Get Pixelfed running on metal #24

Merged
taeer merged 26 commits from pixelfed-on-metal into main 2024-09-26 15:52:16 +02:00
Showing only changes of commit ca8310dce3 - Show all commits


@ -5,7 +5,6 @@ let
id = "GK22a15201acacbd51cd43e327"; id = "GK22a15201acacbd51cd43e327";
secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e"; secret = "82b2b4cbef27bf8917b350d5b10a87c92fa9c8b13a415aeeea49726cf335d74e";
}; };
cfg = config.fediversity.internal.garage;
in in
# TODO: expand to a multi-machine setup # TODO: expand to a multi-machine setup
@ -16,6 +15,7 @@ let
inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep; inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
inherit (lib.strings) escapeShellArg; inherit (lib.strings) escapeShellArg;
cfg = config.services.garage; cfg = config.services.garage;
fedicfg = config.fediversity.internal.garage;
concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset); concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
ensureBucketScriptFn = bucket: { website, aliases, corsRules }: ensureBucketScriptFn = bucket: { website, aliases, corsRules }:
let let
@ -43,7 +43,7 @@ let
${optionalString corsRules.enable '' ${optionalString corsRules.enable ''
garage bucket allow --read --write --owner ${bucketArg} --key tmp garage bucket allow --read --write --owner ${bucketArg} --key tmp
# TODO: endpoin-url should not be hard-coded # TODO: endpoin-url should not be hard-coded
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${cfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
garage bucket deny --read --write --owner ${bucketArg} --key tmp garage bucket deny --read --write --owner ${bucketArg} --key tmp
''} ''}
''; '';
@ -138,20 +138,20 @@ in
# virtualisation.forwardPorts = [ # virtualisation.forwardPorts = [
# { # {
# from = "host"; # from = "host";
# host.port = cfg.rpc.port; # host.port = fedicfg.rpc.port;
# guest.port = cfg.rpc.port; # guest.port = fedicfg.rpc.port;
# } # }
# { # {
# from = "host"; # from = "host";
# host.port = cfg.web.port; # host.port = fedicfg.web.port;
# guest.port = cfg.web.port; # guest.port = fedicfg.web.port;
# } # }
# ]; # ];
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
cfg.rpc.port fedicfg.rpc.port
]; ];
services.garage = { services.garage = {
enable = true; enable = true;
@ -161,19 +161,19 @@ in
# TODO: use a secret file # TODO: use a secret file
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
# TODO: why does this have to be set? is there not a sensible default? # TODO: why does this have to be set? is there not a sensible default?
rpc_bind_addr = "[::]:${toString cfg.rpc.port}"; rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}";
rpc_public_addr = "[::1]:${toString cfg.rpc.port}"; rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}";
s3_api.api_bind_addr = "[::]:${toString cfg.api.port}"; s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}";
s3_web.bind_addr = "[::]:${toString cfg.web.port}"; s3_web.bind_addr = "[::]:${toString fedicfg.web.port}";
s3_web.root_domain = ".${cfg.web.rootDomain}"; s3_web.root_domain = ".${fedicfg.web.rootDomain}";
index = "index.html"; index = "index.html";
s3_api.s3_region = "garage"; s3_api.s3_region = "garage";
s3_api.root_domain = ".${cfg.api.domain}"; s3_api.root_domain = ".${fedicfg.api.domain}";
}; };
}; };
services.nginx.virtualHosts."garagePortProxy" = { services.nginx.virtualHosts."garagePortProxy" = {
serverName = "${cfg.web.urlFor "*"}"; # wildcard bucket *.foo.com serverName = "${fedicfg.web.urlFor "*"}"; # wildcard bucket *.foo.com
locations."/" = { locations."/" = {
proxyPass = "localhost:3902"; proxyPass = "localhost:3902";
extraConfig = '' extraConfig = ''
@ -193,7 +193,7 @@ in
# Give Garage time to start up by waiting until somethings speaks HTTP # Give Garage time to start up by waiting until somethings speaks HTTP
# behind Garage's API URL. # behind Garage's API URL.
until ${pkgs.curl}/bin/curl -sio /dev/null ${cfg.api.url}; do sleep 1; done until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done
# XXX: this is very sensitive to being a single instance # XXX: this is very sensitive to being a single instance
# (doing the bare minimum to get garage up and running) # (doing the bare minimum to get garage up and running)
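Review bot: In the hunk at `@ -138,20`, `networking.firewall.allowedTCPPorts = [ fedicfg.rpc.port ]` combined with `rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}"` in the `@ -161,19` hunk exposes Garage's cluster RPC on every interface, even though `rpc_public_addr` is `[::1]` and the `# XXX: this is very sensitive to being a single instance` comment says no remote peer is expected yet. That endpoint is protected only by `rpc_secret`, which sits as a literal in the same file (the `# TODO: use a secret file` above it is still open), so anyone who can read the repository and reach the port can join or talk to the cluster. Until the multi-machine setup the `# TODO: expand to a multi-machine setup` refers to exists, keep the port closed: drop the `allowedTCPPorts` entry, or bind RPC to loopback with `rpc_bind_addr = "[::1]:${toString fedicfg.rpc.port}";`, and when the port is opened load the secret from a file rather than the Nix store. The same consideration applies to the Garage access key `secret` in the first hunk, which the rename does not touch.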