diff --git a/README.md b/README.md index acf1ba90..c7ec46c7 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,8 @@ You can then access the apps on your local machine (using the magic of port forw - [ ] share resources (e.g. s3 storage) between the services - [ ] get garage running on another machine - [ ] get garage replication running (multiple machines) +- [ ] some way of declaratively defining users? +- [ ] shared users between fediverse services # questions diff --git a/garage.nix b/garage.nix index 16e2adbc..ca24ca16 100644 --- a/garage.nix +++ b/garage.nix @@ -9,6 +9,55 @@ in # TODO: expand to a multi-machine setup { config, lib, pkgs, ... }: { # add in options to ensure creation of buckets and keys + options = + let + inherit (lib) types mkOption; + in { + services.garage = { + ensureBuckets = mkOption { + type = types.attrsOf (types.submodule { + options = { + website = mkOption { + type = types.bool; + default = false; + }; + }; + }); + }; + ensureKeys = mkOption { + type = types.attrsOf (types.submodule { + options = { + id = mkOption { + type = types.string; + }; + secret = mkOption { + type = types.string; + }; + # TODO: assert at least one of these is true + ensureAccess = mkOption { + type = types.attrsOf (types.submodule { + options = { + read = mkOption { + type = types.bool; + default = false; + }; + write = mkOption { + type = types.bool; + default = false; + }; + owner = mkOption { + type = types.bool; + default = false; + }; + }; + }); + default = []; + }; + }; + }); + }; + }; + }; config = { virtualisation.vmVariant = { @@ -56,6 +105,7 @@ in set -xeuo pipefail # give garage time to start up sleep 3 + # XXX: this is very sensitive to being a single instance # (bare minimum to get garage up and running) # also, it's crazy that we have to parse command output like this @@ -64,10 +114,25 @@ in LAYOUT_VER=$(garage layout show | perl -ne '/Current cluster layout version: (\d*)/ && print $1') garage layout apply --version $((LAYOUT_VER + 1)) - garage bucket create mastodon - garage key import --yes -n mastodon "${snakeoil_key.id}" "${snakeoil_key.secret}" - garage bucket allow --read --write mastodon --key mastodon - garage bucket website --allow mastodon + ${ + lib.concatStringsSep "\n" (lib.mapAttrsToList (bucket: { website }: '' + garage bucket create ${bucket} + # XXX: should this --deny the website if `website` is false? + ${lib.optionalString website '' + garage bucket website --allow ${bucket} + ''} + '') config.services.garage.ensureBuckets) + } + ${ + lib.concatStringsSep "\n" (lib.mapAttrsToList (key: {id, secret, ensureAccess}: '' + garage key import --yes -n ${key} ${id} ${secret} + ${ + lib.concatStringsSep "\n" (lib.mapAttrsToList (bucket: { read, write, owner }: '' + garage bucket allow ${lib.optionalString read "--read"} ${lib.optionalString write "--write"} ${lib.optionalString owner "--owner"} ${bucket} --key ${key} + '') ensureAccess) + } + '') config.services.garage.ensureKeys) + } ''; }; }; diff --git a/mastodon.nix b/mastodon.nix index 0db77384..ac43ea94 100644 --- a/mastodon.nix +++ b/mastodon.nix @@ -6,6 +6,23 @@ let in { config, lib, pkgs, ... }: lib.mkMerge [ { # garage setup + services.garage = { + ensureBuckets = { + mastodon = { website = true; }; + }; + ensureKeys = { + mastodon = { + inherit (snakeoil_key) id secret; + ensureAccess = { + mastodon = { + read = true; + write = true; + owner = true; + }; + }; + }; + }; + }; services.mastodon = { extraConfig = { S3_ENABLED = "true";