From 1965e83e5d2b7ee8362ad81ddeff07ff4a7527cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20=E2=80=9CNiols=E2=80=9D=20Jeannerod?=
Date: Fri, 14 Feb 2025 18:51:38 +0100
Subject: [PATCH] Same treatment for Pixelfed
---
 services/fediversity/default.nix | 21 +---
 services/fediversity/pixelfed.nix | 92 ------------------
 services/fediversity/pixelfed/default.nix | 96 +++++++++++++++++++
 .../group-permissions.patch} | 0
 services/fediversity/pixelfed/options.nix | 18 ++++
 5 files changed, 115 insertions(+), 112 deletions(-)
 delete mode 100644 services/fediversity/pixelfed.nix
 create mode 100644 services/fediversity/pixelfed/default.nix
 rename services/fediversity/{pixelfed-group-permissions.patch => pixelfed/group-permissions.patch} (100%)
 create mode 100644 services/fediversity/pixelfed/options.nix
diff --git a/services/fediversity/default.nix b/services/fediversity/default.nix
index a8c9f69b..5147c8f9 100644
--- a/services/fediversity/default.nix
+++ b/services/fediversity/default.nix
@@ -9,7 +9,7 @@ in
 imports = [
 ./garage
 ./mastodon
- ./pixelfed.nix
+ ./pixelfed
 ./peertube
 ];
 
@@ -27,8 +27,6 @@ in
 '';
 };
 
- pixelfed.enable = mkEnableOption "default Fediversity Pixelfed configuration";
-
 temp = mkOption {
 description = "options that are only used while developing; should be removed eventually";
 default = { };
@@ -41,23 +39,6 @@ in
 };
 };
 };
-
- internal = mkOption {
- description = "options that are only meant to be used internally; change at your own risk";
- default = { };
- type = types.submodule {
- options = {
- ## REVIEW: Do we want to recreate options under
- ## `fediversity.internal` or would we rather use the options from
- ## the respective services? See Taeer's comment:
- ## https://git.fediversity.eu/taeer/simple-nixos-fediverse/pulls/22#issuecomment-124
- pixelfed.domain = mkOption {
- type = types.str;
- default = "pixelfed.${config.fediversity.domain}";
- };
- };
- };
- };
 };
 };
 
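Review bot: The third hunk removes the whole `fediversity.internal` submodule rather than only `internal.pixelfed.domain`, so any module or host configuration outside this diff that still reads `config.fediversity.internal.pixelfed.domain`, or declares anything else under `fediversity.internal`, now fails evaluation with a missing-attribute error. The `./mastodon` and `./peertube` modules imported in the first hunk are not shown here, so this is worth confirming before merging. If the namespace is meant to stay gone, a short comment next to the surviving `temp` option saying that per-service options are now declared in each service directory's own `options.nix` (as `./pixelfed` does) would save the next reader the search.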
diff --git a/services/fediversity/pixelfed.nix b/services/fediversity/pixelfed.nix
deleted file mode 100644
index 0b1be364..00000000
--- a/services/fediversity/pixelfed.nix
+++ /dev/null
@@ -1,92 +0,0 @@
-let
- snakeoil_key = {
- id = "GKb5615457d44214411e673b7b";
- secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
- };
-in
-
- {
- config,
- lib,
- pkgs,
- ...
-}:
-
- lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
- fediversity.garage = {
- ensureBuckets = {
- pixelfed = {
- website = true;
- # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
- corsRules = {
- enable = true;
- allowedHeaders = [ "*" ];
- allowedMethods = [ "GET" ];
- allowedOrigins = [ "*" ];
- };
- };
- };
- ensureKeys = {
- pixelfed = {
- inherit (snakeoil_key) id secret;
- ensureAccess = {
- pixelfed = {
- read = true;
- write = true;
- owner = true;
- };
- };
- };
- };
- };
-
- services.pixelfed = {
- enable = true;
- domain = config.fediversity.internal.pixelfed.domain;
-
- # TODO: secrets management!!!
- secretFile = pkgs.writeText "secrets.env" ''
- APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
- '';
-
- ## Taeer feels like this way of configuring Nginx is odd; there should
- ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
- ## configuration should be in `services.nginx`. See eg. `pretix`.
- ##
- ## TODO: If that indeed makes sense, upstream.
- nginx = {
- forceSSL = true;
- enableACME = true;
- # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
- };
- };
-
- services.pixelfed.settings = {
- ## NOTE: This depends on the targets, eg. universities might want control
- ## over who has an account. We probably want a universal
- ## `fediversity.openRegistration` option.
- OPEN_REGISTRATION = true;
-
- # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
- FILESYSTEM_CLOUD = "s3";
- PF_ENABLE_CLOUD = true;
- AWS_ACCESS_KEY_ID = snakeoil_key.id;
- AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
- AWS_DEFAULT_REGION = "garage";
- AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
- AWS_BUCKET = "pixelfed";
- AWS_ENDPOINT = config.fediversity.garage.api.url;
- AWS_USE_PATH_STYLE_ENDPOINT = false;
- };
-
- ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
- ## Otherwise, everything crashed dramatically.
- systemd.services.pixelfed-data-setup = {
- after = [ "ensure-garage.service" ];
- };
-
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
-}
diff --git a/services/fediversity/pixelfed/default.nix b/services/fediversity/pixelfed/default.nix
new file mode 100644
index 00000000..4ce28871
--- /dev/null
+++ b/services/fediversity/pixelfed/default.nix
@@ -0,0 +1,96 @@
+let
+ snakeoil_key = {
+ id = "GKb5615457d44214411e673b7b";
+ secret = "5be6799a88ca9b9d813d1a806b64f15efa49482dbe15339ddfaf7f19cf434987";
+ };
+in
+
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+ {
+ imports = [ ./options.nix ];
+
+ config = lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
+ fediversity.garage = {
+ ensureBuckets = {
+ pixelfed = {
+ website = true;
+ # TODO: these are too broad, after getting everything works narrow it down to the domain we actually want
+ corsRules = {
+ enable = true;
+ allowedHeaders = [ "*" ];
+ allowedMethods = [ "GET" ];
+ allowedOrigins = [ "*" ];
+ };
+ };
+ };
+ ensureKeys = {
+ pixelfed = {
+ inherit (snakeoil_key) id secret;
+ ensureAccess = {
+ pixelfed = {
+ read = true;
+ write = true;
+ owner = true;
+ };
+ };
+ };
+ };
+ };
+
+ services.pixelfed = {
+ enable = true;
+ domain = config.fediversity.pixelfed.domain;
+
+ # TODO: secrets management!!!
+ secretFile = pkgs.writeText "secrets.env" ''
+ APP_KEY=adKK9EcY8Hcj3PLU7rzG9rJ6KKTOtYfA
+ '';
+
+ ## Taeer feels like this way of configuring Nginx is odd; there should
+ ## instead be a `services.pixefed.nginx.enable` option and the actual Nginx
+ ## configuration should be in `services.nginx`. See eg. `pretix`.
+ ##
+ ## TODO: If that indeed makes sense, upstream.
+ nginx = {
+ forceSSL = true;
+ enableACME = true;
+ # locations."/public/".proxyPass = "${config.fediversity.garage.web.urlForBucket "pixelfed"}/public/";
+ };
+ };
+
+ services.pixelfed.settings = {
+ ## NOTE: This depends on the targets, eg. universities might want control
+ ## over who has an account. We probably want a universal
+ ## `fediversity.openRegistration` option.
+ OPEN_REGISTRATION = true;
+
+ # DANGEROUSLY_SET_FILESYSTEM_DRIVER = "s3";
+ FILESYSTEM_CLOUD = "s3";
+ PF_ENABLE_CLOUD = true;
+ AWS_ACCESS_KEY_ID = snakeoil_key.id;
+ AWS_SECRET_ACCESS_KEY = snakeoil_key.secret;
+ AWS_DEFAULT_REGION = "garage";
+ AWS_URL = config.fediversity.garage.web.urlForBucket "pixelfed";
+ AWS_BUCKET = "pixelfed";
+ AWS_ENDPOINT = config.fediversity.garage.api.url;
+ AWS_USE_PATH_STYLE_ENDPOINT = false;
+ };
+
+ ## Only ever run `pixelfed-data-setup` after `ensure-garage` has done its job.
+ ## Otherwise, everything crashed dramatically.
+ systemd.services.pixelfed-data-setup = {
+ after = [ "ensure-garage.service" ];
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
diff --git a/services/fediversity/pixelfed-group-permissions.patch b/services/fediversity/pixelfed/group-permissions.patch
similarity index 100%
rename from services/fediversity/pixelfed-group-permissions.patch
rename to services/fediversity/pixelfed/group-permissions.patch
diff --git a/services/fediversity/pixelfed/options.nix b/services/fediversity/pixelfed/options.nix
new file mode 100644
index 00000000..1a36ea27
--- /dev/null
+++ b/services/fediversity/pixelfed/options.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+let
+ inherit (lib) mkOption mkEnableOption;
+ inherit (lib.types) types;
+
+in
+{
+ options.fediversity.pixelfed = {
+ enable = mkEnableOption "Enable a Pixelfed server on the machine";
+
+ domain = mkOption {
+ type = types.str;
+ description = "Internal option — change at your own risk";
+ default = "pixelfed.${config.fediversity.domain}";
+ };
+ };
+}
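Review bot: `snakeoil_key` at the top of the new `pixelfed/default.nix` carries a hard-coded Garage key id and secret with no comment, and the secret is copied again into `services.pixelfed.settings.AWS_SECRET_ACCESS_KEY`, while `APP_KEY` is written with `pkgs.writeText` and therefore ends up in the world-readable Nix store; the `# TODO: secrets management!!!` line only covers the latter, and the `settings` attribute set is presumably rendered into a store path as well. The move into a `config = lib.mkIf ...` block is a good moment to document this above `snakeoil_key`, e.g. `## Development-only placeholder credentials: they are embedded in the Nix store and in the generated Pixelfed settings, so they must be replaced by a real secrets mechanism before any non-test deployment.` The same applies to the `corsRules` block, whose existing TODO already records that `allowedOrigins = [ "*" ]` is broader than intended.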
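Review bot: In `options.nix`, `mkEnableOption "Enable a Pixelfed server on the machine"` yields a description reading "Whether to enable Enable a Pixelfed server on the machine.", because `mkEnableOption` prepends "Whether to enable "; the argument should be the bare noun phrase, `enable = mkEnableOption "a Pixelfed server on the machine";`. `inherit (lib.types) types;` on the line above only works because `lib.types` happens to re-export its own `types` attribute; the conventional form is a single `inherit (lib) mkOption mkEnableOption types;`. The `domain` description, "Internal option — change at your own risk", is now the only trace of the old `fediversity.internal` namespace and does not say what the option controls; stating that it is the virtual host the Pixelfed service is configured for, defaulting to `pixelfed.<fediversity.domain>`, would make the warning actionable.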