# NixOS module wiring Pixelfed into the Fediversity stack: it asks the
# `fediversity.garage` module for an S3 bucket and an access key, points
# `services.pixelfed` at that bucket, fronts it with nginx and opens the
# HTTP/HTTPS ports. The `fediversity.pixelfed.*` options are declared in
# ./options.nix; the `fediversity.garage.*` options come from another module
# that is not visible here.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkIf readFile;
in

{
  imports = [ ./options.nix ];

  # Everything below is applied only when both the global Fediversity switch
  # and the Pixelfed-specific one are enabled.
  config = mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
    fediversity.garage = {
      ensureBuckets = {
        pixelfed = {
          # The bucket is exposed as a public website; media URLs point at it directly.
          website = true;

          # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
          # NOTE(review): with `allowedOrigins = [ "*" ]` and `allowedHeaders = [ "*" ]`
          # any web origin may read bucket contents cross-origin. Only GET is
          # allowed, so this is read-only exposure of an already-public bucket,
          # but it should still be narrowed to the Pixelfed domain as the TODO says.
          corsRules = {
            enable = true;
            allowedHeaders = [ "*" ];
            allowedMethods = [ "GET" ];
            allowedOrigins = [ "*" ];
          };
        };
      };

      ensureKeys = {
        pixelfed = {
          # Key material is taken from the files named by the options, not
          # written into this module.
          inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
          ensureAccess = {
            pixelfed = {
              # Full rights on the bucket for this one key; `owner` presumably
              # also allows changing bucket settings — confirm against the
              # garage module before relying on it.
              read = true;
              write = true;
              owner = true;
            };
          };
        };
      };
    };

    services.pixelfed = {
      enable = true;
      domain = config.fediversity.pixelfed.domain;

      ## FIXME: secrets management; we should have a service that writes the
      ## `.env` file based on all the secrets that we need to put there.
      ##
      ## NOTE(review): `pkgs.writeText` produces a path in the Nix store, which
      ## is world-readable, and `readFile` runs at evaluation time, so both S3
      ## credentials and the APP_KEY below end up in the store. APP_KEY is in
      ## addition a fixed literal committed to this file. Once the FIXME above
      ## is addressed, these values should be rotated.
      secretFile = pkgs.writeText "secrets.env" ''
        APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
        AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
        AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
      '';

      ## Taeer feels like this way of configuring Nginx is odd; there should
      ## instead be a `services.pixelfed.nginx.enable` option and the actual Nginx
      ## configuration should be in `services.nginx`. See eg. `pretix`.
      ##
      ## TODO: If that indeed makes sense, upstream.
      nginx = {
        # Redirect plain HTTP to HTTPS and obtain the certificate through ACME.
        forceSSL = true;
        enableACME = true;
        # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
      };
    };

    services.pixelfed.settings = {
      ## NOTE: This depends on the targets, eg. universities might want control
      ## over who has an account. We probably want a universal
      ## `fediversity.openRegistration` option.
      OPEN_REGISTRATION = true;

      # Store media in the Garage bucket declared above instead of on local disk.
      FILESYSTEM_CLOUD = "s3";
      PF_ENABLE_CLOUD = true;
      AWS_DEFAULT_REGION = "garage";
      # Public (web) URL of the bucket — presumably what media links served to
      # clients are built from.
      AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
      AWS_BUCKET = "pixelfed";
      # S3 API endpoint of Garage, presumably used for uploads.
      AWS_ENDPOINT = config.fediversity.garage.api.url;
      AWS_USE_PATH_STYLE_ENDPOINT = false;
    };

    ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
    ## Otherwise, everything crashed dramatically.
    # NOTE: `after` only orders the two units; it does not pull ensure-garage
    # in (no `requires`/`wants`), so ensure-garage must be started elsewhere.
    systemd.services.pixelfed-data-setup = {
      after = [ "ensure-garage.service" ];
    };

    # nginx fronts Pixelfed on plain HTTP (ACME challenges and the HTTPS
    # redirect) and on HTTPS.
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };
}