Fediversity/services/fediversity/pixelfed/default.nix

{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkIf mkMerge readFile;

in
{
  imports = [ ./options.nix ];

  config = mkMerge [
    (mkIf
      (
        config.fediversity.garage.enable
        && config.fediversity.pixelfed.s3AccessKeyFile != null
        && config.fediversity.pixelfed.s3SecretKeyFile != null
      )
      {
        fediversity.garage = {
          ensureBuckets = {
            pixelfed = {
              website = true;
              # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
              corsRules = {
                enable = true;
                allowedHeaders = [ "*" ];
                allowedMethods = [ "GET" ];
                allowedOrigins = [ "*" ];
              };
            };
          };

          ensureKeys = {
            pixelfed = {
              inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;
              ensureAccess = {
                pixelfed = {
                  read = true;
                  write = true;
                  owner = true;
                };
              };
            };
          };
        };
      }
    )

    (mkIf config.fediversity.pixelfed.enable {
      services.pixelfed = {
        enable = true;
        domain = config.fediversity.pixelfed.domain;

        ## FIXME: secrets management; we should have a service that writes the
        ## `.env` file based on all the secrets that we need to put there.
        secretFile = pkgs.writeText "secrets.env" ''
          APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
          AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}
          AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}
        '';

        ## Taeer feels like this way of configuring Nginx is odd; there should
        ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
        ## configuration should be in `services.nginx`. See eg. `pretix`.
        ##
        ## TODO: If that indeed makes sense, upstream.
        nginx = {
          forceSSL = true;
          enableACME = true;
          # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
        };
      };

      services.pixelfed.settings = {
        ## NOTE: This depends on the targets, eg. universities might want control
        ## over who has an account. We probably want a universal
        ## `fediversity.openRegistration` option.
        OPEN_REGISTRATION = true;

        FILESYSTEM_CLOUD = "s3";
        PF_ENABLE_CLOUD = true;
        AWS_DEFAULT_REGION = "garage";
        AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
        AWS_BUCKET = "pixelfed";
        AWS_ENDPOINT = config.fediversity.garage.api.url;
        AWS_USE_PATH_STYLE_ENDPOINT = false;
      };

      ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
      ## Otherwise, everything crashed dramatically.
      systemd.services.pixelfed-data-setup = {
        after = [ "ensure-garage.service" ];
      };

      networking.firewall.allowedTCPPorts = [
        80
        443
      ];
    })
  ];
}
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`

Make access and secret keys parameters 2025-02-14 19:01:54 +01:00			`let`
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`inherit (lib) mkIf mkMerge readFile;`
Make access and secret keys parameters 2025-02-14 19:01:54 +01:00
			`in`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00			`{`
			`imports = [ ./options.nix ];`

Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`config = mkMerge [`
			`(mkIf`
			`(`
			`config.fediversity.garage.enable`
			`&& config.fediversity.pixelfed.s3AccessKeyFile != null`
			`&& config.fediversity.pixelfed.s3SecretKeyFile != null`
			`)`
			`{`
			`fediversity.garage = {`
			`ensureBuckets = {`
			`pixelfed = {`
			`website = true;`
			`# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want`
			`corsRules = {`
			`enable = true;`
			`allowedHeaders = [ "*" ];`
			`allowedMethods = [ "GET" ];`
			`allowedOrigins = [ "*" ];`
			`};`
			`};`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00			`};`
Make access and secret keys parameters 2025-02-14 19:01:54 +01:00
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`ensureKeys = {`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00			`pixelfed = {`
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`inherit (config.fediversity.pixelfed) s3AccessKeyFile s3SecretKeyFile;`
			`ensureAccess = {`
			`pixelfed = {`
			`read = true;`
			`write = true;`
			`owner = true;`
			`};`
			`};`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00			`};`
			`};`
			`};`
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`}`
			`)`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`(mkIf config.fediversity.pixelfed.enable {`
			`services.pixelfed = {`
			`enable = true;`
			`domain = config.fediversity.pixelfed.domain;`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`## FIXME: secrets management; we should have a service that writes the`
			## `.env` file based on all the secrets that we need to put there.
			`secretFile = pkgs.writeText "secrets.env" ''`
			`APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA`
			`AWS_ACCESS_KEY_ID=${readFile config.fediversity.pixelfed.s3AccessKeyFile}`
			`AWS_SECRET_ACCESS_KEY=${readFile config.fediversity.pixelfed.s3SecretKeyFile}`
			`'';`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`## Taeer feels like this way of configuring Nginx is odd; there should`
			## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
			## configuration should be in `services.nginx`. See eg. `pretix`.
			`##`
			`## TODO: If that indeed makes sense, upstream.`
			`nginx = {`
			`forceSSL = true;`
			`enableACME = true;`
			`# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";`
			`};`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00			`};`

Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`services.pixelfed.settings = {`
			`## NOTE: This depends on the targets, eg. universities might want control`
			`## over who has an account. We probably want a universal`
			## `fediversity.openRegistration` option.
			`OPEN_REGISTRATION = true;`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`FILESYSTEM_CLOUD = "s3";`
			`PF_ENABLE_CLOUD = true;`
			`AWS_DEFAULT_REGION = "garage";`
			`AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";`
			`AWS_BUCKET = "pixelfed";`
			`AWS_ENDPOINT = config.fediversity.garage.api.url;`
			`AWS_USE_PATH_STYLE_ENDPOINT = false;`
			`};`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
			`## Otherwise, everything crashed dramatically.`
			`systemd.services.pixelfed-data-setup = {`
			`after = [ "ensure-garage.service" ];`
			`};`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00
Allow Garage and services to run on different machines 2025-02-15 11:19:10 +01:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
			`})`
			`];`
Same treatment for Pixelfed 2025-02-14 18:51:38 +01:00			`}`