Move stuff from pixelfed-vm to pixelfed

2024-09-20 17:56:40 +02:00 · 2024-09-20 17:56:40 +02:00 · 81ab439777
commit 81ab439777
parent 7665609827
2 changed files with 22 additions and 11 deletions
--- a/fediversity/pixelfed.nix
+++ b/fediversity/pixelfed.nix
@ -38,9 +38,28 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
  services.pixelfed = {
    enable = true;
    domain = config.fediversity.internal.pixelfed.domain;
+
+    # TODO: secrets management!!!
+    secretFile = pkgs.writeText "secrets.env" ''
+      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+    '';
+
+    ## Taeer feels like this way of configuring Nginx is odd; there should
+    ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
+    ## configuration should be in `services.nginx`. See eg. `pretix`.
+    ##
+    ## TODO: If that indeed makes sense, upstream.
+    nginx = {
+      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
+    };
  };

  services.pixelfed.settings = {
+    ## NOTE: This depends on the targets, eg. universities might want control
+    ## over who has an account. We probably want a universal
+    ## `fediversity.openRegistration` option.
+    OPEN_REGISTRATION = true;
+
    # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
    FILESYSTEM_CLOUD = "s3";
    PF_ENABLE_CLOUD = true;
@ -62,4 +81,6 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
  services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
  });
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
 }
--- a/vm/pixelfed-vm.nix
+++ b/vm/pixelfed-vm.nix
@ -11,22 +11,12 @@
    pixelfed.enable = true;
  };

-  networking.firewall.allowedTCPPorts = [ 80 ];
  services.pixelfed = {
-    # TODO: secrets management!
-    secretFile = pkgs.writeText "secrets.env" ''
-      APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
-    '';
    settings = {
-      OPEN_REGISTRATION = true;
      FORCE_HTTPS_URLS = false;
    };
-    # I feel like this should have an `enable` option and be configured via `services.nginx` rather than mirroring those options in services.pixelfed.nginx
-    # TODO: If that indeed makes sense, upstream it.
-    nginx = {
-      # locations."/public/".proxyPass = "${config.fediversity.internal.garage.web.urlFor "pixelfed"}/public/";
-    };
  };
+
  virtualisation.memorySize = 2048;
  virtualisation.forwardPorts = [
    {