Faster compression and note on isoName

Co-authored-by: Taeer Bar-Yam <taeer.bar-yam@moduscreate.com>
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Reviewed-on: Fediversity/simple-nixos-fediverse#26
Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>
Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>

README.md

@@ -46,6 +46,26 @@ NOTE: it sometimes takes a while for the services to start up, and in the meanti
     ```bash
     pixelfed-manage user:create --name=test --username=test --email=test@test.com --password=testtest --confirm_email=1
     ```
+# Building an installer image
+
+Build an installer image for the desired configuration, e.g. for `peertube`:
+
+```bash
+nix build .#installers.peertube
+```
+
+Upload the image in `./result` to Proxmox when creating a VM.
+Booting the image will format the disk and install NixOS with the desired configuration.
+
+# Deploying an updated machine configuration
+
+> TODO: There is currently no way to specify an actual target machine by name.
+
+Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name:
+
+```bash
+nix run .#deploy.peertube
+```
 
 ## debugging notes
 

deploy.nix

@@ -0,0 +1,13 @@
+{ writeShellApplication }:
+name: config:
+writeShellApplication {
+  name = "deploy";
+  text = ''
+    result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
+    # shellcheck disable=SC2087
+    ssh ${name} << EOF
+    nix-env -p /nix/var/nix/profiles/system --set "$result"
+    "$result"/bin/switch-to-configuration switch
+    EOF
+  '';
+} 

disk-layout.nix

@@ -0,0 +1,36 @@
+{ ... }:
+{
+  disko.devices.disk.main = {
+    device = "/dev/sda";
+    type = "disk";
+    content = {
+      type = "gpt";
+      partitions = {
+        MBR = {
+          priority = 0;
+          size = "1M";
+          type = "EF02";
+        };
+        ESP = {
+          priority = 1;
+          size = "500M";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot";
+          };
+        };
+        root = {
+          priority = 2;
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+          };
+        };
+      };
+    };
+  };
+}

fediversity/default.nix

@@ -2,7 +2,7 @@
 
 let
   inherit (builtins) toString;
-  inherit (lib) mkOption mkEnableOption;
+  inherit (lib) mkOption mkEnableOption mkForce;
   inherit (lib.types) types;
 
 in {
@@ -64,17 +64,17 @@ in {
                   type = types.str;
                   default = "web.garage.${config.fediversity.domain}";
                 };
-                port = mkOption {
+                internalPort = mkOption {
                   type = types.int;
                   default = 3902;
                 };
-                rootDomainAndPort = mkOption {
+                domainForBucket = mkOption {
-                  type = types.str;
-                  default = "${config.fediversity.internal.garage.web.rootDomain}:${toString config.fediversity.internal.garage.web.port}";
-                };
-                urlFor = mkOption {
                   type = types.functionTo types.str;
-                  default = bucket: "http://${bucket}.${config.fediversity.internal.garage.web.rootDomainAndPort}";
+                  default = bucket: "${bucket}.${config.fediversity.internal.garage.web.rootDomain}";
+                };
+                urlForBucket = mkOption {
+                  type = types.functionTo types.str;
+                  default = bucket: "http://${config.fediversity.internal.garage.web.domainForBucket bucket}";
                 };
               };
             };
@@ -100,4 +100,19 @@ in {
       };
     };
   };
+
+  config = {
+    ## FIXME: This should clearly go somewhere else; and we should have a
+    ## `staging` vs. `production` setting somewhere.
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "nicolas.jeannerod+fediversity@moduscreate.com";
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    };
+
+    ## NOTE: For a one-machine deployment, this removes the need to provide an
+    ## `s3.garage.<domain>` domain. However, this will quickly stop working once
+    ## we go to multi-machines deployment.
+    fediversity.internal.garage.api.domain = mkForce "s3.garage.localhost";
+  };
 }

fediversity/garage.nix

@@ -15,6 +15,7 @@ let
   inherit (lib) types mkOption mkEnableOption optionalString concatStringsSep;
   inherit (lib.strings) escapeShellArg;
   cfg = config.services.garage;
+  fedicfg = config.fediversity.internal.garage;
   concatMapAttrs = scriptFn: attrset: concatStringsSep "\n" (lib.mapAttrsToList scriptFn attrset);
   ensureBucketScriptFn = bucket: { website, aliases, corsRules }:
     let
@@ -42,7 +43,7 @@ let
       ${optionalString corsRules.enable ''
         garage bucket allow --read --write --owner ${bucketArg} --key tmp
         # TODO: endpoin-url should not be hard-coded
-        aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${config.fediversity.internal.garage.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
+        aws --region ${cfg.settings.s3_api.s3_region} --endpoint-url ${fedicfg.api.url} s3api put-bucket-cors --bucket ${bucketArg} --cors-configuration ${corsRulesJSON}
         garage bucket deny --read --write --owner ${bucketArg} --key tmp
       ''}
     '';
@@ -52,7 +53,8 @@ let
       ${escapeShellArg bucket} --key ${escapeShellArg key}
   '';
   ensureKeyScriptFn = key: {id, secret, ensureAccess}: ''
-    garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret}
+    ## FIXME: Check whether the key exist and skip this step if that is the case. Get rid of this `|| :`
+    garage key import --yes -n ${escapeShellArg key} ${escapeShellArg id} ${escapeShellArg secret} || :
     ${concatMapAttrs (ensureAccessScriptFn key) ensureAccess}
   '';
   ensureKeysScript = concatMapAttrs ensureKeyScriptFn cfg.ensureKeys;
@@ -132,25 +134,10 @@ in
   };
 
   config = lib.mkIf config.fediversity.enable {
-    virtualisation.diskSize = 2048;
-    virtualisation.forwardPorts = [
-      {
-        from = "host";
-        host.port = config.fediversity.internal.garage.rpc.port;
-        guest.port = config.fediversity.internal.garage.rpc.port;
-      }
-      {
-        from = "host";
-        host.port = config.fediversity.internal.garage.web.port;
-        guest.port = config.fediversity.internal.garage.web.port;
-      }
-    ];
-
     environment.systemPackages = [ pkgs.minio-client pkgs.awscli ];
 
     networking.firewall.allowedTCPPorts = [
-      config.fediversity.internal.garage.rpc.port
+      fedicfg.rpc.port
-      config.fediversity.internal.garage.web.port
     ];
     services.garage = {
       enable = true;
@@ -160,17 +147,30 @@ in
         # TODO: use a secret file
         rpc_secret = "d576c4478cc7d0d94cfc127138cbb82018b0155c037d1c827dfb6c36be5f6625";
         # TODO: why does this have to be set? is there not a sensible default?
-        rpc_bind_addr = "[::]:${toString config.fediversity.internal.garage.rpc.port}";
+        rpc_bind_addr = "[::]:${toString fedicfg.rpc.port}";
-        rpc_public_addr = "[::1]:${toString config.fediversity.internal.garage.rpc.port}";
+        rpc_public_addr = "[::1]:${toString fedicfg.rpc.port}";
-        s3_api.api_bind_addr = "[::]:${toString config.fediversity.internal.garage.api.port}";
+        s3_api.api_bind_addr = "[::]:${toString fedicfg.api.port}";
-        s3_web.bind_addr = "[::]:${toString config.fediversity.internal.garage.web.port}";
+        s3_web.bind_addr = "[::]:${toString fedicfg.web.internalPort}";
-        s3_web.root_domain = ".${config.fediversity.internal.garage.web.rootDomain}";
+        s3_web.root_domain = ".${fedicfg.web.rootDomain}";
         index = "index.html";
 
         s3_api.s3_region = "garage";
-        s3_api.root_domain = ".${config.fediversity.internal.garage.api.domain}";
+        s3_api.root_domain = ".${fedicfg.api.domain}";
       };
     };
+
+    services.nginx.virtualHosts.${fedicfg.web.rootDomain} = {
+      forceSSL = true;
+      enableACME = true;
+      serverAliases = lib.mapAttrsToList (bucket: _: fedicfg.web.domainForBucket bucket) cfg.ensureBuckets; ## TODO: use wildcard certificates?
+      locations."/" = {
+        proxyPass = "http://localhost:3902";
+        extraConfig = ''
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+
     systemd.services.ensure-garage = {
       after = [ "garage.service" ];
       wantedBy = [ "garage.service" ];
@@ -183,7 +183,7 @@ in
 
         # Give Garage time to start up by waiting until somethings speaks HTTP
         # behind Garage's API URL.
-        until ${pkgs.curl}/bin/curl -sio /dev/null ${config.fediversity.internal.garage.api.url}; do sleep 1; done
+        until ${pkgs.curl}/bin/curl -sio /dev/null ${fedicfg.api.url}; do sleep 1; done
 
         # XXX: this is very sensitive to being a single instance
         # (doing the bare minimum to get garage up and running)
@@ -197,7 +197,8 @@ in
 
         # XXX: this is a hack because we want to write to the buckets here but we're not guaranteed any access keys
         # TODO: generate this key here rather than using a well-known key
-        garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret}
+        # TODO: if the key already exists, we get an error; hacked with this `|| :` which needs to be removed
+        garage key import --yes -n tmp ${snakeoil_key.id} ${snakeoil_key.secret} || :
         export AWS_ACCESS_KEY_ID=${snakeoil_key.id};
         export AWS_SECRET_ACCESS_KEY=${snakeoil_key.secret};
 

fediversity/mastodon.nix

@@ -46,7 +46,7 @@ lib.mkIf (config.fediversity.enable && config.fediversity.mastodon.enable) {
       AWS_ACCESS_KEY_ID = snakeoil_key.id;
       AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
       S3_PROTOCOL = "http";
-      S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomainAndPort;
+      S3_HOSTNAME = config.fediversity.internal.garage.web.rootDomain;
       # by default it tries to use "<S3_HOSTNAME>/<S3_BUCKET>"
       S3_ALIAS_HOST = "${S3_BUCKET}.${S3_HOSTNAME}";
       # SEE: the last section in https://docs.joinmastodon.org/admin/optional/object-storage/

fediversity/peertube.nix

@@ -74,17 +74,17 @@ lib.mkIf (config.fediversity.enable && config.fediversity.peertube.enable) {
         web_videos = rec {
           bucket_name = "peertube-videos";
           prefix = "";
-          base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
+          base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
         };
         videos = rec {
           bucket_name = "peertube-videos";
           prefix = "";
-          base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
+          base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
         };
         streaming_playlists = rec {
           bucket_name = "peertube-playlists";
           prefix = "";
-          base_url = config.fediversity.internal.garage.web.urlFor bucket_name;
+          base_url = config.fediversity.internal.garage.web.urlForBucket bucket_name;
         };
       };
     };

fediversity/pixelfed.nix

@@ -38,16 +38,37 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
   services.pixelfed = {
     enable = true;
     domain = config.fediversity.internal.pixelfed.domain;
+
+    # TODO: secrets management!!!
+    secretFile = pkgs.writeText "secrets.env" ''
+      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+    '';
+
+    ## Taeer feels like this way of configuring Nginx is odd; there should
+    ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
+    ## configuration should be in `services.nginx`. See eg. `pretix`.
+    ##
+    ## TODO: If that indeed makes sense, upstream.
+    nginx = {
+      forceSSL = true;
+      enableACME = true;
+      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlForBucket "pixelfed"}/public/";
+    };
   };
 
   services.pixelfed.settings = {
+    ## NOTE: This depends on the targets, eg. universities might want control
+    ## over who has an account. We probably want a universal
+    ## `fediversity.openRegistration` option.
+    OPEN_REGISTRATION = true;
+
     # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
     FILESYSTEM_CLOUD = "s3";
     PF_ENABLE_CLOUD = true;
     AWS_ACCESS_KEY_ID = snakeoil_key.id;
     AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
     AWS_DEFAULT_REGION = "garage";
-    AWS_URL = config.fediversity.internal.garage.web.urlFor "pixelfed";
+    AWS_URL = config.fediversity.internal.garage.web.urlForBucket "pixelfed";
     AWS_BUCKET = "pixelfed";
     AWS_ENDPOINT = config.fediversity.internal.garage.api.url;
     AWS_USE_PATH_STYLE_ENDPOINT = false;
@@ -59,7 +80,5 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
     after = [ "ensure-garage.service" ];
   };
 
-  services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
-    patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
-  });
 }

flake.lock

@@ -1,6 +1,55 @@
 {
   "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1727347829,
+        "narHash": "sha256-y7cW6TjJKy+tu7efxeWI6lyg4VVx/9whx+OmrhmRShU=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "1879e48907c14a70302ff5d0539c3b9b6f97feaa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
+      "locked": {
+        "lastModified": 1725194671,
+        "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-latest": {
+      "locked": {
+        "lastModified": 1727220152,
+        "narHash": "sha256-6ezRTVBZT25lQkvaPrfJSxYLwqcbNWm6feD/vG1FO0o=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "24959f933187217890b206788a85bfa73ba75949",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
       "locked": {
         "lastModified": 1723726852,
         "narHash": "sha256-lRzlx4fPRtzA+dgz9Rh4WK5yAW3TsAXx335DQqxY2XY=",
@@ -16,9 +65,29 @@
         "type": "github"
       }
     },
+    "pixelfed": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1719823820,
+        "narHash": "sha256-CKjqnxp7p2z/13zfp4HQ1OAmaoUtqBKS6HFm6TV8Jwg=",
+        "owner": "pixelfed",
+        "repo": "pixelfed",
+        "rev": "4c245cf429330d01fcb8ebeb9aa8c84a9574a645",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pixelfed",
+        "ref": "v0.12.3",
+        "repo": "pixelfed",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
-        "nixpkgs": "nixpkgs"
+        "disko": "disko",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-latest": "nixpkgs-latest",
+        "pixelfed": "pixelfed"
       }
     }
   },

flake.nix

@@ -1,48 +1,95 @@
 {
-  description = "Testing mastodon configurations";
-
   inputs = {
     nixpkgs.url = "github:radvendii/nixpkgs/nixos_rebuild_tests";
+    nixpkgs-latest.url = "github:nixos/nixpkgs";
+    pixelfed = {
+      url = "github:pixelfed/pixelfed?ref=v0.12.3";
+      flake = false;
+    };
+    disko.url = "github:nix-community/disko";
   };
 
-  outputs = { self, nixpkgs }:
+  outputs = { self, nixpkgs, nixpkgs-latest, pixelfed, disko }:
   let
     system = "x86_64-linux";
+    lib = nixpkgs.lib;
     pkgs = nixpkgs.legacyPackages.${system};
+    pkgsLatest = nixpkgs-latest.legacyPackages.${system};
+    bleedingFediverseOverlay = (self: super: {
+      pixelfed = pkgsLatest.pixelfed.overrideAttrs (old: {
+        src = pixelfed;
+        patches = (old.patches or [ ]) ++ [ ./fediversity/pixelfed-group-permissions.patch ];
+      });
+      ## TODO: give mastodon, peertube the same treatment
+    });
   in {
-
     nixosModules = {
+      ## Bleeding-edge fediverse packages
+      bleedingFediverse = {
+        nixpkgs.overlays = [ bleedingFediverseOverlay ];
+      };
       ## Fediversity modules
       fediversity = import ./fediversity;
 
       ## VM-specific modules
       interactive-vm = import ./vm/interactive-vm.nix;
+      garage-vm = import ./vm/garage-vm.nix;
       mastodon-vm = import ./vm/mastodon-vm.nix;
       peertube-vm = import ./vm/peertube-vm.nix;
       pixelfed-vm = import ./vm/pixelfed-vm.nix;
+
+      disk-layout = import ./disk-layout.nix;
     };
 
     nixosConfigurations = {
       mastodon = nixpkgs.lib.nixosSystem {
         inherit system;
-        modules = with self.nixosModules; [ fediversity interactive-vm mastodon-vm ];
+        modules = with self.nixosModules; [
+          disko.nixosModules.default
+          disk-layout
+          bleedingFediverse
+          fediversity
+          interactive-vm
+          garage-vm
+          mastodon-vm
+        ];
       };
 
       peertube = nixpkgs.lib.nixosSystem {
         inherit system;
-        modules = with self.nixosModules; [ fediversity interactive-vm peertube-vm ];
+        modules = with self.nixosModules; [
+          disko.nixosModules.default
+          disk-layout
+          bleedingFediverse
+          fediversity
+          interactive-vm
+          garage-vm
+          peertube-vm
+        ];
       };
 
       pixelfed = nixpkgs.lib.nixosSystem {
         inherit system;
-        modules = with self.nixosModules; [ fediversity interactive-vm pixelfed-vm ];
+        modules = with self.nixosModules; [
+          disko.nixosModules.default
+          disk-layout
+          bleedingFediverse
+          fediversity
+          interactive-vm
+          garage-vm
+          pixelfed-vm
+        ];
       };
 
       all = nixpkgs.lib.nixosSystem {
         inherit system;
         modules = with self.nixosModules; [
+          disko.nixosModules.default
+          disk-layout
+          bleedingFediverse
           fediversity
           interactive-vm
+          garage-vm
           peertube-vm
           pixelfed-vm
           mastodon-vm
@@ -50,6 +97,16 @@
       };
     };
 
+    ## Fully-feature ISO installer
+    mkInstaller = import ./installer.nix;
+    installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations;
+
+    deploy =
+      let
+        deployCommand = (pkgs.callPackage ./deploy.nix { });
+      in
+      lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations;
+
     checks.${system} = {
       mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
       pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };

installer.nix

@@ -0,0 +1,39 @@
+/**
+  Convert a NixOS configuration to one for a minimal installer ISO
+
+  WARNING: Running this installer will format the target disk!
+*/
+nixpkgs: machine:
+  let
+    installer = { config, pkgs, lib, ... }:
+      let
+        bootstrap = pkgs.writeShellApplication {
+          name = "bootstrap";
+          runtimeInputs = with pkgs; [ nixos-install-tools ];
+          text = ''
+            ${machine.config.system.build.diskoScript}
+            nixos-install --no-root-password --no-channel-copy --system ${machine.config.system.build.toplevel}
+          '';
+        };
+      in
+      {
+        imports = [
+          "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix"
+        ];
+        nixpkgs.hostPlatform = "x86_64-linux";
+        services.getty.autologinUser = lib.mkForce "root";
+        programs.bash.loginShellInit = ''
+          ${nixpkgs.lib.getExe bootstrap}
+        '';
+
+        isoImage = {
+          compressImage = false;
+          squashfsCompression = "lz4";
+          isoName = lib.mkForce "installer.iso";
+          ## ^^ FIXME: Use a more interesting name or keep the default name and
+          ## use `isoImage.isoName` in the tests.
+        };
+      };
+  in
+  (nixpkgs.lib.nixosSystem { modules =  [installer];}).config.system.build.isoImage
+ 

tests/mastodon-garage.nix

@@ -37,7 +37,12 @@ pkgs.nixosTest {
   nodes = {
     server = { config, ... }: {
       virtualisation.memorySize = lib.mkVMOverride 4096;
-      imports = with self.nixosModules; [ mastodon-vm ];
+      imports = with self.nixosModules; [
+        bleedingFediverse
+        fediversity
+        garage-vm
+        mastodon-vm
+      ];
       # TODO: pair down
       environment.systemPackages = with pkgs; [
         python3

tests/pixelfed-garage.nix

@@ -136,7 +136,12 @@ pkgs.nixosTest {
         memorySize = lib.mkVMOverride 8192;
         cores = 8;
       };
-      imports = with self.nixosModules; [ pixelfed-vm ];
+      imports = with self.nixosModules; [
+        bleedingFediverse
+        fediversity
+        garage-vm
+        pixelfed-vm
+      ];
       # TODO: pair down
       environment.systemPackages = with pkgs; [
         python3
@@ -152,6 +157,8 @@ pkgs.nixosTest {
         POST_MEDIA = ./fediversity.png;
         AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
         AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
+        ## without this we get frivolous errors in the logs
+        MC_REGION = "garage";
       };
       # chrome does not like being run as root
       users.users.selenium = {
@@ -202,7 +209,7 @@ pkgs.nixosTest {
 
     with subtest("Check that image comes from garage"):
       src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
-      if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlFor "pixelfed"}"):
+      if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"):
         raise Exception("image does not come from garage")
   '';
 }

vm/garage-vm.nix

@@ -0,0 +1,29 @@
+{ lib, config, modulesPath, ... }:
+
+let
+  inherit (lib) mkVMOverride;
+
+  fedicfg = config.fediversity.internal.garage;
+
+in {
+  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
+
+  services.nginx.virtualHosts.${fedicfg.web.rootDomain} = {
+    forceSSL = mkVMOverride false;
+    enableACME = mkVMOverride false;
+  };
+
+  virtualisation.diskSize = 2048;
+  virtualisation.forwardPorts = [
+    {
+      from = "host";
+      host.port = fedicfg.rpc.port;
+      guest.port = fedicfg.rpc.port;
+    }
+    {
+      from = "host";
+      host.port = fedicfg.web.internalPort;
+      guest.port = fedicfg.web.internalPort;
+    }
+  ];
+}

vm/mastodon-vm.nix

@@ -1,9 +1,6 @@
 { modulesPath, lib, config, ... }: {
 
-  imports = [
+  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
-    ../fediversity
-    (modulesPath + "/virtualisation/qemu-vm.nix")
-  ];
 
   config = lib.mkMerge [
     {

vm/peertube-vm.nix

@@ -1,9 +1,6 @@
 { pkgs, modulesPath, ... }: {
 
-  imports = [
+  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
-    ../fediversity
-    (modulesPath + "/virtualisation/qemu-vm.nix")
-  ];
 
   services.peertube = {
     enableWebHttps = false;

vm/pixelfed-vm.nix

@@ -1,9 +1,10 @@
-{ pkgs, modulesPath, ... }: {
+{ pkgs, lib, modulesPath, ... }:
 
-  imports = [
+let
-    ../fediversity
+  inherit (lib) mkVMOverride;
-    (modulesPath + "/virtualisation/qemu-vm.nix")
+
-  ];
+in {
+  imports = [ (modulesPath + "/virtualisation/qemu-vm.nix") ];
 
   fediversity = {
     enable = true;
@@ -11,22 +12,16 @@
     pixelfed.enable = true;
   };
 
-  networking.firewall.allowedTCPPorts = [ 80 ];
   services.pixelfed = {
-    # TODO: secrets management!
-    secretFile = pkgs.writeText "secrets.env" ''
-      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
-    '';
     settings = {
-      OPEN_REGISTRATION = true;
       FORCE_HTTPS_URLS = false;
     };
-    # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx
-    # TODO: If that indeed makes sense, upstream it.
     nginx = {
-      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
+      forceSSL = mkVMOverride false;
+      enableACME = mkVMOverride false;
     };
   };
+
   virtualisation.memorySize = 2048;
   virtualisation.forwardPorts = [
     {