diff --git a/fediversity/default.nix b/fediversity/default.nix index 6e38fbda..dfdffc8c 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -1,6 +1,7 @@ -{ lib, ... }: +{ lib, config, ... }: let + inherit (builtins) toString; inherit (lib) mkOption; inherit (lib.types) types; @@ -19,9 +20,38 @@ in { default = false; }; + garage = mkOption { + type = types.anything; + }; + + domain = mkOption { + type = types.string; + }; + mastodon.enable = mkOption { type = types.bool; default = false; }; pixelfed.enable = mkOption { type = types.bool; default = false; }; peertube.enable = mkOption { type = types.bool; default = false; }; }; }; + + config.fediversity = { + garage = { + api = rec { + domain = "s3.garage.${config.fediversity.domain}"; + port = 3900; + url = "http://${domain}:${toString port}"; + }; + + rpc = rec { + port = 3901; + }; + + web = rec { + rootDomain = "web.garage.${config.fediversity.domain}"; + port = 3902; + rootDomainAndPort = "${rootDomain}:${toString port}"; + urlFor = bucket: "http://${bucket}.${rootDomainAndPort}"; + }; + }; + }; } diff --git a/fediversity/garage.nix b/fediversity/garage.nix index aad2925f..92cbd88c 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -11,6 +11,7 @@ in { config, lib, pkgs, ... }: let + inherit (builtins) toString; inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep; inherit (lib.strings) escapeShellArg; cfg = config.services.garage; @@ -41,7 +42,7 @@ let ${optionalString corsRules.enable '' garage bucket allow --read --write --owner ${bucketArg} --key tmp # TODO: endpoin-url should not be hard-coded - aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url http://s3.garage.localhost:3900 s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} + aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} garage bucket deny --read --write --owner ${bucketArg} --key tmp ''} ''; @@ -135,19 +136,22 @@ in virtualisation.forwardPorts = [ { from = "host"; - host.port = 3901; - guest.port = 3901; + host.port = config.fediversity.garage.rpc.port; + guest.port = config.fediversity.garage.rpc.port; } { from = "host"; - host.port = 3902; - guest.port = 3902; + host.port = config.fediversity.garage.web.port; + guest.port = config.fediversity.garage.web.port; } ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; - networking.firewall.allowedTCPPorts = [ 3901 3902 ]; + networking.firewall.allowedTCPPorts = [ + config.fediversity.garage.rpc.port + config.fediversity.garage.web.port + ]; services.garage = { enable = true; package = pkgs.garage_0_9; @@ -156,15 +160,15 @@ in # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "[::1]:3901"; - s3_api.api_bind_addr = "[::]:3900"; - s3_web.bind_addr = "[::]:3902"; - s3_web.root_domain = ".web.garage.localhost"; + rpc_bind_addr = "[::]:${toString config.fediversity.garage.rpc.port}"; + rpc_public_addr = "[::1]:${toString config.fediversity.garage.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString config.fediversity.garage.api.port}"; + s3_web.bind_addr = "[::]:${toString config.fediversity.garage.web.port}"; + s3_web.root_domain = ".${config.fediversity.garage.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".s3.garage.localhost"; + s3_api.root_domain = ".${config.fediversity.garage.api.domain}"; }; }; systemd.services.ensure-garage = { @@ -177,9 +181,9 @@ in script = '' set -xeuo pipefail - # Give garage time to start up by waiting until somethings speaks HTTP - # behind localhost:3900. - until ${pkgs.curl}/bin/curl -sio /dev/null http://localhost:3900/; do sleep 1; done + # Give Garage time to start up by waiting until somethings speaks HTTP + # behind Garage's API URL. + until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.garage.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index 5a349f6f..e866b848 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix @@ -38,7 +38,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { extraConfig = rec { S3_ENABLED = "true"; # TODO: this shouldn't be hard-coded, it should come from the garage configuration - S3_ENDPOINT = "http://s3.garage.localhost:3900"; + S3_ENDPOINT = config.fediversity.garage.api.url; S3_REGION = "garage"; S3_BUCKET = "mastodon"; # use . @@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; - S3_HOSTNAME = "web.garage.localhost:3902"; + S3_HOSTNAME = config.fediversity.garage.web.rootDomainAndPort; # by default it tries to use "/" S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix index 95e1c32a..021e52f0 100644 --- a/fediversity/peertube.nix +++ b/fediversity/peertube.nix @@ -56,27 +56,27 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { settings = { object_storage = { enabled = true; - endpoint = "http://s3.garage.localhost:3900"; + endpoint = config.fediversity.garage.api.url; region = "garage"; # not supported by garage # SEE: https://garagehq.deuxfleurs.fr/documentation/connect/apps/#peertube proxy.proxyify_private_files = false; - web_videos = { + web_videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = "http://peertube-videos.web.garage.localhost:3902"; + base_url = config.fediversity.garage.web.urlFor bucket_name; }; - videos = { + videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = "http://peertube-videos.web.garage.localhost:3902"; + base_url = config.fediversity.garage.web.urlFor bucket_name; }; - streaming_playlists = { + streaming_playlists = rec { bucket_name = "peertube-playlists"; prefix = ""; - base_url = "http://peertube-playlists.web.garage.localhost:3902"; + base_url = config.fediversity.garage.web.urlFor bucket_name; }; }; }; diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 1d04f608..38153f54 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -37,7 +37,6 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.pixelfed.enable = true; - # TODO: factor these out so we're only defining e.g. s3.garage.localhost and port 3900 in one place services.pixelfed.settings = { # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3"; FILESYSTEM_CLOUD = "s3"; @@ -45,9 +44,9 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; AWS_DEFAULT_REGION = "garage"; - AWS_URL = "http://pixelfed.web.garage.localhost:3902/"; + AWS_URL = config.fediversity.garage.web.urlFor "pixelfed"; AWS_BUCKET = "pixelfed"; - AWS_ENDPOINT = "http://s3.garage.localhost:3900"; + AWS_ENDPOINT = config.fediversity.garage.api.url; AWS_USE_PATH_STYLE_ENDPOINT = false; }; diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index f98440d0..c35e7994 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -95,6 +95,7 @@ pkgs.nixosTest { server.succeed("toot post --media $POST_MEDIA") with subtest("access garage"): + ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/mastodon") @@ -121,6 +122,7 @@ pkgs.nixosTest { raise Exception("mastodon did not send a content security policy header") csp = csp_match.group(1) # the img-src content security policy should include the garage server + ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp) if garage_csp is None: raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.") diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index 79e1edc2..a474b1cd 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -186,6 +186,7 @@ pkgs.nixosTest { raise Exception("cannot detect the uploaded image on pixelfed page.") with subtest("access garage"): + ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/pixelfed") @@ -202,6 +203,7 @@ pkgs.nixosTest { with subtest("Check that image comes from garage"): src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") + ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? if not src.startswith("http://pixelfed.web.garage.localhost:3902/"): raise Exception("image does not come from garage") ''; diff --git a/vm/mastodon-vm.nix b/vm/mastodon-vm.nix index 0d13b89e..0bc12aa6 100644 --- a/vm/mastodon-vm.nix +++ b/vm/mastodon-vm.nix @@ -9,6 +9,7 @@ { fediversity = { enable = true; + domain = "localhost"; mastodon.enable = true; }; diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index be238f13..be04bfc7 100644 --- a/vm/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix @@ -7,6 +7,7 @@ fediversity = { enable = true; + domain = "localhost"; pixelfed.enable = true; }; @@ -24,7 +25,7 @@ # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx # TODO: If that indeed makes sense, upstream it. nginx = { - # locations."/public/".proxyPass = "http://pixelfed.web.garage.localhost:3902/public/"; + # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlFor "pixelfed"}/public/"; }; }; virtualisation.memorySize = 2048;