fediversity/simple-nixos-fediverse
Archived
14
1
Fork 2
Code Issues Pull requests Projects Wiki Activity Actions

options for ensuring garage buckets

Browse source
This commit is contained in:
Taeer Bar-Yam 2024-03-27 05:59:50 -04:00
parent 5fd1e115a0
commit 48084fa688
3 changed files with 88 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -64,6 +64,8 @@ You can then access the apps on your local machine (using the magic of port forw
- [ ] share resources (e.g. s3 storage) between the services
- [ ] get garage running on another machine
- [ ] get garage replication running (multiple machines)
- [ ] some way of declaratively defining users?
- [ ] shared users between fediverse services
# questions

73
garage.nix
View file

@ -9,6 +9,55 @@ in
# TODO: expand to a multi-machine setup
{ config, lib, pkgs, ... }: {
# add in options to ensure creation of buckets and keys
options =
let
inherit (lib) types mkOption;
in {
services.garage = {
ensureBuckets = mkOption {
type = types.attrsOf (types.submodule {
options = {
website = mkOption {
type = types.bool;
default = false;
};
};
});
};
ensureKeys = mkOption {
type = types.attrsOf (types.submodule {
options = {
id = mkOption {
type = types.string;
};
secret = mkOption {
type = types.string;
};
# TODO: assert at least one of these is true
ensureAccess = mkOption {
type = types.attrsOf (types.submodule {
options = {
read = mkOption {
type = types.bool;
default = false;
};
write = mkOption {
type = types.bool;
default = false;
};
owner = mkOption {
type = types.bool;
default = false;
};
};
});
default = [];
};
};
});
};
};
};
config = {
virtualisation.vmVariant = {
@ -56,6 +105,7 @@ in
set -xeuo pipefail
# give garage time to start up
sleep 3
# XXX: this is very sensitive to being a single instance
# (bare minimum to get garage up and running)
# also, it's crazy that we have to parse command output like this
@ -64,10 +114,25 @@ in
LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1')
garage layout apply --version $((LAYOUT_VER + 1))
garage bucket create mastodon
garage key import --yes -n mastodon "${snakeoil_key.id}" "${snakeoil_key.secret}"
garage bucket allow --read --write mastodon --key mastodon
garage bucket website --allow mastodon
${
lib.concatStringsSep "\n" (lib.mapAttrsToList (bucket: { website }: ''
garage bucket create ${bucket}
# XXX: should this --deny the website if `website` is false?
${lib.optionalString website ''
garage bucket website --allow ${bucket}
''}
'') config.services.garage.ensureBuckets)
}
${
lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: ''
garage key import --yes -n ${key} ${id} ${secret}
${
lib.concatStringsSep "\n" (lib.mapAttrsToList (bucket: { read, write, owner }: ''
garage bucket allow ${lib.optionalString read "--read"} ${lib.optionalString write "--write"} ${lib.optionalString owner "--owner"} ${bucket} --key ${key}
'') ensureAccess)
}
'') config.services.garage.ensureKeys)
}
'';
};
};

17
mastodon.nix
View file

@ -6,6 +6,23 @@ let
in
{ config, lib, pkgs, ... }: lib.mkMerge [
{ # garage setup
services.garage = {
ensureBuckets = {
mastodon = { website = true; };
};
ensureKeys = {
mastodon = {
inherit (snakeoil_key) id secret;
ensureAccess = {
mastodon = {
read = true;
write = true;
owner = true;
};
};
};
};
};
services.mastodon = {
extraConfig = {
S3_ENABLED = "true";