/" = { proxyPass = "http://localhost:3902"; -- 2.47.0 From 2116ac6b27096d87e7cc1bb609e987e0d28fe455 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 12:39:15 -0400 Subject: [PATCH 14/26] acme fixup --- fediversity/garage.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index ea400df..e38acc8 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -172,10 +172,12 @@ in s3_api.root_domain = ".${fedicfg.api.domain}"; }; }; + services.nginx.virtualHosts."garagePortProxy" = { forceSSL = true; - enableACME = true; - serverName = "*.${fedicfg.web.rootDomain}"; + useACME = true; + serverName = fedicfg.web.rootDomain; + serverAliases = lib.mapAttrsToList (bucket: _: "${bucket}.${fedicfg.web.rootDomain}") cfg.ensureBuckets; ## TODO: use wildcard certificates? locations."/" = { proxyPass = "http://localhost:3902"; extraConfig = '' @@ -183,6 +185,7 @@ in ''; }; }; + systemd.services.ensure-garage = { after = [ "garage.service" ]; wantedBy = [ "garage.service" ]; -- 2.47.0 From 51a294a659617f4b06fd720e159c9b9c6dbafe19 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Mon, 23 Sep 2024 12:39:55 -0400 Subject: [PATCH 15/26] acme fixup 2 --- fediversity/garage.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index e38acc8..a627009 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix 
@@ -175,7 +175,7 @@ in services.nginx.virtualHosts."garagePortProxy" = { forceSSL = true; - useACME = true; + enableACME = true; serverName = fedicfg.web.rootDomain; serverAliases = lib.mapAttrsToList (bucket: _: "${bucket}.${fedicfg.web.rootDomain}") cfg.ensureBuckets; ## TODO: use wildcard certificates? locations."/" = { -- 2.47.0 From 6b45256839be96be7dbe556102e703d5c409bf32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 14:17:56 +0200 Subject: [PATCH 16/26] s/urlFor/urlForBucket --- fediversity/default.nix | 2 +- fediversity/peertube.nix | 6 +++--- fediversity/pixelfed.nix | 4 ++-- tests/pixelfed-garage.nix | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index 768fb37..96a3d5b 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -68,7 +68,7 @@ in { type = types.int; default = 3902; }; - urlFor = mkOption { + urlForBucket = mkOption { type = types.functionTo types.str; default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomain}"; }; diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix index 88d26e1..03e9e71 100644 --- a/fediversity/peertube.nix +++ b/fediversity/peertube.nix 
@@ -74,17 +74,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { web_videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = config.fediversity.internal.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name; }; videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = config.fediversity.internal.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name; }; streaming_playlists = rec { bucket_name = "peertube-playlists"; prefix = ""; - base_url = config.fediversity.internal.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name; }; }; }; diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index c9b48a0..894b99d 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -52,7 +52,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { nginx = { forceSSL = true; enableACME = true; - # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; + # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/"; }; }; @@ -68,7 +68,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; AWS_DEFAULT_REGION = "garage"; - AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed"; + AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed"; AWS_BUCKET = "pixelfed"; AWS_ENDPOINT = config.fediversity.internal.garage.api.url; AWS_USE_PATH_STYLE_ENDPOINT = false; diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index b25bc66..f921c77 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix 
@@ -202,7 +202,7 @@ pkgs.nixosTest { with subtest("Check that image comes from garage"): src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") - if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"): + if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"): raise Exception("image does not come from garage") ''; } -- 2.47.0 From 050042d25569264554b6a7141f7893f63beab9d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 14:23:29 +0200 Subject: [PATCH 17/26] domainForBucket --- fediversity/default.nix | 6 +++++- fediversity/garage.nix | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index 96a3d5b..6a6b867 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -68,9 +68,13 @@ in { type = types.int; default = 3902; }; + domainForBucket = mkOption { + type = types.functionTo types.str; + default = bucket: "${bucket}.${config.fediversity.internal.garage.web.rootDomain}"; + }; urlForBucket = mkOption { type = types.functionTo types.str; - default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomain}"; + default = bucket: "http://${config.fediversity.internal.garage.web.domainForBucket bucket}"; }; }; }; diff --git a/fediversity/garage.nix b/fediversity/garage.nix index a627009..a3cbbeb 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix 
@@ -177,7 +177,7 @@ in forceSSL = true; enableACME = true; serverName = fedicfg.web.rootDomain; - serverAliases = lib.mapAttrsToList (bucket: _: "${bucket}.${fedicfg.web.rootDomain}") cfg.ensureBuckets; ## TODO: use wildcard certificates? + serverAliases = lib.mapAttrsToList (bucket: _: fedicfg.web.domainForBucket bucket) cfg.ensureBuckets; ## TODO: use wildcard certificates? locations."/" = { proxyPass = "http://localhost:3902"; extraConfig = '' -- 2.47.0 From 042cb2d517fe89904f0c4211ecdb629c1303b64a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 14:40:35 +0200 Subject: [PATCH 18/26] Move Garage VM stuff out of main file --- fediversity/garage.nix | 16 +--------------- flake.nix | 8 +++++--- tests/mastodon-garage.nix | 2 +- tests/pixelfed-garage.nix | 2 +- vm/garage-vm.nix | 25 +++++++++++++++++++++++++ 5 files changed, 33 insertions(+), 20 deletions(-) create mode 100644 vm/garage-vm.nix diff --git a/fediversity/garage.nix b/fediversity/garage.nix index a3cbbeb..cc6187f 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -134,20 +134,6 @@ in }; config = lib.mkIf config.fediversity.enable { - # virtualisation.diskSize = 2048; - # virtualisation.forwardPorts = [ - # { - # from = "host"; - # host.port = fedicfg.rpc.port; - # guest.port = fedicfg.rpc.port; - # } - # { - # from = "host"; - # host.port = fedicfg.web.port; - # guest.port = fedicfg.web.port; - # } - # ]; - environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; networking.firewall.allowedTCPPorts = [ @@ -185,7 +171,7 @@ in ''; }; }; - + systemd.services.ensure-garage = { after = [ "garage.service" ]; wantedBy = [ "garage.service" ]; diff --git a/flake.nix b/flake.nix index 737ad31..5950b6b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -17,6 +17,7 @@ ## VM-specific modules interactive-vm = import ./vm/interactive-vm.nix; + garage-vm = import ./vm/garage-vm.nix; mastodon-vm = import ./vm/mastodon-vm.nix; peertube-vm = import ./vm/peertube-vm.nix; pixelfed-vm = import ./vm/pixelfed-vm.nix; @@ -25,17 +26,17 @@ nixosConfigurations = { mastodon = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ]; + modules = with self.nixosModules; [ fediversity interactive-vm garage-vm mastodon-vm ]; }; peertube = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ]; + modules = with self.nixosModules; [ fediversity interactive-vm garage-vm peertube-vm ]; }; pixelfed = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ]; + modules = with self.nixosModules; [ fediversity interactive-vm garage-vm pixelfed-vm ]; }; all = nixpkgs.lib.nixosSystem { @@ -43,6 +44,7 @@ modules = with self.nixosModules; [ fediversity interactive-vm + garage-vm peertube-vm pixelfed-vm mastodon-vm diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index 672b70f..ef53c6a 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -37,7 +37,7 @@ pkgs.nixosTest { nodes = { server = { config, ... }: { virtualisation.memorySize = lib.mkVMOverride 4096; - imports = with self.nixosModules; [ mastodon-vm ]; + imports = with self.nixosModules; [ garage-vm mastodon-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index f921c77..4137ede 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix 
@@ -136,7 +136,7 @@ pkgs.nixosTest { memorySize = lib.mkVMOverride 8192; cores = 8; }; - imports = with self.nixosModules; [ pixelfed-vm ]; + imports = with self.nixosModules; [ garage-vm pixelfed-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 diff --git a/vm/garage-vm.nix b/vm/garage-vm.nix new file mode 100644 index 0000000..cd9c81c --- /dev/null +++ b/vm/garage-vm.nix @@ -0,0 +1,25 @@ +{ config, modulesPath, ... }: + +let + fedicfg = config.fediversity.internal.garage; + +in { + imports = [ + ../fediversity + (modulesPath + "/virtualisation/qemu-vm.nix") + ]; + + virtualisation.diskSize = 2048; + virtualisation.forwardPorts = [ + { + from = "host"; + host.port = fedicfg.rpc.port; + guest.port = fedicfg.rpc.port; + } + { + from = "host"; + host.port = fedicfg.web.port; + guest.port = fedicfg.web.port; + } + ]; +} -- 2.47.0 From a600829d56632b6d94a9c4b010b24b82d3b6c3e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 14:42:18 +0200 Subject: [PATCH 19/26] s/port/internalPort --- vm/garage-vm.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vm/garage-vm.nix b/vm/garage-vm.nix index cd9c81c..31e3c41 100644 --- a/vm/garage-vm.nix +++ b/vm/garage-vm.nix @@ -18,8 +18,8 @@ in { } { from = "host"; - host.port = fedicfg.web.port; - guest.port = fedicfg.web.port; + host.port = fedicfg.web.internalPort; + guest.port = fedicfg.web.internalPort; } ]; } -- 2.47.0 From bf303ff1d1242cfb11f5f9242c77bbcf158cc86c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 14:51:41 +0200 Subject: [PATCH 20/26] Remove SSL in VM --- vm/pixelfed-vm.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index 3320ddc..3353648 100644 --- a/vm/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix 
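Review bot: The new `vm/garage-vm.nix` forwards `fedicfg.web.port`, but `web.port` was renamed to `web.internalPort` in `fediversity/default.nix` earlier in this series, so evaluating this module should fail on a missing attribute; `host.port = fedicfg.web.internalPort;` and `guest.port = fedicfg.web.internalPort;` is presumably what the commented-out block removed from `garage.nix` in this same commit meant. Forwarding `fedicfg.rpc.port` to the host also exposes Garage's cluster RPC, whose `rpc_secret` is a fixed string in `garage.nix`, to anything that can reach the host's forwarded socket; unless `host.address` is set (e.g. `host.address = "127.0.0.1";`), the QEMU forward presumably listens on all host interfaces — confirm against qemu-vm.nix. These forwards were inert while commented out in `garage.nix` since the `[HACK]` commit, so this is the first point in the series where they take effect again.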
@@ -1,5 +1,9 @@ -{ pkgs, modulesPath, ... }: { +{ pkgs, lib, modulesPath, ... }: +let + inherit (lib) mkVMOverride; + +in { imports = [ ../fediversity (modulesPath + "/virtualisation/qemu-vm.nix") @@ -15,6 +19,10 @@ settings = { FORCE_HTTPS_URLS = false; }; + nginx = { + forceSSL = mkVMOverride false; + enableACME = mkVMOverride false; + }; }; virtualisation.memorySize = 2048; -- 2.47.0 From e6b58b656ba4babaa3739481fd29430d3aaa157c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 14:55:20 +0200 Subject: [PATCH 21/26] Remove SSL in Garage VM --- fediversity/garage.nix | 3 +-- vm/garage-vm.nix | 9 ++++++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/fediversity/garage.nix b/fediversity/garage.nix index cc6187f..0dd0d7f 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -159,10 +159,9 @@ in }; }; - services.nginx.virtualHosts."garagePortProxy" = { + services.nginx.virtualHosts.${fedicfg.web.rootDomain} = { forceSSL = true; enableACME = true; - serverName = fedicfg.web.rootDomain; serverAliases = lib.mapAttrsToList (bucket: _: fedicfg.web.domainForBucket bucket) cfg.ensureBuckets; ## TODO: use wildcard certificates? locations."/" = { proxyPass = "http://localhost:3902"; diff --git a/vm/garage-vm.nix b/vm/garage-vm.nix index 31e3c41..8deb49f 100644 --- a/vm/garage-vm.nix +++ b/vm/garage-vm.nix @@ -1,6 +1,8 @@ -{ config, modulesPath, ... }: +{ lib, config, modulesPath, ... }: let + inherit (lib) mkVMOverride; + fedicfg = config.fediversity.internal.garage; in { @@ -9,6 +11,11 @@ in { (modulesPath + "/virtualisation/qemu-vm.nix") ]; + services.nginx.virtualHosts.${fedicfg.web.rootDomain} = { + forceSSL = mkVMOverride false; + enableACME = mkVMOverride false; + }; + virtualisation.diskSize = 2048; virtualisation.forwardPorts = [ { -- 2.47.0 From fc18582a1bfc4738352b8401362a4f90a651461b Mon Sep 17 00:00:00 2001 
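Review bot: With `forceSSL` and `enableACME` both forced off and `FORCE_HTTPS_URLS = false` a few lines above, this VM serves Pixelfed's session and CSRF cookies over plaintext HTTP, which is fine for a throwaway dev VM but nothing in the file says so. These are `mkVMOverride` definitions, so they win over any plain `forceSSL = true` in the imported `../fediversity` module wherever this file is imported; a comment such as `## Plain HTTP on purpose: the VM has no public domain or ACME. Never import this module into a real host.` above the `nginx = {` block would stop it being copied into a production configuration. The enclosing `services.pixelfed = {` set continues past the end of the hunk.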
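Review bot: `locations."/".proxyPass = "http://localhost:3902"` forwards every alias of this vhost to Garage's web endpoint, and as far as I recall Garage picks the bucket from the incoming `Host` header; nginx rewrites `Host` to the upstream name unless `proxy_set_header Host $host` is in effect, so unless `services.nginx.recommendedProxySettings` (or an equivalent `extraConfig`) is enabled somewhere outside this hunk, all bucket domains would reach Garage as `localhost`. If it is not set elsewhere, `extraConfig = "proxy_set_header Host $host;";` inside the `locations."/"` block is the minimal fix. Separately, `enableACME = true` combined with `serverAliases` derived from `cfg.ensureBuckets` puts the root domain and every bucket domain on one certificate, so every bucket must be publicly resolvable at issuance time and each newly ensured bucket triggers a fresh issuance — worth spelling out next to the existing wildcard TODO. The `locations."/"` set is cut off by the end of the hunk.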
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 16:42:53 +0200 Subject: [PATCH 22/26] Make Garage API domain be localhost --- fediversity/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index 6a6b867..e4c45cd 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -2,7 +2,7 @@ let inherit (builtins) toString; - inherit (lib) mkOption mkEnableOption; + inherit (lib) mkOption mkEnableOption mkForce; inherit (lib.types) types; in { @@ -109,5 +109,10 @@ in { defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com"; # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; }; + + ## NOTE: For a one-machine deployment, this removes the need to provide an + ## `s3.garage.` domain. However, this will quickly stop working once + ## we go to multi-machines deployment. + fediversity.internal.garage.api.domain = mkForce "localhost"; }; } -- 2.47.0 From b461a447077b3b8b37953eefb21ee132b480ef73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?= Date: Tue, 24 Sep 2024 16:59:37 +0200 Subject: [PATCH 23/26] Not localhost --- fediversity/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fediversity/default.nix b/fediversity/default.nix index e4c45cd..379b1b2 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -113,6 +113,6 @@ in { ## NOTE: For a one-machine deployment, this removes the need to provide an ## `s3.garage.` domain. However, this will quickly stop working once ## we go to multi-machines deployment. - fediversity.internal.garage.api.domain = mkForce "localhost"; + fediversity.internal.garage.api.domain = mkForce "s3.garage.localhost"; }; } -- 2.47.0 From d910dfe78864d4656200cbb3e12a00c2c4537711 Mon Sep 17 00:00:00 2001 
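Review bot: `mkForce` on `fediversity.internal.garage.api.domain` lives in the shared `fediversity/default.nix`, so no host configuration can override the S3 API domain at all — exactly the limitation the NOTE above it admits will bite on multi-machine deployments. A `mkDefault` keeps the one-machine convenience while letting a real deployment set its own `s3.garage.<domain>`; if the intent is VM-only, the line belongs in `vm/garage-vm.nix` as a `mkVMOverride` instead. Proposed: `fediversity.internal.garage.api.domain = mkDefault "localhost";` (the literal is revised in the next patch; the priority is the point here).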
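Review bot: Whether `s3.garage.localhost` resolves to loopback depends on the resolver stack rather than on this configuration: systemd-resolved answers any `*.localhost` name locally, but a plain glibc `files dns` lookup does not, and the `networking` settings of the hosts importing this module are not visible here. Pinning it with `networking.hosts."127.0.0.1" = [ "s3.garage.localhost" ];` next to this line removes that dependency. A comment stating that the name is deliberately a subdomain (so the per-domain nginx vhost and any domain-keyed TLS logic keep working) would also record why bare `localhost` was abandoned.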
From: Taeer Bar-Yam Date: Wed, 25 Sep 2024 00:40:53 -0400 Subject: [PATCH 24/26] take bleeding edge pixelfed --- fediversity/pixelfed.nix | 4 ---- flake.lock | 36 +++++++++++++++++++++++++++++++- flake.nix | 44 +++++++++++++++++++++++++++++++++++---- tests/mastodon-garage.nix | 2 +- 4 files changed, 76 insertions(+), 10 deletions(-) diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 894b99d..cef5d6d 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -80,9 +80,5 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { after = [ "ensure-garage.service" ]; }; - services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: { - patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ]; - }); - networking.firewall.allowedTCPPorts = [ 80 443 ]; } diff --git a/flake.lock b/flake.lock index 60b501f..d25c01c 100644 --- a/flake.lock +++ b/flake.lock @@ -16,9 +16,43 @@ "type": "github" } }, + "nixpkgs-latest": { + "locked": { + "lastModified": 1727220152, + "narHash": "sha256-6ezRTVBZT25lQkvaPrfJSxYLwqcbNWm6feD/vG1FO0o=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "24959f933187217890b206788a85bfa73ba75949", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "pixelfed": { + "flake": false, + "locked": { + "lastModified": 1719823820, + "narHash": "sha256-CKjqnxp7p2z/13zfp4HQ1OAmaoUtqBKS6HFm6TV8Jwg=", + "owner": "pixelfed", + "repo": "pixelfed", + "rev": "4c245cf429330d01fcb8ebeb9aa8c84a9574a645", + "type": "github" + }, + "original": { + "owner": "pixelfed", + "ref": "v0.12.3", + "repo": "pixelfed", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "nixpkgs-latest": "nixpkgs-latest", + "pixelfed": "pixelfed" } } }, diff --git a/flake.nix b/flake.nix index 5950b6b..2a8a17b 100644 --- a/flake.nix +++ b/flake.nix 
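Review bot: Dropping the `services.pixelfed.package` override from this module means `pixelfed-group-permissions.patch` is now applied only when the `bleedingFediverse` overlay from `flake.nix` (added elsewhere in this patch) is imported alongside `fediversity`; nothing in `fediversity/pixelfed.nix` checks that, so a host importing only `fediversity` silently runs the unpatched package with whatever permission problem the patch was fixing. A one-line note above `networking.firewall.allowedTCPPorts`, such as `## NOTE: pixelfed must come from the bleedingFediverse overlay (flake.nix), which carries pixelfed-group-permissions.patch.`, would at least document the coupling; a `fediversity.pixelfed.package` option whose default applies the patch would let the module stand on its own. The enclosing `lib.mkIf (…)` attribute set starts before this hunk.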
@@ -3,15 +3,32 @@ inputs = { nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests"; + nixpkgs-latest.url = "github:nixos/nixpkgs"; + pixelfed = { + url = "github:pixelfed/pixelfed?ref=v0.12.3"; + flake = false; + }; }; - outputs = { self, nixpkgs }: + outputs = { self, nixpkgs, nixpkgs-latest, pixelfed }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; + pkgsLatest = nixpkgs-latest.legacyPackages.${system}; + bleedingFediverseOverlay = (self: super: { + services.pixelfed.package = pkgsLatest.pixelfed.overrideAttrs (old: { + src = pixelfed; + patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ]; + }); + ## TODO: give mastodon, peertube the same treatment + }); in { nixosModules = { + ## Bleeding-edge fediverse packages + bleedingFediverse = { + nixpkgs.overlays = [ bleedingFediverseOverlay ]; + }; ## Fediversity modules fediversity = import ./fediversity; @@ -26,22 +43,41 @@ nixosConfigurations = { mastodon = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ fediversity interactive-vm garage-vm mastodon-vm ]; + modules = with self.nixosModules; [ + bleedingFediverse + fediversity + interactive-vm + garage-vm + mastodon-vm + ]; }; peertube = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ fediversity interactive-vm garage-vm peertube-vm ]; + modules = with self.nixosModules; [ + bleedingFediverse + fediversity + interactive-vm + garage-vm + peertube-vm + ]; }; pixelfed = nixpkgs.lib.nixosSystem { inherit system; - modules = with self.nixosModules; [ fediversity interactive-vm garage-vm pixelfed-vm ]; + modules = with self.nixosModules; [ + bleedingFediverse + fediversity + interactive-vm + garage-vm + pixelfed-vm + ]; }; all = nixpkgs.lib.nixosSystem { inherit system; modules = with self.nixosModules; [ + bleedingFediverse fediversity interactive-vm garage-vm diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index ef53c6a..c02fe7d 100644 
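Review bot: `nixpkgs-latest.url = "github:nixos/nixpkgs"` carries no `ref`, so it tracks the repository's default branch, which receives commits before any channel's Hydra tests; the lock pins a revision today, but every `nix flake update` will move it to an untested tip. Pinning to a tested channel, e.g. `nixpkgs-latest.url = "github:nixos/nixpkgs/nixos-unstable";`, keeps the "latest" intent without that exposure. In the overlay, `overrideAttrs (old: { src = pixelfed; … })` swaps only the source while keeping nixpkgs-latest's version string, composer vendor hash and default patches, all computed for whichever Pixelfed version that nixpkgs ships; if that is not v0.12.3 the build either fails on the fixed-output hash or runs with mismatched vendored dependencies — the package definition is not visible here, so please confirm the versions line up or override `version` and the vendor hash together. Mixing `pkgsLatest` packages with the `nixpkgs` NixOS module also deserves a comment, since the two evaluate against different PHP and library sets.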
--- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -37,7 +37,7 @@ pkgs.nixosTest { nodes = { server = { config, ... }: { virtualisation.memorySize = lib.mkVMOverride 4096; - imports = with self.nixosModules; [ garage-vm mastodon-vm ]; + imports = with self.nixosModules; [ bleedingFediverse garage-vm mastodon-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 -- 2.47.0 From fa53ecac53921f84369fb382c303796756ecfd67 Mon Sep 17 00:00:00 2001 From: Taeer Bar-Yam Date: Wed, 25 Sep 2024 11:25:21 -0400 Subject: [PATCH 25/26] fix the overlay --- flake.nix | 4 ++-- tests/pixelfed-garage.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 2a8a17b..08d1cdc 100644 --- a/flake.nix +++ b/flake.nix @@ -16,9 +16,9 @@ pkgs = nixpkgs.legacyPackages.${system}; pkgsLatest = nixpkgs-latest.legacyPackages.${system}; bleedingFediverseOverlay = (self: super: { - services.pixelfed.package = pkgsLatest.pixelfed.overrideAttrs (old: { + pixelfed = pkgsLatest.pixelfed.overrideAttrs (old: { src = pixelfed; - patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ]; + patches = (old.patches or [ ]) ++ [ ./fediversity/pixelfed-group-permissions.patch ]; }); ## TODO: give mastodon, peertube the same treatment }); diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index 4137ede..43a26d5 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -136,7 +136,7 @@ pkgs.nixosTest { memorySize = lib.mkVMOverride 8192; cores = 8; }; - imports = with self.nixosModules; [ garage-vm pixelfed-vm ]; + imports = with self.nixosModules; [ bleedingFediverse garage-vm pixelfed-vm ]; # TODO: pair down environment.systemPackages = with pkgs; [ python3 -- 2.47.0 From 4da997b3afa4b5ee50ad0e96c0f23d2049625a44 Mon Sep 17 00:00:00 2001 
From: Taeer Bar-Yam Date: Thu, 26 Sep 2024 01:41:06 -0400 Subject: [PATCH 26/26] fix frivolous errors in garage test --- tests/pixelfed-garage.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index 43a26d5..92ef721 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -152,6 +152,8 @@ pkgs.nixosTest { POST_MEDIA = ./fediversity.png; AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id; AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret; + ## without this we get frivolous errors in the logs + MC_REGION = "garage"; }; # chrome does not like being run as root users.users.selenium = { -- 2.47.0
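Review bot: `MC_REGION = "garage"` hard-codes a region that must match whatever Garage is configured with, and the comment only says the errors were "frivolous"; name the warning it silences (an mc region-mismatch complaint, if that is what you saw) and, if the Garage module exposes it, derive the value instead of repeating it, e.g. `MC_REGION = config.services.garage.settings.s3_api.s3_region;` — I cannot see from here whether that settings path is set. Note also that `AWS_SECRET_ACCESS_KEY` sits in the same environment block; acceptable inside a NixOS test VM, but it ends up in the test derivation and its logs, so these keys must stay test-only.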