Fediversity/configuration.nix
2024-03-06 04:40:22 -05:00

149 lines
4.2 KiB
Nix

{ config, lib, pkgs, ... }: {
# open up access to the mastodon web interface
networking.firewall.allowedTCPPorts = [ 443 ];
services.mastodon = {
enable = true;
# TODO: set up a domain name, and a DNS service so that this can run not in a vm
# localDomain = "domain.social";
configureNginx = true;
# TODO: configure a mailserver so this works
# smtp.fromAddress = "mastodon@social.local.gd";
# TODO: this is hardware-dependent. let's figure it out when we have hardware
# streamingProcesses = 1;
};
security.acme = {
acceptTerms = true;
preliminarySelfsigned = true;
# TODO: configure a mailserver so we can set up acme
# defaults.email = "test@example.com";
};
# let us log in
users.mutableUsers = false;
users.users.root.hashedPassword = "";
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
PermitEmptyPasswords = "yes";
UsePAM = "no";
};
};
# access to convenient things
environment.systemPackages = with pkgs; [ w3m python3 ];
nix.extraOptions = ''
extra-experimental-features = nix-command flakes
'';
# these configurations only apply when producing a VM (e.g. nixos-rebuild build-vm)
virtualisation.vmVariant = { config, ... }: {
services.mastodon = {
# redirects to localhost, but allows it to have a proper domain name
# SEE: local.gd
localDomain = "social.local.gd";
smtp = {
fromAddress = "mastodon@social.local.gd";
createLocally = false;
};
extraConfig = {
EMAIL_DOMAIN_ALLOWLIST = "example.com";
RAILS_ENV = "development";
# for letter_opener
REMOTE_DEV = "true";
};
# database = {
# # createLocally = false;
# # host = "/run/postgresql";
# # port = null;
# name = "mastodon_development";
# user = "mastodon_development";
# };
# user = "mastodon_development";
# database.createLocally = false;
# from the documentation: recommended is the amount of your CPU cores minus one.
# but it also must be a positive integer
streamingProcesses = let
ncores = config.virtualisation.cores;
max = x: y: if x > y then x else y;
in
max 1 (ncores - 1);
};
# users.users.mastodon_development = {
# isSystemUser = true;
# home = config.services.mastodon.package;
# group = "mastodon";
# packages = [ config.services.mastodon.package pkgs.imagemagick ];
# };
services.postgresql = {
enable = true;
ensureUsers = [
{
name = config.services.mastodon.database.user;
ensureClauses.createdb = true;
# ensurePermissions."mastodon_development_test.*" = "ALL PRIVILEGES";
}
];
# ensureDatabases = [ "mastodon_development_test" ];
};
systemd.services.mastodon-init-db.script = lib.mkForce ''
if [ `psql -c \
"select count(*) from pg_class c \
join pg_namespace s on s.oid = c.relnamespace \
where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then
echo "Seeding database"
rails db:setup
# SAFETY_ASSURED=1 rails db:schema:load
rails db:seed
else
echo "Migrating database (this might be a noop)"
rails db:migrate
fi
'';
security.acme = {
defaults = {
# invalid server; the systemd service will fail, and we won't get properly signed certificates
# but let's not spam the letsencrypt servers (and we don't own this domain anyways)
server = "https://127.0.0.1";
email = "none";
};
};
services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
# extraConfig = ''
# add_header Referrer-Policy "same-origin";
# '';
};
virtualisation.memorySize = 2048;
virtualisation.forwardPorts = [
{
from = "host";
host.port = 44443;
guest.port = 443;
}
{
from = "host";
host.port = 2222;
guest.port = 22;
}
];
};
}