forked from Fediversity/Fediversity
refactor & cleanup
This commit is contained in:
parent
a4cb05d8a1
commit
230810bf6f
|
@ -1,148 +1,146 @@
|
||||||
{ config, lib, pkgs, ... }: {
|
{ config, lib, pkgs, ... }: lib.mkMerge [
|
||||||
|
# not mastodon related
|
||||||
# open up access to the mastodon web interface
|
{
|
||||||
networking.firewall.allowedTCPPorts = [ 443 ];
|
# let us log in
|
||||||
|
users.mutableUsers = false;
|
||||||
services.mastodon = {
|
users.users.root.hashedPassword = "";
|
||||||
enable = true;
|
services.openssh = {
|
||||||
|
|
||||||
# TODO: set up a domain name, and a DNS service so that this can run not in a vm
|
|
||||||
# localDomain = "domain.social";
|
|
||||||
configureNginx = true;
|
|
||||||
|
|
||||||
# TODO: configure a mailserver so this works
|
|
||||||
# smtp.fromAddress = "mastodon@social.local.gd";
|
|
||||||
|
|
||||||
# TODO: this is hardware-dependent. let's figure it out when we have hardware
|
|
||||||
# streamingProcesses = 1;
|
|
||||||
};
|
|
||||||
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
preliminarySelfsigned = true;
|
|
||||||
# TODO: configure a mailserver so we can set up acme
|
|
||||||
# defaults.email = "test@example.com";
|
|
||||||
};
|
|
||||||
|
|
||||||
# let us log in
|
|
||||||
users.mutableUsers = false;
|
|
||||||
users.users.root.hashedPassword = "";
|
|
||||||
services.openssh = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
PermitRootLogin = "yes";
|
|
||||||
PermitEmptyPasswords = "yes";
|
|
||||||
UsePAM = "no";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# access to convenient things
|
|
||||||
environment.systemPackages = with pkgs; [ w3m python3 ];
|
|
||||||
nix.extraOptions = ''
|
|
||||||
extra-experimental-features = nix-command flakes
|
|
||||||
'';
|
|
||||||
|
|
||||||
# these configurations only apply when producing a VM (e.g. nixos-rebuild build-vm)
|
|
||||||
virtualisation.vmVariant = { config, ... }: {
|
|
||||||
services.mastodon = {
|
|
||||||
# redirects to localhost, but allows it to have a proper domain name
|
|
||||||
# SEE: local.gd
|
|
||||||
localDomain = "social.local.gd";
|
|
||||||
|
|
||||||
smtp = {
|
|
||||||
fromAddress = "mastodon@social.local.gd";
|
|
||||||
createLocally = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
extraConfig = {
|
|
||||||
EMAIL_DOMAIN_ALLOWLIST = "example.com";
|
|
||||||
RAILS_ENV = "development";
|
|
||||||
# for letter_opener
|
|
||||||
REMOTE_DEV = "true";
|
|
||||||
};
|
|
||||||
# database = {
|
|
||||||
# # createLocally = false;
|
|
||||||
# # host = "/run/postgresql";
|
|
||||||
# # port = null;
|
|
||||||
# name = "mastodon_development";
|
|
||||||
# user = "mastodon_development";
|
|
||||||
# };
|
|
||||||
# user = "mastodon_development";
|
|
||||||
|
|
||||||
# database.createLocally = false;
|
|
||||||
|
|
||||||
# from the documentation: recommended is the amount of your CPU cores minus one.
|
|
||||||
# but it also must be a positive integer
|
|
||||||
streamingProcesses = let
|
|
||||||
ncores = config.virtualisation.cores;
|
|
||||||
max = x: y: if x > y then x else y;
|
|
||||||
in
|
|
||||||
max 1 (ncores - 1);
|
|
||||||
};
|
|
||||||
|
|
||||||
# users.users.mastodon_development = {
|
|
||||||
# isSystemUser = true;
|
|
||||||
# home = config.services.mastodon.package;
|
|
||||||
# group = "mastodon";
|
|
||||||
# packages = [ config.services.mastodon.package pkgs.imagemagick ];
|
|
||||||
# };
|
|
||||||
|
|
||||||
services.postgresql = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureUsers = [
|
settings = {
|
||||||
{
|
PermitRootLogin = "yes";
|
||||||
name = config.services.mastodon.database.user;
|
PermitEmptyPasswords = "yes";
|
||||||
ensureClauses.createdb = true;
|
UsePAM = "no";
|
||||||
# ensurePermissions."mastodon_development_test.*" = "ALL PRIVILEGES";
|
};
|
||||||
}
|
|
||||||
];
|
|
||||||
# ensureDatabases = [ "mastodon_development_test" ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.mastodon-init-db.script = lib.mkForce ''
|
# access to convenient things
|
||||||
if [ `psql -c \
|
environment.systemPackages = with pkgs; [ w3m python3 ];
|
||||||
"select count(*) from pg_class c \
|
nix.extraOptions = ''
|
||||||
join pg_namespace s on s.oid = c.relnamespace \
|
extra-experimental-features = nix-command flakes
|
||||||
where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
|
|
||||||
and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then
|
|
||||||
echo "Seeding database"
|
|
||||||
rails db:setup
|
|
||||||
# SAFETY_ASSURED=1 rails db:schema:load
|
|
||||||
rails db:seed
|
|
||||||
else
|
|
||||||
echo "Migrating database (this might be a noop)"
|
|
||||||
rails db:migrate
|
|
||||||
fi
|
|
||||||
'';
|
'';
|
||||||
|
}
|
||||||
|
|
||||||
|
# mastodon setup
|
||||||
|
{
|
||||||
|
# open up access to the mastodon web interface
|
||||||
|
networking.firewall.allowedTCPPorts = [ 443 ];
|
||||||
|
|
||||||
|
services.mastodon = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
# TODO: set up a domain name, and a DNS service so that this can run not in a vm
|
||||||
|
# localDomain = "domain.social";
|
||||||
|
configureNginx = true;
|
||||||
|
|
||||||
|
# TODO: configure a mailserver so this works
|
||||||
|
# smtp.fromAddress = "mastodon@mastodon.localhost";
|
||||||
|
|
||||||
|
# TODO: this is hardware-dependent. let's figure it out when we have hardware
|
||||||
|
# streamingProcesses = 1;
|
||||||
|
};
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
defaults = {
|
acceptTerms = true;
|
||||||
# invalid server; the systemd service will fail, and we won't get properly signed certificates
|
preliminarySelfsigned = true;
|
||||||
# but let's not spam the letsencrypt servers (and we don't own this domain anyways)
|
# TODO: configure a mailserver so we can set up acme
|
||||||
server = "https://127.0.0.1";
|
# defaults.email = "test@example.com";
|
||||||
email = "none";
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
# VM setup
|
||||||
|
{
|
||||||
|
# these configurations only apply when producing a VM (e.g. nixos-rebuild build-vm)
|
||||||
|
virtualisation.vmVariant = { config, ... }: {
|
||||||
|
services.mastodon = {
|
||||||
|
# redirects to localhost, but allows it to have a proper domain name
|
||||||
|
localDomain = "mastodon.localhost";
|
||||||
|
|
||||||
|
smtp = {
|
||||||
|
fromAddress = "mastodon@mastodon.localhost";
|
||||||
|
createLocally = false;
|
||||||
|
};
|
||||||
|
|
||||||
|
extraConfig = {
|
||||||
|
EMAIL_DOMAIN_ALLOWLIST = "example.com";
|
||||||
|
};
|
||||||
|
|
||||||
|
# from the documentation: recommended is the amount of your CPU cores minus one.
|
||||||
|
# but it also must be a positive integer
|
||||||
|
streamingProcesses = let
|
||||||
|
ncores = config.virtualisation.cores;
|
||||||
|
max = x: y: if x > y then x else y;
|
||||||
|
in
|
||||||
|
max 1 (ncores - 1);
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
|
security.acme = {
|
||||||
# extraConfig = ''
|
defaults = {
|
||||||
# add_header Referrer-Policy "same-origin";
|
# invalid server; the systemd service will fail, and we won't get properly signed certificates
|
||||||
# '';
|
# but let's not spam the letsencrypt servers (and we don't own this domain anyways)
|
||||||
};
|
server = "https://127.0.0.1";
|
||||||
|
email = "none";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
virtualisation.memorySize = 2048;
|
virtualisation.memorySize = 2048;
|
||||||
virtualisation.forwardPorts = [
|
virtualisation.forwardPorts = [
|
||||||
{
|
{
|
||||||
from = "host";
|
from = "host";
|
||||||
host.port = 44443;
|
host.port = 44443;
|
||||||
guest.port = 443;
|
guest.port = 443;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
from = "host";
|
from = "host";
|
||||||
host.port = 2222;
|
host.port = 2222;
|
||||||
guest.port = 22;
|
guest.port = 22;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# mastodon development environment
|
||||||
|
{
|
||||||
|
virtualisation.vmVariant = { config, ... }: {
|
||||||
|
services.mastodon = {
|
||||||
|
extraConfig = {
|
||||||
|
RAILS_ENV = "development";
|
||||||
|
# for letter_opener
|
||||||
|
REMOTE_DEV = "true";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = config.services.mastodon.database.user;
|
||||||
|
ensureClauses.createdb = true;
|
||||||
|
# ensurePermissions doesn't work anymore
|
||||||
|
# ensurePermissions = {
|
||||||
|
# "mastodon_development.*" = "ALL PRIVILEGES";
|
||||||
|
# "mastodon_test.*" = "ALL PRIVILEGES";
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
];
|
||||||
|
# ensureDatabases = [ "mastodon_development_test" "mastodon_test" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# run rails db:seed so that mastodon sets up the databases for us
|
||||||
|
systemd.services.mastodon-init-db.script = lib.mkForce ''
|
||||||
|
if [ `psql -c \
|
||||||
|
"select count(*) from pg_class c \
|
||||||
|
join pg_namespace s on s.oid = c.relnamespace \
|
||||||
|
where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
|
||||||
|
and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then
|
||||||
|
echo "Seeding database"
|
||||||
|
rails db:setup
|
||||||
|
# SAFETY_ASSURED=1 rails db:schema:load
|
||||||
|
rails db:seed
|
||||||
|
else
|
||||||
|
echo "Migrating database (this might be a noop)"
|
||||||
|
rails db:migrate
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
|
]
|
||||||
|
|
Loading…
Reference in a new issue