diff --git a/fediversity/default.nix b/fediversity/default.nix index 9c60d61d..a6e0682e 100644 --- a/fediversity/default.nix +++ b/fediversity/default.nix @@ -17,42 +17,83 @@ in { fediversity = { enable = mkEnableOption "the collection of services bundled under Fediversity"; - garage = mkOption { - type = types.anything; - }; - domain = mkOption { type = types.str; + description = '' + root domain for the Fediversity services + + For instance, if this option is set to `foo.example.com`, then + Pixelfed might be under `pixelfed.foo.example.com`. + ''; }; mastodon.enable = mkEnableOption "default Fediversity Mastodon configuration"; pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration"; peertube.enable = mkEnableOption "default Fediversity PeerTube configuration"; - }; - }; - config.fediversity = { - garage = { - api = rec { - domain = "s3.garage.${config.fediversity.domain}"; - port = 3900; - url = "http://${domain}:${toString port}"; - }; + internal = mkOption { + description = "options that are only meant to be used internally; change at your own risk"; + default = {}; + type = types.submodule { + options = { + garage = { + api = { + domain = mkOption { + type = types.str; + default = "s3.garage.${config.fediversity.domain}"; + }; + port = mkOption { + type = types.int; + default = 3900; + }; + url = mkOption { + type = types.str; + default = "http://${config.fediversity.internal.garage.api.domain}:${toString config.fediversity.internal.garage.api.port}"; + }; + }; - rpc = rec { - port = 3901; - }; + rpc = { + port = mkOption { + type = types.int; + default = 3901; + }; + }; - web = rec { - rootDomain = "web.garage.${config.fediversity.domain}"; - port = 3902; - rootDomainAndPort = "${rootDomain}:${toString port}"; - urlFor = bucket: "http://${bucket}.${rootDomainAndPort}"; + web = { + rootDomain = mkOption { + type = types.str; + default = "web.garage.${config.fediversity.domain}"; + }; + port = mkOption { + type = types.int; + default = 3902; + }; + rootDomainAndPort = mkOption { + type = types.str; + default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}"; + }; + urlFor = mkOption { + type = types.functionTo types.str; + default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}"; + }; + }; + }; + + pixelfed.domain = mkOption { + type = types.str; + default = "pixelfed.${config.fediversity.domain}"; + }; + mastodon.domain = mkOption { + type = types.str; + default = "mastdodon.${config.fediversity.domain}"; + }; + peertube.domain = mkOption { + type = types.str; + default = "peertube.${config.fediversity.domain}"; + }; + }; + }; }; }; - - pixelfed.domain = "pixelfed.${config.fediversity.domain}"; - mastodon.domain = "mastdodon.${config.fediversity.domain}"; - peertube.domain = "peertube.${config.fediversity.domain}"; }; } diff --git a/fediversity/garage.nix b/fediversity/garage.nix index 92cbd88c..84af6627 100644 --- a/fediversity/garage.nix +++ b/fediversity/garage.nix @@ -42,7 +42,7 @@ let ${optionalString corsRules.enable '' garage bucket allow --read --write --owner ${bucketArg} --key tmp # TODO: endpoin-url should not be hard-coded - aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} + aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON} garage bucket deny --read --write --owner ${bucketArg} --key tmp ''} ''; @@ -136,21 +136,21 @@ in virtualisation.forwardPorts = [ { from = "host"; - host.port = config.fediversity.garage.rpc.port; - guest.port = config.fediversity.garage.rpc.port; + host.port = config.fediversity.internal.garage.rpc.port; + guest.port = config.fediversity.internal.garage.rpc.port; } { from = "host"; - host.port = config.fediversity.garage.web.port; - guest.port = config.fediversity.garage.web.port; + host.port = config.fediversity.internal.garage.web.port; + guest.port = config.fediversity.internal.garage.web.port; } ]; environment.systemPackages = [ pkgs.minio-client pkgs.awscli ]; networking.firewall.allowedTCPPorts = [ - config.fediversity.garage.rpc.port - config.fediversity.garage.web.port + config.fediversity.internal.garage.rpc.port + config.fediversity.internal.garage.web.port ]; services.garage = { enable = true; @@ -160,15 +160,15 @@ in # TODO: use a secret file rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625"; # TODO: why does this have to be set? is there not a sensible default? - rpc_bind_addr = "[::]:${toString config.fediversity.garage.rpc.port}"; - rpc_public_addr = "[::1]:${toString config.fediversity.garage.rpc.port}"; - s3_api.api_bind_addr = "[::]:${toString config.fediversity.garage.api.port}"; - s3_web.bind_addr = "[::]:${toString config.fediversity.garage.web.port}"; - s3_web.root_domain = ".${config.fediversity.garage.web.rootDomain}"; + rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}"; + rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}"; + s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}"; + s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}"; + s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}"; index = "index.html"; s3_api.s3_region = "garage"; - s3_api.root_domain = ".${config.fediversity.garage.api.domain}"; + s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}"; }; }; systemd.services.ensure-garage = { @@ -183,7 +183,7 @@ in # Give Garage time to start up by waiting until somethings speaks HTTP # behind Garage's API URL. - until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.garage.api.url}; do sleep 1; done + until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done # XXX: this is very sensitive to being a single instance # (doing the bare minimum to get garage up and running) diff --git a/fediversity/mastodon.nix b/fediversity/mastodon.nix index 8740c8c7..62599b51 100644 --- a/fediversity/mastodon.nix +++ b/fediversity/mastodon.nix @@ -38,7 +38,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { extraConfig = rec { S3_ENABLED = "true"; # TODO: this shouldn't be hard-coded, it should come from the garage configuration - S3_ENDPOINT = config.fediversity.garage.api.url; + S3_ENDPOINT = config.fediversity.internal.garage.api.url; S3_REGION = "garage"; S3_BUCKET = "mastodon"; # use . @@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; S3_PROTOCOL = "http"; - S3_HOSTNAME = config.fediversity.garage.web.rootDomainAndPort; + S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort; # by default it tries to use "/" S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}"; # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/ @@ -63,12 +63,12 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) { services.mastodon = { enable = true; - localDomain = config.fediversity.mastodon.domain; + localDomain = config.fediversity.internal.mastodon.domain; configureNginx = true; # TODO: configure a mailserver so this works smtp = { - fromAddress = "noreply@${config.fediversity.mastodon.domain}"; + fromAddress = "noreply@${config.fediversity.internal.mastodon.domain}"; createLocally = false; }; diff --git a/fediversity/peertube.nix b/fediversity/peertube.nix index 41c6cd16..88d26e11 100644 --- a/fediversity/peertube.nix +++ b/fediversity/peertube.nix @@ -54,7 +54,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { services.peertube = { enable = true; - localDomain = config.fediversity.peertube.domain; + localDomain = config.fediversity.internal.peertube.domain; # TODO: in most of nixpkgs, these are true by default. upstream that unless there's a good reason not to. redis.createLocally = true; @@ -64,7 +64,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { settings = { object_storage = { enabled = true; - endpoint = config.fediversity.garage.api.url; + endpoint = config.fediversity.internal.garage.api.url; region = "garage"; # not supported by garage @@ -74,17 +74,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) { web_videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = config.fediversity.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; videos = rec { bucket_name = "peertube-videos"; prefix = ""; - base_url = config.fediversity.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; streaming_playlists = rec { bucket_name = "peertube-playlists"; prefix = ""; - base_url = config.fediversity.garage.web.urlFor bucket_name; + base_url = config.fediversity.internal.garage.web.urlFor bucket_name; }; }; }; diff --git a/fediversity/pixelfed.nix b/fediversity/pixelfed.nix index 95703ba5..1edc9149 100644 --- a/fediversity/pixelfed.nix +++ b/fediversity/pixelfed.nix @@ -37,7 +37,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { services.pixelfed = { enable = true; - domain = config.fediversity.pixelfed.domain; + domain = config.fediversity.internal.pixelfed.domain; }; services.pixelfed.settings = { @@ -47,9 +47,9 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) { AWS_ACCESS_KEY_ID = snakeoil_key.id; AWS_SECRET_ACCESS_KEY = snakeoil_key.secret; AWS_DEFAULT_REGION = "garage"; - AWS_URL = config.fediversity.garage.web.urlFor "pixelfed"; + AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed"; AWS_BUCKET = "pixelfed"; - AWS_ENDPOINT = config.fediversity.garage.api.url; + AWS_ENDPOINT = config.fediversity.internal.garage.api.url; AWS_USE_PATH_STYLE_ENDPOINT = false; }; diff --git a/tests/mastodon-garage.nix b/tests/mastodon-garage.nix index c35e7994..c109ea18 100644 --- a/tests/mastodon-garage.nix +++ b/tests/mastodon-garage.nix @@ -95,7 +95,7 @@ pkgs.nixosTest { server.succeed("toot post --media $POST_MEDIA") with subtest("access garage"): - ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/mastodon") @@ -122,7 +122,7 @@ pkgs.nixosTest { raise Exception("mastodon did not send a content security policy header") csp = csp_match.group(1) # the img-src content security policy should include the garage server - ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.web.url` here in some way? garage_csp = re.match(".*; img-src[^;]*web\.garage\.localhost:3902.*", csp) if garage_csp is None: raise Exception("Mastodon's content security policy does not include garage server. image will not be displayed properly on mastodon.") diff --git a/tests/pixelfed-garage.nix b/tests/pixelfed-garage.nix index a474b1cd..9bf2944e 100644 --- a/tests/pixelfed-garage.nix +++ b/tests/pixelfed-garage.nix @@ -186,7 +186,7 @@ pkgs.nixosTest { raise Exception("cannot detect the uploaded image on pixelfed page.") with subtest("access garage"): - ## REVIEW: could we grab `config.fediversity.garage.api.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.api.url` here in some way? server.succeed("mc alias set garage http://s3.garage.localhost:3900 --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY") server.succeed("mc ls garage/pixelfed") @@ -203,7 +203,7 @@ pkgs.nixosTest { with subtest("Check that image comes from garage"): src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'") - ## REVIEW: could we grab `config.fediversity.garage.web.url` here in some way? + ## REVIEW: could we grab `config.fediversity.internal.garage.web.url` here in some way? if not src.startswith("http://pixelfed.web.garage.localhost:3902/"): raise Exception("image does not come from garage") ''; diff --git a/vm/mastodon-vm.nix b/vm/mastodon-vm.nix index caf1ca6c..ea17f272 100644 --- a/vm/mastodon-vm.nix +++ b/vm/mastodon-vm.nix @@ -57,7 +57,7 @@ BIND = "0.0.0.0"; # for letter_opener (still doesn't work though) REMOTE_DEV = "true"; - LOCAL_DOMAIN = "${config.fediversity.mastodon.domain}:8443"; + LOCAL_DOMAIN = "${config.fediversity.internal.mastodon.domain}:8443"; }; }; diff --git a/vm/pixelfed-vm.nix b/vm/pixelfed-vm.nix index f12b9c51..8f971801 100644 --- a/vm/pixelfed-vm.nix +++ b/vm/pixelfed-vm.nix @@ -24,7 +24,7 @@ # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx # TODO: If that indeed makes sense, upstream it. nginx = { - # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlFor "pixelfed"}/public/"; + # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/"; }; }; virtualisation.memorySize = 2048;