Compare commits
31 commits
Author | SHA1 | Date | |
---|---|---|---|
Nicolas Jeannerod | be756ab8d3 | ||
Nicolas Jeannerod | dd9b481b78 | ||
Nicolas Jeannerod | 3cfc4370f7 | ||
Nicolas Jeannerod | e9b5de893d | ||
Nicolas Jeannerod | 7b36774b80 | ||
4da997b3af | |||
fa53ecac53 | |||
d910dfe788 | |||
Nicolas Jeannerod | b461a44707 | ||
Nicolas Jeannerod | fc18582a1b | ||
Nicolas Jeannerod | e6b58b656b | ||
Nicolas Jeannerod | bf303ff1d1 | ||
Nicolas Jeannerod | a600829d56 | ||
Nicolas Jeannerod | 042cb2d517 | ||
Nicolas Jeannerod | 050042d255 | ||
Nicolas Jeannerod | 6b45256839 | ||
51a294a659 | |||
2116ac6b27 | |||
3e4b486921 | |||
db39623eeb | |||
ffb941687a | |||
2657e2130f | |||
ca8310dce3 | |||
e093632222 | |||
2501c480fb | |||
Nicolas Jeannerod | 011f166fd3 | ||
Nicolas Jeannerod | 3bb9569eb4 | ||
Nicolas Jeannerod | 6323e0adc8 | ||
Nicolas Jeannerod | 55a6377b12 | ||
Nicolas Jeannerod | 9be8232083 | ||
Nicolas Jeannerod | c9665b927f |
20
README.md
20
README.md
|
@ -46,6 +46,26 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
|
||||||
```bash
|
```bash
|
||||||
pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
|
pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
|
||||||
```
|
```
|
||||||
|
# Building an installer image
|
||||||
|
|
||||||
|
Build an installer image for the desired configuration, e.g. for `peertube`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nix build .#installers.peertube
|
||||||
|
```
|
||||||
|
|
||||||
|
Upload the image in `./result` to Proxmox when creating a VM.
|
||||||
|
Booting the image will format the disk and install NixOS with the desired configuration.
|
||||||
|
|
||||||
|
# Deploying an updated machine configuration
|
||||||
|
|
||||||
|
> TODO: There is currently no way to specify an actual target machine by name.
|
||||||
|
|
||||||
|
Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
nix run .#deploy.peertube
|
||||||
|
```
|
||||||
|
|
||||||
## debugging notes
|
## debugging notes
|
||||||
|
|
||||||
|
|
13
deploy.nix
Normal file
13
deploy.nix
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
{ writeShellApplication }:
|
||||||
|
name: config:
|
||||||
|
writeShellApplication {
|
||||||
|
name = "deploy";
|
||||||
|
text = ''
|
||||||
|
result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
|
||||||
|
# shellcheck disable=SC2087
|
||||||
|
ssh ${name} << EOF
|
||||||
|
nix-env -p /nix/var/nix/profiles/system --set "$result"
|
||||||
|
"$result"/bin/switch-to-configuration switch
|
||||||
|
EOF
|
||||||
|
'';
|
||||||
|
}
|
36
disk-layout.nix
Normal file
36
disk-layout.nix
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
disko.devices.disk.main = {
|
||||||
|
device = "/dev/sda";
|
||||||
|
type = "disk";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
MBR = {
|
||||||
|
priority = 0;
|
||||||
|
size = "1M";
|
||||||
|
type = "EF02";
|
||||||
|
};
|
||||||
|
ESP = {
|
||||||
|
priority = 1;
|
||||||
|
size = "500M";
|
||||||
|
type = "EF00";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
mountpoint = "/boot";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
root = {
|
||||||
|
priority = 2;
|
||||||
|
size = "100%";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "ext4";
|
||||||
|
mountpoint = "/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (builtins) toString;
|
inherit (builtins) toString;
|
||||||
inherit (lib) mkOption mkEnableOption;
|
inherit (lib) mkOption mkEnableOption mkForce;
|
||||||
inherit (lib.types) types;
|
inherit (lib.types) types;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
@ -64,17 +64,17 @@ in {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "web.garage.${config.fediversity.domain}";
|
default = "web.garage.${config.fediversity.domain}";
|
||||||
};
|
};
|
||||||
port = mkOption {
|
internalPort = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
default = 3902;
|
default = 3902;
|
||||||
};
|
};
|
||||||
rootDomainAndPort = mkOption {
|
domainForBucket = mkOption {
|
||||||
type = types.str;
|
|
||||||
default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
|
|
||||||
};
|
|
||||||
urlFor = mkOption {
|
|
||||||
type = types.functionTo types.str;
|
type = types.functionTo types.str;
|
||||||
default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
|
default = bucket: "${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
|
||||||
|
};
|
||||||
|
urlForBucket = mkOption {
|
||||||
|
type = types.functionTo types.str;
|
||||||
|
default = bucket: "http://${config.fediversity.internal.garage.web.domainForBucket bucket}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -100,4 +100,19 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
## FIXME: This should clearly go somewhere else; and we should have a
|
||||||
|
## `staging` vs. `production` setting somewhere.
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com";
|
||||||
|
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||||
|
};
|
||||||
|
|
||||||
|
## NOTE: For a one-machine deployment, this removes the need to provide an
|
||||||
|
## `s3.garage.<domain>` domain. However, this will quickly stop working once
|
||||||
|
## we go to multi-machines deployment.
|
||||||
|
fediversity.internal.garage.api.domain = mkForce "s3.garage.localhost";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,6 +15,7 @@ let
|
||||||
inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
|
inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
|
||||||
inherit (lib.strings) escapeShellArg;
|
inherit (lib.strings) escapeShellArg;
|
||||||
cfg = config.services.garage;
|
cfg = config.services.garage;
|
||||||
|
fedicfg = config.fediversity.internal.garage;
|
||||||
concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
|
concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
|
||||||
ensureBucketScriptFn = bucket: { website, aliases, corsRules }:
|
ensureBucketScriptFn = bucket: { website, aliases, corsRules }:
|
||||||
let
|
let
|
||||||
|
@ -42,7 +43,7 @@ let
|
||||||
${optionalString corsRules.enable ''
|
${optionalString corsRules.enable ''
|
||||||
garage bucket allow --read --write --owner ${bucketArg} --key tmp
|
garage bucket allow --read --write --owner ${bucketArg} --key tmp
|
||||||
# TODO: endpoin-url should not be hard-coded
|
# TODO: endpoin-url should not be hard-coded
|
||||||
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
|
||||||
garage bucket deny --read --write --owner ${bucketArg} --key tmp
|
garage bucket deny --read --write --owner ${bucketArg} --key tmp
|
||||||
''}
|
''}
|
||||||
'';
|
'';
|
||||||
|
@ -52,7 +53,8 @@ let
|
||||||
${escapeShellArg bucket} --key ${escapeShellArg key}
|
${escapeShellArg bucket} --key ${escapeShellArg key}
|
||||||
'';
|
'';
|
||||||
ensureKeyScriptFn = key: {id, secret, ensureAccess}: ''
|
ensureKeyScriptFn = key: {id, secret, ensureAccess}: ''
|
||||||
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret}
|
## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
|
||||||
|
garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || :
|
||||||
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
|
${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
|
||||||
'';
|
'';
|
||||||
ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
|
ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
|
||||||
|
@ -132,25 +134,10 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.fediversity.enable {
|
config = lib.mkIf config.fediversity.enable {
|
||||||
virtualisation.diskSize = 2048;
|
|
||||||
virtualisation.forwardPorts = [
|
|
||||||
{
|
|
||||||
from = "host";
|
|
||||||
host.port = config.fediversity.internal.garage.rpc.port;
|
|
||||||
guest.port = config.fediversity.internal.garage.rpc.port;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
from = "host";
|
|
||||||
host.port = config.fediversity.internal.garage.web.port;
|
|
||||||
guest.port = config.fediversity.internal.garage.web.port;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
|
environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
config.fediversity.internal.garage.rpc.port
|
fedicfg.rpc.port
|
||||||
config.fediversity.internal.garage.web.port
|
|
||||||
];
|
];
|
||||||
services.garage = {
|
services.garage = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -160,17 +147,30 @@ in
|
||||||
# TODO: use a secret file
|
# TODO: use a secret file
|
||||||
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
|
||||||
# TODO: why does this have to be set? is there not a sensible default?
|
# TODO: why does this have to be set? is there not a sensible default?
|
||||||
rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}";
|
rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}";
|
||||||
rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}";
|
rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}";
|
||||||
s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}";
|
s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}";
|
||||||
s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}";
|
s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}";
|
||||||
s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}";
|
s3_web.root_domain = ".${fedicfg.web.rootDomain}";
|
||||||
index = "index.html";
|
index = "index.html";
|
||||||
|
|
||||||
s3_api.s3_region = "garage";
|
s3_api.s3_region = "garage";
|
||||||
s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}";
|
s3_api.root_domain = ".${fedicfg.api.domain}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${fedicfg.web.rootDomain} = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
serverAliases = lib.mapAttrsToList (bucket: _: fedicfg.web.domainForBucket bucket) cfg.ensureBuckets; ## TODO: use wildcard certificates?
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:3902";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.ensure-garage = {
|
systemd.services.ensure-garage = {
|
||||||
after = [ "garage.service" ];
|
after = [ "garage.service" ];
|
||||||
wantedBy = [ "garage.service" ];
|
wantedBy = [ "garage.service" ];
|
||||||
|
@ -183,7 +183,7 @@ in
|
||||||
|
|
||||||
# Give Garage time to start up by waiting until somethings speaks HTTP
|
# Give Garage time to start up by waiting until somethings speaks HTTP
|
||||||
# behind Garage's API URL.
|
# behind Garage's API URL.
|
||||||
until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done
|
until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done
|
||||||
|
|
||||||
# XXX: this is very sensitive to being a single instance
|
# XXX: this is very sensitive to being a single instance
|
||||||
# (doing the bare minimum to get garage up and running)
|
# (doing the bare minimum to get garage up and running)
|
||||||
|
@ -197,7 +197,8 @@ in
|
||||||
|
|
||||||
# XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys
|
# XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys
|
||||||
# TODO: generate this key here rather than using a well-known key
|
# TODO: generate this key here rather than using a well-known key
|
||||||
garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret}
|
# TODO: if the key already exists, we get an error; hacked with this `|| :` which needs to be removed
|
||||||
|
garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} || :
|
||||||
export AWS_ACCESS_KEY_ID=${snakeoil_key.id};
|
export AWS_ACCESS_KEY_ID=${snakeoil_key.id};
|
||||||
export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret};
|
export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret};
|
||||||
|
|
||||||
|
|
|
@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
|
||||||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||||
S3_PROTOCOL = "http";
|
S3_PROTOCOL = "http";
|
||||||
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort;
|
S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain;
|
||||||
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
# by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
|
||||||
S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
|
S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
|
||||||
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
# SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/
|
||||||
|
|
|
@ -74,17 +74,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
|
||||||
web_videos = rec {
|
web_videos = rec {
|
||||||
bucket_name = "peertube-videos";
|
bucket_name = "peertube-videos";
|
||||||
prefix = "";
|
prefix = "";
|
||||||
base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
|
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
|
||||||
};
|
};
|
||||||
videos = rec {
|
videos = rec {
|
||||||
bucket_name = "peertube-videos";
|
bucket_name = "peertube-videos";
|
||||||
prefix = "";
|
prefix = "";
|
||||||
base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
|
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
|
||||||
};
|
};
|
||||||
streaming_playlists = rec {
|
streaming_playlists = rec {
|
||||||
bucket_name = "peertube-playlists";
|
bucket_name = "peertube-playlists";
|
||||||
prefix = "";
|
prefix = "";
|
||||||
base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
|
base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -38,16 +38,37 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
|
||||||
services.pixelfed = {
|
services.pixelfed = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = config.fediversity.internal.pixelfed.domain;
|
domain = config.fediversity.internal.pixelfed.domain;
|
||||||
|
|
||||||
|
# TODO: secrets management!!!
|
||||||
|
secretFile = pkgs.writeText "secrets.env" ''
|
||||||
|
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
|
||||||
|
'';
|
||||||
|
|
||||||
|
## Taeer feels like this way of configuring Nginx is odd; there should
|
||||||
|
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
|
||||||
|
## configuration should be in `services.nginx`. See eg. `pretix`.
|
||||||
|
##
|
||||||
|
## TODO: If that indeed makes sense, upstream.
|
||||||
|
nginx = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
# locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.pixelfed.settings = {
|
services.pixelfed.settings = {
|
||||||
|
## NOTE: This depends on the targets, eg. universities might want control
|
||||||
|
## over who has an account. We probably want a universal
|
||||||
|
## `fediversity.openRegistration` option.
|
||||||
|
OPEN_REGISTRATION = true;
|
||||||
|
|
||||||
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
|
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
|
||||||
FILESYSTEM_CLOUD = "s3";
|
FILESYSTEM_CLOUD = "s3";
|
||||||
PF_ENABLE_CLOUD = true;
|
PF_ENABLE_CLOUD = true;
|
||||||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||||
AWS_DEFAULT_REGION = "garage";
|
AWS_DEFAULT_REGION = "garage";
|
||||||
AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed";
|
AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed";
|
||||||
AWS_BUCKET = "pixelfed";
|
AWS_BUCKET = "pixelfed";
|
||||||
AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
|
AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
|
||||||
AWS_USE_PATH_STYLE_ENDPOINT = false;
|
AWS_USE_PATH_STYLE_ENDPOINT = false;
|
||||||
|
@ -59,7 +80,5 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
|
||||||
after = [ "ensure-garage.service" ];
|
after = [ "ensure-garage.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
71
flake.lock
71
flake.lock
|
@ -1,6 +1,55 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"disko": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1727347829,
|
||||||
|
"narHash": "sha256-y7cW6TjJKy+tu7efxeWI6lyg4VVx/9whx+OmrhmRShU=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"rev": "1879e48907c14a70302ff5d0539c3b9b6f97feaa",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "disko",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1725194671,
|
||||||
|
"narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs-latest": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1727220152,
|
||||||
|
"narHash": "sha256-6ezRTVBZT25lQkvaPrfJSxYLwqcbNWm6feD/vG1FO0o=",
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "24959f933187217890b206788a85bfa73ba75949",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1723726852,
|
"lastModified": 1723726852,
|
||||||
"narHash": "sha256-lRzlx4fPRtzA+dgz9Rh4WK5yAW3TsAXx335DQqxY2XY=",
|
"narHash": "sha256-lRzlx4fPRtzA+dgz9Rh4WK5yAW3TsAXx335DQqxY2XY=",
|
||||||
|
@ -16,9 +65,29 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"pixelfed": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1719823820,
|
||||||
|
"narHash": "sha256-CKjqnxp7p2z/13zfp4HQ1OAmaoUtqBKS6HFm6TV8Jwg=",
|
||||||
|
"owner": "pixelfed",
|
||||||
|
"repo": "pixelfed",
|
||||||
|
"rev": "4c245cf429330d01fcb8ebeb9aa8c84a9574a645",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "pixelfed",
|
||||||
|
"ref": "v0.12.3",
|
||||||
|
"repo": "pixelfed",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": "nixpkgs"
|
"disko": "disko",
|
||||||
|
"nixpkgs": "nixpkgs_2",
|
||||||
|
"nixpkgs-latest": "nixpkgs-latest",
|
||||||
|
"pixelfed": "pixelfed"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
71
flake.nix
71
flake.nix
|
@ -1,48 +1,95 @@
|
||||||
{
|
{
|
||||||
description = "Testing mastodon configurations";
|
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests";
|
nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests";
|
||||||
|
nixpkgs-latest.url = "github:nixos/nixpkgs";
|
||||||
|
pixelfed = {
|
||||||
|
url = "github:pixelfed/pixelfed?ref=v0.12.3";
|
||||||
|
flake = false;
|
||||||
|
};
|
||||||
|
disko.url = "github:nix-community/disko";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = { self, nixpkgs }:
|
outputs = { self, nixpkgs, nixpkgs-latest, pixelfed, disko }:
|
||||||
let
|
let
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
lib = nixpkgs.lib;
|
||||||
pkgs = nixpkgs.legacyPackages.${system};
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
|
pkgsLatest = nixpkgs-latest.legacyPackages.${system};
|
||||||
|
bleedingFediverseOverlay = (self: super: {
|
||||||
|
pixelfed = pkgsLatest.pixelfed.overrideAttrs (old: {
|
||||||
|
src = pixelfed;
|
||||||
|
patches = (old.patches or [ ]) ++ [ ./fediversity/pixelfed-group-permissions.patch ];
|
||||||
|
});
|
||||||
|
## TODO: give mastodon, peertube the same treatment
|
||||||
|
});
|
||||||
in {
|
in {
|
||||||
|
|
||||||
nixosModules = {
|
nixosModules = {
|
||||||
|
## Bleeding-edge fediverse packages
|
||||||
|
bleedingFediverse = {
|
||||||
|
nixpkgs.overlays = [ bleedingFediverseOverlay ];
|
||||||
|
};
|
||||||
## Fediversity modules
|
## Fediversity modules
|
||||||
fediversity = import ./fediversity;
|
fediversity = import ./fediversity;
|
||||||
|
|
||||||
## VM-specific modules
|
## VM-specific modules
|
||||||
interactive-vm = import ./vm/interactive-vm.nix;
|
interactive-vm = import ./vm/interactive-vm.nix;
|
||||||
|
garage-vm = import ./vm/garage-vm.nix;
|
||||||
mastodon-vm = import ./vm/mastodon-vm.nix;
|
mastodon-vm = import ./vm/mastodon-vm.nix;
|
||||||
peertube-vm = import ./vm/peertube-vm.nix;
|
peertube-vm = import ./vm/peertube-vm.nix;
|
||||||
pixelfed-vm = import ./vm/pixelfed-vm.nix;
|
pixelfed-vm = import ./vm/pixelfed-vm.nix;
|
||||||
|
|
||||||
|
disk-layout = import ./disk-layout.nix;
|
||||||
};
|
};
|
||||||
|
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
mastodon = nixpkgs.lib.nixosSystem {
|
mastodon = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ];
|
modules = with self.nixosModules; [
|
||||||
|
disko.nixosModules.default
|
||||||
|
disk-layout
|
||||||
|
bleedingFediverse
|
||||||
|
fediversity
|
||||||
|
interactive-vm
|
||||||
|
garage-vm
|
||||||
|
mastodon-vm
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
peertube = nixpkgs.lib.nixosSystem {
|
peertube = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ];
|
modules = with self.nixosModules; [
|
||||||
|
disko.nixosModules.default
|
||||||
|
disk-layout
|
||||||
|
bleedingFediverse
|
||||||
|
fediversity
|
||||||
|
interactive-vm
|
||||||
|
garage-vm
|
||||||
|
peertube-vm
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
pixelfed = nixpkgs.lib.nixosSystem {
|
pixelfed = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ];
|
modules = with self.nixosModules; [
|
||||||
|
disko.nixosModules.default
|
||||||
|
disk-layout
|
||||||
|
bleedingFediverse
|
||||||
|
fediversity
|
||||||
|
interactive-vm
|
||||||
|
garage-vm
|
||||||
|
pixelfed-vm
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
all = nixpkgs.lib.nixosSystem {
|
all = nixpkgs.lib.nixosSystem {
|
||||||
inherit system;
|
inherit system;
|
||||||
modules = with self.nixosModules; [
|
modules = with self.nixosModules; [
|
||||||
|
disko.nixosModules.default
|
||||||
|
disk-layout
|
||||||
|
bleedingFediverse
|
||||||
fediversity
|
fediversity
|
||||||
interactive-vm
|
interactive-vm
|
||||||
|
garage-vm
|
||||||
peertube-vm
|
peertube-vm
|
||||||
pixelfed-vm
|
pixelfed-vm
|
||||||
mastodon-vm
|
mastodon-vm
|
||||||
|
@ -50,6 +97,16 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
## Fully-feature ISO installer
|
||||||
|
mkInstaller = import ./installer.nix;
|
||||||
|
installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations;
|
||||||
|
|
||||||
|
deploy =
|
||||||
|
let
|
||||||
|
deployCommand = (pkgs.callPackage ./deploy.nix { });
|
||||||
|
in
|
||||||
|
lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations;
|
||||||
|
|
||||||
checks.${system} = {
|
checks.${system} = {
|
||||||
mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
|
mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
|
||||||
pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };
|
pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };
|
||||||
|
|
39
installer.nix
Normal file
39
installer.nix
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
/**
|
||||||
|
Convert a NixOS configuration to one for a minimal installer ISO
|
||||||
|
|
||||||
|
WARNING: Running this installer will format the target disk!
|
||||||
|
*/
|
||||||
|
nixpkgs: machine:
|
||||||
|
let
|
||||||
|
installer = { config, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
bootstrap = pkgs.writeShellApplication {
|
||||||
|
name = "bootstrap";
|
||||||
|
runtimeInputs = with pkgs; [ nixos-install-tools ];
|
||||||
|
text = ''
|
||||||
|
${machine.config.system.build.diskoScript}
|
||||||
|
nixos-install --no-root-password --no-channel-copy --system ${machine.config.system.build.toplevel}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
"${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
|
||||||
|
];
|
||||||
|
nixpkgs.hostPlatform = "x86_64-linux";
|
||||||
|
services.getty.autologinUser = lib.mkForce "root";
|
||||||
|
programs.bash.loginShellInit = ''
|
||||||
|
${nixpkgs.lib.getExe bootstrap}
|
||||||
|
'';
|
||||||
|
|
||||||
|
isoImage = {
|
||||||
|
compressImage = false;
|
||||||
|
squashfsCompression = "lz4";
|
||||||
|
isoName = lib.mkForce "installer.iso";
|
||||||
|
## ^^ FIXME: Use a more interesting name or keep the default name and
|
||||||
|
## use `isoImage.isoName` in the tests.
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
(nixpkgs.lib.nixosSystem { modules = [installer];}).config.system.build.isoImage
|
||||||
|
|
|
@ -37,7 +37,12 @@ pkgs.nixosTest {
|
||||||
nodes = {
|
nodes = {
|
||||||
server = { config, ... }: {
|
server = { config, ... }: {
|
||||||
virtualisation.memorySize = lib.mkVMOverride 4096;
|
virtualisation.memorySize = lib.mkVMOverride 4096;
|
||||||
imports = with self.nixosModules; [ mastodon-vm ];
|
imports = with self.nixosModules; [
|
||||||
|
bleedingFediverse
|
||||||
|
fediversity
|
||||||
|
garage-vm
|
||||||
|
mastodon-vm
|
||||||
|
];
|
||||||
# TODO: pair down
|
# TODO: pair down
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
python3
|
python3
|
||||||
|
|
|
@ -136,7 +136,12 @@ pkgs.nixosTest {
|
||||||
memorySize = lib.mkVMOverride 8192;
|
memorySize = lib.mkVMOverride 8192;
|
||||||
cores = 8;
|
cores = 8;
|
||||||
};
|
};
|
||||||
imports = with self.nixosModules; [ pixelfed-vm ];
|
imports = with self.nixosModules; [
|
||||||
|
bleedingFediverse
|
||||||
|
fediversity
|
||||||
|
garage-vm
|
||||||
|
pixelfed-vm
|
||||||
|
];
|
||||||
# TODO: pair down
|
# TODO: pair down
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
python3
|
python3
|
||||||
|
@ -152,6 +157,8 @@ pkgs.nixosTest {
|
||||||
POST_MEDIA = ./fediversity.png;
|
POST_MEDIA = ./fediversity.png;
|
||||||
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
|
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
|
||||||
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
|
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
|
||||||
|
## without this we get frivolous errors in the logs
|
||||||
|
MC_REGION = "garage";
|
||||||
};
|
};
|
||||||
# chrome does not like being run as root
|
# chrome does not like being run as root
|
||||||
users.users.selenium = {
|
users.users.selenium = {
|
||||||
|
@ -202,7 +209,7 @@ pkgs.nixosTest {
|
||||||
|
|
||||||
with subtest("Check that image comes from garage"):
|
with subtest("Check that image comes from garage"):
|
||||||
src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
|
src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
|
||||||
if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"):
|
if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"):
|
||||||
raise Exception("image does not come from garage")
|
raise Exception("image does not come from garage")
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
29
vm/garage-vm.nix
Normal file
29
vm/garage-vm.nix
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
{ lib, config, modulesPath, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
inherit (lib) mkVMOverride;
|
||||||
|
|
||||||
|
fedicfg = config.fediversity.internal.garage;
|
||||||
|
|
||||||
|
in {
|
||||||
|
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${fedicfg.web.rootDomain} = {
|
||||||
|
forceSSL = mkVMOverride false;
|
||||||
|
enableACME = mkVMOverride false;
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.diskSize = 2048;
|
||||||
|
virtualisation.forwardPorts = [
|
||||||
|
{
|
||||||
|
from = "host";
|
||||||
|
host.port = fedicfg.rpc.port;
|
||||||
|
guest.port = fedicfg.rpc.port;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
from = "host";
|
||||||
|
host.port = fedicfg.web.internalPort;
|
||||||
|
guest.port = fedicfg.web.internalPort;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
|
@ -1,9 +1,6 @@
|
||||||
{ modulesPath, lib, config, ... }: {
|
{ modulesPath, lib, config, ... }: {
|
||||||
|
|
||||||
imports = [
|
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
||||||
../fediversity
|
|
||||||
(modulesPath + "/virtualisation/qemu-vm.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
config = lib.mkMerge [
|
config = lib.mkMerge [
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,9 +1,6 @@
|
||||||
{ pkgs, modulesPath, ... }: {
|
{ pkgs, modulesPath, ... }: {
|
||||||
|
|
||||||
imports = [
|
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
||||||
../fediversity
|
|
||||||
(modulesPath + "/virtualisation/qemu-vm.nix")
|
|
||||||
];
|
|
||||||
|
|
||||||
services.peertube = {
|
services.peertube = {
|
||||||
enableWebHttps = false;
|
enableWebHttps = false;
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
{ pkgs, modulesPath, ... }: {
|
{ pkgs, lib, modulesPath, ... }:
|
||||||
|
|
||||||
imports = [
|
let
|
||||||
../fediversity
|
inherit (lib) mkVMOverride;
|
||||||
(modulesPath + "/virtualisation/qemu-vm.nix")
|
|
||||||
];
|
in {
|
||||||
|
imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
|
||||||
|
|
||||||
fediversity = {
|
fediversity = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -11,22 +12,16 @@
|
||||||
pixelfed.enable = true;
|
pixelfed.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
|
||||||
services.pixelfed = {
|
services.pixelfed = {
|
||||||
# TODO: secrets management!
|
|
||||||
secretFile = pkgs.writeText "secrets.env" ''
|
|
||||||
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
|
|
||||||
'';
|
|
||||||
settings = {
|
settings = {
|
||||||
OPEN_REGISTRATION = true;
|
|
||||||
FORCE_HTTPS_URLS = false;
|
FORCE_HTTPS_URLS = false;
|
||||||
};
|
};
|
||||||
# I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx
|
|
||||||
# TODO: If that indeed makes sense, upstream it.
|
|
||||||
nginx = {
|
nginx = {
|
||||||
# locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
|
forceSSL = mkVMOverride false;
|
||||||
|
enableACME = mkVMOverride false;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualisation.memorySize = 2048;
|
virtualisation.memorySize = 2048;
|
||||||
virtualisation.forwardPorts = [
|
virtualisation.forwardPorts = [
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue