diff --git a/README.md b/README.md index 9a333017..7fecd12d 100644 --- a/README.md +++ b/README.md @@ -1,43 +1,45 @@ -# How to start up a mastodon VM +# Fediverse VMs + +This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. This is in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver). + +Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small configuration to run in VMs. + +## Running the VMs + +you can build a VM using ```bash -nixos-rebuild build-vm --flake .#mastodon +nixos-rebuild build-vm --flake .# +``` + +where `` is one of `mastodon`, `peertube`, `pixelfed`, or `all` + +and then run it with +```bash ./result/bin/run-nixos-vm ``` -Now you can access mastodon at +You can then access the apps on your local machine (using the magic of port forwarding) at the following addresses -- You will have to "accept the security risk". -- It may take a minute for the webpage to come online. Until then you will see 502 Bad Gateway +- Mastodon: + - You will have to "accept the security risk" + - It may take a minute for the webpage to come online. Until then you will see "502 Bad Gateway" + - (NOTE: currently broken) email sent from the mastodon instance (e.g. for setting up an account) will be accessible at -Remember that if you want to clear the state from one launch to the next, you should delete the `nixos.qcow2` file that is created. +- PeerTube: + - The root account can be accessed with username "root". The password can be obtained by running the following command on the VM: + ```bash + journalctl -u peertube | perl -ne '/password: (.*)/ && print $1' + ``` + - Creating other accounts has to be enabled via the admin interface. `Administration > Configuration > Basic > Enable Signup` or just add an account directly from `Administration > Create user`. But functionality can also be tested from the root account. -- email, when it works, will be accessible at - -## peertube - -```bash -nixos-rebuild build-vm --flake .#peertube -./result/bin/run-nixos-vm -``` - -Now you can access peertube at - -The root account can be logged in with username "root". The password can be obtained with the command -```bash -journalctl -u peertube | perl -ne '/password: (.*)/ && print $1' -``` - -or just - -```bash -journalctl -u peertube | grep password -``` - -and look at the end of the line. - -Creating other accounts has to be enabled via the admin interface. `Administration > Configuration > Basic > Enable Signup` or just add an account directly from `Administration > Create user`. But functionality can also be tested from the root account. +## debugging notes +- it is sometimes useful to `cat result/bin/run-nixos-vm` to see what's really going on (e.g. which ports are getting forwarded) +- relevant systemd services: + - mastodon-web.service + - peertube.service + - unclear yet which pixelfed services are useful # TODOs @@ -57,6 +59,7 @@ Creating other accounts has to be enabled via the admin interface. `Administrati - [x] don't require proxy server - either forward 443 directly, or get mastodon to accept connections on a different port (maybe 3000? see development environment documentation) - [ ] get letter_opener working +- [ ] share resources (e.g. s3 storage) between the services # resources diff --git a/common.nix b/common.nix index 1ec8c201..e3ac132f 100644 --- a/common.nix +++ b/common.nix @@ -32,6 +32,13 @@ "-mon chardev=char0,mode=readline" "-device virtconsole,chardev=char0,nr=0" ]; + # forwardPorts = [ + # { + # from = "host"; + # host.port = 2222; + # guest.port = 22; + # } + # ]; }; }; } diff --git a/flake.nix b/flake.nix index a0024504..d381e12b 100644 --- a/flake.nix +++ b/flake.nix @@ -21,6 +21,16 @@ inherit system; modules = [ ./common.nix ./peertube.nix ]; }; + + pixelfed = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./common.nix ./pixelfed.nix ]; + }; + + all = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ ./common.nix ./mastodon.nix ./peertube.nix ./pixelfed.nix ]; + }; }; devShells.${system}.default = pkgs.mkShell { diff --git a/mastodon.nix b/mastodon.nix index 6a804208..77546d8d 100644 --- a/mastodon.nix +++ b/mastodon.nix @@ -67,17 +67,13 @@ host.port = 44443; guest.port = 443; } - { - from = "host"; - host.port = 2222; - guest.port = 22; - } ]; }; } # mastodon development environment { + networking.firewall.allowedTCPPorts = [ 55001 ]; virtualisation.vmVariant = { config, ... }: { services.mastodon = { # needed so we can directly access mastodon at port 55001 @@ -85,7 +81,7 @@ enableUnixSocket = false; extraConfig = { RAILS_ENV = "development"; - # for letter_opener + # for letter_opener (still doesn't work though) REMOTE_DEV = "true"; }; }; @@ -123,7 +119,7 @@ # rails db:migrate fi ''; - virtualisation.forwardPorts = lib.mkForce [ + virtualisation.forwardPorts = [ { from = "host"; host.port = 55001; diff --git a/peertube.nix b/peertube.nix index 195832c3..3eb6d45c 100644 --- a/peertube.nix +++ b/peertube.nix @@ -13,11 +13,11 @@ instance.name = "PeerTube Test VM"; }; # TODO: use agenix - secrets.secretsFile = pkgs.runCommand "secret-gen" { - nativeBuildInputs = [ pkgs.openssl ]; - } '' - openssl rand -hex 32 > $out + secrets.secretsFile = pkgs.writeText "secret" '' + 574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24 ''; + + # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. redis.createLocally = true; database.createLocally = true; configureNginx = true; diff --git a/pixelfed.nix b/pixelfed.nix new file mode 100644 index 00000000..186fc8b7 --- /dev/null +++ b/pixelfed.nix @@ -0,0 +1,25 @@ +{ config, lib, pkgs, ... }: { + virtualisation.vmVariant = { + networking.firewall.allowedTCPPorts = [ 80 ]; + services.pixelfed = { + enable = true; + domain = "pixelfed.localhost"; + secretFile = pkgs.writeText "secrets.env" '' + APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA + ''; + settings = { + OPEN_REGISTRATION = true; + FORCE_HTTPS_URLS = false; + }; + # TODO: I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options here + nginx = {}; + }; + virtualisation.forwardPorts = [ + { + from = "host"; + host.port = 8000; + guest.port = 80; + } + ]; + }; +}