{ config, lib, pkgs, ... }: lib.mkMerge [ # not mastodon related { # let us log in users.mutableUsers = false; users.users.root.hashedPassword = ""; services.openssh = { enable = true; settings = { PermitRootLogin = "yes"; PermitEmptyPasswords = "yes"; UsePAM = "no"; }; }; # access to convenient things environment.systemPackages = with pkgs; [ w3m python3 ]; nix.extraOptions = '' extra-experimental-features = nix-command flakes ''; } # mastodon setup { # open up access to the mastodon web interface networking.firewall.allowedTCPPorts = [ 443 ]; services.mastodon = { enable = true; # TODO: set up a domain name, and a DNS service so that this can run not in a vm # localDomain = "domain.social"; configureNginx = true; # TODO: configure a mailserver so this works # smtp.fromAddress = "mastodon@mastodon.localhost"; # TODO: this is hardware-dependent. let's figure it out when we have hardware # streamingProcesses = 1; }; security.acme = { acceptTerms = true; preliminarySelfsigned = true; # TODO: configure a mailserver so we can set up acme # defaults.email = "test@example.com"; }; } # VM setup { # these configurations only apply when producing a VM (e.g. nixos-rebuild build-vm) virtualisation.vmVariant = { config, ... }: { services.mastodon = { # redirects to localhost, but allows it to have a proper domain name localDomain = "mastodon.localhost"; smtp = { fromAddress = "mastodon@mastodon.localhost"; createLocally = false; }; extraConfig = { EMAIL_DOMAIN_ALLOWLIST = "example.com"; }; # from the documentation: recommended is the amount of your CPU cores minus one. # but it also must be a positive integer streamingProcesses = let ncores = config.virtualisation.cores; max = x: y: if x > y then x else y; in max 1 (ncores - 1); }; security.acme = { defaults = { # invalid server; the systemd service will fail, and we won't get properly signed certificates # but let's not spam the letsencrypt servers (and we don't own this domain anyways) server = "https://127.0.0.1"; email = "none"; }; }; virtualisation.memorySize = 2048; virtualisation.forwardPorts = [ { from = "host"; host.port = 44443; guest.port = 443; } { from = "host"; host.port = 2222; guest.port = 22; } ]; }; } # mastodon development environment { virtualisation.vmVariant = { config, ... }: { services.mastodon = { # needed so we can directly access mastodon at port 55001 # otherwise, mastodon has to be accessed *from* port 443, which we can't do via port forwarding enableUnixSocket = false; extraConfig = { RAILS_ENV = "development"; # for letter_opener REMOTE_DEV = "true"; }; }; services.postgresql = { enable = true; ensureUsers = [ { name = config.services.mastodon.database.user; ensureClauses.createdb = true; # ensurePermissions doesn't work anymore # ensurePermissions = { # "mastodon_development.*" = "ALL PRIVILEGES"; # "mastodon_test.*" = "ALL PRIVILEGES"; # } } ]; # ensureDatabases = [ "mastodon_development_test" "mastodon_test" ]; }; # run rails db:seed so that mastodon sets up the databases for us systemd.services.mastodon-init-db.script = lib.mkForce '' if [ `psql -c \ "select count(*) from pg_class c \ join pg_namespace s on s.oid = c.relnamespace \ where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \ and s.nspname not like 'pg_temp%';" | sed -n 3p` -eq 0 ]; then echo "Seeding database" rails db:setup # SAFETY_ASSURED=1 rails db:schema:load rails db:seed else echo "Migrating database (this might be a noop)" # TODO: this breaks for some reason # rails db:migrate fi ''; virtualisation.forwardPorts = lib.mkForce [ { from = "host"; host.port = 55001; guest.port = 55001; } ]; }; } ]