fricklerhandwerk/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Clean up services and put Garage on a different machine ()

Browse source
This commit is contained in:
Nicolas Jeannerod 2025-02-21 20:24:14 +01:00
commit 5c7ac44387
Signed by untrusted user: Niols
GPG key ID: 35DB9EC8886E1CB8
24 changed files with 877 additions and 651 deletions

86
deployment/flake-part.nix
View file

@ -71,40 +71,82 @@ in
};
};
## NOTE: All of these secrets are publicly available in this source file
## and will end up in the Nix store. We don't care as they are only ever
## used for testing anyway.
pixelfedS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
mastodonS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
peertubeS3KeyConfig =
{ pkgs, ... }:
{
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in
{
providers = { inherit (inputs.nixops4.modules.nixops4Provider) local; };
resources = {
fedi101 = makeProcolixVmResource 101 {
fediversity = {
enable = true;
domain = "fedi101.abundos.eu";
pixelfed.enable = true;
};
};
fedi100 = makeProcolixVmResource 100 (
{ pkgs, ... }:
{
fediversity = {
domain = "abundos.eu";
garage.enable = true;
pixelfed = pixelfedS3KeyConfig { inherit pkgs; };
mastodon = mastodonS3KeyConfig { inherit pkgs; };
peertube = peertubeS3KeyConfig { inherit pkgs; };
};
}
);
fedi102 = makeProcolixVmResource 102 {
fediversity = {
enable = true;
domain = "fedi102.abundos.eu";
mastodon.enable = true;
fedi101 = makeProcolixVmResource 101 (
{ pkgs, ... }:
{
fediversity = {
domain = "abundos.eu";
pixelfed = pixelfedS3KeyConfig { inherit pkgs; } // {
enable = true;
};
};
}
);
temp.cores = 1; # FIXME: should come from NixOps4 eventually
};
};
fedi102 = makeProcolixVmResource 102 (
{ pkgs, ... }:
{
fediversity = {
domain = "abundos.eu";
mastodon = mastodonS3KeyConfig { inherit pkgs; } // {
enable = true;
};
temp.cores = 1; # FIXME: should come from NixOps4 eventually
};
}
);
fedi103 = makeProcolixVmResource 103 (
{ pkgs, ... }:
{
fediversity = {
enable = true;
domain = "fedi103.abundos.eu";
peertube.enable = true;
temp.peertubeSecretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
domain = "abundos.eu";
peertube = peertubeS3KeyConfig { inherit pkgs; } // {
enable = true;
## NOTE: Only ever used for testing anyway.
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
};
};
}
);

120
services/HACKING.md Normal file
View file

@ -0,0 +1,120 @@
NOTE[Niols]: This file looks like a README file but is in fact development notes
from a previous engineer of the project. Needs an overhaul.
# Fediverse VMs
This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.
Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small set of configurations to run in VMs.
## Running the VMs
you can build a VM using
```bash
nixos-rebuild build-vm --flake .#<vm_name>
```
where `<vm_name>` is one of `mastodon`, `peertube`, `pixelfed`, or `all`
and then run it with
```bash
./result/bin/run-nixos-vm
```
After the machine boots, you should be dropped into a root shell.
Note that state will be persisted in the `nixos.cqow2` file. Delete that and restart the VM to reset the state.
With the VM running, you can then access the apps on your local machine's web browser (using the magic of port forwarding) at the following addresses
NOTE: it sometimes takes a while for the services to start up, and in the meantime you will get 502 Bad Gateway.
- Mastodon: through the reverse proxy at <https://mastodon.localhost:8443> and directly at <http://mastodon.localhost:55001>
- You can create accounts on the machine itself by running `mastodon-tootctl accounts create test --email test@test.com --confirmed --approve`
- Account-related activities (logging in/out; preferences) can only be done on the insecure direct page <http://mastodon.localhost:55001>
- After you've logged in, you can go back to the secure page and you will remain logged in
- some operations may remove the port number from the URL. You'll have to add that back in manually
- PeerTube: <http://peertube.localhost:9000>
- The root account can be accessed with username "root". The password can be obtained by running the following command on the VM:
```bash
journalctl -u peertube | perl -ne '/password: (.*)/ && print $1'
```
- Creating other accounts has to be enabled via the admin interface. `Administration > Configuration > Basic > Enable Signup` or just add an account directly from `Administration > Create user`. But functionality can also be tested from the root account.
- Pixelfed: through the reverse proxy at <http://pixelfed.localhost:8080>
- Account creation via the web interface won't work until we figure out email
- For now, they can be created on the VM command line
```bash
pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
```
# Building an installer image
Build an installer image for the desired configuration, e.g. for `peertube`:
```bash
nix build .#installers.peertube
```
Upload the image in `./result` to Proxmox when creating a VM.
Booting the image will format the disk and install NixOS with the desired configuration.
## debugging notes
- it is sometimes useful to `cat result/bin/run-nixos-vm` to see what's really going on (e.g. which ports are getting forwarded)
- relevant systemd services:
- mastodon-web.service
- peertube.service
- the `garage` CLI command gives information about garage storage, but cannot be used to actually inspect the contents. use `mc` (minio) for that
- run `mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY`
- in the chromium devtools, you can go to the networking tab and change things like response headers in a way that persists through reloads. this is much faster iteration time if that's what you need to epxeriment with.
## NixOS Tests
Tests live in the aptly named `tests/` directory, and can be accessed at the flake URI `.#checks.<system>.<test-name>` e.g. `nix build .#checks.x86_64-linux.mastodon-garage`.
They can also be run interactively with
```
nix build .#checks.<system>.<test>.driverInteractive
./result/bin/nixos-test-driver 2>output
````
you can `less output` and then `F` from a different terminal to follow along.
These tests are also equiped with the same port forwarding as the VMs, so when running interactively you should be able to access services through a browser running on your machine.
While running interactively, `rebuildableTests` allows you to modify the test nodes and then redeploy without restarting the test and waiting for the VMs to start up again. To do this you must start the jumphost by running `redeploy_jumphost.start()` inside the driver. Then from the command line
```
nix build .#checks.<system>.<test>.driverInteractive
./result/bin/rebuild
```
# questions
- what is meant to be shared between instances?
- this is relevant to the security model. If garage is being shared between instances, we have to be careful having configurations depend on each other.
- they are to be shared, BUT the user will have no direct control over configuration.
# resources
- Tutorial for setting up better logging: https://krisztianfekete.org/self-hosting-mastodon-on-nixos-a-proof-of-concept/
- Setting up mastodon development environment: https://docs.joinmastodon.org/dev/setup/
- Tutorial for PeerTube that doesn't use `createLocally`: https://wiki.nixos.org/wiki/PeerTube
- garage settings for specific apps: https://garagehq.deuxfleurs.fr/documentation/connect/apps/
- pixelfed has terrible / mostly non-existent documentation)
- for when we start worry about scaling up: https://docs.joinmastodon.org/admin/scaling/
# notes
When mastodon is running in production mode, we have a few problems:
- you have to click "accept the security risk"
- it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
- email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working.
- mastodon is trying to fetch `missing.png` without ssl (`http://`). This isn't allowed, and i'm not sure why it's doing it.
- mastodon is trying to fetch `custom.css` from https://mastodon.localhost (no port), which is not the configured `LOCAL_DOMAIN`, so it's unclear why.
NixOS tests do not take the configuration from `virtualisation.vmVariant`. This seems like an oversight since people don't tend to mix normal NixOS configurations with the ones they're using for tests. This should be pretty easy to rectify upstream.

130
services/README.md
View file

@ -1,117 +1,31 @@
# Fediverse VMs
# Services
This repo is, for now, an attempt to familiarize myself with NixOS options for Fediverse applications, and build up a configuration layer that will set most of the relevant options for you (in a semi-opinionated way) given some high-level configuration. The goal is something in the same vein as [nixos-mailserver](https://gitlab.com/simple-nixos-mailserver/nixos-mailserver) but for fediversity.
This directory contains the definition of a NixOS module allowing to easily set
up the Fediverse services that our project cares about. Those services are
already packaged in nixpkgs, which arguably already provides this. Here is
therefore the important distinction:
Eventually, this will be tailored to high-throughput multi-machine setups. For now, it's just a small set of configurations to run in VMs.
- The goal of nixpkgs is to be generic, bring all the building blocks and let
you do whatever it is you want with them. You get to choose all the options,
if to use a reverse proxy, which one, if to use an S3 backend, which one,
which database, etc.
## Running the VMs
- This module aims at being straightforward to use by being opinionated. It only
supports the use case of the Fediversity project and strives to hide as much
of the nitty-gritty details as possible.
you can build a VM using
For those that know it, we could say that the current module is an analogous of
[simple-nixos-mailserver] for Fediverse services.
```bash
nixos-rebuild build-vm --flake .#<vm_name>
```
[simple-nixos-mailserver]: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver
where `<vm_name>` is one of `mastodon`, `peertube`, `pixelfed`, or `all`
## Content of this directory
and then run it with
```bash
./result/bin/run-nixos-vm
```
- [fediversity][./fediversity] contains the definition of the services. Look in
particular at its `default.nix` that contains the definition of the options.
After the machine boots, you should be dropped into a root shell.
- [vm][./vm] contains options specific to making the service run in local QEMU
VMs. These modules will for instance override the defaults to disable SSL, and
they will add virtualisation options to forward ports, for instance.
Note that state will be persisted in the `nixos.cqow2` file. Delete that and restart the VM to reset the state.
With the VM running, you can then access the apps on your local machine's web browser (using the magic of port forwarding) at the following addresses
NOTE: it sometimes takes a while for the services to start up, and in the meantime you will get 502 Bad Gateway.
- Mastodon: through the reverse proxy at <https://mastodon.localhost:8443> and directly at <http://mastodon.localhost:55001>
- You can create accounts on the machine itself by running `mastodon-tootctl accounts create test --email test@test.com --confirmed --approve`
- Account-related activities (logging in/out; preferences) can only be done on the insecure direct page <http://mastodon.localhost:55001>
- After you've logged in, you can go back to the secure page and you will remain logged in
- some operations may remove the port number from the URL. You'll have to add that back in manually
- PeerTube: <http://peertube.localhost:9000>
- The root account can be accessed with username "root". The password can be obtained by running the following command on the VM:
```bash
journalctl -u peertube | perl -ne '/password: (.*)/ && print $1'
```
- Creating other accounts has to be enabled via the admin interface. `Administration > Configuration > Basic > Enable Signup` or just add an account directly from `Administration > Create user`. But functionality can also be tested from the root account.
- Pixelfed: through the reverse proxy at <http://pixelfed.localhost:8080>
- Account creation via the web interface won't work until we figure out email
- For now, they can be created on the VM command line
```bash
pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
```
# Building an installer image
Build an installer image for the desired configuration, e.g. for `peertube`:
```bash
nix build .#installers.peertube
```
Upload the image in `./result` to Proxmox when creating a VM.
Booting the image will format the disk and install NixOS with the desired configuration.
## debugging notes
- it is sometimes useful to `cat result/bin/run-nixos-vm` to see what's really going on (e.g. which ports are getting forwarded)
- relevant systemd services:
- mastodon-web.service
- peertube.service
- the `garage` CLI command gives information about garage storage, but cannot be used to actually inspect the contents. use `mc` (minio) for that
- run `mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY`
- in the chromium devtools, you can go to the networking tab and change things like response headers in a way that persists through reloads. this is much faster iteration time if that's what you need to epxeriment with.
## NixOS Tests
Tests live in the aptly named `tests/` directory, and can be accessed at the flake URI `.#checks.<system>.<test-name>` e.g. `nix build .#checks.x86_64-linux.mastodon-garage`.
They can also be run interactively with
```
nix build .#checks.<system>.<test>.driverInteractive
./result/bin/nixos-test-driver 2>output
````
you can `less output` and then `F` from a different terminal to follow along.
These tests are also equiped with the same port forwarding as the VMs, so when running interactively you should be able to access services through a browser running on your machine.
While running interactively, `rebuildableTests` allows you to modify the test nodes and then redeploy without restarting the test and waiting for the VMs to start up again. To do this you must start the jumphost by running `redeploy_jumphost.start()` inside the driver. Then from the command line
```
nix build .#checks.<system>.<test>.driverInteractive
./result/bin/rebuild
```
# questions
- what is meant to be shared between instances?
- this is relevant to the security model. If garage is being shared between instances, we have to be careful having configurations depend on each other.
- they are to be shared, BUT the user will have no direct control over configuration.
# resources
- Tutorial for setting up better logging: https://krisztianfekete.org/self-hosting-mastodon-on-nixos-a-proof-of-concept/
- Setting up mastodon development environment: https://docs.joinmastodon.org/dev/setup/
- Tutorial for PeerTube that doesn't use `createLocally`: https://wiki.nixos.org/wiki/PeerTube
- garage settings for specific apps: https://garagehq.deuxfleurs.fr/documentation/connect/apps/
- pixelfed has terrible / mostly non-existent documentation)
- for when we start worry about scaling up: https://docs.joinmastodon.org/admin/scaling/
# notes
When mastodon is running in production mode, we have a few problems:
- you have to click "accept the security risk"
- it takes a while for the webpage to come online. Until then you see "502 Bad Gateway"
- email sent from the mastodon instance (e.g. for account confirmation) should be accessible at <https://mastodon.localhost:55001/letter_opener>, but it's not working.
- mastodon is trying to fetch `missing.png` without ssl (`http://`). This isn't allowed, and i'm not sure why it's doing it.
- mastodon is trying to fetch `custom.css` from https://mastodon.localhost (no port), which is not the configured `LOCAL_DOMAIN`, so it's unclear why.
NixOS tests do not take the configuration from `virtualisation.vmVariant`. This seems like an oversight since people don't tend to mix normal NixOS configurations with the ones they're using for tests. This should be pretty easy to rectify upstream.
- [tests][./tests] contain full NixOS tests of the services.

95
services/fediversity/default.nix
View file

@ -1,23 +1,20 @@
{ lib, config, ... }:
let
inherit (builtins) toString;
inherit (lib) mkOption mkEnableOption mkForce;
inherit (lib) mkOption;
inherit (lib.types) types;
in
{
imports = [
./garage.nix
./mastodon.nix
./pixelfed.nix
./peertube.nix
./garage
./mastodon
./pixelfed
./peertube
];
options = {
fediversity = {
enable = mkEnableOption "the collection of services bundled under Fediversity";
domain = mkOption {
type = types.str;
description = ''
@ -28,10 +25,6 @@ in
'';
};
mastodon.enable = mkEnableOption "default Fediversity Mastodon configuration";
pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
peertube.enable = mkEnableOption "default Fediversity PeerTube configuration";
temp = mkOption {
description = "options that are only used while developing; should be removed eventually";
default = { };
@ -41,79 +34,6 @@ in
description = "number of cores; should be obtained from NixOps4";
type = types.int;
};
peertubeSecretsFile = mkOption {
description = "should it be provided by NixOps4? or maybe we should just ask for a main secret from which to derive all the others?";
type = types.path;
};
};
};
};
internal = mkOption {
description = "options that are only meant to be used internally; change at your own risk";
default = { };
type = types.submodule {
options = {
garage = {
api = {
domain = mkOption {
type = types.str;
default = "s3.garage.${config.fediversity.domain}";
};
port = mkOption {
type = types.int;
default = 3900;
};
url = mkOption {
type = types.str;
default = "http://${config.fediversity.internal.garage.api.domain}:${toString config.fediversity.internal.garage.api.port}";
};
};
rpc = {
port = mkOption {
type = types.int;
default = 3901;
};
};
web = {
rootDomain = mkOption {
type = types.str;
default = "web.garage.${config.fediversity.domain}";
};
internalPort = mkOption {
type = types.int;
default = 3902;
};
domainForBucket = mkOption {
type = types.functionTo types.str;
default = bucket: "${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
};
urlForBucket = mkOption {
type = types.functionTo types.str;
default = bucket: "http://${config.fediversity.internal.garage.web.domainForBucket bucket}";
};
};
};
## REVIEW: Do we want to recreate options under
## `fediversity.internal` or would we rather use the options from
## the respective services? See Taeer's comment:
## https://git.fediversity.eu/taeer/simple-nixos-fediverse/pulls/22#issuecomment-124
pixelfed.domain = mkOption {
type = types.str;
default = "pixelfed.${config.fediversity.domain}";
};
mastodon.domain = mkOption {
type = types.str;
default = "mastodon.${config.fediversity.domain}";
};
peertube.domain = mkOption {
type = types.str;
default = "peertube.${config.fediversity.domain}";
};
};
};
};
@ -128,10 +48,5 @@ in
defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com";
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
## NOTE: For a one-machine deployment, this removes the need to provide an
## `s3.garage.<domain>` domain. However, this will quickly stop working once
## we go to multi-machines deployment.
fediversity.internal.garage.api.domain = mkForce "s3.garage.localhost";
};
}

137
services/fediversity/garage.nix → services/fediversity/garage/default.nix
View file

@ -7,7 +7,6 @@ let
};
in
# TODO: expand to a multi-machine setup
{
config,
lib,
@ -17,18 +16,13 @@ in
let
inherit (builtins) toString;
inherit (lib)
types
mkOption
mkEnableOption
optionalString
concatStringsSep
;
inherit (lib) optionalString concatStringsSep mkIf;
inherit (lib.strings) escapeShellArg;
inherit (lib.attrsets) filterAttrs mapAttrs';
cfg = config.services.garage;
fedicfg = config.fediversity.internal.garage;
concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
cfg = config.services.garage;
ensureBucketScriptFn =
bucket:
{
@ -68,11 +62,13 @@ let
${optionalString corsRules.enable ''
garage bucket allow --read --write --owner ${bucketArg} --key tmp
# TODO: endpoin-url should not be hard-coded
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
garage bucket deny --read --write --owner ${bucketArg} --key tmp
''}
'';
ensureBucketsScript = concatMapAttrs ensureBucketScriptFn cfg.ensureBuckets;
ensureBucketsScript = concatMapAttrs ensureBucketScriptFn config.fediversity.garage.ensureBuckets;
ensureAccessScriptFn =
key: bucket:
{
@ -87,100 +83,37 @@ let
ensureKeyScriptFn =
key:
{
id,
secret,
s3AccessKeyFile,
s3SecretKeyFile,
ensureAccess,
}:
''
## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || :
garage key import --yes -n ${escapeShellArg key} $(cat ${escapeShellArg s3AccessKeyFile}) $(cat ${escapeShellArg s3SecretKeyFile}) || :
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
'';
ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
ensureKeysScript = concatMapAttrs ensureKeyScriptFn config.fediversity.garage.ensureKeys;
in
{
# add in options to ensure creation of buckets and keys
options = {
services.garage = {
ensureBuckets = mkOption {
type = types.attrsOf (
types.submodule {
options = {
website = mkOption {
type = types.bool;
default = false;
};
# I think setting corsRules should allow another website to show images from your bucket
corsRules = {
enable = mkEnableOption "CORS Rules";
allowedHeaders = mkOption {
type = types.listOf types.str;
default = [ ];
};
allowedMethods = mkOption {
type = types.listOf types.str;
default = [ ];
};
allowedOrigins = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
aliases = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
}
);
default = { };
};
ensureKeys = mkOption {
type = types.attrsOf (
types.submodule {
# TODO: these should be managed as secrets, not in the nix store
options = {
id = mkOption { type = types.str; };
secret = mkOption { type = types.str; };
# TODO: assert at least one of these is true
# NOTE: this currently needs to be done at the top level module
ensureAccess = mkOption {
type = types.attrsOf (
types.submodule {
options = {
read = mkOption {
type = types.bool;
default = false;
};
write = mkOption {
type = types.bool;
default = false;
};
owner = mkOption {
type = types.bool;
default = false;
};
};
}
);
default = [ ];
};
};
}
);
default = { };
};
};
};
imports = [ ./options.nix ];
config = lib.mkIf config.fediversity.enable {
config = mkIf config.fediversity.garage.enable {
environment.systemPackages = [
pkgs.minio-client
pkgs.awscli
];
networking.firewall.allowedTCPPorts = [ fedicfg.rpc.port ];
## REVIEW: Do we want to reverse proxy the RPC and API ports? In fact,
## shouldn't we just get rid of RPC at all, we're not using it.
networking.firewall.allowedTCPPorts = [
80
443
config.fediversity.garage.api.port
config.fediversity.garage.rpc.port
];
services.garage = {
enable = true;
package = pkgs.garage_0_9;
@ -189,18 +122,20 @@ in
# TODO: use a secret file
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
# TODO: why does this have to be set? is there not a sensible default?
rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}";
rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}";
s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}";
s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}";
s3_web.root_domain = ".${fedicfg.web.rootDomain}";
rpc_bind_addr = "[::]:${toString config.fediversity.garage.rpc.port}";
rpc_public_addr = "[::1]:${toString config.fediversity.garage.rpc.port}";
s3_api.api_bind_addr = "[::]:${toString config.fediversity.garage.api.port}";
s3_web.bind_addr = "[::]:${toString config.fediversity.garage.web.internalPort}";
s3_web.root_domain = ".${config.fediversity.garage.web.rootDomain}";
index = "index.html";
s3_api.s3_region = "garage";
s3_api.root_domain = ".${fedicfg.api.domain}";
s3_api.root_domain = ".${config.fediversity.garage.api.domain}";
};
};
services.nginx.enable = true;
## Create a proxy from <bucket>.web.garage.<domain> to localhost:3902 for
## each bucket that has `website = true`.
services.nginx.virtualHosts =
@ -225,9 +160,9 @@ in
};
in
mapAttrs' (bucket: _: {
name = fedicfg.web.domainForBucket bucket;
name = config.fediversity.garage.web.domainForBucket bucket;
inherit value;
}) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets);
}) (filterAttrs (_: { website, ... }: website) config.fediversity.garage.ensureBuckets);
systemd.services.ensure-garage = {
after = [ "garage.service" ];
@ -245,7 +180,7 @@ in
# Give Garage time to start up by waiting until somethings speaks HTTP
# behind Garage's API URL.
until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done
until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.garage.api.url}; do sleep 1; done
# XXX: this is very sensitive to being a single instance
# (doing the bare minimum to get garage up and running)

123
services/fediversity/garage/options.nix Normal file
View file

@ -0,0 +1,123 @@
{ config, lib, ... }:
let
inherit (lib) types mkOption mkEnableOption;
in
{
options.fediversity.garage = {
enable = mkEnableOption "Enable a Garage server on the machine";
ensureBuckets = mkOption {
type = types.attrsOf (
types.submodule {
options = {
website = mkOption {
type = types.bool;
default = false;
};
# I think setting corsRules should allow another website to show images from your bucket
corsRules = {
enable = mkEnableOption "CORS Rules";
allowedHeaders = mkOption {
type = types.listOf types.str;
default = [ ];
};
allowedMethods = mkOption {
type = types.listOf types.str;
default = [ ];
};
allowedOrigins = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
aliases = mkOption {
type = types.listOf types.str;
default = [ ];
};
};
}
);
default = { };
};
ensureKeys = mkOption {
type = types.attrsOf (
types.submodule {
options = {
s3AccessKeyFile = mkOption { type = types.path; };
s3SecretKeyFile = mkOption { type = types.path; };
# TODO: assert at least one of these is true
# NOTE: this currently needs to be done at the top level module
ensureAccess = mkOption {
type = types.attrsOf (
types.submodule {
options = {
read = mkOption {
type = types.bool;
default = false;
};
write = mkOption {
type = types.bool;
default = false;
};
owner = mkOption {
type = types.bool;
default = false;
};
};
}
);
default = [ ];
};
};
}
);
default = { };
};
api = {
domain = mkOption {
type = types.str;
default = "s3.garage.${config.fediversity.domain}";
};
port = mkOption {
type = types.int;
default = 3900;
};
url = mkOption {
type = types.str;
default = "http://${config.fediversity.garage.api.domain}:${toString config.fediversity.garage.api.port}";
};
};
rpc = {
port = mkOption {
type = types.int;
default = 3901;
};
};
web = {
rootDomain = mkOption {
type = types.str;
default = "web.garage.${config.fediversity.domain}";
};
internalPort = mkOption {
type = types.int;
default = 3902;
};
domainForBucket = mkOption {
type = types.functionTo types.str;
default = bucket: "${bucket}.${config.fediversity.garage.web.rootDomain}";
};
urlForBucket = mkOption {
type = types.functionTo types.str;
default = bucket: "http://${config.fediversity.garage.web.domainForBucket bucket}";
};
};
};
}

87
services/fediversity/mastodon.nix
View file

@ -1,87 +0,0 @@
let
snakeoil_key = {
id = "GK3515373e4c851ebaad366558";
secret = "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
in
{ config, lib, ... }:
lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
#### garage setup
services.garage = {
ensureBuckets = {
mastodon = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
mastodon = {
inherit (snakeoil_key) id secret;
ensureAccess = {
mastodon = {
read = true;
write = true;
owner = true;
};
};
};
};
};
services.mastodon = {
extraConfig = rec {
S3_ENABLED = "true";
# TODO: this shouldn't be hard-coded, it should come from the garage configuration
S3_ENDPOINT = config.fediversity.internal.garage.api.url;
S3_REGION = "garage";
S3_BUCKET = "mastodon";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
AWS_ACCESS_KEY_ID = snakeoil_key.id;
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
S3_PROTOCOL = "http";
S3_ALIAS_HOST = "${S3_BUCKET}.${config.fediversity.internal.garage.web.rootDomain}";
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
};
#### mastodon setup
# open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [
80
443
];
services.mastodon = {
enable = true;
localDomain = config.fediversity.internal.mastodon.domain;
configureNginx = true;
# from the documentation: recommended is the amount of your CPU cores minus
# one. but it also must be a positive integer
streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1);
# TODO: configure a mailserver so this works
smtp = {
fromAddress = "noreply@${config.fediversity.internal.mastodon.domain}";
createLocally = false;
};
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
# TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com";
};
}

112
services/fediversity/mastodon/default.nix Normal file
View file

@ -0,0 +1,112 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkMerge readFile;
inherit (pkgs) writeText;
in
{
imports = [ ./options.nix ];
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.mastodon.s3AccessKeyFile != null
&& config.fediversity.mastodon.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
mastodon = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
mastodon = {
inherit (config.fediversity.mastodon) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
mastodon = {
read = true;
write = true;
owner = true;
};
};
};
};
};
}
)
(mkIf config.fediversity.mastodon.enable {
services.mastodon.extraConfig = rec {
S3_ENABLED = "true";
# TODO: this shouldn't be hard-coded, it should come from the garage configuration
S3_ENDPOINT = config.fediversity.garage.api.url;
S3_REGION = "garage";
S3_BUCKET = "mastodon";
# use <S3_BUCKET>.<S3_ENDPOINT>
S3_OVERRIDE_PATH_STLE = "true";
S3_PROTOCOL = "http";
S3_ALIAS_HOST = config.fediversity.garage.web.domainForBucket S3_BUCKET;
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
# TODO: can we set up ACLs with garage?
S3_PERMISSION = "";
};
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
services.mastodon.extraEnvFiles = [
(writeText "s3AccessKey" ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.mastodon.s3AccessKeyFile}
'')
(writeText "s3SecretKey" ''
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.mastodon.s3SecretKeyFile}
'')
];
# open up access to the mastodon web interface. 80 is necessary if only for ACME
networking.firewall.allowedTCPPorts = [
80
443
];
services.mastodon = {
enable = true;
localDomain = config.fediversity.mastodon.domain;
configureNginx = true;
# from the documentation: recommended is the amount of your CPU cores minus
# one. but it also must be a positive integer
streamingProcesses = lib.max 1 (config.fediversity.temp.cores - 1);
# TODO: configure a mailserver so this works
smtp = {
fromAddress = "noreply@${config.fediversity.mastodon.domain}";
createLocally = false;
};
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
# TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com";
};
})
];
}

14
services/fediversity/mastodon/options.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, ... }:
{
options.fediversity.mastodon =
(import ../sharedOptions.nix {
inherit config lib;
serviceName = "mastodon";
serviceDocName = "Mastodon";
})
//
{
};
}

119
services/fediversity/peertube.nix
View file

@ -1,119 +0,0 @@
let
snakeoil_key = {
id = "GK1f9feea9960f6f95ff404c9b";
secret = "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
in
{ config, lib, ... }:
lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
networking.firewall.allowedTCPPorts = [
80
443
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
services.garage = {
ensureBuckets = {
peertube-videos = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (snakeoil_key) id secret;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
};
};
};
services.peertube = {
enable = true;
localDomain = config.fediversity.internal.peertube.domain;
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
redis.createLocally = true;
database.createLocally = true;
secrets.secretsFile = config.fediversity.temp.peertubeSecretsFile;
settings = {
object_storage = {
enabled = true;
endpoint = config.fediversity.internal.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# not supported by garage
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
web_videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
};
};
};
serviceEnvironmentFile = "/etc/peertube-env";
};
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${snakeoil_key.id}
AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret}
'';
## Proxying through Nginx
services.peertube = {
configureNginx = true;
listenWeb = 443;
enableWebHttps = true;
};
services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true;
enableACME = true;
};
}

135
services/fediversity/peertube/default.nix Normal file
View file

@ -0,0 +1,135 @@
{ config, lib, ... }:
let
inherit (lib) mkIf mkMerge readFile;
in
{
imports = [ ./options.nix ];
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.peertube.s3AccessKeyFile != null
&& config.fediversity.peertube.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
peertube-videos = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
peertube-playlists = {
website = true;
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
peertube = {
inherit (config.fediversity.peertube) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
peertube-videos = {
read = true;
write = true;
owner = true;
};
peertube-playlists = {
read = true;
write = true;
owner = true;
};
};
};
};
};
}
)
(mkIf config.fediversity.peertube.enable {
networking.firewall.allowedTCPPorts = [
80
443
## For Live streaming and Live streaming when RTMPS is enabled.
1935
1936
];
services.peertube = {
enable = true;
localDomain = config.fediversity.peertube.domain;
# TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to.
redis.createLocally = true;
database.createLocally = true;
secrets.secretsFile = config.fediversity.peertube.secretsFile;
settings = {
object_storage = {
enabled = true;
endpoint = config.fediversity.garage.api.url;
region = "garage";
upload_acl.public = null; # Garage does not support ACL
upload_acl.private = null; # Garage does not support ACL
# not supported by garage
# SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube
proxy.proxyify_private_files = false;
web_videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
videos = rec {
bucket_name = "peertube-videos";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
streaming_playlists = rec {
bucket_name = "peertube-playlists";
prefix = "";
base_url = config.fediversity.garage.web.urlForBucket bucket_name;
};
};
};
serviceEnvironmentFile = "/etc/peertube-env";
};
## FIXME: secrets management; we should have a service that writes the
## `.env` files based on all the secrets that we need to put there.
environment.etc.peertube-env.text = ''
AWS_ACCESS_KEY_ID=${readFile config.fediversity.peertube.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.peertube.s3SecretKeyFile}
'';
## Proxying through Nginx
services.peertube = {
configureNginx = true;
listenWeb = 443;
enableWebHttps = true;
};
services.nginx.virtualHosts.${config.services.peertube.localDomain} = {
forceSSL = true;
enableACME = true;
};
})
];
}

28
services/fediversity/peertube/options.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, ... }:
let
inherit (lib) mkOption;
inherit (lib.types) types;
in
{
options.fediversity.peertube =
(import ../sharedOptions.nix {
inherit config lib;
serviceName = "peertube";
serviceDocName = "PeerTube";
})
//
{
secretsFile = mkOption {
type = types.path;
description = ''
Internal option change at your own risk
FIXME: should it be provided by NixOps4?
or maybe we should just ask for a main secret from which to derive all the others?
'';
};
};
}

92
services/fediversity/pixelfed.nix
View file

@ -1,92 +0,0 @@
let
snakeoil_key = {
id = "GKb5615457d44214411e673b7b";
secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
in
{
config,
lib,
pkgs,
...
}:
lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
services.garage = {
ensureBuckets = {
pixelfed = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
pixelfed = {
inherit (snakeoil_key) id secret;
ensureAccess = {
pixelfed = {
read = true;
write = true;
owner = true;
};
};
};
};
};
services.pixelfed = {
enable = true;
domain = config.fediversity.internal.pixelfed.domain;
# TODO: secrets management!!!
secretFile = pkgs.writeText "secrets.env" ''
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
'';
## Taeer feels like this way of configuring Nginx is odd; there should
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
## configuration should be in `services.nginx`. See eg. `pretix`.
##
## TODO: If that indeed makes sense, upstream.
nginx = {
forceSSL = true;
enableACME = true;
# locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/";
};
};
services.pixelfed.settings = {
## NOTE: This depends on the targets, eg. universities might want control
## over who has an account. We probably want a universal
## `fediversity.openRegistration` option.
OPEN_REGISTRATION = true;
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
FILESYSTEM_CLOUD = "s3";
PF_ENABLE_CLOUD = true;
AWS_ACCESS_KEY_ID = snakeoil_key.id;
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
AWS_DEFAULT_REGION = "garage";
AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed";
AWS_BUCKET = "pixelfed";
AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
AWS_USE_PATH_STYLE_ENDPOINT = false;
};
## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
## Otherwise, everything crashed dramatically.
systemd.services.pixelfed-data-setup = {
after = [ "ensure-garage.service" ];
};
networking.firewall.allowedTCPPorts = [
80
443
];
}

113
services/fediversity/pixelfed/default.nix Normal file
View file

@ -0,0 +1,113 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkIf mkMerge readFile;
in
{
imports = [ ./options.nix ];
config = mkMerge [
(mkIf
(
config.fediversity.garage.enable
&& config.fediversity.pixelfed.s3AccessKeyFile != null
&& config.fediversity.pixelfed.s3SecretKeyFile != null
)
{
fediversity.garage = {
ensureBuckets = {
pixelfed = {
website = true;
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
corsRules = {
enable = true;
allowedHeaders = [ "*" ];
allowedMethods = [ "GET" ];
allowedOrigins = [ "*" ];
};
};
};
ensureKeys = {
pixelfed = {
inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
ensureAccess = {
pixelfed = {
read = true;
write = true;
owner = true;
};
};
};
};
};
}
)
(mkIf config.fediversity.pixelfed.enable {
## NOTE: Pixelfed as packaged in nixpkgs has a permission issue that prevents Nginx
## from being able to serving the images. We fix it here, but this should be
## upstreamed. See https://github.com/NixOS/nixpkgs/issues/235147
services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [ ./group-permissions.patch ];
});
users.users.nginx.extraGroups = [ "pixelfed" ];
services.pixelfed = {
enable = true;
domain = config.fediversity.pixelfed.domain;
## FIXME: secrets management; we should have a service that writes the
## `.env` file based on all the secrets that we need to put there.
secretFile = pkgs.writeText "secrets.env" ''
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
'';
## Taeer feels like this way of configuring Nginx is odd; there should
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
## configuration should be in `services.nginx`. See eg. `pretix`.
##
## TODO: If that indeed makes sense, upstream.
nginx = {
forceSSL = true;
enableACME = true;
# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
};
};
services.pixelfed.settings = {
## NOTE: This depends on the targets, eg. universities might want control
## over who has an account. We probably want a universal
## `fediversity.openRegistration` option.
OPEN_REGISTRATION = true;
FILESYSTEM_CLOUD = "s3";
PF_ENABLE_CLOUD = true;
AWS_DEFAULT_REGION = "garage";
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
AWS_BUCKET = "pixelfed";
AWS_ENDPOINT = config.fediversity.garage.api.url;
AWS_USE_PATH_STYLE_ENDPOINT = false;
};
## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
## Otherwise, everything crashed dramatically.
systemd.services.pixelfed-data-setup = {
after = [ "ensure-garage.service" ];
};
networking.firewall.allowedTCPPorts = [
80
443
];
})
];
}

0
services/fediversity/pixelfed-group-permissions.patch → services/fediversity/pixelfed/group-permissions.patch
View file

14
services/fediversity/pixelfed/options.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, ... }:
{
options.fediversity.pixelfed =
(import ../sharedOptions.nix {
inherit config lib;
serviceName = "pixelfed";
serviceDocName = "Pixelfed";
})
//
{
};
}

46
services/fediversity/sharedOptions.nix Normal file
View file

@ -0,0 +1,46 @@
## NOTE: Not a module, but a helper function to create options for Fediversity
## services, as they tend to require the same ones.
{
config,
lib,
serviceName,
serviceDocName,
}:
let
inherit (lib) mkOption mkEnableOption;
inherit (lib.types) types;
in
{
enable = mkEnableOption "Enable a ${serviceDocName} server on the machine";
s3AccessKeyFile = mkOption {
type = types.nullOr types.path;
description = ''
S3 access key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_ACCESS_KEY_ID. The S3 bucket is only created
when non-`null`.
'';
default = null;
};
s3SecretKeyFile = mkOption {
type = types.nullOr types.path;
description = ''
S3 secret key for ${serviceDocName}'s bucket/s
In AWS CLI, this would be AWS_SECRET_ACCESS_KEY. The S3 bucket is only
created when non-`null`.
'';
default = null;
};
domain = mkOption {
type = types.str;
description = "Internal option change at your own risk";
default = "${serviceName}.${config.fediversity.domain}";
};
}

8
services/tests/mastodon.nix
View file

@ -69,8 +69,8 @@ pkgs.nixosTest {
expect
];
environment.variables = {
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.mastodon.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.mastodon.secret;
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.mastodon.id;
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.mastodon.secret;
};
};
};
@ -118,7 +118,7 @@ pkgs.nixosTest {
server.succeed("toot post --media ${testImage}")
with subtest("Access garage"):
server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
server.succeed("mc alias set garage ${nodes.server.fediversity.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
server.succeed("mc ls garage/mastodon")
with subtest("Access image in garage"):
@ -144,7 +144,7 @@ pkgs.nixosTest {
raise Exception("mastodon did not send a content security policy header")
csp = csp_match.group(1)
# the connect-src content security policy should include the garage server
## TODO: use `nodes.server.fediversity.internal.garage.api.url` same as above, but beware of escaping the regex. Be careful with port 80 though.
## TODO: use `nodes.server.fediversity.garage.api.url` same as above, but beware of escaping the regex. Be careful with port 80 though.
garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost.*", csp)
if garage_csp is None:
raise Exception("Mastodon's Content-Security-Policy does not include Garage.")

6
services/tests/peertube.nix
View file

@ -197,8 +197,8 @@ pkgs.nixosTest {
systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600;
environment.variables = {
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.peertube.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.peertube.secret;
AWS_ACCESS_KEY_ID = "$(cat ${config.fediversity.peertube.s3AccessKeyFile})";
AWS_SECRET_ACCESS_KEY = "$(cat ${config.fediversity.peertube.s3SecretKeyFile})";
PT_INITIAL_ROOT_PASSWORD = "testtest";
};
};
@ -220,7 +220,7 @@ pkgs.nixosTest {
server.succeed(f"post-video-in-browser {root_password}")
with subtest("Find video in garage"):
server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
server.succeed("mc alias set garage ${nodes.server.fediversity.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
video = server.succeed("mc find garage --regex '\\.mp4'").rstrip()
if video == "":
raise Exception("Could not find any .mp4 video stored in Garage")

9
services/tests/pixelfed-garage.nix
View file

@ -1,4 +1,5 @@
{ pkgs, self }:
let
lib = pkgs.lib;
@ -160,8 +161,8 @@ pkgs.nixosTest {
];
environment.variables = {
POST_MEDIA = ./fediversity.png;
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
AWS_ACCESS_KEY_ID = config.fediversity.garage.ensureKeys.pixelfed.id;
AWS_SECRET_ACCESS_KEY = config.fediversity.garage.ensureKeys.pixelfed.secret;
## without this we get frivolous errors in the logs
MC_REGION = "garage";
};
@ -200,7 +201,7 @@ pkgs.nixosTest {
raise Exception("cannot detect the uploaded image on pixelfed page.")
with subtest("access garage"):
server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
server.succeed("mc alias set garage ${nodes.server.fediversity.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
server.succeed("mc ls garage/pixelfed")
with subtest("access image in garage"):
@ -216,7 +217,7 @@ pkgs.nixosTest {
with subtest("Check that image comes from garage"):
src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"):
if not src.startswith("${nodes.server.fediversity.garage.web.urlForBucket "pixelfed"}"):
raise Exception("image does not come from garage")
'';
}

18
services/vm/garage-vm.nix
View file

@ -8,14 +8,12 @@
let
inherit (lib) mkVMOverride mapAttrs' filterAttrs;
cfg = config.services.garage;
fedicfg = config.fediversity.internal.garage;
in
{
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity.garage.enable = true;
services.nginx.virtualHosts =
let
value = {
@ -24,21 +22,21 @@ in
};
in
mapAttrs' (bucket: _: {
name = fedicfg.web.domainForBucket bucket;
name = config.fediversity.garage.web.domainForBucket bucket;
inherit value;
}) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets);
}) (filterAttrs (_: { website, ... }: website) config.fediversity.garage.ensureBuckets);
virtualisation.diskSize = 2048;
virtualisation.forwardPorts = [
{
from = "host";
host.port = fedicfg.rpc.port;
guest.port = fedicfg.rpc.port;
host.port = config.fediversity.garage.rpc.port;
guest.port = config.fediversity.garage.rpc.port;
}
{
from = "host";
host.port = fedicfg.web.internalPort;
guest.port = fedicfg.web.internalPort;
host.port = config.fediversity.garage.web.internalPort;
guest.port = config.fediversity.garage.web.internalPort;
}
];
}

9
services/vm/mastodon-vm.nix
View file

@ -1,6 +1,7 @@
{
modulesPath,
lib,
pkgs,
config,
...
}:
@ -11,9 +12,13 @@
config = lib.mkMerge [
{
fediversity = {
enable = true;
domain = "localhost";
mastodon.enable = true;
mastodon = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK3515373e4c851ebaad366558";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7d37d093435a41f2aab8f13c19ba067d9776c90215f56614adad6ece597dbb34";
};
temp.cores = config.virtualisation.cores;
};

12
services/vm/peertube-vm.nix
View file

@ -8,13 +8,13 @@
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = {
enable = true;
domain = "localhost";
peertube.enable = true;
temp.peertubeSecretsFile = pkgs.writeText "secret" ''
574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24
'';
peertube = {
enable = true;
secretsFile = pkgs.writeText "secret" "574e093907d1157ac0f8e760a6deb1035402003af5763135bae9cbd6abe32b24";
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GK1f9feea9960f6f95ff404c9b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "7295c4201966a02c2c3d25b5cea4a5ff782966a2415e3a196f91924631191395";
};
};
services.peertube = {

15
services/vm/pixelfed-vm.nix
View file

@ -1,4 +1,9 @@
{ lib, modulesPath, ... }:
{
lib,
pkgs,
modulesPath,
...
}:
let
inherit (lib) mkVMOverride;
@ -9,9 +14,13 @@ in
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
fediversity = {
enable = true;
domain = "localhost";
pixelfed.enable = true;
pixelfed = {
enable = true;
s3AccessKeyFile = pkgs.writeText "s3AccessKey" "GKb5615457d44214411e673b7b";
s3SecretKeyFile = pkgs.writeText "s3SecretKey" "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
};
};
services.pixelfed = {