Same treatment for Pixelfed
parent
a1cfcf1d71
commit
1965e83e5d
5 changed files with 115 additions and 112 deletions
|
@ -9,7 +9,7 @@ in
|
|||
imports = [
|
||||
./garage
|
||||
./mastodon
|
||||
./pixelfed.nix
|
||||
./pixelfed
|
||||
./peertube
|
||||
];
|
||||
|
||||
|
@ -27,8 +27,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
|
||||
|
||||
temp = mkOption {
|
||||
description = "options that are only used while developing; should be removed eventually";
|
||||
default = { };
|
||||
|
@ -41,23 +39,6 @@ in
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
internal = mkOption {
|
||||
description = "options that are only meant to be used internally; change at your own risk";
|
||||
default = { };
|
||||
type = types.submodule {
|
||||
options = {
|
||||
## REVIEW: Do we want to recreate options under
|
||||
## `fediversity.internal` or would we rather use the options from
|
||||
## the respective services? See Taeer's comment:
|
||||
## https://git.fediversity.eu/taeer/simple-nixos-fediverse/pulls/22#issuecomment-124
|
||||
pixelfed.domain = mkOption {
|
||||
type = types.str;
|
||||
default = "pixelfed.${config.fediversity.domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -1,92 +0,0 @@
|
|||
let
|
||||
snakeoil_key = {
|
||||
id = "GKb5615457d44214411e673b7b";
|
||||
secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
|
||||
};
|
||||
in
|
||||
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
|
||||
fediversity.garage = {
|
||||
ensureBuckets = {
|
||||
pixelfed = {
|
||||
website = true;
|
||||
# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
|
||||
corsRules = {
|
||||
enable = true;
|
||||
allowedHeaders = [ "*" ];
|
||||
allowedMethods = [ "GET" ];
|
||||
allowedOrigins = [ "*" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
ensureKeys = {
|
||||
pixelfed = {
|
||||
inherit (snakeoil_key) id secret;
|
||||
ensureAccess = {
|
||||
pixelfed = {
|
||||
read = true;
|
||||
write = true;
|
||||
owner = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.pixelfed = {
|
||||
enable = true;
|
||||
domain = config.fediversity.internal.pixelfed.domain;
|
||||
|
||||
# TODO: secrets management!!!
|
||||
secretFile = pkgs.writeText "secrets.env" ''
|
||||
APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
|
||||
'';
|
||||
|
||||
## Taeer feels like this way of configuring Nginx is odd; there should
|
||||
## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
|
||||
## configuration should be in `services.nginx`. See eg. `pretix`.
|
||||
##
|
||||
## TODO: If that indeed makes sense, upstream.
|
||||
nginx = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
|
||||
};
|
||||
};
|
||||
|
||||
services.pixelfed.settings = {
|
||||
## NOTE: This depends on the targets, eg. universities might want control
|
||||
## over who has an account. We probably want a universal
|
||||
## `fediversity.openRegistration` option.
|
||||
OPEN_REGISTRATION = true;
|
||||
|
||||
# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
|
||||
FILESYSTEM_CLOUD = "s3";
|
||||
PF_ENABLE_CLOUD = true;
|
||||
AWS_ACCESS_KEY_ID = snakeoil_key.id;
|
||||
AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
|
||||
AWS_DEFAULT_REGION = "garage";
|
||||
AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
|
||||
AWS_BUCKET = "pixelfed";
|
||||
AWS_ENDPOINT = config.fediversity.garage.api.url;
|
||||
AWS_USE_PATH_STYLE_ENDPOINT = false;
|
||||
};
|
||||
|
||||
## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
|
||||
## Otherwise, everything crashed dramatically.
|
||||
systemd.services.pixelfed-data-setup = {
|
||||
after = [ "ensure-garage.service" ];
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
}
|
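--- /dev/null
+++ b/services/fediversity/pixelfed/default.nix
@@ -0,0 +1,96 @@
+let
+snakeoil_key = {
+id = "GKb5615457d44214411e673b7b";
+secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+};
+in
+
+{
+config,
+lib,
+pkgs,
+...
+}:
+
+{
+imports = [ ./options.nix ];
+
+config = lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
+fediversity.garage = {
+ensureBuckets = {
+pixelfed = {
+website = true;
+# TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
+corsRules = {
+enable = true;
+allowedHeaders = [ "*" ];
+allowedMethods = [ "GET" ];
+allowedOrigins = [ "*" ];
+};
+};
+};
+ensureKeys = {
+pixelfed = {
+inherit (snakeoil_key) id secret;
+ensureAccess = {
+pixelfed = {
+read = true;
+write = true;
+owner = true;
+};
+};
+};
+};
+};
+
+services.pixelfed = {
+enable = true;
+domain = config.fediversity.pixelfed.domain;
+
+# TODO: secrets management!!!
+secretFile = pkgs.writeText "secrets.env" ''
+APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+'';
+
+## Taeer feels like this way of configuring Nginx is odd; there should
+## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
+## configuration should be in `services.nginx`. See eg. `pretix`.
+##
+## TODO: If that indeed makes sense, upstream.
+nginx = {
+forceSSL = true;
+enableACME = true;
+# locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
+};
+};
+
+services.pixelfed.settings = {
+## NOTE: This depends on the targets, eg. universities might want control
+## over who has an account. We probably want a universal
+## `fediversity.openRegistration` option.
+OPEN_REGISTRATION = true;
+
+# DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
+FILESYSTEM_CLOUD = "s3";
+PF_ENABLE_CLOUD = true;
+AWS_ACCESS_KEY_ID = snakeoil_key.id;
+AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
+AWS_DEFAULT_REGION = "garage";
+AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
+AWS_BUCKET = "pixelfed";
+AWS_ENDPOINT = config.fediversity.garage.api.url;
+AWS_USE_PATH_STYLE_ENDPOINT = false;
+};
+
+## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
+## Otherwise, everything crashed dramatically.
+systemd.services.pixelfed-data-setup = {
+after = [ "ensure-garage.service" ];
+};
+
+networking.firewall.allowedTCPPorts = [
+80
+443
+];
+};
+}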
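Review bot: The Pixelfed `APP_KEY` is materialised with `secretFile = pkgs.writeText "secrets.env" ''…''`, which places the literal key in the world-readable Nix store (and in any binary cache the closure is pushed to), so any local user — not just the pixelfed service — can read it; the `# TODO: secrets management!!!` above it acknowledges this, but the move to `pixelfed/default.nix` carries the literal over unchanged. The Garage credentials have the same problem: `snakeoil_key.id` and `snakeoil_key.secret` are literals in this file and are fed into `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` under `services.pixelfed.settings`, which presumably get rendered into a store-resident env file as well. `secretFile` should point at a path provisioned outside the store at deploy time (sops-nix/agenix or a root-only file), e.g. `secretFile = "/run/secrets/pixelfed.env";`, with the AWS secret moved into that file rather than into `settings`. Until that lands, a comment next to `snakeoil_key` such as `## WARNING: committed, world-readable development credentials — rotate and move to a secrets store before any non-test deployment` would make the exposure explicit to whoever deploys this. The `allowedOrigins = [ "*" ]` CORS rule is already covered by its own TODO.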
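--- /dev/null
+++ b/services/fediversity/pixelfed/options.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+let
+inherit (lib) mkOption mkEnableOption;
+inherit (lib.types) types;
+
+in
+{
+options.fediversity.pixelfed = {
+enable = mkEnableOption "Enable a Pixelfed server on the machine";
+
+domain = mkOption {
+type = types.str;
+description = "Internal option — change at your own risk";
+default = "pixelfed.${config.fediversity.domain}";
+};
+};
+}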
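Review bot: `enable = mkEnableOption "Enable a Pixelfed server on the machine";` will, if `mkEnableOption` behaves as in nixpkgs, render as "Whether to enable Enable a Pixelfed server on the machine." because the helper prepends "Whether to enable"; the option this replaces in `services/fediversity/default.nix` used a noun phrase for that reason, so `enable = mkEnableOption "a Pixelfed server on the machine";` reads correctly. `inherit (lib.types) types;` also looks off: the conventional form is `inherit (lib) mkOption mkEnableOption types;`, and the current line appears to work only because `lib.types` happens to re-export itself under a `types` attribute, which is an implementation detail not worth depending on. The `domain` description "Internal option — change at your own risk" would help a deployer more if it said what the value feeds; the sibling `default.nix` passes it to `services.pixelfed.domain` next to `forceSSL`/`enableACME`, so something like `description = "Domain Pixelfed is served on (also used for its TLS virtual host); internal — change at your own risk";` seems right, but confirm the nginx/ACME dependency against the pixelfed module before stating it.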